from 0, < 1.29.1
HIGH 8.8 CVE-2019-12331 XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue
from 0, < 1.8.0
from 0, < 1.5.1
HIGH 7.7 PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file
>= 2.2.0, < 2.3.0
HIGH 7.5 PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
>= 4.0.0, < 5.7.0
HIGH 7.5 PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
>= 4.0.0, < 5.7.0
HIGH 7.5 XXE in PHPSpreadsheet's XLSX reader
from 0, < 1.29.4
HIGH 7.5 XmlScanner bypass leads to XXE
from 0, < 1.29.4
HIGH 7.5 XXE in PHPSpreadsheet's XLSX reader
>= 2.2.0, < 2.3.0
HIGH 7.1 PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
>= 3.0.0, < 3.7.0
HIGH 7.1 PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file
>= 3.0.0, < 3.7.0
HIGH 7.1 PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class
>= 3.0.0, < 3.7.0
HIGH 7.1 PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
>= 3.0.0, < 3.7.0
MEDIUM 6.4 Cross-site scripting in phpoffice/phpspreadsheet
from 0, < 1.16.0
MEDIUM 6.3 PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled
>= 2.2.0, < 2.3.0
MEDIUM 6.1 Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
>= 3.0.0, < 3.8.0
MEDIUM 6.1 PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file
>= 2.2.0, < 2.3.0
MEDIUM 5.4 PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer
>= 4.0.0, < 5.7.0
MEDIUM 5.4 PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters
>= 3.0.0, < 3.9.0
MEDIUM 5.4 PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters
>= 3.0.0, < 3.7.0
MEDIUM 5.4 PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header
>= 3.0.0, < 3.7.0
MEDIUM 5.4 PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties
>= 3.0.0, < 3.7.0
MEDIUM 5.4 PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks
>= 2.2.0, < 2.3.0
MEDIUM 5.4 PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information
>= 2.0.0, < 2.1.0
— PHPSpreadsheet has a patch bypass for CVE-2026-34084
from 0, < 1.30.5
— PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
>= 4.0.0, < 5.6.0
— PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer
>= 4.0.0, < 5.7.0
— PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser
from 0, < 1.30.0