Vulnerabilities

Report: Update: CVE-2026-35453 - PhpSpreadsheet XSS via number format text substitution in HTML Writer

2026-05-05 0 views admin

CVE ID :CVE-2026-35453 Published : May 5, 2026, 7:39 p.m. | 46 minutes ago Description :PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @

CVE Details

CVE ID

CVE-2026-35453

Published

May 5, 2026

🏷️ Tags

reportupdate35453phpspreadsheetnumberformatsubstitutionwritercvexss

InfinitSec - Latest Cybersecurity, Technology & Gaming News

Report: Update: CVE-2026-35453 - PhpSpreadsheet XSS via number format text substitution in HTML Writer

CVE Details

🏷️ Tags

More from Vulnerabilities

Report: CVE-2026-27960 - OpenCTI privilege escalation and unauthenticated access via default admin account - Complete Guide

Report: CVE-2026-42997 - Dell Idrac Authorization Credential Exposure

Report: Latest: CVE-2026-7855 - D-Link DI-8100 HTTP Request tggl.asp tggl_asp buffer overflow

Report: CVE-2026-7854 - D-Link DI-8100 POST Parameter url_rule.asp url_rule_asp buffer overflow

Trending

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

CVE-2025-43939: Dell Unity OS Command Injection (High)

Google disputes false claims of massive Gmail data breach

Microsoft: DNS outage impacts Azure and Microsoft 365 services

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting