CVE-2026-35453

Exploit

EPSS 0.2%
Veröffentlicht 05.05.2026 20:16:38
Zuletzt bearbeitet 08.05.2026 17:08:50
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

PhpSpreadsheet XSS via number format text substitution in HTML Writer

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 5 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Phpoffice ≫ Phpspreadsheet Version < 1.30.4

Phpoffice ≫ Phpspreadsheet Version >= 2.0.0 < 2.1.16

Phpoffice ≫ Phpspreadsheet Version >= 2.2.0 < 2.4.5

Phpoffice ≫ Phpspreadsheet Version >= 3.3.0 < 3.10.5

Phpoffice ≫ Phpspreadsheet Version >= 4.0.0 < 5.7.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.101

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	4.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6wpp-88cp-7q68

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-35453

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35453

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35453

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35453