HTML Injection Vulnerability in PhpSpreadsheet by PHPOffice
CVE-2026-35453

4.8 MEDIUM

Key Information:

Vendor: PHPOffice

CVE Published: 5 May 2026

What is CVE-2026-35453?

A vulnerability exists in PhpSpreadsheet's HTML Writer component that allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output if they can control the content of a cell that uses a specific custom number format. The issue arises from inadequate output escaping when the custom format combines the '@' text placeholder with additional literal text. The vulnerability has been addressed in the fixed versions, which apply the appropriate escaping so that cell content cannot be rendered as markup.

Affected Version(s)

PhpSpreadsheet >= 4.0.0, <= 5.6.0

PhpSpreadsheet >= 3.3.0, <= 3.10.4

PhpSpreadsheet >= 2.2.0, <= 2.4.4

References

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 5 May 2026

  • Vulnerability reserved