PT-2026-35931 · Unknown · Phpspreadsheet

Marduc812 · Published 2026-04-28 · Updated 2026-05-08 · CVE-2026-35453

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

PhpSpreadsheet versions prior to 1.30.4
PhpSpreadsheet versions 2.0.0 through 2.1.15
PhpSpreadsheet versions 2.2.0 through 2.4.4
PhpSpreadsheet versions 3.3.0 through 3.10.4
PhpSpreadsheet versions 4.0.0 through 5.6.0

Description

The HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format that contains the @ text placeholder combined with additional literal text (e.g., @ "items"). The formatter substitutes the raw cell value into the format string and returns early, so the escaping callback that the HTML Writer passes to the formatter is never invoked for that cell. Consequently, an attacker who controls cell content in a spreadsheet that is rendered with the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. Note that the number format is stored in the workbook alongside the value, so an attacker who supplies the spreadsheet file controls both the trigger and the payload; the injected script runs in the browser of whoever views the generated HTML (UI:R, S:C).

Recommendations

Update to version 1.30.4 for versions prior to 1.30.4.
Update to version 2.1.16 for versions 2.0.0 through 2.1.15.
Update to version 2.4.5 for versions 2.2.0 through 2.4.4.
Update to version 3.10.5 for versions 3.3.0 through 3.10.4.
Update to version 5.7.0 for versions 4.0.0 through 5.6.0.
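The following regression check is an added example and is not part of this advisory or of the PhpSpreadsheet project. It renders a single cell containing a harmless HTML probe through the HTML Writer under the format code named in the description (@ "items") plus a few control formats, and reports whether the probe reached the output unescaped. It assumes a Composer install of phpoffice/phpspreadsheet with vendor/autoload.php next to the script; the probe string and the list of format codes are constructed for this example. Run it before and after applying the update from the recommendations above: on an affected version the @ "items" row should report UNESCAPED, on a fixed version every row should report escaped.

```php
<?php
// Added regression check, not PhpSpreadsheet project code.
// Assumes: composer require phpoffice/phpspreadsheet, autoload.php in ./vendor.
require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;

// Constructed probe: only a problem if it survives without htmlspecialchars().
const PROBE = '<img src=x onerror="alert(\'xss\')">';

// Constructed format codes. The first is the pattern from the advisory
// (@ placeholder plus literal text); the others are controls for comparison.
const FORMATS = [
    '@ "items"',   // advisory pattern: placeholder followed by literal text
    '"Qty: "@',    // literal text before the placeholder
    '@',           // bare text placeholder
    'General',     // default number format
];

// Render one cell with the given value and number format and return the HTML.
function renderCell(string $value, string $formatCode): string
{
    $spreadsheet = new Spreadsheet();
    $sheet = $spreadsheet->getActiveSheet();
    $sheet->setCellValue('A1', $value);
    $sheet->getStyle('A1')->getNumberFormat()->setFormatCode($formatCode);

    $writer = new Html($spreadsheet);
    $html = $writer->generateHtmlAll();
    $spreadsheet->disconnectWorksheets();

    return $html;
}

// Classify the output: a raw "<img src=x" means the value bypassed escaping,
// "&lt;img src=x" means htmlspecialchars() was applied.
function classify(string $html): string
{
    if (strpos($html, '<img src=x') !== false) {
        return 'UNESCAPED (vulnerable)';
    }
    if (strpos($html, '&lt;img src=x') !== false) {
        return 'escaped';
    }

    return 'probe not found (check cell rendering)';
}

$vulnerable = false;
foreach (FORMATS as $format) {
    $result = classify(renderCell(PROBE, $format));
    printf("%-12s %s\n", $format, $result);
    $vulnerable = $vulnerable || strpos($result, 'UNESCAPED') === 0;
}

// Non-zero exit so the check can gate a CI pipeline.
exit($vulnerable ? 1 : 0);
```

The check deliberately greps for the probe rather than comparing whole documents, because the HTML Writer's surrounding markup (styles, table layout) varies between releases; only the presence of the unescaped tag matters.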

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-35453
GHSA-6WPP-88CP-7Q68

Affected Products

Phpspreadsheet