
10 matches found

CVE
added 2026/05/06 8:48 p.m. · 11 views

CVE-2026-40296

PhpSpreadsheet is affected by a stored XSS in the HTML writer when a cell uses a custom number format containing the text placeholder @. If the formatted value diverges from the original value (e.g., formats like ". @", "@ ", or "x@"), htmlspecialchars() escaping is skipped, allowing unescaped HT...

CVSS 5.4 · AI score 5.4 · EPSS 0.00012
Exploits 1 · References 1 · Affected Software 1

Positive Technologies
added 2026/04/29 12:0 a.m. · 2 views

PT-2026-37096

Name of the Vulnerable Software and Affected Versions: PhpSpreadsheet versions prior to 1.30.3; PhpSpreadsheet versions 2.0.0 through 2.1.14; PhpSpreadsheet versions 2.2.0 through 2.4.3; PhpSpreadsheet versions 3.3.0 through 3.10.3; PhpSpreadsheet versions 4.0.0 through 5.5.0. Description: When the...

CVSS 9.8 · AI score 6.4 · EPSS 0.00226
Exploits 1 · References 10

CVE
added 2025/10/16 4:48 p.m. · 9 views

CVE-2025-58051

CVE-2025-58051 affects Nextcloud Tables. Prior to versions 0.7.6, 0.8.8, and 0.9.5, the app allowed a user importing a table to specify server files; if the file format is supported by PhpSpreadsheet, the file content could be leaked to the user via path traversal. This is a server-side disclosur...

CVSS 6.5 · AI score 6.4 · EPSS 0.00015
Exploits 0 · References 3

RedhatCVE
added 2025/08/30 6:17 p.m. · 1 views

CVE-2025-54370

PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the...

CVSS 8.7 · AI score 6.4 · EPSS 0.00137
Exploits 0 · References 1

OSV
added 2025/08/25 2:8 p.m. · 1 views

CVE-2025-54370 PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser

PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the...

CVSS 8.7 · AI score 6.6 · EPSS 0.00137
Exploits 0 · References 8

RedhatCVE
added 2025/05/23 9:9 a.m. · 1 views

CVE-2024-56365

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the Downloader class. Using the /vendor/phpoffice/phpspreadsheet/samples/download.php...

CVSS 8.3 · AI score 6.3 · EPSS 0.00905
Exploits 1 · References 1

RedhatCVE
added 2025/05/23 9:8 a.m. · 2 views

CVE-2024-56412

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the...

CVSS 5.4 · AI score 6.2 · EPSS 0.0031
Exploits 1 · References 1

Snyk
added 2024/11/18 8:42 p.m. · 2 views

XML External Entity (XXE) Injection

Overview: phpoffice/phpspreadsheet is a spreadsheet engine that reads, creates and writes spreadsheet documents in PHP. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the scan method in the XmlScanner class. Exploiting this vulnerability is possible when...

CVSS 8.7 · AI score 7.6 · EPSS 0.00173
Exploits 1 · References 2

Positive Technologies
added 2024/09/17 12:0 a.m. · 1 views

PT-2024-40087 · Unknown +1 · Phpspreadsheet +1

Name of the Vulnerable Software and Affected Versions: Kimai versions: affected versions not specified; PHPSpreadsheet versions: affected versions not specified. Description: The issue is related to an XXE vulnerability in PHPSpreadsheet, which is used by Kimai for importing and exporting invoices...

CVSS 8.5 · AI score 7
Exploits 0 · References 5

OSV
added 2021/10/13 4:32 p.m. · 1 views

DRUPAL-CONTRIB-2021-043

This module enables aklump/loft_data_grids to be used as a Drupal module. Excel support was provided by , which is abandoned and there are known security vulnerabilities: CVE-2018-19277: PHPOffice/PhpSpreadsheet771. Excel support has since been replaced with the newer library. This module provide...

AI score 6.9
Exploits 0 · References 1