VulnerableCode Package Details - pkg:composer/phpoffice/phpspreadsheet@5.6.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-ccuv-g8wh-1ybh Aliases: CVE-2026-40902 GHSA-7c6m-4442-2x6m	PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a minimal XLSX file (~1.6KB) containing a <row r="999999999"/> element that inflates cachedHighestRow to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.	5.7.0 Affected by 0 other vulnerabilities.
VCID-nuf2-c8f7-x3hp Aliases: CVE-2026-40863 GHSA-84wq-86v6-x5j6	PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.	5.7.0 Affected by 0 other vulnerabilities.
VCID-pvr2-uryz-wydb Aliases: CVE-2026-35453 GHSA-6wpp-88cp-7q68	PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.	5.7.0 Affected by 0 other vulnerabilities.
VCID-zn8r-355x-h3az Aliases: CVE-2026-40296 GHSA-hrmw-qprp-wgmc	PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.	5.7.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-ccuv-g8wh-1ybh
Aliases:
CVE-2026-40902
GHSA-7c6m-4442-2x6m

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a minimal XLSX file (~1.6KB) containing a <row r="999999999"/> element that inflates cachedHighestRow to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

5.7.0
Affected by 0 other vulnerabilities.

VCID-nuf2-c8f7-x3hp
Aliases:
CVE-2026-40863
GHSA-84wq-86v6-x5j6

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

5.7.0
Affected by 0 other vulnerabilities.

VCID-pvr2-uryz-wydb
Aliases:
CVE-2026-35453
GHSA-6wpp-88cp-7q68

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

5.7.0
Affected by 0 other vulnerabilities.

VCID-zn8r-355x-h3az
Aliases:
CVE-2026-40296
GHSA-hrmw-qprp-wgmc

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.

5.7.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-bv2n-rthc-h3ar	PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.	CVE-2026-34084 GHSA-q4q6-r8wh-5cgh

Vulnerability

Summary

Aliases

VCID-bv2n-rthc-h3ar

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.

CVE-2026-34084
GHSA-q4q6-r8wh-5cgh

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:29:42.482945+00:00	GHSA Importer	Affected by	VCID-ccuv-g8wh-1ybh	https://github.com/advisories/GHSA-7c6m-4442-2x6m	38.6.0
2026-06-13T06:29:42.267275+00:00	GHSA Importer	Affected by	VCID-nuf2-c8f7-x3hp	https://github.com/advisories/GHSA-84wq-86v6-x5j6	38.6.0
2026-06-13T06:29:42.158064+00:00	GHSA Importer	Fixing	VCID-bv2n-rthc-h3ar	https://github.com/advisories/GHSA-q4q6-r8wh-5cgh	38.6.0
2026-06-13T06:29:40.781183+00:00	GHSA Importer	Affected by	VCID-zn8r-355x-h3az	https://github.com/advisories/GHSA-hrmw-qprp-wgmc	38.6.0
2026-06-13T06:29:40.674016+00:00	GHSA Importer	Affected by	VCID-pvr2-uryz-wydb	https://github.com/advisories/GHSA-6wpp-88cp-7q68	38.6.0
2026-06-12T22:15:43.649998+00:00	GitLab Importer	Affected by	VCID-ccuv-g8wh-1ybh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-40902.yml	38.6.0
2026-06-12T22:15:31.515798+00:00	GitLab Importer	Affected by	VCID-nuf2-c8f7-x3hp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-40863.yml	38.6.0
2026-06-12T22:15:06.472274+00:00	GitLab Importer	Fixing	VCID-bv2n-rthc-h3ar	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-34084.yml	38.6.0
2026-06-12T22:14:28.131903+00:00	GitLab Importer	Affected by	VCID-zn8r-355x-h3az	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-40296.yml	38.6.0
2026-06-12T22:14:23.539975+00:00	GitLab Importer	Affected by	VCID-pvr2-uryz-wydb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-35453.yml	38.6.0
2026-06-12T07:45:53.838147+00:00	GithubOSV Importer	Fixing	VCID-bv2n-rthc-h3ar	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-q4q6-r8wh-5cgh/GHSA-q4q6-r8wh-5cgh.json	38.6.0