{"id":"CVE-2020-7776","details":"This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file in which a comment has been added to any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and the result is returned as HTML. A fix for this issue is available in commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845 on the master branch.","aliases":["GHSA-4mqv-gcr3-pff9"],"modified":"2026-03-13T00:47:06.921729Z","published":"2020-12-09T17:15:31.883Z","related":["SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856"],"references":[{"type":"WEB","url":"https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792"},{"type":"FIX","url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phpoffice/phpspreadsheet","events":[{"introduced":"0"},{"fixed":"76d4323b85129d0c368149c831a07a3e258b2b50"},{"fixed":"0ed5b800be2136bcb8fa9c1bdf59abc957a98845"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.16.0"}]}}],"versions":["1.0.0","1.0.0-beta","1.0.0-beta2","1.1.0","1.10.0","1.10.1","1.11.0","1.12.0","1.13.0","1.14.0","1.14.1","1.15.0","1.2.0","1.2.1","1.3.0","1.3.1","1.4.0","1.4.1","1.5.0","1.5.1","1.5.2","1.6.0","1.7.0","1.8.0","1.8.1","1.8.2","1.9.0","phpexcel-last-cherry-picked-commit","phpexcel-last-release-1.8.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7776.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}]}