VIR Vulnerability Intelligence Relay

Package impact

php Packagist / phpoffice/phpspreadsheet

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-34084 critical 9.8 9.8 1mo ago PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
CVE-2026-40902 high 7.5 7.5 1mo ago PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
CVE-2026-40863 high 7.5 7.5 1mo ago PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
CVE-2026-40296 medium 5.4 5.4 1mo ago PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer
CVE-2026-35453 medium 5.4 5.4 1mo ago PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer
CVE-2018-19277 unknown 1.0 7y ago XXE in PHPSpreadsheet due to encoding issue
CVE-2025-54370 unknown 9mo ago PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser
CVE-2025-23210 unknown 1y ago PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters
CVE-2025-22131 unknown 1y ago Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
CVE-2024-56412 unknown 1y ago PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters
CVE-2024-56411 unknown 1y ago PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header
CVE-2024-56410 unknown 1y ago PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties
CVE-2024-56409 unknown 1y ago PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
CVE-2024-56366 unknown 1y ago PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file
CVE-2024-56365 unknown 1y ago PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class
CVE-2024-56408 unknown 1y ago PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
CVE-2024-48917 unknown 2y ago XXE in PHPSpreadsheet's XLSX reader
CVE-2024-47873 unknown 2y ago XmlScanner bypass leads to XXE
CVE-2024-45293 unknown 2y ago XXE in PHPSpreadsheet's XLSX reader
CVE-2024-45292 unknown 2y ago PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks
CVE-2024-45291 unknown 2y ago PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled
CVE-2024-45290 unknown 2y ago PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file
CVE-2024-45060 unknown 2y ago PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file
CVE-2024-45048 unknown 2y ago XXE in PHPSpreadsheet encoding is returned
CVE-2024-45046 unknown 2y ago PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information
CVE-2020-7776 unknown 5y ago Cross-site scripting in phpoffice/phpspreadsheet
CVE-2019-12331 unknown 7y ago XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue