Phpspreadsheet Security Vulnerabilities and Issues — Phpspreadsheet CVE List

Lucene search

PhpofficePhpspreadsheet

21 matches found

CVE•added 2018/11/14 11:29 a.m.•1076 views

CVE-2018-19277

securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file

8.8CVSS8.5AI score0.01872EPSS

CVE•added 2024/08/28 9:15 p.m.•65 views

CVE-2024-45048

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE-attack. This in turn allows attacker to obtain contents of local files, even if error reporting is muted. This vulnerability has been addr...

8.8CVSS7.2AI score0.00051EPSS

CVE•added 2024/11/18 5:15 p.m.•63 views

CVE-2024-47873

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the scan method and the findCharSet method can be bypassed by using UCS-...

7.5CVSS7.4AI score0.00045EPSS

CVE•added 2020/12/09 5:15 p.m.•60 views

CVE-2020-7776

This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is ret...

7.1CVSS6.2AI score0.00335EPSS

CVE•added 2019/11/07 3:15 p.m.•59 views

CVE-2019-12331

PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payloa...

8.8CVSS8.4AI score0.01872EPSS

CVE•added 2024/10/07 8:15 p.m.•58 views

CVE-2024-45293

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX...

7.5CVSS7.4AI score0.21472EPSS

CVE•added 2025/02/03 10:15 p.m.•52 views

CVE-2025-23210

phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1....

4.8CVSS6AI score0.0014EPSS

CVE•added 2025/01/20 4:15 p.m.•51 views

CVE-2025-22131

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

6.1CVSS5.7AI score0.0004EPSS

CVE•added 2024/08/28 9:15 p.m.•50 views

CVE-2024-45046

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker ma...

5.4CVSS5.3AI score0.00112EPSS

CVE•added 2025/01/03 5:15 p.m.•49 views

CVE-2024-56366

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the Accounting.php file. Using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.p...

8.3CVSS6AI score0.00059EPSS

CVE•added 2025/01/03 6:15 p.m.•49 views

CVE-2024-56410

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 ...

5.4CVSS5.5AI score0.00059EPSS

CVE•added 2025/01/03 4:15 p.m.•48 views

CVE-2024-56408

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file, which leads to the possibility of a cross-site scripting attack. Ver...

8.3CVSS6.1AI score0.00079EPSS

CVE•added 2025/01/03 5:15 p.m.•47 views

CVE-2024-56365

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the Downloader class. Using the /vendor/phpoffice/phpspreadsheet/samples/download.php scri...

8.3CVSS6AI score0.00059EPSS

CVE•added 2025/01/03 6:15 p.m.•47 views

CVE-2024-56411

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, ...

5.4CVSS5.5AI score0.00059EPSS

CVE•added 2024/11/18 8:15 p.m.•46 views

CVE-2024-48917

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported CVE-2024-47873, the regexes from the findCharSet method, which is used for determining the current enco...

7.5CVSS7.5AI score0.00045EPSS

CVE•added 2025/01/03 6:15 p.m.•45 views

CVE-2024-56412

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the libra...

5.4CVSS6AI score0.00059EPSS

CVE•added 2025/01/03 5:15 p.m.•44 views

CVE-2024-56409

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the Currency.php file. Using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php s...

8.3CVSS6AI score0.00059EPSS

CVE•added 2024/10/07 8:15 p.m.•39 views

CVE-2024-45292

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. \PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize "javascript:" URLs from hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1...

5.4CVSS5.3AI score0.00215EPSS

CVE•added 2024/10/07 9:15 p.m.•38 views

CVE-2024-45291

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with $writer->setEmbedImages(true); those files will be included i...

8.8CVSS7.1AI score0.00355EPSS

CVE•added 2024/10/07 9:15 p.m.•37 views

CVE-2024-45060

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected leading to formula injection. The code in in 45_Quadr...

7.1CVSS6.4AI score0.00227EPSS

CVE•added 2024/10/07 9:15 p.m.•35 views

CVE-2024-45290

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided pa...

7.7CVSS7.4AI score0.00174EPSS