PhpOffice/PhpSpreadsheet vulnerabilities

22 known vulnerabilities affecting phpoffice/phpspreadsheet.

Total CVEs: 22
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 12, MEDIUM 10

Vulnerabilities

Page 1 of 2

CVE | Severity | CVSS | Fixed in | Affected versions | Date

CVE-2025-54370 | HIGH | CVSS 8.7 | fixed in 1.30.0 | ≥ 2.0.0, < 2.1.12 (+3 more) | 2025-08-25
CVE-2025-54370 [HIGH] CWE-918: PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted s
CVE-2025-23210 | MEDIUM | CVSS 4.8 | - | ≥ 3.0.0, < 3.9.0; ≥ 2.2.0, < 2.3.7 (+2 more) | 2025-02-03
CVE-2025-23210 [MEDIUM] CWE-79: phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There ar
CVE-2025-22131 | MEDIUM | CVSS 5.1 | fixed in 1.29.8 | ≥ 2.0.0, < 2.1.7 (+5 more) | 2025-01-20
CVE-2025-22131 [MEDIUM] CWE-79: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into an HTML representation and displays it in the response.
CVE-2024-56366 | HIGH | CVSS 8.3 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 (+5 more) | 2025-01-03
CVE-2024-56366 [HIGH] CWE-79: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a cross-site scri
CVE-2024-56408 | HIGH | CVSS 8.3 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 (+5 more) | 2025-01-03
CVE-2024-56408 [HIGH] CWE-79: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch
CVE-2024-56365 | HIGH | CVSS 8.3 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 (+5 more) | 2025-01-03
CVE-2024-56365 [HIGH] CWE-79: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a cross-site scripting a
CVE-2024-56409 | HIGH | CVSS 8.3 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 (+5 more) | 2025-01-03
CVE-2024-56409 [HIGH] CWE-79: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform a cross-site scriptin
CVE-2024-56411 | MEDIUM | CVSS 4.8 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 (+5 more) | 2025-01-03
CVE-2024-56411 [MEDIUM] CWE-79: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue
CVE-2024-56410 | MEDIUM | CVSS 4.8 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 (+5 more) | 2025-01-03
CVE-2024-56410 [MEDIUM] CWE-79: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.
CVE-2024-56412 | MEDIUM | CVSS 4.8 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 (+5 more) | 2025-01-03
CVE-2024-56412 [MEDIUM] CWE-79: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the library processes the javascript protocol with special char
CVE-2024-47873 | HIGH | CVSS 7.5 | fixed in 1.29.4 | ≥ 2.0.0, < 2.1.3 (+5 more) | 2024-11-18
CVE-2024-47873 [HIGH] CWE-611: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the s
CVE-2024-48917 | HIGH | CVSS 7.5 | fixed in 1.29.4 | ≥ 2.0.0, < 2.1.3 (+2 more) | 2024-11-18
CVE-2024-48917 [HIGH]: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current encoding, can be bypassed by using a payload in the encoding
CVE-2024-45293 | HIGH | CVSS 7.5 (PoC) | fixed in 1.29.1 | ≥ 2.0.0, < 2.1.1 (+3 more) | 2024-10-07
CVE-2024-45293 [HIGH] CWE-611: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, using whitespace. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can b
CVE-2024-45290 | HIGH | CVSS 7.5 | fixed in 1.29.2 | ≥ 2.0.0, < 2.1.1 (+3 more) | 2024-10-07
CVE-2024-45290 [HIGH] CWE-36: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter`
CVE-2024-45291 | HIGH | CVSS 8.8 | fixed in 1.29.2 | ≥ 2.0.0, < 2.1.1 (+3 more) | 2024-10-07
CVE-2024-45291 [HIGH] CWE-36: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in the HTML writer with `$writer->setEmbedImages(true);`, those files will be included in the output as `data:` URLs, regardless of the file's t
CVE-2024-45292 | MEDIUM | CVSS 5.4 | fixed in 1.29.2 | ≥ 2.0.0, < 2.1.1 (+3 more) | 2024-10-07
CVE-2024-45292 [MEDIUM] CWE-79: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade.
CVE-2024-45060 | MEDIUM | CVSS 6.1 | fixed in 1.29.2 | ≥ 2.0.0, < 2.1.1 (+3 more) | 2024-10-07
CVE-2024-45060 [MEDIUM] CWE-79: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected, leading to formula injection. The code in `45_Quadratic_equation_solver.php` concatenates the user supp
CVE-2024-45046 | MEDIUM | CVSS 5.4 | fixed in 1.29.1 | ≥ 2.0.0, < 2.1.0 (+1 more) | 2024-08-28
CVE-2024-45046 [MEDIUM] CWE-79: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result, an attacker may use a crafted spreadsheet to fully take over a se
CVE-2024-45048 | MEDIUM | CVSS 6.5 | fixed in 1.29.1 | ≥ 2.0.0, < 2.2.1 (+1 more) | 2024-08-28
CVE-2024-45048 [MEDIUM] CWE-611: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a filter bypass which allows an XXE attack. This in turn allows an attacker to obtain the contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advise
CVE-2020-7776 | MEDIUM | CVSS 6.4 | fixed in 1.16.0 | ≥ 0.0.0, < unspecified | 2020-12-09
CVE-2020-7776 [MEDIUM] CWE-79: This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is returned as HTML. A fix for this issue is available on comm