PT-2026-6356 — XSS in Packagist Solspace/Craft-Freeform

PT-2026-6356 · Packagist · Solspace/Craft-Freeform

Published

2026-01-15

Updated

2026-01-15

CVSS v4.0

1.9

Low

Vector

AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

Summary

Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

PhpOfficePhpSpreadsheetWriterHtml doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

See https://github.com/advisories/GHSA-wgmf-q9vr-vww6

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Example target script:

<?php

require 'vendor/autoload.php';

$reader = PhpOfficePhpSpreadsheetIOFactory::createReader("Xlsx");
$spreadsheet = $reader->load( DIR  . '/book.xlsx');

$writer = new PhpOfficePhpSpreadsheetWriterHtml($spreadsheet);
print($writer->generateHTMLAll());

Save this file in the same directory:

book.xlsx

Open index.php in a web browser. An alert should be displayed.

Impact

What kind of vulnerability is it? Who is impacted?

Full takeover of the session of users viewing spreadsheet files as HTML.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

GHSA-44JG-MV3H-WJ6G

Affected Products

Solspace/Craft-Freeform