phpoffice/phpspreadsheet Security Advisories for 2.4.4 (4)
- [HIGH] PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
  PKSA-gz3f-3cz3-3wsw CVE-2026-40902 GHSA-7c6m-4442-2x6m
  Affected version: <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0
  Reported by: GitHub

- [HIGH] PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
  PKSA-x13r-n4wc-4gcr CVE-2026-40863 GHSA-84wq-86v6-x5j6
  Affected version: <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0
  Reported by: GitHub

- [MEDIUM] PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer
  PKSA-hznc-gbby-6w16 CVE-2026-40296 GHSA-hrmw-qprp-wgmc
  Affected version: <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0
  Reported by: GitHub

- [MEDIUM] PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer
  PKSA-jtdk-dcr5-f11n CVE-2026-35453 GHSA-6wpp-88cp-7q68
  Affected version: <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0
  Reported by: GitHub