Report: Latest: CVE-2026-40296 - PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes

CVE ID: CVE-2026-40296

Published: May 6, 2026, 10:16 p.m.

Description: PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example

CVE Details

Published: May 6, 2026
Affected Product: PHP