CVE-2026-34084 PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

CVE-2026-34084

CVE-2026-34084 describes a vulnerability in PhpSpreadsheet where IOFactory::load() with a user-controlled filename can pass PHP stream wrappers (phar://, ftp://, ssh2.sftp://) to is_file(), triggering PHAR deserialization and potential remote code execution if an appropriate gadget chain exists. ...

PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled

The usage of isfile, used to verify if the $filename is indeed an actual file, by all? Reader implementations inside the helper function File::assertFile is php-wrapper aware, for any php wrappers implementing stat. The 3 wrappers ftp://, phar:// and ssh2.sftp://, all satisfy this requirement - 2...

GHSA-Q4Q6-R8WH-5CGH PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled

The usage of isfile, used to verify if the $filename is indeed an actual file, by all? Reader implementations inside the helper function File::assertFile is php-wrapper aware, for any php wrappers implementing stat. The 3 wrappers ftp://, phar:// and ssh2.sftp://, all satisfy this requirement - 2...

Server-side Request Forgery (SSRF)

Overview phpoffice/phpspreadsheet is a Spreadsheet engine that Read, Create and Write Spreadsheet documents in PHP . Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the IOFactory::load process. An attacker can execute arbitrary code or initiate unauthorize...

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection via the IOFactory::load function. An attacker can read local files or potentially execute arbitrary code by uploading a malicious XLSX template that contains a specially crafted XML payload. This is onl...

Kimai has an XXE Leading to Local File Read

Summary Kimai uses PHPSpreadsheet for importing and exporting invoices. Recently, a CVE was identified in PHPSpreadsheet, which could lead to an XXE vulnerability. Details Exploitation requires an Administrator account, allowing the upload of an XLSX template containing the payload. The...

GHSA-534C-HCR7-67JG Kimai has an XXE Leading to Local File Read

Summary Kimai uses PHPSpreadsheet for importing and exporting invoices. Recently, a CVE was identified in PHPSpreadsheet, which could lead to an XXE vulnerability. Details Exploitation requires an Administrator account, allowing the upload of an XLSX template containing the payload. The...

GHSA-GHG6-32F9-2JP7 XXE in PHPSpreadsheet encoding is returned

Summary Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. LFI-attack Details Check $pattern = '/encoding=".?"/'; easy to bypass. Just use a single quote symbol '. So payload looks like this:...