CVE-2026-40863: PhpSpreadsheet DoS Vulnerability Hits High Severity


The National Vulnerability Database (NVD) has published CVE-2026-40863, a high-severity denial-of-service (DoS) vulnerability in PhpSpreadsheet, a widely used PHP library for reading and writing spreadsheet files. The flaw, scored CVSS 7.5, lies in the SpreadsheetML XML reader (Reader\Xml) and stems from missing validation of the ss:Index attribute on row elements.

According to the NVD, an attacker crafts a SpreadsheetML XML file in which a <Row> element carries an ss:Index value such as 999999999, far beyond the 1,048,576-row maximum of a worksheet. The reader accepts that value as the row number, so the internal cachedHighestRow is inflated to roughly one billion. A later call to getRowIterator() without an explicit end row parameter uses that cached value as its upper bound and attempts to iterate through the fabricated rows, exhausting CPU and denying service.

The vulnerability affects PhpSpreadsheet releases before the fixed versions and has been addressed: the NVD lists fixes in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. The NVD names no specific affected products, but any application that uses a vulnerable PhpSpreadsheet release to parse spreadsheet files from untrusted sources is exposed. It is a classic CWE-770 (Allocation of Resources Without Limits or Throttling) case: an attacker-controlled number drives an unbounded loop.

What This Means For You

  • If your organization uses PhpSpreadsheet to process spreadsheet files, especially files from external or untrusted sources, prioritize patching: anyone who can get a file to the parser (an upload form, an e-mail attachment pipeline, a bulk import job) can trigger the denial of service with a single malformed file, and no authentication is required beyond that. Update to PhpSpreadsheet 1.30.4, 2.1.16, 2.4.5, 3.10.5, or 5.7.0, whichever matches your release branch, and confirm the resolved version in composer.lock rather than the constraint in composer.json. Don't assume internal apps are safe; an internal tool is exploitable as soon as it processes externally sourced input.
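As an added illustration (this is not code from PhpSpreadsheet or from the advisory), the following PHP script implements the check a practitioner would want in front of a vulnerable reader while the upgrade is rolled out: it streams a SpreadsheetML file through PHP's built-in XMLReader and refuses it if any ss:Index would place a row or cell beyond the sheet limits, before the file ever reaches Reader\Xml. It goes beyond the advisory's single case by also checking ss:Index on Cell elements against an assumed column cap and by treating rows without an index as sequential; the per-worksheet row reset and the column cap are assumptions about the format, and the sample workbook is constructed for this example.

```php
<?php
// Added example, not PhpSpreadsheet code: a pre-load gate for SpreadsheetML
// 2003 XML that refuses any file whose ss:Index attributes would force a
// reader to allocate rows or columns beyond the sheet limits. It streams the
// document with PHP's built-in XMLReader, so the gate itself never builds a
// large structure. The column cap, the Cell handling and the per-worksheet
// row reset are assumptions about the format, not taken from the advisory.

declare(strict_types=1);

const SS_NS       = 'urn:schemas-microsoft-com:office:spreadsheet';
const MAX_ROWS    = 1048576; // row ceiling quoted in the advisory
const MAX_COLUMNS = 16384;   // assumed column ceiling (xlsx limit)

/**
 * Return the highest row and column a reader would have to create for $xml,
 * honouring ss:Index jumps (an absent index means "next row/cell", a present
 * one repositions). Throws InvalidArgumentException on the first index outside
 * 1..cap, so ss:Index="999999999" is rejected before any parser builds a
 * billion-row sheet.
 *
 * @return array{rows: int, columns: int}
 */
function spreadsheetml_extent(string $xml, int $maxRows = MAX_ROWS, int $maxColumns = MAX_COLUMNS): array
{
    libxml_use_internal_errors(true);
    libxml_clear_errors();

    $reader = new XMLReader();
    // LIBXML_NONET: no network fetches for external DTDs or entities.
    if (!$reader->XML($xml, null, LIBXML_NONET)) {
        throw new InvalidArgumentException('not parseable as XML');
    }

    $row = $col = 0;               // running position, reset per worksheet / per row
    $highestRow = $highestCol = 0;

    while ($reader->read()) {
        if ($reader->nodeType !== XMLReader::ELEMENT || $reader->namespaceURI !== SS_NS) {
            continue;
        }
        switch ($reader->localName) {
            case 'Worksheet':
                $row = 0;          // row numbering restarts on every sheet
                break;
            case 'Row':
                $row = next_index($reader, $row, $maxRows, 'row');
                $col = 0;
                $highestRow = max($highestRow, $row);
                break;
            case 'Cell':
                $col = next_index($reader, $col, $maxColumns, 'column');
                $highestCol = max($highestCol, $col);
                break;
        }
    }
    $reader->close();

    if (libxml_get_errors() !== []) {
        throw new InvalidArgumentException('malformed XML: ' . trim(libxml_get_last_error()->message));
    }
    return ['rows' => $highestRow, 'columns' => $highestCol];
}

/** Resolve the ss:Index of the current element against the running position and the cap. */
function next_index(XMLReader $reader, int $current, int $cap, string $what): int
{
    $attr = $reader->getAttributeNs('Index', SS_NS);      // null (or '' on old PHP) when absent
    if ($attr === null || $attr === '') {
        $next = $current + 1;
    } else {
        $next = filter_var($attr, FILTER_VALIDATE_INT);   // false for "abc", "1e9", overflow
    }
    if ($next === false || $next < 1 || $next > $cap) {
        throw new InvalidArgumentException(
            sprintf('%s index %s outside 1..%d', $what, var_export($attr, true), $cap)
        );
    }
    return $next;
}

// Constructed sample: a benign sheet that uses ss:Index legitimately (row 5, column 3).
$benign = <<<'XML'
<?xml version="1.0"?>
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"
          xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet">
 <Worksheet ss:Name="Sheet1">
  <Table>
   <Row><Cell><Data ss:Type="String">header</Data></Cell></Row>
   <Row ss:Index="5"><Cell ss:Index="3"><Data ss:Type="Number">42</Data></Cell></Row>
  </Table>
 </Worksheet>
</Workbook>
XML;

// The shape described in the advisory: the same file with the row index pushed past 1,048,576.
$malicious = str_replace('ss:Index="5"', 'ss:Index="999999999"', $benign);

print_r(spreadsheetml_extent($benign));

try {
    spreadsheetml_extent($malicious);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run the gate on the raw upload bytes and reject on exception before handing the file to the reader; for most applications a much lower business cap via the $maxRows argument is appropriate. Still pass an explicit end row to getRowIterator() so that iteration cannot grow with attacker input, and treat the gate as a stopgap rather than a replacement for the fixed releases listed above.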

🛡️ Detection Rules


Level: high · ATT&CK: T1190 (Initial Access)

CVE-2026-40863: PhpSpreadsheet XML DoS via Malformed Row Index

Sigma YAML
title: CVE-2026-40863: PhpSpreadsheet XML DoS via Malformed Row Index
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  Flags web requests whose URI names a spreadsheet file (.xml for the SpreadsheetML 2003 format that Reader\Xml parses, or .xlsx) and whose query string carries the literal ss:Index="999999999" from the CVE-2026-40863 proof shape, raw or URL-encoded. Coverage caveat: the malicious attribute lives inside the uploaded file, which with the usual multipart POST delivery sits in the request body and is not written to webserver access logs, so this rule only fires when the XML is passed in a GET parameter, and any index above 1048576 would trigger the bug, not only 999999999. Treat it as a low-coverage indicator and pair it with application-side monitoring (PHP workers hitting max_execution_time or pegging CPU after a spreadsheet import). No status-code filter is applied: a request that hangs the worker is more likely to be logged as a 5xx, or not at all, than as a 200.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40863/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '.xml'
      - '.xlsx'
    cs-uri-query|contains:
      - 'ss:Index="999999999"'
      - 'ss%3AIndex%3D%22999999999%22'
  condition: selection
falsepositives:
  - Vulnerability scanners or internal test harnesses replaying the published proof string

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type  Indicator
CVE-2026-40863  DoS   PhpSpreadsheet versions prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0
CVE-2026-40863  DoS   Vulnerable component: SpreadsheetML XML reader (Reader\Xml)
CVE-2026-40863  DoS   Attack vector: crafted SpreadsheetML XML file with ss:Index="999999999" on a <Row> element
CVE-2026-40863  DoS   Vulnerable function: getRowIterator() without an explicit end row

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
