CVE-2026-40902: PhpSpreadsheet DoS Vulnerability Exploited with Malicious XLSX

The National Vulnerability Database has disclosed CVE-2026-40902, a high-severity denial-of-service (DoS) vulnerability in PhpSpreadsheet, a widely used PHP library for reading and writing spreadsheet files. The flaw, with a CVSS score of 7.5, stems from inadequate validation in the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method.

An attacker can craft a minimal XLSX file (approximately 1.6KB) containing an oversized row number attribute, specifically <row r="999999999"/>. When the file is processed, this sets cachedHighestRow to an astronomical value, so subsequent row iteration attempts around 1 billion loop cycles. This exhausts CPU resources and causes a denial of service in any application that uses a vulnerable version of PhpSpreadsheet to parse such a file.

The vulnerability is patched in PhpSpreadsheet versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. Organizations using PhpSpreadsheet remain at risk until they update, since merely opening a malicious spreadsheet can cripple their services.

What This Means For You

  • If your applications rely on PhpSpreadsheet for processing XLSX files, you are directly exposed to a simple, high-impact DoS attack. Immediately identify all instances of PhpSpreadsheet across your environment and prioritize patching to versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, or 5.7.0 to mitigate CVE-2026-40902. This isn't theoretical; a single maliciously crafted file can take down critical services.
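As an added example, not taken from the advisory or from the PhpSpreadsheet project, the following Python pre-check inspects the sheet XML inside an uploaded XLSX for row attributes above Excel's 1,048,576-row limit before the file is handed to any spreadsheet parser. The EXCEL_MAX_ROWS cap, the helper names and the constructed sample file are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Excel's hard per-worksheet row limit (assumed cap for this check); a row
# number above it is never legitimate and only serves to inflate the
# reader's cachedHighestRow.
EXCEL_MAX_ROWS = 1_048_576
SHEET_PREFIX = "xl/worksheets/"


def find_oversized_rows(xlsx_bytes, max_rows=EXCEL_MAX_ROWS):
    """Return (sheet_path, row_number) for every <row r="..."/> whose r
    attribute exceeds max_rows. An empty list means the file passed.
    Works on the raw zip, so no spreadsheet library touches the file
    before the check runs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith(SHEET_PREFIX) and name.endswith(".xml")):
                continue
            with zf.open(name) as fh:
                # Stream the XML so a large sheet need not fit in memory.
                for _event, elem in ET.iterparse(fh, events=("end",)):
                    if elem.tag.rsplit("}", 1)[-1] != "row":
                        elem.clear()
                        continue
                    r = elem.get("r")
                    if r is not None and r.isdigit() and int(r) > max_rows:
                        findings.append((name, int(r)))
                    elem.clear()
    return findings


def build_sample_xlsx(row_attr):
    """Constructed test input: a zip holding one worksheet with a single
    <row> carrying the given r attribute. It is deliberately not a
    complete workbook (no [Content_Types].xml, workbook or rels parts);
    it has just enough structure to exercise the check above."""
    sheet = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheetData><row r="%s"/></sheetData></worksheet>' % row_attr
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()
```

Rejecting a file that this check flags, before it reaches PhpSpreadsheet, removes the CPU-exhaustion path on unpatched versions; it is a stopgap, not a substitute for upgrading.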

Related ATT&CK Technique: T1190 (Initial Access)

Detection Rules

Two detection rules were auto-generated for this entry and mapped to MITRE ATT&CK; the Sigma YAML for the first is shown below.

Rule: CVE-2026-40902: PhpSpreadsheet Malicious XLSX Upload DoS (level: high; T1190, Initial Access)

Sigma YAML:
title: CVE-2026-40902: PhpSpreadsheet Malicious XLSX Upload DoS
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  Detects the upload or processing of a malicious XLSX file by a web application utilizing a vulnerable version of PhpSpreadsheet. The rule specifically looks for '.xlsx' file extensions in the URI and a query string containing the crafted row attribute 'r="999999999"' used to trigger the DoS vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40902/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '.xlsx'
    # Caveat: in a real upload the row attribute lives inside the zipped
    # sheet XML in the request body, not in the URI or query string, so
    # this match only fires if the logged field carries body content.
    # Pair it with request-body inspection (WAF or upload scanning) for
    # reliable coverage.
    cs-uri-query|contains:
      - 'r="999999999"'
  condition: selection
falsepositives:
  - Legitimate administrative activity


Indicators of Compromise

ID | Type | Indicator
CVE-2026-40902 | DoS | PhpSpreadsheet versions prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0
CVE-2026-40902 | DoS | XLSX reader's ColumnAndRowAttributes::readRowAttributes() method in PhpSpreadsheet
CVE-2026-40902 | DoS | Crafted XLSX file with a <row r="999999999"/> element

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
