Lucene search
K

344 matches found

NVD
NVD
added 2026/05/06 10:16 p.m.17 views

CVE-2026-40296

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal...

5.4CVSS0.00225EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/06 8:48 p.m.37 views

CVE-2026-40296 PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal...

5.4CVSS0.00225EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/06 8:48 p.m.6 views

EUVD-2026-28221

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal...

5.4CVSS5.4AI score0.00225EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/06 8:48 p.m.4 views

CVE-2026-40296

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal...

5.4CVSS5.4AI score0.00225EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/06 8:48 p.m.13 views

CVE-2026-40296 PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal...

5.4CVSS5.4AI score0.00225EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/06 8:22 p.m.8 views

CVE-2026-35453

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars output escaping when a cell uses a custom number format containin...

5.4CVSS6AI score0.00202EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/06 12:0 a.m.20 views

PhpSpreadsheet 跨站脚本漏洞

PhpSpreadsheet is a PHP library developed by PHPOffice, designed for reading and writing spreadsheet files. Versions prior to PhpSpreadsheet 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4 contained a cross-site scripting vulnerability. This vulnerability stemmed from HTML writers skipping...

5.4CVSS5.8AI score0.00225EPSS
Exploits1References1
NVD
NVD
added 2026/05/05 8:16 p.m.5 views

CVE-2026-35453

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars output escaping when a cell uses a custom number format containin...

5.4CVSS0.00202EPSS
Exploits1References1
NVD
NVD
added 2026/05/05 8:16 p.m.19 views

CVE-2026-34084

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

9.8CVSS0.00712EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/05 7:39 p.m.28 views

CVE-2026-35453 PhpSpreadsheet XSS via number format text substitution in HTML Writer

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars output escaping when a cell uses a custom number format containin...

4.8CVSS0.00202EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/05 7:39 p.m.8 views

CVE-2026-35453 PhpSpreadsheet XSS via number format text substitution in HTML Writer

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars output escaping when a cell uses a custom number format containin...

4.8CVSS6AI score0.00202EPSS
Exploits1References1
CVE
CVE
added 2026/05/05 7:39 p.m.34 views

CVE-2026-35453

PhpSpreadsheet contains an XSS vulnerability in the HTML Writer when a cell uses a custom number format with an @ placeholder and additional literal text. The formatter returns early and escaping via htmlspecialchars() is skipped, allowing injected HTML/JavaScript in the generated HTML. Affected ...

5.4CVSS6AI score0.00202EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/05 7:39 p.m.12 views

CVE-2026-35453

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars output escaping when a cell uses a custom number format containin...

4.8CVSS6AI score0.00202EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/05/05 7:22 p.m.39 views

CVE-2026-34084 PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

9.2CVSS0.00712EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/05 7:22 p.m.6 views

CVE-2026-34084 PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

9.2CVSS6.4AI score0.00712EPSS
Exploits1References1
CVE
CVE
added 2026/05/05 7:22 p.m.40 views

CVE-2026-34084

CVE-2026-34084 describes a vulnerability in PhpSpreadsheet where IOFactory::load() with a user-controlled filename can pass PHP stream wrappers (phar://, ftp://, ssh2.sftp://) to is_file(), triggering PHAR deserialization and potential remote code execution if an appropriate gadget chain exists. ...

9.8CVSS6.4AI score0.00712EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/05 7:22 p.m.11 views

CVE-2026-34084

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

9.2CVSS6.4AI score0.00712EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/05/05 12:0 a.m.17 views

PhpSpreadsheet 代码问题漏洞

PhpSpreadsheet is a PHP library developed by PHPOffice, designed for reading and writing spreadsheet files. Code vulnerabilities exist in versions 1.30.2 and earlier, as well as versions 2.0.0 to 2.1.14, 2.2.0 to 2.4.3, 3.3.0 to 3.10.3, and 4.0.0 to 5.5.0 of PhpSpreadsheet. These vulnerabilities...

9.8CVSS6.4AI score0.00712EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/05 12:0 a.m.10 views

PhpSpreadsheet 跨站脚本漏洞

PhpSpreadsheet is a PHP library developed by PHPOffice, designed for reading and writing spreadsheet files. PhpSpreadsheet has a cross-site scripting vulnerability. This vulnerability arises when the HTML Writer skips htmlspecialchars output escaping when using custom number formats that contain ...

5.4CVSS5.8AI score0.00202EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/29 8:24 p.m.6 views

Cross-site Scripting (XSS)

Overview phpoffice/phpspreadsheet is a Spreadsheet engine that Read, Create and Write Spreadsheet documents in PHP . Affected versions of this package are vulnerable to Cross-site Scripting XSS through the readRowAttributes process. An attacker can exhaust CPU and memory resources by submitting a...

8.7CVSS5.5AI score0.00395EPSS
Exploits1References2
Rows per page
Query Builder