Packagist (Composer) package

phpoffice/phpspreadsheet

pkg:composer/phpoffice/phpspreadsheet

Vulnerabilities (27)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-40902	Hig	7.5	>= 4.0.0, < 5.7.0	5.7.0	May 12, 2026	PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spread
CVE-2026-40863	Hig	7.5	>= 4.0.0, < 5.7.0	5.7.0	May 12, 2026	PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW =
CVE-2026-40296	Med	5.4	>= 4.0.0, < 5.7.0	5.7.0	May 6, 2026	PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any a
CVE-2026-35453	Med	5.4	>= 4.0.0, < 5.7.0	5.7.0	May 5, 2026	PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom numb
CVE-2026-34084	Cri	9.8	>= 4.0.0, < 5.6.0	5.6.0	May 5, 2026	PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can sup
CVE-2025-54370	Hig	—	< 1.30.0	1.30.0	Aug 25, 2025	PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method o
CVE-2025-23210	Med	—	>= 3.0.0, < 3.9.0	3.9.0	Feb 3, 2025	phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions
CVE-2025-22131		—	>= 3.0.0, < 3.8.0	3.8.0	Jan 20, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.
CVE-2024-56412		—	>= 3.0.0, < 3.7.0	3.7.0	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters
CVE-2024-56411		—	>= 3.0.0, < 3.7.0	3.7.0	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink bas
CVE-2024-56410		—	>= 3.0.0, < 3.7.0	3.7.0	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5,
CVE-2024-56409		—	>= 3.0.0, < 3.7.0	3.7.0	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/Numbe
CVE-2024-56366		—	>= 3.0.0, < 3.7.0	3.7.0	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/Num
CVE-2024-56365		—	>= 3.0.0, < 3.7.0	3.7.0	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/sam
CVE-2024-56408		—	>= 3.0.0, < 3.7.0	3.7.0	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site
CVE-2024-48917		—	< 1.29.4	1.29.4	Nov 18, 2024	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for det
CVE-2024-47873		—	< 1.29.4	1.29.4	Nov 18, 2024	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be b
CVE-2024-45060		—	>= 2.2.0, < 2.3.0	2.3.0	Oct 7, 2024	PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected leading to formula injection. The
CVE-2024-45290		—	>= 2.2.0, < 2.3.0	2.3.0	Oct 7, 2024	PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents,
CVE-2024-45291		—	>= 2.2.0, < 2.3.0	2.3.0	Oct 7, 2024	PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with `$writer->setEmbedImages(true);` those files

CVE-2026-40902HigMay 12, 2026
affected >= 4.0.0, < 5.7.0fixed 5.7.0
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spread
CVE-2026-40863HigMay 12, 2026
affected >= 4.0.0, < 5.7.0fixed 5.7.0
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW =
CVE-2026-40296MedMay 6, 2026
affected >= 4.0.0, < 5.7.0fixed 5.7.0
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any a
CVE-2026-35453MedMay 5, 2026
affected >= 4.0.0, < 5.7.0fixed 5.7.0
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom numb
CVE-2026-34084CriMay 5, 2026
affected >= 4.0.0, < 5.6.0fixed 5.6.0
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can sup
CVE-2025-54370HigAug 25, 2025
affected < 1.30.0fixed 1.30.0
PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method o
CVE-2025-23210MedFeb 3, 2025
affected >= 3.0.0, < 3.9.0fixed 3.9.0
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions
CVE-2025-22131Jan 20, 2025
affected >= 3.0.0, < 3.8.0fixed 3.8.0
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.
CVE-2024-56412Jan 3, 2025
affected >= 3.0.0, < 3.7.0fixed 3.7.0
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters
CVE-2024-56411Jan 3, 2025
affected >= 3.0.0, < 3.7.0fixed 3.7.0
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink bas
CVE-2024-56410Jan 3, 2025
affected >= 3.0.0, < 3.7.0fixed 3.7.0
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5,
CVE-2024-56409Jan 3, 2025
affected >= 3.0.0, < 3.7.0fixed 3.7.0
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/Numbe
CVE-2024-56366Jan 3, 2025
affected >= 3.0.0, < 3.7.0fixed 3.7.0
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/Num
CVE-2024-56365Jan 3, 2025
affected >= 3.0.0, < 3.7.0fixed 3.7.0
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/sam
CVE-2024-56408Jan 3, 2025
affected >= 3.0.0, < 3.7.0fixed 3.7.0
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site
CVE-2024-48917Nov 18, 2024
affected < 1.29.4fixed 1.29.4
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for det
CVE-2024-47873Nov 18, 2024
affected < 1.29.4fixed 1.29.4
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be b
CVE-2024-45060Oct 7, 2024
affected >= 2.2.0, < 2.3.0fixed 2.3.0
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected leading to formula injection. The
CVE-2024-45290Oct 7, 2024
affected >= 2.2.0, < 2.3.0fixed 2.3.0
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents,
CVE-2024-45291Oct 7, 2024
affected >= 2.2.0, < 2.3.0fixed 2.3.0
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with `$writer->setEmbedImages(true);` those files

Page 1 of 2