phpoffice/phpspreadsheet
Packagist
19 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting phpoffice/phpspreadsheet
- CVE-2018-19277 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.5.1 | 2018-11-14
vulnerable: 1.0.0 ... 1.5.0 (11 versions)
securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file
- CVE-2019-12331 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.8.0 | 2019-11-07
vulnerable: 1.0.0 ... 1.7.0 (15 versions)
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the …
- CVE-2020-7776 | HIGH | CVSS 7.1 | EG 7.1 | ✓ Fixed in 1.16.0 | 2020-12-09
vulnerable: 1.0.0 ... 1.9.0 (27 versions)
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where us…
- CVE-2024-45046 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 1.29.1 | 2024-08-28
vulnerable: 1.0.0 ... 1.9.0 (46 versions)
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to injec…
- CVE-2024-45048 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.1.1 | 2024-08-28
vulnerable: 2.0.0, 2.1.0
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE-attack. This in turn allows attacker to obtain contents of local files, even i…
- CVE-2024-45060 | HIGH | CVSS 7.1 | EG 7.1 | ✓ Fixed in 2.1.1 | 2024-10-07
vulnerable: 2.0.0, 2.1.0
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is ex…
- CVE-2024-45290 | HIGH | CVSS 7.7 | EG 7.7 | ✓ Fixed in 2.1.1 | 2024-10-07
vulnerable: 2.0.0, 2.1.0
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image si…
- CVE-2024-45291 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 2.1.1 | 2024-10-07
vulnerable: 2.0.0, 2.1.0
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with `$wr…
- CVE-2024-45292 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 2.1.1 | 2024-10-07
vulnerable: 2.0.0, 2.1.0
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerabilit…
- CVE-2024-45293 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.1.1 | 2024-10-07
vulnerable: 2.0.0, 2.1.0
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces.…
- CVE-2024-47873 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.4.0 | 2024-11-18
vulnerable: 3.3.0
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` m…
- CVE-2024-48917 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.4.0 | 2024-11-18
vulnerable: 3.3.0
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `f…
- CVE-2025-23210 | MEDIUM | CVSS 4.8 | EG 0.0 | ✓ Fixed in 2.1.8 | 2025-02-03
vulnerable: 2.0.0 ... 2.1.7 (8 versions)
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. …
- CVE-2025-54370 | HIGH | CVSS 8.7 | EG 0.0 | ✓ Fixed in 5.0.0 | 2025-08-25
vulnerable: 4.0.0 ... 4.5.0 (7 versions)
PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The v…
- CVE-2026-34084 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 1.30.3 | 2026-05-05
vulnerable: 1.0.0 ... 1.9.0 (60 versions)
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load(…
- CVE-2026-35453 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 1.30.4 | 2026-05-05
vulnerable: 1.0.0 ... 1.9.0 (61 versions)
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() outpu…
- CVE-2026-40296 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 1.30.4 | 2026-05-06
vulnerable: 1.0.0 ... 1.9.0 (61 versions)
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containin…
- CVE-2026-40863 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.30.4 | 2026-05-12
vulnerable: 1.0.0 ... 1.9.0 (61 versions)
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum a…
- CVE-2026-40902 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.30.4 | 2026-05-12
vulnerable: 1.0.0 ... 1.9.0 (61 versions)
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes w…