cvedb.io
CVE-2026-40296
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2026-05-06T22:16:25.510 · Last modified 2026-06-17T10:44:57.727

Summary

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.

Affected products

phpoffice — phpspreadsheet

Does this affect you?

Add your gear to cvedb and we'll alert you only when phpoffice ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.