CVE-2026-35453: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PHPOffice PhpSpreadsheet
CVE-2026-35453 is a cross-site scripting (XSS) vulnerability in the PHPOffice PhpSpreadsheet library affecting multiple versions up to 5.6.0. The issue arises because the HTML Writer component fails to properly escape output when a cell uses a custom number format with the @ text placeholder combined with additional literal text. This allows an attacker who can control spreadsheet cell content to inject arbitrary HTML and JavaScript into the generated output. The vulnerability has a medium severity with a CVSS score of 4.8. Fixes have been released in PhpSpreadsheet versions 1.30.4, 2.
AI Analysis
Technical Summary
PhpSpreadsheet versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0 contain an XSS vulnerability in the HTML Writer. The vulnerability occurs because the output escaping function htmlspecialchars() is skipped when a cell uses a custom number format containing the @ placeholder with additional literal text. This results in raw cell content being injected into the HTML output without proper escaping, enabling injection of arbitrary HTML and JavaScript. The issue is resolved in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
Potential Impact
An attacker able to control cell content in a spreadsheet processed by the vulnerable PhpSpreadsheet HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This could lead to cross-site scripting attacks when the HTML output is rendered in a browser context. The CVSS 4.8 score reflects a medium severity impact with network attack vector, low attack complexity, and requiring user interaction and low privileges.
Mitigation Recommendations
Upgrading to PhpSpreadsheet versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, or 5.7.0 or later addresses this vulnerability. Since these fixed versions are identified, users should apply these official updates to remediate the issue. Patch status is not explicitly stated in the vendor advisory content, but the presence of fixed versions indicates an official fix is available. No additional mitigation steps are specified.
CVE-2026-35453: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PHPOffice PhpSpreadsheet
Description
CVE-2026-35453 is a cross-site scripting (XSS) vulnerability in the PHPOffice PhpSpreadsheet library affecting multiple versions up to 5.6.0. The issue arises because the HTML Writer component fails to properly escape output when a cell uses a custom number format with the @ text placeholder combined with additional literal text. This allows an attacker who can control spreadsheet cell content to inject arbitrary HTML and JavaScript into the generated output. The vulnerability has a medium severity with a CVSS score of 4.8. Fixes have been released in PhpSpreadsheet versions 1.30.4, 2.
CVSS v4.0
Score 4.8medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PhpSpreadsheet versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0 contain an XSS vulnerability in the HTML Writer. The vulnerability occurs because the output escaping function htmlspecialchars() is skipped when a cell uses a custom number format containing the @ placeholder with additional literal text. This results in raw cell content being injected into the HTML output without proper escaping, enabling injection of arbitrary HTML and JavaScript. The issue is resolved in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
Potential Impact
An attacker able to control cell content in a spreadsheet processed by the vulnerable PhpSpreadsheet HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This could lead to cross-site scripting attacks when the HTML output is rendered in a browser context. The CVSS 4.8 score reflects a medium severity impact with network attack vector, low attack complexity, and requiring user interaction and low privileges.
Mitigation Recommendations
Upgrading to PhpSpreadsheet versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, or 5.7.0 or later addresses this vulnerability. Since these fixed versions are identified, users should apply these official updates to remediate the issue. Patch status is not explicitly stated in the vendor advisory content, but the presence of fixed versions indicates an official fix is available. No additional mitigation steps are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-02T19:25:52.192Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa4dc2cbff5d86102152b5
Added to database: 5/5/2026, 8:06:26 PM
Last enriched: 5/13/2026, 3:50:07 AM
Last updated: 6/20/2026, 7:33:59 AM
Views: 81
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.