Spreadsheet of Doom: XSS in Craft CMS Freeform via Font Names
Jan 16, 2026
Executive Summary (TL;DR)
The Solspace Freeform plugin relies on `PhpSpreadsheet` to handle Excel files. A flaw in how that library converts spreadsheets to HTML allows attackers to inject malicious JavaScript into the *font name* of a cell. When an admin previews a submitted form containing a malicious Excel file, the script executes, potentially leading to full account takeover.
A high-severity Cross-Site Scripting (XSS) vulnerability exists in the Solspace Freeform plugin for Craft CMS, inherited from the upstream PhpSpreadsheet library. By manipulating metadata within an Excel file—specifically the font name—an attacker can execute arbitrary JavaScript in the browser of an administrator viewing the file.
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| solspace/craft-freeform (Solspace) | < 4.1.23 | 4.1.23 |
| Attribute | Detail |
|---|---|
| Vulnerability Type | Cross-Site Scripting (XSS) |
| Root Cause | Improper Output Neutralization for Logs/Messages (CWE-116) |
| CVSS Score | 7.1 (High) |
| Attack Vector | Network (User Interaction Required) |
| Affected Component | PhpSpreadsheet\Writer\Html |
| Exploit Status | PoC Available |
Root Cause (CWE-116)
The software does not properly neutralize output for downstream components, allowing special characters to be interpreted as control sequences or code. In this case the affected component is PhpSpreadsheet's HTML writer: the font name stored in a cell's style is copied into the generated HTML without escaping, so an attacker who controls that value in an uploaded Excel file controls markup rendered in the administrator's browser.
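The following Python script is an added illustration and is not code from Freeform or PhpSpreadsheet. It shows both halves of the problem from a defender's side: `font_style_unsafe` models a writer that interpolates a font name straight into a style attribute, `font_style_safe` shows the escape-and-filter form, and `suspicious_font_names` inspects the `xl/styles.xml` part of an uploaded `.xlsx` (a zip archive) and flags font names carrying characters a real font family never contains. `build_sample_xlsx` constructs a minimal archive with only `xl/styles.xml`, which is enough for the detector but is not a complete workbook; the font names in it are constructed sample values.

```python
import html
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Namespace used by the styles part of an OOXML spreadsheet.
SPREADSHEETML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Characters a legitimate font family name never needs. Any of them in a cell
# font name means the value was hand-edited and must not reach HTML unescaped.
HTML_SPECIAL = re.compile(r'[<>"\'&\\\x00-\x1f]')


def font_style_unsafe(font_name: str) -> str:
    """Model of an HTML writer that trusts the font name: whatever characters
    the spreadsheet carries land in the markup verbatim (the vulnerable shape)."""
    return f"<td style=\"font-family:'{font_name}'\">"


def font_style_safe(font_name: str) -> str:
    """Hardened shape: drop characters that could break out of the CSS string,
    then escape for the HTML attribute context the value is written into."""
    cleaned = HTML_SPECIAL.sub("", font_name)
    return f"<td style=\"font-family:'{html.escape(cleaned, quote=True)}'\">"


def font_names_in_xlsx(xlsx_bytes: bytes) -> list:
    """Return every font name declared in xl/styles.xml of an .xlsx archive."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "xl/styles.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("xl/styles.xml"))
    ns = {"s": SPREADSHEETML_NS}
    return [el.get("val", "") for el in root.findall("s:fonts/s:font/s:name", ns)]


def suspicious_font_names(xlsx_bytes: bytes) -> list:
    """Font names that contain HTML/CSS-significant characters; a non-empty
    result is a reason to reject or quarantine the upload before any preview."""
    return [n for n in font_names_in_xlsx(xlsx_bytes) if HTML_SPECIAL.search(n)]


def build_sample_xlsx(font_names) -> bytes:
    """Constructed sample: a zip holding only xl/styles.xml. Enough to exercise
    the detector; a real workbook carries many more parts."""
    fonts = "".join(
        f'<font><name val="{html.escape(n, quote=True)}"/></font>' for n in font_names
    )
    styles = (
        f'<styleSheet xmlns="{SPREADSHEETML_NS}">'
        f'<fonts count="{len(font_names)}">{fonts}</fonts></styleSheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/styles.xml", styles)
    return buf.getvalue()


if __name__ == "__main__":
    # Two ordinary font names and one constructed hand-edited value.
    sample = build_sample_xlsx(["Calibri", "Arial", "Calibri'><i>x</i>"])
    for name in suspicious_font_names(sample):
        print("suspicious font name:", repr(name))
        print("  unsafe writer output:", font_style_unsafe(name))
        print("  safe writer output:  ", font_style_safe(name))
```

Running the detector over every spreadsheet at upload time, before an administrator can open the preview, is a cheap compensating control while the plugin is being updated to 4.1.23; the filter in `font_style_safe` is the fix shape to look for in the upstream HTML writer.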