Denial of Service in PhpSpreadsheet Library for Reading Spreadsheet Files
CVE-2026-40863

7.5HIGH

Key Information:

Vendor: PHPoffice
Status: PHPspreadsheet
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-40863?

The PhpSpreadsheet library, which enables the reading and writing of spreadsheet files in PHP, is subject to a vulnerability affecting versions prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. The vulnerability arises from the SpreadsheetML XML reader's failure to validate the ss:Index row attribute against the maximum allowed row count, allowing an attacker to exploit it by crafting a malicious XML file. By setting the ss:Index value to an excessively high number, such as '999999999', an attacker can trigger an inflated internal cached highest row count, leading to an attempt to iterate through approximately one billion rows. This excessive processing can exhaust CPU resources, resulting in a denial of service condition for applications utilizing the PhpSpreadsheet library.

Affected Version(s)

PhpSpreadsheet < 1.30.4 < 1.30.4

PhpSpreadsheet >= 2.0.0, < 2.1.16 < 2.0.0, 2.1.16

PhpSpreadsheet >= 2.2.0, < 2.4.5 < 2.2.0, 2.4.5

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advi...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40863 Data

JSON

PHPoffice

What is CVE-2026-40863?

Affected Version(s)

References

CVSS V3.1

Timeline