CVE-2025-22131Cross-site Scripting in Phpspreadsheet

CWE-79Cross-site Scripting4 documents4 sources
Severity
5.1MEDIUMNVD
EPSS
0.5%
top 36.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Phpoffice PhpspreadsheetPhpoffice Phpexcel
Timeline
PublishedJan 20
Latest updateJan 21

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages4 packages

CVEListV5phpoffice/phpspreadsheet< 1.29.8+3
NVDphpoffice/phpspreadsheet2.0.02.1.7+3
Packagistphpoffice/phpspreadsheet3.0.03.8.0+3
Packagistphpoffice/phpexcel1.8.2

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet2025-01-21
GHSA
Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet2025-01-21
CVEList
Cross-Site Scripting (XSS) vulnerability in generateNavigation() function2025-01-20
CVE-2025-22131 — Cross-site Scripting in Phpspreadsheet | cvebase