CVE-2026-40296
published 2026-05-06CVE-2026-40296: PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value…
PriorityP427medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.22%
13.0th percentile
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpoffice | phpspreadsheet | < 1.30.4 | 1.30.4 |
| phpoffice | phpspreadsheet | <= 1.30.3 | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | >= 0 < 1.30.4 | 1.30.4 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.16 | 2.1.16 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.16 | 2.1.16 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.4.5 | 2.4.5 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.4.5 | 2.4.5 |
| phpoffice | phpspreadsheet | >= 3.3.0 < 3.10.5 | 3.10.5 |
| phpoffice | phpspreadsheet | >= 3.3.0 < 3.10.5 | 3.10.5 |
| phpoffice | phpspreadsheet | >= 4.0.0 < 5.7.0 | 5.7.0 |
| phpoffice | phpspreadsheet | >= 4.0.0 < 5.7.0 | 5.7.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-06
Published