CVE-2026-40902 HIGH

CVE-2026-40902: PhpSpreadsheet: CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions

Vendor Phpoffice

Product PhpSpreadsheet

Weakness CWE-770 · Uncontrolled resource consumption

Published May 12, 2026

Last update May 13, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a minimal XLSX file (~1.6KB) containing a <row r="999999999"/> element that inflates cachedHighestRow to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

Key dates

Disclosure timeline

May 12, 2026 CVE published

May 13, 2026 Record updated

Identifiers

CVE CVE-2026-40902

CWE CWE-770

CVSS 7.5 / HIGH

Affected versions

Vendor Phpoffice

Product PhpSpreadsheet

Affected < 1.30.4

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.0.0, < 2.1.16

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.2.0, < 2.4.5

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 3.3.0, < 3.10.5

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 4.0.0, < 5.7.0