CVE-2026-40296 MEDIUM

CVE-2026-40296: PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes

Vendor Phpoffice

Product PhpSpreadsheet

Weakness CWE-79 · XSS

Published May 6, 2026

Last update May 7, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.

Key dates

Disclosure timeline

May 6, 2026 CVE published

May 7, 2026 Record updated

Identifiers

CVE CVE-2026-40296

CWE CWE-79

CVSS 5.4 / MEDIUM

Affected versions

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 4.0.0, <= 5.6.0

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 3.3.0, <= 3.10.4

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.2.0, <= 2.4.4

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.0.0, <= 2.1.15

Vendor Phpoffice

Product PhpSpreadsheet

Affected <= 1.30.3