Security Advisories - phpoffice/phpspreadsheet - Packagist

phpoffice/phpspreadsheet Security Advisories for 3.3.0 (11)

[MEDIUM] PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters

PKSA-8b16-mcgz-h4cz CVE-2025-23210 GHSA-r57h-547h-w24f

Affected version: >=2.0.0,<2.1.8|>=2.2.0,<2.3.7|<1.29.9|>=3.0.0,<3.9.0

Reported by:
GitHub
[MEDIUM] Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet

PKSA-s99r-9yxm-hjvt CVE-2025-22131 GHSA-79xx-vf93-p7cx

Affected version: >=2.2.0,<2.3.6|>=2.0.0,<2.1.7|<1.29.8|>=3.0.0,<3.8.0

Reported by:
GitHub
[MEDIUM] PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters

PKSA-7jd6-nb49-bz4v CVE-2024-56412 GHSA-q9jv-mm3r-j47r

Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0

Reported by:
GitHub
[MEDIUM] PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header

PKSA-nm34-xhtz-ww9p CVE-2024-56411 GHSA-hwcp-2h35-p66w

Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0

Reported by:
GitHub
[MEDIUM] PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties

PKSA-4ckb-wpj6-c29d CVE-2024-56410 GHSA-wv23-996v-q229

Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0

Reported by:
GitHub
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file

PKSA-ybqb-vyrq-8pdt CVE-2024-56409 GHSA-j2xg-cjcx-4677

Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0

Reported by:
GitHub
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file

PKSA-285y-y5bt-kvd9 CVE-2024-56366 GHSA-c6fv-7vh8-2rhr

Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0

Reported by:
GitHub
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class

PKSA-jw5c-q9nd-tzj9 CVE-2024-56365 GHSA-jmpx-686v-c3wx

Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0

Reported by:
GitHub
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file

PKSA-bcnb-9tc9-bjb8 CVE-2024-56408 GHSA-x88g-h956-m5xg

Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0

Reported by:
GitHub
[HIGH] XXE in PHPSpreadsheet's XLSX reader

PKSA-gst3-cdk3-bpqt CVE-2024-48917 GHSA-7cc9-j4mv-vcjp

Affected version: >=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4

Reported by:
GitHub
[HIGH] XmlScanner bypass leads to XXE

PKSA-dbrb-pvhs-h3st CVE-2024-47873 GHSA-jw4x-v69f-hh5w

Affected version: >=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4

Reported by:
GitHub