CVE-2026-40863 HIGH

CVE-2026-40863: PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader

Vendor Phpoffice

Product PhpSpreadsheet

Weakness CWE-770 · Uncontrolled resource consumption

Published May 12, 2026

Last update May 13, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

Key dates

Disclosure timeline

May 12, 2026 CVE published

May 13, 2026 Record updated

Identifiers

CVE CVE-2026-40863

CWE CWE-770

CVSS 7.5 / HIGH

Affected versions

Vendor Phpoffice

Product PhpSpreadsheet

Affected < 1.30.4

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.0.0, < 2.1.16

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.2.0, < 2.4.5

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 3.3.0, < 3.10.5

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 4.0.0, < 5.7.0