phpoffice/phpspreadsheet Security Advisories for 1.0.0-beta2 (21)
-
[MEDIUM] PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters
PKSA-8b16-mcgz-h4cz CVE-2025-23210 GHSA-r57h-547h-w24f
Affected version: >=2.0.0,<2.1.8|>=2.2.0,<2.3.7|<1.29.9|>=3.0.0,<3.9.0
Reported by:
GitHub -
[MEDIUM] Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
PKSA-s99r-9yxm-hjvt CVE-2025-22131 GHSA-79xx-vf93-p7cx
Affected version: >=2.2.0,<2.3.6|>=2.0.0,<2.1.7|<1.29.8|>=3.0.0,<3.8.0
Reported by:
GitHub -
[MEDIUM] PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters
PKSA-7jd6-nb49-bz4v CVE-2024-56412 GHSA-q9jv-mm3r-j47r
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[MEDIUM] PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header
PKSA-nm34-xhtz-ww9p CVE-2024-56411 GHSA-hwcp-2h35-p66w
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[MEDIUM] PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties
PKSA-4ckb-wpj6-c29d CVE-2024-56410 GHSA-wv23-996v-q229
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
PKSA-ybqb-vyrq-8pdt CVE-2024-56409 GHSA-j2xg-cjcx-4677
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file
PKSA-285y-y5bt-kvd9 CVE-2024-56366 GHSA-c6fv-7vh8-2rhr
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class
PKSA-jw5c-q9nd-tzj9 CVE-2024-56365 GHSA-jmpx-686v-c3wx
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
PKSA-bcnb-9tc9-bjb8 CVE-2024-56408 GHSA-x88g-h956-m5xg
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[HIGH] XXE in PHPSpreadsheet's XLSX reader
PKSA-gst3-cdk3-bpqt CVE-2024-48917 GHSA-7cc9-j4mv-vcjp
Affected version: >=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4
Reported by:
GitHub -
[HIGH] XmlScanner bypass leads to XXE
PKSA-dbrb-pvhs-h3st CVE-2024-47873 GHSA-jw4x-v69f-hh5w
Affected version: >=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4
Reported by:
GitHub -
[HIGH] XXE in PHPSpreadsheet's XLSX reader
PKSA-mkg2-1wyw-57y7 CVE-2024-45293 GHSA-6hwr-6v2f-3m88
Affected version: >=2.0.0,<2.1.1|<1.29.1|>=2.2.0,<2.3.0
Reported by:
GitHub -
[MEDIUM] PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks
PKSA-p1pj-q951-6f1x CVE-2024-45292 GHSA-r8w8-74ww-j4wh
Affected version: >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0
Reported by:
GitHub -
[MEDIUM] PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled
PKSA-7f9v-sb8k-krfb CVE-2024-45291 GHSA-w9xv-qf98-ccq4
Affected version: >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0
Reported by:
GitHub -
[HIGH] PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file
PKSA-xk3k-rd1m-pxmg CVE-2024-45290 GHSA-5gpr-w2p5-6m37
Affected version: >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0
Reported by:
GitHub -
[MEDIUM] PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file
PKSA-dvbq-8ft2-ngrw CVE-2024-45060 GHSA-v66g-p9x6-v98p
Affected version: >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0
Reported by:
GitHub -
[HIGH] XXE in PHPSpreadsheet encoding is returned
PKSA-xp7t-fbrb-qjv4 CVE-2024-45048 GHSA-ghg6-32f9-2jp7
Affected version: >=2.0.0,<2.1.1|>=2.2.0,<2.2.1|<1.29.1
Reported by:
GitHub -
[MEDIUM] PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information
PKSA-m4hk-rk8p-4t5p CVE-2024-45046 GHSA-wgmf-q9vr-vww6
Affected version: <1.29.1|>=2.0.0,<2.1.0
Reported by:
GitHub -
[MEDIUM] XSS Vulnerability in HTML Writer
PKSA-xgcn-ywd7-3wqn CVE-2020-7776 GHSA-4mqv-gcr3-pff9
Affected version: <1.16.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] XXE Vulnerability
PKSA-zdkr-vbc6-f2vy CVE-2019-12331 GHSA-vvwv-h69m-wg6f
Affected version: <1.8.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] XXE Vulnerability
PKSA-v15t-c7gz-7kpt CVE-2018-19277 GHSA-xcrg-29h7-h4cj
Affected version: <=1.5.0
Reported by:
GitHub, FriendsOfPHP/security-advisories