PhpSpreadsheet — Vulnerabilities & Security Advisories 19

All 19 CVE vulnerabilities found in PhpSpreadsheet, with AI-generated Chinese analysis, references, and POCs.

Vendor: PHPOffice

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-54370 | PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser | CWE-918 | 9.8 (AI) | Critical (AI) | 2025-08-25 |
| CVE-2025-23210 | Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet | CWE-79 | 6.1 | - | 2025-02-03 |
| CVE-2025-22131 | Cross-Site Scripting (XSS) vulnerability in generateNavigation() function | CWE-79 | 6.1 | - | 2025-01-20 |
| CVE-2024-56412 | PhpSpreadsheet vulnerable to bypass of the XSS sanitizer using the javascript protocol and special characters | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56411 | PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56410 | PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability in custom properties | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56409 | PhpSpreadsheet vulnerable to unauthorized reflected XSS in Currency.php file | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56366 | PhpSpreadsheet vulnerable to unauthorized reflected XSS in the Accounting.php file | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56365 | PhpSpreadsheet vulnerable to unauthorized reflected XSS in the constructor of the Downloader class | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56408 | PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-48917 | XXE in PHPSpreadsheet's XLSX reader | CWE-611 | 7.5 | High | 2024-11-18 |
| CVE-2024-47873 | PhpSpreadsheet XmlScanner bypass leads to XXE | CWE-611 | 7.5 | High | 2024-11-18 |
| CVE-2024-45060 | Unauthenticated Cross-Site-Scripting (XSS) in sample file in PHPSpreadsheet | CWE-79 | 7.1 | High | 2024-10-07 |
| CVE-2024-45290 | Path traversal and Server-Side Request Forgery when opening XLSX files in PHPSpreadsheet | CWE-36 | 7.7 | High | 2024-10-07 |
| CVE-2024-45291 | Path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled in PHPSpreadsheet | CWE-36 | 6.3 | Medium | 2024-10-07 |
| CVE-2024-45292 | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks | CWE-79 | 5.4 | Medium | 2024-10-07 |
| CVE-2024-45293 | XML External Entity Reference (XXE) in PHPSpreadsheet's XLSX reader | CWE-611 | 7.5 | High | 2024-10-07 |
| CVE-2024-45046 | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information | CWE-79 | 5.4 | Medium | 2024-08-28 |
| CVE-2024-45048 | XML External Entity Reference (XXE) in PHPSpreadsheet | CWE-611 | 8.8 | High | 2024-08-28 |

All 19 known CVE vulnerabilities affecting PhpSpreadsheet with full Chinese analysis, references, and POCs where available.