PT-2026-37107 · Unknown · Phpspreadsheet

Offset

·

Published

2026-04-29

·

Updated

2026-05-12

·

CVE-2026-40902

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

PhpSpreadsheet versions prior to 1.30.4
PhpSpreadsheet versions prior to 2.1.16
PhpSpreadsheet versions prior to 2.4.5
PhpSpreadsheet versions prior to 3.10.5
PhpSpreadsheet versions prior to 5.7.0

Description

The XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spreadsheet's maximum row limit (AddressRange::MAX_ROW). An attacker can craft a minimal XLSX file containing a <row r="999999999"/> element that inflates the cachedHighestRow variable. Any subsequent row iteration then attempts approximately 1 billion loop cycles, leading to CPU resource exhaustion, and to memory exhaustion as well if data is accumulated during iteration. The root cause is that the row index is cast directly from the XML attribute without bounds checking in readRowAttributes().

Recommendations

Update to version 1.30.4.
Update to version 2.1.16.
Update to version 2.4.5.
Update to version 3.10.5.
Update to version 5.7.0.
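
The row-attribute path the description refers to, sketched as an added example in PHP (illustrative code, not PhpSpreadsheet's own reader): the unchecked function mirrors the flaw, the checked one rejects any index outside 1..MAX_ROW before it can inflate the cached highest row. It assumes MAX_ROW = 1048576 (Excel's row limit, matching AddressRange::MAX_ROW) and uses a constructed worksheet XML fragment that omits the SpreadsheetML namespace.

```php
<?php
// Added example (not PhpSpreadsheet's own code): reading <row r="..."> from a
// worksheet XML part without and with a bounds check on the row index.
declare(strict_types=1);

// Assumption: the limit is Excel's 1,048,576 rows (PhpSpreadsheet's
// AddressRange::MAX_ROW); hard-coded so the example runs stand-alone.
const MAX_ROW = 1048576;

// Vulnerable pattern: the highest row is whatever the XML claims, so one
// oversized r="..." drives every later 1..$highest loop.
function highestRowUnchecked(string $sheetXml): int
{
    $highest = 0;
    foreach ((new SimpleXMLElement($sheetXml))->sheetData->row as $row) {
        $highest = max($highest, (int) $row['r']); // no bounds check
    }
    return $highest;
}

// Hardened pattern: a non-numeric or out-of-range index is rejected before
// it can be cached as the highest row.
function highestRowChecked(string $sheetXml): int
{
    $highest = 0;
    foreach ((new SimpleXMLElement($sheetXml))->sheetData->row as $row) {
        $attr = (string) $row['r'];
        if (!ctype_digit($attr) || (int) $attr < 1 || (int) $attr > MAX_ROW) {
            throw new UnexpectedValueException("Invalid row index: '$attr'");
        }
        $highest = max($highest, (int) $attr);
    }
    return $highest;
}

// Constructed sample (no namespace, for brevity): one real row followed by
// the oversized index quoted in the advisory.
$sheet = '<?xml version="1.0"?><worksheet><sheetData>'
       . '<row r="3"><c r="A3"><v>1</v></c></row>'
       . '<row r="999999999"/>'
       . '</sheetData></worksheet>';

echo 'unchecked highest row: ' . highestRowUnchecked($sheet) . PHP_EOL;
try {
    highestRowChecked($sheet);
} catch (UnexpectedValueException $e) {
    echo 'checked: ' . $e->getMessage() . PHP_EOL;
}
```

A reader that skips the offending row instead of throwing is an equally valid hardening, as long as the out-of-range value never reaches the cached highest-row bookkeeping.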

Weakness Enumeration

Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

CVE-2026-40902
GHSA-7C6M-4442-2X6M

Affected Products

Phpspreadsheet