CVE-2026-34084

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

CVE-2026-34084 PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled

The usage of isfile, used to verify if the $filename is indeed an actual file, by all? Reader implementations inside the helper function File::assertFile is php-wrapper aware, for any php wrappers implementing stat. The 3 wrappers ftp://, phar:// and ssh2.sftp://, all satisfy this requirement - 2...

GHSA-Q4Q6-R8WH-5CGH PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled

The usage of isfile, used to verify if the $filename is indeed an actual file, by all? Reader implementations inside the helper function File::assertFile is php-wrapper aware, for any php wrappers implementing stat. The 3 wrappers ftp://, phar:// and ssh2.sftp://, all satisfy this requirement - 2...

PT-2026-37096

Name of the Vulnerable Software and Affected Versions PhpSpreadsheet versions prior to 1.30.3 PhpSpreadsheet versions 2.0.0 through 2.1.14 PhpSpreadsheet versions 2.2.0 through 2.4.3 PhpSpreadsheet versions 3.3.0 through 3.10.3 PhpSpreadsheet versions 4.0.0 through 5.5.0 Description When the...

EUVD-2020-0510

Malware in sbrugna...

EUVD-2022-34703

Malicious code in bioql PyPI...

EUVD-2022-34707

Malicious code in bioql PyPI...

EUVD-2022-34705

Malicious code in bioql PyPI...

EUVD-2022-34695

Malicious code in bioql PyPI...

phar wrapper can occur dos when using quine gzip file

...

Linux Distros Unpatched Vulnerability : CVE-2018-17057

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper. CVE-2018-17057 Note that Nessus...

Linux Distros Unpatched Vulnerability : CVE-2019-6339

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar...

BIT-LIBPHP-2022-31628 phar wrapper can occur dos when using quine gzip file

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop...

CVE-2022-2436

The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'filepackagedir' parameter in versions up to, and including 3.2.49. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper tha...

CVE-2022-2442

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including 0.9.74. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper...

CVE-2022-2433

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'almrepeatersexport' parameter in versions up to, and including 5.5.3. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they...

CVE-2022-2444

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remotedata' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call...

CVE-2022-2439

The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'uploadfile' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using...

CVE-2022-2446

The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'currentthemeroot' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will...