CVE-2026-40863

Name of the Vulnerable Software and Affected Versions PhpSpreadsheet versions prior to 1.30.4 PhpSpreadsheet versions prior to 2.1.16 PhpSpreadsheet versions prior to 2.4.5 PhpSpreadsheet versions prior to 3.10.5 PhpSpreadsheet versions prior to 5.7.0

Description The SpreadsheetML XML reader (ReaderXml) fails to validate the ss:Index row attribute against the maximum allowed row count. An attacker can provide a crafted SpreadsheetML XML file with an excessively high ss:Index value on a <Row> element, which inflates the internal cachedHighestRow variable. Consequently, any subsequent call to the getRowIterator() function without a specified end row will attempt to iterate through an enormous number of rows, leading to CPU exhaustion and a denial of service. This issue occurs because the $rowID read from the ss:Index attribute is cast to an integer without an upper bound check before being processed by getRowDimension() and getCell().

Recommendations Update to version 1.30.4 or newer. Update to version 2.1.16 or newer. Update to version 2.4.5 or newer. Update to version 3.10.5 or newer. Update to version 5.7.0 or newer.