CVE-2026-35453: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PHPOffice PhpSpreadsheet
CVE-2026-35453 is a cross-site scripting (XSS) vulnerability in the PHPOffice PhpSpreadsheet library affecting multiple versions up to 5. 6. 0. The issue arises because the HTML Writer component fails to properly escape output when a cell uses a custom number format containing the @ text placeholder with additional literal text. This allows an attacker controlling spreadsheet cell content to inject arbitrary HTML or JavaScript into the generated HTML output. The vulnerability has a medium severity with a CVSS score of 4. 8. Fixes have been released in versions 1. 30. 4, 2.
AI Analysis
Technical Summary
PhpSpreadsheet versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0 contain a CWE-79 cross-site scripting vulnerability in the HTML Writer. The vulnerability occurs because when a cell uses a custom number format with the @ placeholder plus additional literal text, the library skips the htmlspecialchars() escaping function. This happens because the escaping is only applied if the formatted output exactly matches the original cell value. When the format includes @ with quoted literal text, the raw cell value is substituted directly into the output without escaping, enabling injection of arbitrary HTML/JavaScript. This can be exploited by an attacker who can control spreadsheet cell content processed by the HTML Writer. The issue is fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
Potential Impact
An attacker able to control cell content in a spreadsheet processed by the vulnerable PhpSpreadsheet HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This could lead to cross-site scripting attacks when the HTML output is rendered in a browser context. The CVSS score of 4.8 indicates a medium severity impact with network attack vector, low complexity, no privileges required, and requiring user interaction.
Mitigation Recommendations
Fixed versions are available: 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. Users of PhpSpreadsheet should upgrade to one of these versions to remediate the vulnerability. Patch status is not explicitly stated in the vendor advisory content provided, but the presence of fixed versions indicates an official fix exists. No other mitigation guidance is provided or required.
CVE-2026-35453: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PHPOffice PhpSpreadsheet
Description
CVE-2026-35453 is a cross-site scripting (XSS) vulnerability in the PHPOffice PhpSpreadsheet library affecting multiple versions up to 5. 6. 0. The issue arises because the HTML Writer component fails to properly escape output when a cell uses a custom number format containing the @ text placeholder with additional literal text. This allows an attacker controlling spreadsheet cell content to inject arbitrary HTML or JavaScript into the generated HTML output. The vulnerability has a medium severity with a CVSS score of 4. 8. Fixes have been released in versions 1. 30. 4, 2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PhpSpreadsheet versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0 contain a CWE-79 cross-site scripting vulnerability in the HTML Writer. The vulnerability occurs because when a cell uses a custom number format with the @ placeholder plus additional literal text, the library skips the htmlspecialchars() escaping function. This happens because the escaping is only applied if the formatted output exactly matches the original cell value. When the format includes @ with quoted literal text, the raw cell value is substituted directly into the output without escaping, enabling injection of arbitrary HTML/JavaScript. This can be exploited by an attacker who can control spreadsheet cell content processed by the HTML Writer. The issue is fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
Potential Impact
An attacker able to control cell content in a spreadsheet processed by the vulnerable PhpSpreadsheet HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This could lead to cross-site scripting attacks when the HTML output is rendered in a browser context. The CVSS score of 4.8 indicates a medium severity impact with network attack vector, low complexity, no privileges required, and requiring user interaction.
Mitigation Recommendations
Fixed versions are available: 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. Users of PhpSpreadsheet should upgrade to one of these versions to remediate the vulnerability. Patch status is not explicitly stated in the vendor advisory content provided, but the presence of fixed versions indicates an official fix exists. No other mitigation guidance is provided or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-02T19:25:52.192Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa4dc2cbff5d86102152b5
Added to database: 5/5/2026, 8:06:26 PM
Last enriched: 5/5/2026, 8:21:53 PM
Last updated: 5/5/2026, 9:08:28 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.