GHSA-44jg-mv3h-wj6g: solspace/craft-freeform Vulnerable to XSS in `PhpSpreadsheet` HTML Writer Due to Unsanitized Styling Data

January 15, 2026

Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

\PhpOffice\PhpSpreadsheet\Writer\Html doesn’t sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.

References

github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6
github.com/advisories/GHSA-44jg-mv3h-wj6g
github.com/solspace/craft-freeform
github.com/solspace/craft-freeform/releases/tag/v4.1.23
github.com/solspace/craft-freeform/security/advisories/GHSA-44jg-mv3h-wj6g

Code Behaviors & Features

Detect and mitigate GHSA-44jg-mv3h-wj6g with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →