
32 matches found

Snyk
added 2026/04/28 10:50 p.m., 6 views

Cross-site Scripting (XSS)

Overview: phpoffice/phpspreadsheet is a spreadsheet engine that reads, creates and writes spreadsheet documents in PHP. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the HTML generation process when a cell uses a custom number format containing the @ text placeholde...

CVSS 5.4 | AI score 5.8 | EPSS 0.00202
Exploits: 1 | References: 3

EUVD
added 2026/03/07 6:30 p.m., 4 views

EUVD-2026-10173

A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_document of the file source/detail/serialization/xlsx_consumer.cpp of the component XLSX File Parser. The manipulation leads to null pointer dereference. Th...

CVSS 4.8 | AI score 5.3 | EPSS 0.00205
Exploits: 1 | References: 7

NVD
added 2026/03/07 4:15 p.m., 7 views

CVE-2026-3665

A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_document of the file source/detail/serialization/xlsx_consumer.cpp of the component XLSX File Parser. The manipulation leads to null pointer dereference. Th...

CVSS 5.5 | EPSS 0.00205
Exploits: 1 | References: 6

EUVD
added 2026/03/07 3:30 p.m., 9 views

EUVD-2026-10155

A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Performing a manipulation results in out-of-bounds read. Th...

CVSS 4.8 | AI score 5.3 | EPSS 0.0017
Exploits: 1 | References: 8

CVE
added 2026/03/07 2:32 p.m., 7 views

CVE-2026-3663

The CVE-2026-3663 issue affects xlnt-community xlnt up to 1.6.1, specifically the xlnt::detail::compound_document_istreambuf::xsgetn function in source/detail/cryptography/compound_document.cpp of the XLSX File Parser. A manipulation can trigger an out-of-bounds read, with local access required. ...

CVSS 7.1 | AI score 5.3 | EPSS 0.0017
Exploits: 1 | References: 7 | Affected Software: 1

Positive Technologies
added 2026/03/07 12:00 a.m., 5 views

PT-2026-23859

A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Performing a manipulation results in out-of-bounds read...

CVSS 4.8 | AI score 5.3 | EPSS 0.0017
Exploits: 1 | References: 8

EUVD
added 2025/10/07 12:30 a.m., 20 views

EUVD-2019-0766

Malware in sbrugna...

CVSS 8.8 | AI score 8.6 | EPSS 0.07791
Exploits: 4 | References: 12

EUVD
added 2025/10/07 12:30 a.m., 5 views

EUVD-2021-1466

Malware in sbrugna...

CVSS 5.5 | AI score 5.8 | EPSS 0.0088
Exploits: 0 | References: 7

EUVD
added 2025/10/03 8:07 p.m., 6 views

EUVD-2024-2952

Malicious code in bioql PyPI...

CVSS 7.7 | AI score 6.3 | EPSS 0.00579
Exploits: 1 | References: 7

EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2023-38836

Malicious code in bioql PyPI...

CVSS 7.8 | AI score 7.5 | EPSS 0.00353
Exploits: 1 | References: 3

EUVD
added 2025/10/03 8:07 p.m., 5 views

EUVD-2022-31416

Malicious code in bioql PyPI...

CVSS 8 | AI score 7.9 | EPSS 0.00556
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 10:39 a.m., 7 views

CVE-2024-45291

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with $writer->setEmbedImages(true); those files will be included in th...

CVSS 8.8 | AI score 7.7 | EPSS 0.00792
Exploits: 1

RedhatCVE
added 2025/02/05 3:30 a.m., 6 views

CVE-2024-45290

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided...

CVSS 7.7 | AI score 6.5 | EPSS 0.00579
Exploits: 1 | References: 1

Cvelist
added 2025/01/20 3:31 p.m., 29 views

CVE-2025-22131 Cross-Site Scripting (XSS) vulnerability in generateNavigation() function

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into an HTML representation and displays it in the response...

CVSS 5.1 | EPSS 0.00371
Exploits: 4 | References: 2

Cvelist
added 2024/10/07 8:09 p.m., 23 views

CVE-2024-45291 Path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled in PHPSpreadsheet

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with $writer->setEmbedImages(true); those files will be included in th...

CVSS 6.3 | EPSS 0.00792
Exploits: 1 | References: 1

Github Security Blog
added 2024/08/29 5:58 p.m., 28 views

XXE in PHPSpreadsheet encoding is returned

Summary: Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack). Details: The check $pattern = '/encoding=".?"/'; is easy to bypass. Just use a single quote symbol '. So payload looks like this:...

CVSS 8.8 | AI score 6.7 | EPSS 0.0057
Exploits: 1 | References: 4 | Affected Software: 2

Cvelist
added 2024/08/02 12:00 a.m., 19 views

CVE-2024-41518

An Incorrect Access Control vulnerability in "/admin/programm//export/statistics" in Feripro = v2.2.3 allows remote attackers to export an XLSX file with information about registrations and participants...

EPSS 0.0065
Exploits: 0 | References: 3

Vulnrichment
added 2024/08/02 12:00 a.m., 14 views

CVE-2024-41518

An Incorrect Access Control vulnerability in "/admin/programm//export/statistics" in Feripro = v2.2.3 allows remote attackers to export an XLSX file with information about registrations and participants...

AI score 7.5 | EPSS 0.0065
Exploits: 0 | References: 3

CVE
added 2024/08/02 12:00 a.m., 27 views

CVE-2024-41518

CVE-2024-41518 concerns Feripro prior to 2.2.3, where an Incorrect Access Control flaw in the endpoint /admin/programm//export/statistics allows remote attackers to export an XLSX file containing registrations and participant information. The Red Hat and NVD entries corroborate the same path and ...

CVSS 7.5 | AI score 6.8 | EPSS 0.0065
Exploits: 0 | References: 3 | Affected Software: 1

BDU FSTEC
added 2023/08/21 12:00 a.m., 6 views

The vulnerability of the NPM package SheetJS Community Edition lies in the uncontrolled modification of prototype attributes, allowing an attacker to execute a “prototype pollution” attack.

The vulnerability of the SheetJS Community Edition NPM package is related to uncontrolled changes to prototype attributes of objects. Exploiting this vulnerability could allow a malicious actor to execute a “prototype pollution” attack using a specially crafted xlsx file...

CVSS 10 | AI score 7.3 | EPSS 0.00988
Exploits: 1 | References: 3 | Affected Software: 1