Vulnerability DatabaseCVE-2026-40296
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-40296
Published:May 06, 2026
Updated:May 16, 2026
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.
Affected Packages
phpoffice/phpspreadsheet (PHP):
Affected version(s) >=2.0.0 <2.1.16
Fix Suggestion:
Update to version 2.1.16
phpoffice/phpspreadsheet (PHP):
Affected version(s) >=4.0.0 <5.7.0
Fix Suggestion:
Update to version 5.7.0
phpoffice/phpspreadsheet (PHP):
Affected version(s) >=dev-release <1.30.4
Fix Suggestion:
Update to version 1.30.4
phpoffice/phpspreadsheet (PHP):
Affected version(s) >=3.3.0 <3.10.5
Fix Suggestion:
Update to version 3.10.5
phpoffice/phpspreadsheet (PHP):
Affected version(s) >=2.2.0 <2.4.5
Fix Suggestion:
Update to version 2.4.5
phpoffice/phpspreadsheet (PHP):
Affected version(s) >=1.0.0-beta <1.30.4
Fix Suggestion:
Update to version 1.30.4
Related Resources (3)
https://github.com/PHPOffice/PhpSpreadsheet
https://nvd.nist.gov/vuln/detail/CVE-2026-40296
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
EPSS
Base Score:
0.03