CVE-2026-40863

Source
https://cve.org/CVERecord?id=CVE-2026-40863
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40863.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40863
Aliases
Published
2026-05-12T22:04:29.510Z
Modified
2026-07-08T08:05:11.330679678Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
Details

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40863.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/phpoffice/phpspreadsheet

Affected ranges

Type
GIT
Repo
https://github.com/phpoffice/phpspreadsheet
Events
Database specific
{
    "cpe": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.30.4"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.16"
        },
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.4.5"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.10.5"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "5.7.0"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.0-beta2
1.1.0
1.10.0
1.10.1
1.11.0
1.12.0
1.13.0
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.17.1
1.18.0
1.19.0
1.2.0
1.2.1
1.20.0
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
1.25.1
1.25.2
1.27.0
1.28.0
1.29.0
1.29.1
1.29.10
1.29.11
1.29.12
1.29.2
1.29.4
1.29.5
1.29.6
1.29.7
1.29.8
1.29.9
1.3.0
1.3.1
1.30.0
1.30.1
1.30.2
1.30.3
1.4.0
1.4.1
1.5.0
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
2.*
2.0.0
2.1.0
2.1.1
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.2.0
2.2.1
2.2.2
2.3.0
2.3.10
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
3.*
3.10.0
3.10.1
3.10.2
3.10.3
3.10.4
3.3.0
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0
3.9.0
3.9.1
3.9.2
3.9.3
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.3.1
4.4.0
4.5.0
5.*
5.0.0
5.1.0
5.2.0
5.3.0
5.4.0
5.5.0
5.6.0
Other
phpexcel-last-cherry-picked-commit
phpexcel-last-release-1.*
phpexcel-last-release-1.8.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40863.json"