Package details: pkg:composer/phpoffice/phpspreadsheet@2.1.16
purl pkg:composer/phpoffice/phpspreadsheet@2.1.16
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability Summary Aliases

VCID-ccuv-g8wh-1ybh
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a minimal XLSX file (~1.6KB) containing a <row r="999999999"/> element that inflates cachedHighestRow to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
Aliases: CVE-2026-40902, GHSA-7c6m-4442-2x6m

VCID-nuf2-c8f7-x3hp
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
Aliases: CVE-2026-40863, GHSA-84wq-86v6-x5j6

VCID-pvr2-uryz-wydb
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
Aliases: CVE-2026-35453, GHSA-6wpp-88cp-7q68

VCID-zn8r-355x-h3az
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.
Aliases: CVE-2026-40296, GHSA-hrmw-qprp-wgmc
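The two denial-of-service advisories above (VCID-ccuv-g8wh-1ybh for XLSX, VCID-nuf2-c8f7-x3hp for SpreadsheetML) share one root cause: a row index taken from attacker-controlled XML is trusted beyond AddressRange::MAX_ROW. Upgrading to a fixed release is the real remedy; the following is an added example of a pre-parse guard an upload handler can run before handing a file to any spreadsheet library. It is not PhpSpreadsheet code. The scanner function names, the MAX_PART_BYTES cap, and the sample files are assumptions constructed for this example; MAX_ROW is the limit the advisories name.

```python
"""Pre-parse guard for uploaded spreadsheets (added example, not PhpSpreadsheet
code): flag XLSX and SpreadsheetML files whose row indices fall outside
1..AddressRange::MAX_ROW before the library ever reads them."""
import io
import zipfile
import xml.etree.ElementTree as ET  # in production prefer defusedxml (entity expansion)

MAX_ROW = 1_048_576  # AddressRange::MAX_ROW, the Excel row limit
MAX_PART_BYTES = 64 * 1024 * 1024  # assumed per-member cap, a zip-bomb guard

XLSX_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
SML_NS = "{urn:schemas-microsoft-com:office:spreadsheet}"


def _row_attr_is_bad(value):
    """True when a row index attribute is non-numeric, zero or beyond MAX_ROW."""
    return value is not None and (not value.isdigit() or not 1 <= int(value) <= MAX_ROW)


def _bad_row_attrs(xml_bytes, tag, attr):
    """Stream-parse one XML part and collect offending values of `attr` on `tag`.
    iterparse keeps memory flat even when a sheet is padded with many rows."""
    bad = []
    for _event, elem in ET.iterparse(io.BytesIO(xml_bytes), events=("end",)):
        if elem.tag == tag and _row_attr_is_bad(elem.get(attr)):
            bad.append(elem.get(attr))
        elem.clear()
    return bad


def scan_xlsx(data):
    """Return {worksheet part: [bad row 'r' values]} for an XLSX given as bytes.
    An empty dict means no row index exceeded the limit."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not (info.filename.startswith("xl/worksheets/") and info.filename.endswith(".xml")):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings[info.filename] = ["part exceeds MAX_PART_BYTES"]
                continue
            bad = _bad_row_attrs(zf.read(info.filename), XLSX_NS + "row", "r")
            if bad:
                findings[info.filename] = bad
    return findings


def scan_spreadsheetml(xml_bytes):
    """Return ss:Index values on <Row> elements that fall outside 1..MAX_ROW."""
    return _bad_row_attrs(xml_bytes, SML_NS + "Row", SML_NS + "Index")


def build_xlsx(row_index):
    """Constructed sample: the minimal worksheet shape the advisory describes,
    one <row r="..."> element. Only the part the scanner inspects is included."""
    sheet = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        f'<sheetData><row r="{row_index}"><c r="A{row_index}"><v>1</v></c></row></sheetData>'
        "</worksheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def build_spreadsheetml(row_index):
    """Constructed sample SpreadsheetML document with one <Row ss:Index="...">."""
    return (
        '<?xml version="1.0"?>'
        '<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"'
        ' xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet">'
        '<Worksheet ss:Name="Sheet1"><Table>'
        f'<Row ss:Index="{row_index}"><Cell><Data ss:Type="Number">1</Data></Cell></Row>'
        "</Table></Worksheet></Workbook>"
    ).encode()


if __name__ == "__main__":
    print(scan_xlsx(build_xlsx(999_999_999)))                     # flagged
    print(scan_xlsx(build_xlsx(10)))                              # clean
    print(scan_spreadsheetml(build_spreadsheetml(999_999_999)))   # flagged
```

Run the scanner on the raw upload and reject the file on any finding; do not try to "repair" the index, since a sparse row far below the limit can still be a legitimate sheet. The check covers only the attribute the two advisories describe; a cell reference such as r="A999999999" is a separate input the library also parses, and a guard that also bounds those is a reasonable extension.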

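The two HTML writer advisories above (VCID-pvr2-uryz-wydb and VCID-zn8r-355x-h3az) describe the same bug class: escaping is conditioned on "formatted output equals raw value", and any text format that adds characters around @ defeats that condition. The block below is an added model of the decision, not PhpSpreadsheet's code; apply_text_format, render_cell_vulnerable, render_cell_fixed, format_triggers_bypass and the PROBE sentinel are names invented for this example, and the formatter is a deliberate simplification (no multi-section formats, no backslash escapes). The fixed variant shows the property the upstream releases restore: escape the final string unconditionally.

```python
"""Model of the HTML writer escaping bypass (added example, not PhpSpreadsheet
code): a text number format with '@' plus literal text makes the formatted
string differ from the raw value, which the vulnerable path took as its reason
to skip htmlspecialchars(). Includes a triage helper for spotting such formats."""
import html

PROBE = "\x00probe\x00"  # sentinel value that no real format code will contain


def apply_text_format(value, fmt):
    """Simplified text-section formatter: '@' is replaced by the raw cell value,
    "double-quoted" runs are emitted verbatim, any other character is copied.
    Multi-section formats (';') and backslash escapes are ignored for brevity."""
    out = []
    i = 0
    while i < len(fmt):
        ch = fmt[i]
        if ch == '"':
            end = fmt.find('"', i + 1)
            if end == -1:          # unterminated literal: take the rest as text
                end = len(fmt)
            out.append(fmt[i + 1:end])
            i = end + 1
        elif ch == "@":
            out.append(value)
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def render_cell_vulnerable(value, fmt):
    """The bug class: escape only when formatting left the value unchanged."""
    formatted = apply_text_format(value, fmt)
    if formatted == value:
        return html.escape(formatted)
    return formatted  # raw value (and raw literals) reach the HTML unescaped


def render_cell_fixed(value, fmt):
    """Escape the final formatted string unconditionally. Escaping after
    formatting also neutralises literal text from an attacker-supplied format,
    which matters because VCID-zn8r-355x-h3az assumes the attacker controls both."""
    return html.escape(apply_text_format(value, fmt))


def format_triggers_bypass(fmt):
    """Triage helper: True when the format changes a text value at all, i.e. when
    the vulnerable writer would have skipped escaping for cells using it."""
    return apply_text_format(PROBE, fmt) != PROBE


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"   # constructed attacker cell value
    for fmt in ("@", '@ "items"', ". @", "x@"):
        print(repr(fmt), format_triggers_bypass(fmt),
              render_cell_vulnerable(payload, fmt), render_cell_fixed(payload, fmt))
```

format_triggers_bypass is useful when auditing a stored workbook: iterate the cell styles and flag any number format for which it returns True, which is exactly the set of formats a pre-2.1.16 HTML writer would have rendered without escaping.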
Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-13T06:29:42.390039+00:00 GHSA Importer Fixing VCID-ccuv-g8wh-1ybh https://github.com/advisories/GHSA-7c6m-4442-2x6m 38.6.0
2026-06-13T06:29:42.309071+00:00 GHSA Importer Fixing VCID-nuf2-c8f7-x3hp https://github.com/advisories/GHSA-84wq-86v6-x5j6 38.6.0
2026-06-13T06:29:40.821006+00:00 GHSA Importer Fixing VCID-zn8r-355x-h3az https://github.com/advisories/GHSA-hrmw-qprp-wgmc 38.6.0
2026-06-13T06:29:40.641837+00:00 GHSA Importer Fixing VCID-pvr2-uryz-wydb https://github.com/advisories/GHSA-6wpp-88cp-7q68 38.6.0
2026-06-12T22:15:43.415700+00:00 GitLab Importer Fixing VCID-ccuv-g8wh-1ybh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-40902.yml 38.6.0
2026-06-12T22:15:31.281923+00:00 GitLab Importer Fixing VCID-nuf2-c8f7-x3hp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-40863.yml 38.6.0
2026-06-12T22:14:27.891289+00:00 GitLab Importer Fixing VCID-zn8r-355x-h3az https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-40296.yml 38.6.0
2026-06-12T22:14:23.277629+00:00 GitLab Importer Fixing VCID-pvr2-uryz-wydb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-35453.yml 38.6.0
2026-06-12T07:46:49.443613+00:00 GithubOSV Importer Fixing VCID-ccuv-g8wh-1ybh https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-7c6m-4442-2x6m/GHSA-7c6m-4442-2x6m.json 38.6.0
2026-06-12T07:46:32.098066+00:00 GithubOSV Importer Fixing VCID-nuf2-c8f7-x3hp https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-84wq-86v6-x5j6/GHSA-84wq-86v6-x5j6.json 38.6.0
2026-06-12T07:45:45.070001+00:00 GithubOSV Importer Fixing VCID-pvr2-uryz-wydb https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6wpp-88cp-7q68/GHSA-6wpp-88cp-7q68.json 38.6.0
2026-06-12T07:45:33.444444+00:00 GithubOSV Importer Fixing VCID-zn8r-355x-h3az https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hrmw-qprp-wgmc/GHSA-hrmw-qprp-wgmc.json 38.6.0