3 matches found
CVE-2026-45034 PhpSpreadsheet: File::prohibitWrappers bypass
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.5, CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parseurl$filename, PHPURLSCHEME and then checks isstring$scheme && strlen$scheme 1 to reject stream wrappers such as...
Exploit for CVE-2026-45034
🧨 PHPSpreadsheet Phar Deserialization Exploit Bypass pro...
PHPSpreadsheet has a patch bypass for CVE-2026-34084
Summary CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parseurl$filename, PHPURLSCHEME and then checks isstring$scheme && strlen$scheme 1 to reject stream wrappers such as phar://, php://, data:// or expect://. The check is not equivalent to "does the path conta...