[MEDIUM] PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer

PKSA-hznc-gbby-6w16 CVE-2026-40296 GHSA-hrmw-qprp-wgmc

Affected package: phpoffice/phpspreadsheet

Affected version: <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0

Reported by:
GitHub