PhpOffice PhpSpreadsheet vulnerabilities
28 known vulnerabilities affecting phpoffice/phpspreadsheet.
Total CVEs: 28
CISA KEV: 0
Public exploits: 2
Exploited in the wild: 0
Severity breakdown: CRITICAL 2, HIGH 10, MEDIUM 16
Vulnerabilities
Page 1 of 2
CVE-2018-19277 | P3 | HIGH | CVSS 8.8 | PoC | affected: ≤ 1.5.0 | 2018-11-14
CWE-91: securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file
Sources: GHSA, NVD, OSV

CVE-2024-45293 | P3 | HIGH | CVSS 7.5 | PoC | fixed in 1.29.1 | affected: ≥ 2.0.0, < 2.1.1 (+3 more) | 2024-10-07
CWE-611: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can b
Sources: GHSA, NVD, OSV

CVE-2026-34084 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.30.3 | affected: ≥ 2.0.0, < 2.1.15 (+4 more) | 2026-05-05
CWE-502: PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp:
Sources: GHSA, NVD

CVE-2024-45291 | P2 | HIGH | CVSS 8.8 | fixed in 1.29.2 | affected: ≥ 2.0.0, < 2.1.1 (+3 more) | 2024-10-07
CWE-36: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with `$writer->setEmbedImages(true);` those files will be included in the output as `data:` URLs, regardless of the file's t
Sources: GHSA, NVD, OSV

CVE-2026-45034 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 0, < 1.30.5 | 2026-06-08
CWE-502: PHPSpreadsheet has a patch bypass for CVE-2026-34084
Summary: CVE-2026-34084 was patched by the helper `File::prohibitWrappers`. The helper calls `parse_url($filename, PHP_URL_SCHEME)` and then checks `is_string($scheme) && strlen($scheme) > 1` to reject stream wrappers such as `phar://`, `php://`, `data://` or `expect://`. The check is not equivalent to "does the path contain a wrapper". When the input ha
Sources: GHSA

CVE-2025-54370 | P3 | HIGH | CVSS 8.7 | fixed in 1.30.0 | affected: ≥ 2.0.0, < 2.1.12 (+3 more) | 2025-08-25
CWE-918: PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted s
Sources: GHSA, NVD, OSV

CVE-2024-47873 | P3 | HIGH | CVSS 7.5 | fixed in 1.29.4 | affected: ≥ 2.0.0, < 2.1.3 (+5 more) | 2024-11-18
CWE-611: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the s
Sources: GHSA, NVD, OSV

CVE-2024-45290 | P3 | HIGH | CVSS 7.5 | fixed in 1.29.2 | affected: ≥ 2.0.0, < 2.1.1 (+3 more) | 2024-10-07
CWE-36: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter`
Sources: GHSA, NVD, OSV

CVE-2024-48917 | P3 | HIGH | CVSS 7.5 | fixed in 1.29.4 | affected: ≥ 2.0.0, < 2.1.3 (+2 more) | 2024-11-18
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current encoding can be bypassed by using a payload in the encoding
Sources: GHSA, NVD, OSV

CVE-2026-40902 | P3 | HIGH | CVSS 7.5 | fixed in 1.30.4 | affected: ≥ 2.0.0, < 2.1.16 (+7 more) | 2026-05-12
CWE-770: PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (AddressRange::MAX_ROW = 1,048,576). An attacker
Sources: GHSA, NVD

CVE-2026-40863 | P3 | HIGH | CVSS 7.5 | fixed in 1.30.4 | affected: ≥ 2.0.0, < 2.1.16 (+7 more) | 2026-05-12
CWE-770: PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index
Sources: GHSA, NVD

CVE-2019-12331 | P3 | HIGH | CVSS 8.8 | fixed in 1.8.0 | 2019-11-07
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to UTF-8 if something other than UTF-8 is declared in the header. This was a security measure to prevent CVE-2018-19277, but the fix is not sufficient. By double-encoding the XML payload to UTF-7 it is possible to bypass the check for the string
Sources: GHSA, NVD, OSV

CVE-2024-45048 | P4 | MEDIUM | CVSS 6.5 | fixed in 1.29.1 | affected: ≥ 2.0.0, < 2.2.1 (+1 more) | 2024-08-28
CWE-611: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE attack. This in turn allows an attacker to obtain the contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advise
Sources: GHSA, NVD, OSV

CVE-2020-7776 | P4 | MEDIUM | CVSS 6.4 | fixed in 1.16.0 | affected: ≥ 0.0.0, < unspecified | 2020-12-09
CWE-79: This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is returned as HTML. A fix for this issue is available on comm
Sources: GHSA, NVD, OSV

CVE-2026-35453 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.30.4 | affected: ≥ 2.0.0, < 2.1.16 (+8 more) | 2026-05-05
CWE-79: PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text
Sources: GHSA, NVD

CVE-2024-45046 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.29.1 | affected: ≥ 2.0.0, < 2.1.0 (+1 more) | 2024-08-28
CWE-79: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker may use a crafted spreadsheet to fully take over a se
Sources: GHSA, NVD, OSV

CVE-2024-56408 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.29.7 | affected: ≥ 2.0.0, < 2.1.6 (+5 more) | 2025-01-03
CWE-79: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patc
Sources: GHSA, NVD, OSV

CVE-2026-40296 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.30.4 | affected: ≥ 2.0.0, < 2.1.16 (+8 more) | 2026-05-06
CWE-79: PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the for
Sources: GHSA, NVD

CVE-2024-45060 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.29.2 | affected: ≥ 2.0.0, < 2.1.1 (+3 more) | 2024-10-07
CWE-79: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected, leading to formula injection. The code in `45_Quadratic_equation_solver.php` concatenates the user supp
Sources: GHSA, NVD, OSV

CVE-2024-56366 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.29.7 | affected: ≥ 2.0.0, < 2.1.6 (+5 more) | 2025-01-03
CWE-79: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a cross-site sc
Sources: GHSA, NVD, OSV