CVE-2026-40863 - Vulnerability Analysis
HighCVSS: 7.5Last Updated: May 13, 2026
PhpSpreadsheet - Denial of Service
Published: May 12, 2026Updated: May 13, 2026PoC AvailableRemote Exploitable
Overview
PhpSpreadsheet < 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0 contains a denial of service caused by lack of validation of ss:Index row attribute in SpreadsheetML XML reader, letting attackers cause CPU exhaustion by crafting large row indices, exploit requires crafted SpreadsheetML XML file.
Severity & Score
Severity: High
CVSS Score: 7.5
Impact
Attackers can cause CPU exhaustion and denial of service by forcing iteration over ~1 billion rows.
Mitigation
Upgrade to versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, or 5.7.0 or later.
Related Resources
Details
- CVE ID
- CVE-2026-40863
- Severity
- High
- CVSS Score
- 7.5
- Type
- denial_of_service
- Status
- confirmed
CWE
- CWE-770
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H