EPSS percentile: 88.8%
PhpSpreadsheet is vulnerable to XML external entity injection (XXE). The securityScan function does not handle enough encodings when it scans XML for XXE protection, so malicious XML encoded in UTF-7 bypasses the scan.
github.com/MewesK/TwigSpreadsheetBundle/issues/18
github.com/PHPOffice/PhpSpreadsheet/issues/771
www.bishopfox.com/news/2018/11/phpoffice-versions/
www.drupal.org/sa-contrib-2021-043