CVE-2026-34084
published 2026-05-05
Priority P2 · 63 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.71% (49.0th percentile)
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpoffice | phpspreadsheet | < 1.30.5 | 1.30.5 |
| phpoffice | phpspreadsheet | < 1.30.3 | 1.30.3 |
| phpoffice | phpspreadsheet | >= 0 < 1.30.5 | 1.30.5 |
| phpoffice | phpspreadsheet | >= 0 < 1.30.3 | 1.30.3 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.15 | 2.1.15 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.15 | 2.1.15 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.4.4 | 2.4.4 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.4.4 | 2.4.4 |
| phpoffice | phpspreadsheet | >= 3.3.0 < 3.10.4 | 3.10.4 |
| phpoffice | phpspreadsheet | >= 3.3.0 < 3.10.4 | 3.10.4 |
| phpoffice | phpspreadsheet | >= 4.0.0 < 5.6.0 | 5.6.0 |
| phpoffice | phpspreadsheet | >= 4.0.0 < 5.6.0 | 5.6.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | | 9.8 | CRITICAL | |
GHSA
PHPSpreadsheet has a patch bypass for CVE-2026-34084
ghsa·2026-06-08·CVSS 9.8
CVE-2026-45034 [CRITICAL] CWE-502 PHPSpreadsheet has a patch bypass for CVE-2026-34084
## Summary
CVE-2026-34084 was patched by the helper `File::prohibitWrappers`. The helper calls `parse_url($filename, PHP_URL_SCHEME)` and then checks `is_string($scheme) && strlen($scheme) > 1` to reject stream wrappers such as `phar://`, `php://`, `data://` or `expect://`. The check is not equivalent to "does the path contain a wrapper". When the input has the form `phar:///path/file.phar/inner` with three or more slashes after the scheme, `parse_url` returns boolean `false` instead of returning the scheme string. The `is_string($scheme)` branch is therefore skipped, the helper returns without throwing, and the caller proceeds. PHP's stream layer, however, still treats `phar:///...` as a valid phar wrapper and opens the underlying pha
VulDB
PHPOffice PhpSpreadsheet up to 5.5.0 IOFactory::load filename deserialization
vuldb·2026-05-05·CVSS 9.2
CVE-2026-34084 [CRITICAL] PHPOffice PhpSpreadsheet up to 5.5.0 IOFactory::load filename deserialization
A vulnerability categorized as critical has been discovered in PHPOffice PhpSpreadsheet up to 1.30.2/2.1.14/2.4.3/3.10.3/5.5.0. This issue affects the function IOFactory::load. Executing a manipulation of the argument filename can lead to deserialization.
This vulnerability is tracked as CVE-2026-34084. The attack can be launched remotely. No exploit exists.
It is advisable to upgrade the affected component.
GHSA
PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
ghsa·2026-04-29
CVE-2026-34084 [HIGH] CWE-502 PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
The usage of `is_file`, used to verify if the `$filename` is indeed an actual file, by all(?) `Reader` implementations (inside the helper function `File::assertFile`) is php-wrapper aware, for any [php wrappers](https://www.php.net/manual/en/wrappers.php) implementing `stat()`.
The three wrappers `ftp://`, `phar://` and `ssh2.sftp://` all satisfy this requirement; two of them are shown in the PoC below.
This results in SSRF at "best", and RCE at worst.
This was tested against the `latest` release - but the issue seems to go back a while from a first quick check (still present in `v1.30.2`).
## PoC
To reproduce the vulnerable behavior, the following scripts were used:
`php.ini` file, only needed to build t
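The two advisories above describe the same weak spot from two sides: `is_file()` accepts wrapper paths, and the first fix's `parse_url($filename, PHP_URL_SCHEME)` check is skipped whenever `parse_url()` returns `false` (three slashes after the scheme). The following is an added example written for this page, not PhpSpreadsheet's code nor the advisory authors' PoC. It places a check modelled on the advisory's description of `File::prohibitWrappers` beside a stricter prefix check that never depends on `parse_url()` succeeding, and goes one step further than the advisories by confining the resolved path to an allow-listed directory. The function names, the `$baseDir` upload directory and all sample paths are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not PhpSpreadsheet code): weak scheme check as described in
// the advisory vs. a stricter prefix check plus directory confinement.

/**
 * Weak check modelled on the advisory's description: reject only when
 * parse_url() yields a scheme of two or more characters (one letter is kept
 * for Windows drive paths). Returns true when the path is accepted. When
 * parse_url() returns false, nothing is rejected; that is the bypass.
 */
function weakProhibitWrappers(string $filename): bool
{
    $scheme = parse_url($filename, PHP_URL_SCHEME);
    return !(is_string($scheme) && strlen($scheme) > 1);
}

/**
 * Strict check: reject any path that starts with a wrapper-style prefix of
 * two or more RFC 3986 scheme characters followed by ':'. It does not care
 * whether parse_url() can parse the rest. "C:" (single letter) still passes.
 */
function strictProhibitWrappers(string $filename): bool
{
    return preg_match('/^[A-Za-z][A-Za-z0-9+.\-]+:/', $filename) !== 1;
}

/**
 * Defence in depth: after the prefix check, resolve with realpath() and
 * require the result to be a regular file inside $baseDir (an assumed
 * application upload directory). Returns the resolved path or null.
 */
function resolveSafely(string $filename, string $baseDir): ?string
{
    if (!strictProhibitWrappers($filename)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($filename);
    if ($base === false || $real === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return (str_starts_with($real, $base) && is_file($real)) ? $real : null;
}

// Constructed sample inputs: wrapper forms named in the advisories, a Windows
// drive path, and a plain local path.
$samples = [
    'phar:///tmp/upload/report.phar/inner.xlsx', // three slashes: parse_url() fails, weak check skipped
    'phar://tmp/upload/report.phar/inner.xlsx',  // two slashes: scheme "phar" is seen
    'ftp://example.invalid/report.xlsx',
    'C:\\uploads\\report.xlsx',
    '/tmp/upload/report.xlsx',
];

printf("%-45s %-7s %-7s\n", 'input', 'weak', 'strict');
foreach ($samples as $path) {
    printf(
        "%-45s %-7s %-7s\n",
        $path,
        weakProhibitWrappers($path) ? 'accept' : 'reject',
        strictProhibitWrappers($path) ? 'accept' : 'reject'
    );
}

// Confinement demo against a temporary upload directory created for this run.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.xlsx', 'placeholder content');

var_dump(resolveSafely($dir . '/report.xlsx', $dir));          // inside base dir
var_dump(resolveSafely($dir . '/../../etc/passwd', $dir));     // escapes base dir
var_dump(resolveSafely('phar://' . $dir . '/report.xlsx', $dir)); // wrapper prefix
```

Run it with `php example.php` on PHP 8 or later (`str_starts_with` is PHP 8). The table shows the `phar:///` form passing the weak check while every wrapper form fails the strict one; the strict check does reject legitimate file names that happen to start with something like `abc:`, which is the intended trade-off, since a user-controlled spreadsheet path should only ever be a file under a directory the application chose. Pair the prefix check with `resolveSafely()` rather than relying on either alone, and keep the upgrade to a fixed PhpSpreadsheet release as the primary fix.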
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-05