Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

110 matches found

NVD
NVDadded 2 days ago7 views

CVE-2026-45034

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.5, CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parseurl$filename, PHPURLSCHEME and then checks isstring$scheme && strlen$scheme 1 to reject stream wrappers such as...

9.2CVSS0.00351EPSS
Exploits1References1
CVE
CVEadded 2 days ago57 views

CVE-2026-45034

Summary: PhpSpreadsheet before 1.30.5 contains a bypass in File::prohibitWrappers that can be exploited via phar:// wrapper paths (e.g., phar:///path/file.phar/inner). When input contains three or more slashes after the scheme, parse_url can return false, skipping the check and allowing phar wrap...

9.2CVSS5.9AI score0.00351EPSS
Exploits1References1
NVD
NVDadded 5 days ago7 views

CVE-2026-49286

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so PHAR://, Phar://, etc...

8.1CVSS0.00555EPSS
Exploits0References4
Cvelist
Cvelistadded 5 days ago15 views

CVE-2026-49286 PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so PHAR://, Phar://, etc...

8.1CVSS0.00555EPSS
Exploits0References4
Positive Technologies
Positive Technologiesadded 5 days ago9 views

PT-2026-50999

Name of the Vulnerable Software and Affected Versions PhpWeasyPrint versions prior to 2.6.0 Description PhpWeasyPrint is a PHP library used for generating PDFs from HTML pages or URLs. The software uses a case-sensitive blacklist to protect output filenames against the phar:// stream wrapper...

8.1CVSS6.2AI score0.00555EPSS
Exploits0References7
Github Security Blog
Github Security Blogadded 2026/06/08 11:0 p.m.10 views

PHPSpreadsheet has a patch bypass for CVE-2026-34084

Summary CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parseurl$filename, PHPURLSCHEME and then checks isstring$scheme && strlen$scheme 1 to reject stream wrappers such as phar://, php://, data:// or expect://. The check is not equivalent to "does the path conta...

9.8CVSS5.7AI score0.00712EPSS
Exploits2References3Affected Software1
OSV
OSVadded 2026/06/08 11:0 p.m.6 views

GHSA-87M4-826X-3CRX PHPSpreadsheet has a patch bypass for CVE-2026-34084

Summary CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parseurl$filename, PHPURLSCHEME and then checks isstring$scheme && strlen$scheme 1 to reject stream wrappers such as phar://, php://, data:// or expect://. The check is not equivalent to "does the path conta...

9.2CVSS5.7AI score0.00351EPSS
Exploits1References3
Positive Technologies
Positive Technologiesadded 2026/06/08 12:0 a.m.20 views

PT-2026-47606

Name of the Vulnerable Software and Affected Versions PhpSpreadsheet versions prior to 1.30.5 Description An issue exists in the File::prohibitWrappers function where the use of parse url to detect stream wrappers can be bypassed. When an input contains three or more slashes after the scheme e.g....

9.2CVSS6.5AI score0.00351EPSS
Exploits1References6
RedhatCVE
RedhatCVEadded 2026/06/05 7:22 p.m.6 views

CVE-2026-34084

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

9.8CVSS6.2AI score0.00712EPSS
Exploits1References1
NVD
NVDadded 2026/05/05 8:16 p.m.10 views

CVE-2026-34084

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

9.8CVSS0.00712EPSS
Exploits1References1
Cvelist
Cvelistadded 2026/05/05 7:22 p.m.36 views

CVE-2026-34084 PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

9.2CVSS0.00712EPSS
Exploits1References1
OSV
OSVadded 2026/04/29 8:22 p.m.2 views

GHSA-Q4Q6-R8WH-5CGH PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled

The usage of isfile, used to verify if the $filename is indeed an actual file, by all? Reader implementations inside the helper function File::assertFile is php-wrapper aware, for any php wrappers implementing stat. The 3 wrappers ftp://, phar:// and ssh2.sftp://, all satisfy this requirement - 2...

9.2CVSS5.8AI score0.00712EPSS
Exploits1References4
Github Security Blog
Github Security Blogadded 2026/04/29 8:22 p.m.7 views

PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled

The usage of isfile, used to verify if the $filename is indeed an actual file, by all? Reader implementations inside the helper function File::assertFile is php-wrapper aware, for any php wrappers implementing stat. The 3 wrappers ftp://, phar:// and ssh2.sftp://, all satisfy this requirement - 2...

9.8CVSS5.7AI score0.00712EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologiesadded 2026/04/29 12:0 a.m.7 views

PT-2026-37096

Name of the Vulnerable Software and Affected Versions PhpSpreadsheet versions prior to 1.30.3 PhpSpreadsheet versions 2.0.0 through 2.1.14 PhpSpreadsheet versions 2.2.0 through 2.4.3 PhpSpreadsheet versions 3.3.0 through 3.10.3 PhpSpreadsheet versions 4.0.0 through 5.5.0 Description When the...

9.8CVSS6.4AI score0.00712EPSS
Exploits1References13
EUVD
EUVDadded 2025/10/07 12:30 a.m.3 views

EUVD-2020-0510

Malware in sbrugna...

9.8CVSS9.2AI score0.02597EPSS
Exploits0References8
EUVD
EUVDadded 2025/10/03 8:7 p.m.3 views

EUVD-2022-34703

Malicious code in bioql PyPI...

7.2CVSS7AI score0.01329EPSS
Exploits0References5
EUVD
EUVDadded 2025/10/03 8:7 p.m.3 views

EUVD-2022-34695

Malicious code in bioql PyPI...

8.8CVSS8.4AI score0.01207EPSS
Exploits0References4
EUVD
EUVDadded 2025/10/03 8:7 p.m.5 views

EUVD-2022-34707

Malicious code in bioql PyPI...

7.2CVSS6.5AI score0.00578EPSS
Exploits0References2
EUVD
EUVDadded 2025/10/03 8:7 p.m.6 views

EUVD-2022-34705

Malicious code in bioql PyPI...

8.8CVSS8.5AI score0.01762EPSS
Exploits0References6
Microsoft CVE
Microsoft CVEadded 2025/10/02 6:11 a.m.3 views

phar wrapper can occur dos when using quine gzip file

...

5.5CVSS7AI score0.00565EPSS
Exploits0
Rows per page
Query Builder