CVE-2026-35453

Source
https://cve.org/CVERecord?id=CVE-2026-35453
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35453.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35453
Aliases
Published
2026-05-05T19:39:54.507Z
Modified
2026-07-08T08:10:13.255741518Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
PhpSpreadsheet XSS via number format text substitution in HTML Writer
Details

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35453.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/phpoffice/phpspreadsheet

Affected ranges

Type
GIT
Repo
https://github.com/phpoffice/phpspreadsheet
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.30.4"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.16"
        },
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.4.5"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.10.5"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "5.7.0"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.0-beta2
1.1.0
1.10.0
1.10.1
1.11.0
1.12.0
1.13.0
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.17.1
1.18.0
1.19.0
1.2.0
1.2.1
1.20.0
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
1.25.1
1.25.2
1.27.0
1.28.0
1.29.0
1.29.1
1.29.10
1.29.11
1.29.12
1.29.2
1.29.4
1.29.5
1.29.6
1.29.7
1.29.8
1.29.9
1.3.0
1.3.1
1.30.0
1.30.1
1.30.2
1.30.3
1.4.0
1.4.1
1.5.0
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
2.*
2.0.0
2.1.0
2.1.1
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.2.0
2.2.1
2.2.2
2.3.0
2.3.10
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
3.*
3.10.0
3.10.1
3.10.2
3.10.3
3.10.4
3.3.0
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0
3.9.0
3.9.1
3.9.2
3.9.3
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.3.1
4.4.0
4.5.0
5.*
5.0.0
5.1.0
5.2.0
5.3.0
5.4.0
5.5.0
5.6.0
Other
phpexcel-last-cherry-picked-commit
phpexcel-last-release-1.*
phpexcel-last-release-1.8.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35453.json"