phpoffice/phpspreadsheet vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

| CVE-ID | Severity | Package summary |
|---|---|---|
| CVE-2026-45034 | Critical | phpoffice/phpspreadsheet: PHPSpreadsheet has a patch bypass for CVE-2026-34084 |
| CVE-2026-40902 | High | phpoffice/phpspreadsheet: PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions |
| CVE-2026-40863 | High | phpoffice/phpspreadsheet: PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader |
| CVE-2026-34084 | Critical | phpoffice/phpspreadsheet: PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled |
| CVE-2026-40296 | Medium | phpoffice/phpspreadsheet: PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in… |
| CVE-2026-35453 | Medium | phpoffice/phpspreadsheet: PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer |
| CVE-2025-54370 | High | phpoffice/phpspreadsheet: PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the… |
| CVE-2025-23210 | Medium | phpoffice/phpspreadsheet: PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special… |
| CVE-2025-22131 | Medium | phpoffice/phpspreadsheet: Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet |
| CVE-2024-56412 | Medium | phpoffice/phpspreadsheet: PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters |
| CVE-2024-56411 | Medium | phpoffice/phpspreadsheet: PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML… |
| CVE-2024-56410 | Medium | phpoffice/phpspreadsheet: PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties |
| CVE-2024-56409 | High | phpoffice/phpspreadsheet: PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file |
| CVE-2024-56366 | High | phpoffice/phpspreadsheet: PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file |
| CVE-2024-56365 | High | phpoffice/phpspreadsheet: PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class |
| CVE-2024-56408 | High | phpoffice/phpspreadsheet: PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file |
| CVE-2024-48917 | High | phpoffice/phpspreadsheet: XXE in PHPSpreadsheet's XLSX reader |
| CVE-2024-47873 | High | phpoffice/phpspreadsheet: XmlScanner bypass leads to XXE |
| CVE-2024-45293 | High | phpoffice/phpspreadsheet: XXE in PHPSpreadsheet's XLSX reader |
| CVE-2024-45292 | Medium | phpoffice/phpspreadsheet: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks |
| CVE-2024-45291 | Medium | phpoffice/phpspreadsheet: PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when… |
| CVE-2024-45290 | High | phpoffice/phpspreadsheet: PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file |
| CVE-2024-45060 | Medium | phpoffice/phpspreadsheet: PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file |
| CVE-2024-45048 | High | phpoffice/phpspreadsheet: XXE in PHPSpreadsheet encoding is returned |
| CVE-2024-45046 | Medium | phpoffice/phpspreadsheet: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information |
