PhpSpreadsheet is a PHP library for spreadsheet file manipulation. The vulnerability arises in the HTML writer component, which fails to apply htmlspecialchars escaping if a cell's formatted value differs from its original value. This difference occurs when a custom number format uses the '@' placeholder combined with extra literal characters, causing the formatted output to bypass HTML escaping. An attacker with the ability to upload spreadsheets and control cell values and number formats can exploit this to achieve stored XSS when the spreadsheet is rendered as HTML. The issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4, but no direct patch links or vendor advisory details are provided in the input.

Successful exploitation allows an attacker to execute stored cross-site scripting attacks by injecting malicious scripts into spreadsheet cells that are later rendered as HTML. This can lead to limited confidentiality and integrity impacts, such as theft of user session data or manipulation of displayed content. The CVSS score of 5.4 reflects a medium severity with network attack vector, low attack complexity, requiring low privileges and user interaction, and partial impact on confidentiality and integrity but no impact on availability.

The vulnerability is fixed in PhpSpreadsheet versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4. Users should upgrade affected PhpSpreadsheet installations to these or later versions to remediate the issue. Since no vendor advisory or patch links are provided, confirm patch availability and upgrade guidance from the official PHPOffice PhpSpreadsheet project resources before deployment. Until patched, avoid processing untrusted spreadsheet files or displaying their HTML-rendered content to untrusted users.