Resource Exhaustion Vulnerability in PhpSpreadsheet by PHPOffice
CVE-2026-40902

7.5 HIGH

Key Information:

Vendor

PHPOffice
CVE Published:
12 May 2026

What is CVE-2026-40902?

The XLSX reader in the PhpSpreadsheet library does not validate the row numbers it reads from worksheet XML attributes. Specifically, ColumnAndRowAttributes::readRowAttributes() does not check these row numbers against a maximum limit, so an attacker can craft a malicious XLSX file whose row attributes inflate the highest cached row number far beyond anything a real worksheet contains. Subsequent row iteration then loops over that inflated range, consuming CPU and causing a denial of service. The issue was fixed in several release branches; users should update to a fixed version to mitigate the attack.
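The check below is an added example, not PhpSpreadsheet's own code or its fix: a stand-alone screen that opens an XLSX package, streams every worksheet part, and reports any sheet whose highest declared `<row r="...">` number exceeds a cap, so a hostile file can be rejected before it reaches a full spreadsheet parser. The cap of 1,048,576 is the XLSX worksheet row limit; that this is the right bound, and the helper names (`build_xlsx`, `scan_row_attributes`, `find_oversized_sheets`), are assumptions of the example. The sample workbooks are constructed in memory.

```python
"""Screen an XLSX for implausible row numbers before a spreadsheet parser sees it.

Added example, not PhpSpreadsheet code. The cap below is the XLSX worksheet
row limit; treating it as the right bound for a screener is an assumption.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAX_XLSX_ROWS = 1_048_576  # XLSX worksheet row limit (assumed cap)
SHEET_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
SHEET_PART = re.compile(r"xl/worksheets/sheet\d+\.xml")


def build_xlsx(row_numbers):
    """Build a minimal XLSX (a zip) with one worksheet declaring the given rows.

    Constructed test input: enough of the package for a row-attribute scan, not
    a complete workbook. row_numbers may be ints or digit strings.
    """
    rows = "".join(f'<row r="{r}"><c r="A{r}"><v>1</v></c></row>' for r in row_numbers)
    sheet = ('<?xml version="1.0" encoding="UTF-8"?>'
             f'<worksheet xmlns="{SHEET_NS}"><sheetData>{rows}</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def scan_row_attributes(xlsx_bytes, max_rows=MAX_XLSX_ROWS):
    """Return {worksheet part: highest declared row number}.

    Streams each sheet with iterparse so the scan stays linear in file size.
    A digit string longer than 18 characters is never converted; it is recorded
    as max_rows + 1 ("over the cap") so the screener's own int() parsing cannot
    be turned into the expensive step.
    """
    highest = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if not SHEET_PART.fullmatch(name):
                continue
            top = 0
            with z.open(name) as fh:
                for _event, elem in ET.iterparse(fh, events=("end",)):
                    if elem.tag == f"{{{SHEET_NS}}}row":
                        r = elem.get("r", "")
                        if r.isascii() and r.isdigit():
                            value = int(r) if len(r) <= 18 else max_rows + 1
                            top = max(top, value)
                    elem.clear()  # release the subtree; only the attribute mattered
            highest[name] = top
    return highest


def find_oversized_sheets(xlsx_bytes, max_rows=MAX_XLSX_ROWS):
    """Return {worksheet part: highest row} for sheets over the cap; {} means OK."""
    return {name: top for name, top in scan_row_attributes(xlsx_bytes, max_rows).items()
            if top > max_rows}


if __name__ == "__main__":
    benign = build_xlsx([1, 2, 50])
    hostile = build_xlsx([1, 2_000_000_000])  # one attribute, two billion loop iterations
    print("benign:", find_oversized_sheets(benign))
    print("hostile:", find_oversized_sheets(hostile))
```

The hostile workbook is a few hundred bytes but declares a row two billion deep; a reader that loops from row 1 to the highest cached row pays for every one of those rows, which is the asymmetry the advisory describes. The screen rejects it in one pass over the XML, and the length guard on the `r` attribute keeps the screener itself from doing unbounded work on a multi-kilobyte digit string.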

Affected Version(s)

PhpSpreadsheet < 1.30.4 (fixed in 1.30.4)

PhpSpreadsheet >= 2.0.0, < 2.1.16 (fixed in 2.1.16)

PhpSpreadsheet >= 2.2.0, < 2.4.5 (fixed in 2.4.5)

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 12 May 2026

  • Vulnerability reserved
