Phpoffice Phpspreadsheet vulnerabilities
28 known vulnerabilities affecting phpoffice/phpspreadsheet.
Total CVEs: 28
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 10, MEDIUM 16
Vulnerabilities
Page 2 of 2
CVE-2024-56409 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 | +5 more | 2025-01-03
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform a cross-site script
GHSA, NVD, OSV
CVE-2024-56412 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 | +5 more | 2025-01-03
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the library processes the javascript protocol with special char
GHSA, NVD, OSV
CVE-2024-56410 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 | +5 more | 2025-01-03
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.
GHSA, NVD, OSV
CVE-2024-56365 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 | +5 more | 2025-01-03
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a cross-site scripting
GHSA, NVD, OSV
CVE-2024-56411 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.29.7 | ≥ 2.0.0, < 2.1.6 | +5 more | 2025-01-03
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue
GHSA, NVD, OSV
CVE-2024-45292 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.29.2 | ≥ 2.0.0, < 2.1.1 | +3 more | 2024-10-07
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade.
GHSA, NVD, OSV
CVE-2025-22131 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.29.8 | ≥ 2.0.0, < 2.1.7 | +5 more | 2025-01-20
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.
GHSA, NVD, OSV
CVE-2025-23210 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | >= 3.0.0, < 3.9.0 | >= 2.2.0, < 2.3.7 | +2 more | 2025-02-03
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There ar
GHSA, NVD, OSV