Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/phpoffice/phpspreadsheet@3.7.0
purl pkg:composer/phpoffice/phpspreadsheet@3.7.0
Next non-vulnerable version 3.10.5
Latest non-vulnerable version 5.7.0
Risk 4.5
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-b755-j9km-cfgf
Aliases:
CVE-2025-23210
GHSA-r57h-547h-w24f
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
3.9.0
Affected by 6 other vulnerabilities.
VCID-bv2n-rthc-h3ar
Aliases:
CVE-2026-34084
GHSA-q4q6-r8wh-5cgh
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.
3.10.4
Affected by 4 other vulnerabilities.
5.6.0
Affected by 4 other vulnerabilities.
VCID-ccuv-g8wh-1ybh
Aliases:
CVE-2026-40902
GHSA-7c6m-4442-2x6m
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a minimal XLSX file (~1.6KB) containing a <row r="999999999"/> element that inflates cachedHighestRow to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
3.10.5
Affected by 0 other vulnerabilities.
5.7.0
Affected by 0 other vulnerabilities.
VCID-nuf2-c8f7-x3hp
Aliases:
CVE-2026-40863
GHSA-84wq-86v6-x5j6
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
3.10.5
Affected by 0 other vulnerabilities.
5.7.0
Affected by 0 other vulnerabilities.
VCID-pvr2-uryz-wydb
Aliases:
CVE-2026-35453
GHSA-6wpp-88cp-7q68
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
3.10.5
Affected by 0 other vulnerabilities.
5.7.0
Affected by 0 other vulnerabilities.
VCID-q8sj-ph4s-xbdt
Aliases:
CVE-2025-54370
GHSA-rx7m-68vc-ppxh
PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.
3.10.0
Affected by 5 other vulnerabilities.
5.0.0
Affected by 5 other vulnerabilities.
VCID-yk82-b7dm-r3fz
Aliases:
CVE-2025-22131
GHSA-79xx-vf93-p7cx
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.
3.8.0
Affected by 7 other vulnerabilities.
VCID-zn8r-355x-h3az
Aliases:
CVE-2026-40296
GHSA-hrmw-qprp-wgmc
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.
3.10.5
Affected by 0 other vulnerabilities.
5.7.0
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (7)
Vulnerability Summary Aliases
VCID-5y3a-g167-cfcc PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. CVE-2024-56409
GHSA-j2xg-cjcx-4677
VCID-7ems-eufh-fbfa PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. CVE-2024-56410
GHSA-wv23-996v-q229
VCID-djyw-zdtt-w3bh PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. CVE-2024-56411
GHSA-hwcp-2h35-p66w
VCID-j7nc-f2fc-zbgj PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. CVE-2024-56408
GHSA-x88g-h956-m5xg
VCID-kmuj-5s89-eybd PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. CVE-2024-56365
GHSA-jmpx-686v-c3wx
VCID-ug83-4nag-xye6 PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. CVE-2024-56366
GHSA-c6fv-7vh8-2rhr
VCID-wnr2-svnk-zqaz PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. CVE-2024-56412
GHSA-q9jv-mm3r-j47r

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T22:15:43.542082+00:00 GitLab Importer Affected by VCID-ccuv-g8wh-1ybh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-40902.yml 38.6.0
2026-06-12T22:15:31.404465+00:00 GitLab Importer Affected by VCID-nuf2-c8f7-x3hp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-40863.yml 38.6.0
2026-06-12T22:15:06.351772+00:00 GitLab Importer Affected by VCID-bv2n-rthc-h3ar https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-34084.yml 38.6.0
2026-06-12T22:14:28.013270+00:00 GitLab Importer Affected by VCID-zn8r-355x-h3az https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-40296.yml 38.6.0
2026-06-12T22:14:23.406979+00:00 GitLab Importer Affected by VCID-pvr2-uryz-wydb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2026-35453.yml 38.6.0
2026-06-12T20:12:43.181124+00:00 GitLab Importer Affected by VCID-q8sj-ph4s-xbdt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2025-54370.yml 38.6.0
2026-06-12T19:51:18.247007+00:00 GitLab Importer Affected by VCID-b755-j9km-cfgf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2025-23210.yml 38.6.0
2026-06-12T19:50:34.391878+00:00 GitLab Importer Affected by VCID-yk82-b7dm-r3fz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2025-22131.yml 38.6.0
2026-06-12T19:49:07.103075+00:00 GitLab Importer Fixing VCID-kmuj-5s89-eybd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2024-56365.yml 38.6.0
2026-06-12T19:49:06.630372+00:00 GitLab Importer Fixing VCID-j7nc-f2fc-zbgj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2024-56408.yml 38.6.0
2026-06-12T19:49:05.969558+00:00 GitLab Importer Fixing VCID-ug83-4nag-xye6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2024-56366.yml 38.6.0
2026-06-12T19:49:05.331630+00:00 GitLab Importer Fixing VCID-wnr2-svnk-zqaz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2024-56412.yml 38.6.0
2026-06-12T19:49:04.699666+00:00 GitLab Importer Fixing VCID-5y3a-g167-cfcc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2024-56409.yml 38.6.0
2026-06-12T19:49:04.205403+00:00 GitLab Importer Fixing VCID-djyw-zdtt-w3bh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2024-56411.yml 38.6.0
2026-06-12T19:49:03.712590+00:00 GitLab Importer Fixing VCID-7ems-eufh-fbfa https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/phpoffice/phpspreadsheet/CVE-2024-56410.yml 38.6.0
2026-06-12T07:53:13.427747+00:00 GithubOSV Importer Fixing VCID-djyw-zdtt-w3bh https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-hwcp-2h35-p66w/GHSA-hwcp-2h35-p66w.json 38.6.0
2026-06-12T07:53:09.329272+00:00 GithubOSV Importer Fixing VCID-wnr2-svnk-zqaz https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-q9jv-mm3r-j47r/GHSA-q9jv-mm3r-j47r.json 38.6.0
2026-06-12T07:53:08.625909+00:00 GithubOSV Importer Fixing VCID-ug83-4nag-xye6 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c6fv-7vh8-2rhr/GHSA-c6fv-7vh8-2rhr.json 38.6.0
2026-06-12T07:53:06.531709+00:00 GithubOSV Importer Fixing VCID-kmuj-5s89-eybd https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-jmpx-686v-c3wx/GHSA-jmpx-686v-c3wx.json 38.6.0
2026-06-12T07:53:05.996911+00:00 GithubOSV Importer Fixing VCID-7ems-eufh-fbfa https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-wv23-996v-q229/GHSA-wv23-996v-q229.json 38.6.0
2026-06-12T07:53:05.655292+00:00 GithubOSV Importer Fixing VCID-j7nc-f2fc-zbgj https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-x88g-h956-m5xg/GHSA-x88g-h956-m5xg.json 38.6.0
2026-06-12T07:53:03.452653+00:00 GithubOSV Importer Fixing VCID-5y3a-g167-cfcc https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-j2xg-cjcx-4677/GHSA-j2xg-cjcx-4677.json 38.6.0