{"id":"CVE-2026-40863","summary":"PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader","details":"PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index=\"999999999\" on a \u003cRow\u003e element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.","aliases":["GHSA-84wq-86v6-x5j6"],"modified":"2026-07-08T08:05:11.330679678Z","published":"2026-05-12T22:04:29.510Z","database_specific":{"cwe_ids":["CWE-770"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40863.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40863.json"},{"type":"ADVISORY","url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40863"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phpoffice/phpspreadsheet","events":[{"introduced":"0"},{"fixed":"02970383cc12e7bf0bc0707ea6e2e8ed23a7aec9"},{"introduced":"4a77798f835119754961a97714f135826a323caa"},{"fixed":"c91ff54b743e3f70f880e7145a9821474cd82f16"},{"introduced":"b0993b7e4d9c860133365d115b176bc6e0f57022"},{"fixed":"ec7815be350e03df90f3e2ace92653fa6cb4327c"},{"introduced":"87ddd21eb0b6b7ad20a11d314348ef307475f547"},{"fixed":"13f709c73e417c3c8cadc87ac88f809fd8d1fa45"},{"introduced":"2d4b9f3582102aafb6b1378fff8a20eeeacfb31c"},{"fixed":"9f55d3b9b7bcb1084fda8340e4b7ce4ed10cd0c8"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.30.4"},{"introduced":"2.0.0"},{"fixed":"2.1.16"},{"introduced":"2.2.0"},{"fixed":"2.4.5"},{"introduced":"3.3.0"},{"fixed":"3.10.5"},{"introduced":"4.0.0"},{"fixed":"5.7.0"}],"cpe":"cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*","source":"CPE_RANGE"}}],"versions":["5.6.0","1.30.3","3.10.4","2.4.4","2.1.15","5.5.0","3.10.3","1.30.2","2.4.3","2.1.14","5.4.0","5.3.0","3.10.2","2.1.13","1.30.1","2.4.2","5.1.0","5.2.0","3.10.1","2.4.1","3.10.0","2.4.0","2.1.12","1.30.0","5.0.0","1.29.12","3.9.3","2.3.10","2.1.11","4.5.0","3.9.2","2.3.9","2.1.10","1.29.11","4.4.0","4.3.0","4.3.1","4.2.0","4.1.0","3.3.0","3.9.0","1.29.10","3.9.1","2.3.8","2.1.9","4.0.0","2.3.7","2.1.8","1.29.9","3.8.0","2.3.6","2.1.7","1.29.8","2.3.5","2.1.6","1.29.7","3.7.0","1.29.6","2.3.4","2.1.5","3.6.0","2.3.3","2.1.4","1.29.5","3.5.0","3.4.0","2.3.2","2.1.3","1.29.4","1.29.2","2.1.1","2.3.0","2.1.0","1.29.1","2.2.2","1.29.0","2.2.1","2.2.0","2.0.0","1.28.0","1.27.0","1.25.2","1.25.1","1.25.0","1.24.1","1.24.0","1.23.0","1.22.0","1.21.0","1.20.0","1.19.0","1.18.0","1.17.1","1.17.0","1.16.0","1.15.0","1.14.1","1.14.0","1.13.0","1.12.0","1.11.0","1.10.1","1.10.0","1.8.2","1.8.1","1.8.0","1.7.0","1.6.0","1.5.0","1.4.1","1.4.0","1.3.1","1.3.0","1.2.1","1.2.0","1.1.0","1.0.0","1.0.0-beta2","phpexcel-last-cherry-picked-commit","phpexcel-last-release-1.8.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40863.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}