Cross-site Scripting (XSS)
Description
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file if a comment has been added to any cell. The root cause is in the HTML writer, where user comments are concatenated into a link and the result is returned as HTML. A fix for this issue is available in commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845 on the master branch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PhpSpreadsheet HTML writer is vulnerable to stored XSS via cell comments, allowing script injection when converting Excel files to HTML.
Vulnerability
Overview
CVE-2020-7776 is a stored cross-site scripting (XSS) vulnerability in the PHPOffice PhpSpreadsheet library, affecting all versions prior to 1.16.0. The root cause lies in the HTML writer, which fails to sanitize user-controlled cell comments when generating HTML output from an Excel file. Comments are concatenated directly into the generated HTML without proper escaping, enabling an attacker to inject arbitrary JavaScript or HTML. [1][2][3]
Attack
Vector and Exploitation
An attacker can exploit this vulnerability by crafting an Excel file containing a malicious payload within a cell comment. When this file is loaded and converted to HTML using the library's `IOFactory::createWriter($spreadsheet, 'Html')` method, the injected script is embedded into the resulting HTML output. Any user who then views the generated HTML file in a browser will execute the attacker's script. No prior authentication is required; the attack only needs the victim to process a malicious Excel file through the affected library. [3]
Impact
Successful exploitation leads to stored XSS, which can be used to steal session cookies, redirect users to malicious sites, deface web content, or perform other actions within the context of the victim's browser session. Because the HTML output can be served to multiple users (e.g., in a web application that converts uploaded spreadsheets), the impact may extend to many victims. [1][2][3]
Mitigation
The vulnerability was fixed in commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845, and the patch is included in PhpSpreadsheet version 1.16.0 and later. Users should upgrade to the latest version of the library. No workaround is available if the HTML writer is used with untrusted Excel input. The vulnerability is publicly documented and proof-of-concept code exists. [1][3][4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
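The defect described above is a context-escaping failure: comment text controlled by whoever authored the workbook is concatenated into markup. The following PHP is an added example, not PhpSpreadsheet's own writer code; the function names, the wrapper markup and the `commentIsInert` regression check are assumptions made for illustration and do not reproduce the structure of the project's Html.php. It places the unescaped pattern next to a hardened one that escapes every untrusted value with `htmlspecialchars` for its output context, and runs both over a constructed comment to show that only the hardened output stays inert.

```php
<?php
// Added example (not PhpSpreadsheet's own code): a minimal HTML comment
// renderer showing the unescaped pattern behind CVE-2020-7776 beside a
// hardened version, plus a self-check that runs offline.
declare(strict_types=1);

/**
 * Unsafe pattern: the comment text is concatenated straight into markup.
 * Kept only to show what the hardened version must avoid.
 */
function renderCommentUnsafe(string $cellRef, string $comment): string
{
    return '<a class="comment-indicator" href="#' . $cellRef . '"></a>'
        . '<div class="comment">' . $comment . '</div>';
}

/**
 * Hardened pattern: every untrusted value is escaped for its context.
 * Both the attribute value and the text content go through htmlspecialchars
 * with ENT_QUOTES so neither quote style can break out of the attribute.
 */
function renderCommentSafe(string $cellRef, string $comment): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $ref = htmlspecialchars($cellRef, $flags, 'UTF-8');
    $text = htmlspecialchars($comment, $flags, 'UTF-8');
    return '<a class="comment-indicator" href="#' . $ref . '"></a>'
        . '<div class="comment">' . $text . '</div>';
}

/**
 * Defender-side regression check (hypothetical helper): returns true when,
 * after removing the fixed wrapper tags the renderer itself emits, no raw
 * tag or attribute-breaking character survives. It is a test assertion,
 * not a sanitizer, and must not replace escaping at the output site.
 */
function commentIsInert(string $html): bool
{
    $payloadOnly = preg_replace('#</?(a|div)\b[^>]*>#', '', $html);
    return $payloadOnly !== null && !preg_match('/[<>"\']/', $payloadOnly);
}

// Constructed sample input: one plain comment and one carrying a tag and a
// quote, the shape of input a hostile workbook would supply.
$samples = [
    'A1' => 'Quarterly totals reviewed by finance',
    'B2' => '<b>bold</b> and a " quote',
];

foreach ($samples as $ref => $comment) {
    $unsafe = renderCommentUnsafe($ref, $comment);
    $safe = renderCommentSafe($ref, $comment);
    printf("%s unsafe output inert: %s\n", $ref, commentIsInert($unsafe) ? 'yes' : 'no');
    printf("%s safe   output inert: %s\n", $ref, commentIsInert($safe) ? 'yes' : 'no');
}
```

For the constructed B2 comment the unsafe renderer leaves the `<b>` tag and the raw quote in the page, so the check reports it as not inert, while the hardened renderer emits `&lt;b&gt;` and `&quot;` and passes. The same check, pointed at a fixture workbook with a comment on one cell, is a reasonable regression test to keep alongside an upgrade to 1.16.0 or later.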
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpoffice/phpspreadsheet (Packagist) | < 1.16.0 | 1.16.0 |
| phpoffice/phpexcel (Packagist) | <= 1.8.2 | none |
Affected products
- phpoffice/phpspreadsheet (GHSA coordinates, no CPE)
  - range: <= 1.8.2
  - range: < 1.16.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4mqv-gcr3-pff9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7776 (advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2020-7776.yaml (web)
- github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792 (web)
- github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845 (web)
- github.com/PHPOffice/PhpSpreadsheet/pull/1719 (web)
- snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856 (web)
News mentions
No linked articles in our index yet.