Stored Cross-Site Scripting Vulnerability in PhpSpreadsheet by PhpOffice
CVE-2026-40296

5.4 MEDIUM

Key Information:

Vendor:
PHPoffice

CVE Published:
6 May 2026

What is CVE-2026-40296?

The PhpSpreadsheet library, widely used for reading and writing spreadsheet files, has a vulnerability in the HTML output of cells that carry a custom number format. When a custom format containing a text placeholder such as '@' changes the cell's displayed value so that it no longer matches the stored value, the library does not HTML-escape the cell content. An attacker who can place content in a spreadsheet that is later rendered to HTML can therefore inject script into pages viewed by other users, i.e. stored cross-site scripting (XSS). Users should update to one of the patched versions: 5.7.0, 3.10.5, 2.4.5, 2.1.16, or 1.30.4.
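A regression check for this issue, added here and not part of the advisory or of the PhpSpreadsheet project: it renders a single cell whose custom '@' number format alters the displayed value and reports whether the HTML output escaped the markup in the cell text. It assumes PhpSpreadsheet is installed via Composer (vendor/autoload.php next to the script); the marker string and the format code are constructed test data.

```php
<?php
// Regression check for the escaping condition described above (added example,
// not library code). Assumes vendor/autoload.php from a Composer install.
require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;

// Constructed harmless marker: tag-like text that must not reach the HTML raw.
$marker = '<b data-escape-check="1">probe</b>';

$spreadsheet = new Spreadsheet();
$sheet = $spreadsheet->getActiveSheet();
$sheet->setCellValue('A1', $marker);

// Custom format with a text placeholder: the literal prefix makes the
// formatted value differ from the stored value, the condition the advisory
// names as the trigger for the missing escaping.
$sheet->getStyle('A1')->getNumberFormat()->setFormatCode('"Name: "@');

$writer = new Html($spreadsheet);
$html = $writer->generateHtmlAll();

// Expected on a patched version: the '<' of the marker is emitted as '&lt;'.
if (str_contains($html, '<b data-escape-check')) {
    echo "FAIL: raw markup reached the HTML output (unescaped cell text)\n";
    exit(1);
}
if (str_contains($html, '&lt;b data-escape-check')) {
    echo "PASS: cell text was HTML-escaped\n";
    exit(0);
}
echo "UNKNOWN: marker not found in either form; inspect the output manually\n";
exit(2);
```

Run it before and after upgrading: an exit status of 1 means the installed version still emits the cell text unescaped under this format.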

Affected Version(s)

PhpSpreadsheet >= 4.0.0, <= 5.6.0

PhpSpreadsheet >= 3.3.0, <= 3.10.4

PhpSpreadsheet >= 2.2.0, <= 2.4.4

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved