PHPOffice — Vulnerabilities & Security Advisories (23)

Browse all 23 CVE security advisories affecting PHPOffice. AI-powered Chinese analysis, POCs, and references for each vulnerability.

PHPOffice is an open-source PHP library suite designed to read and write various file formats, including Microsoft Office documents, PDFs, and spreadsheets. Its primary utility lies in enabling web applications to generate or manipulate office documents without external dependencies. Historically, the project has faced numerous security challenges, with twenty-two Common Vulnerabilities and Exposures (CVEs) documented. These incidents predominantly involve remote code execution, cross-site scripting, and improper input validation within parsers for legacy formats like OLE2 and HTML. While modern versions have improved sanitization, the complexity of parsing diverse document structures continues to introduce risks. Notable incidents often stem from deserialization flaws or buffer overflows in older components. Developers are advised to maintain strict input validation and keep dependencies updated to mitigate these persistent threats associated with handling untrusted document data.

Top products by PHPOffice: PhpSpreadsheet, Math

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40296 | PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes | PhpSpreadsheet | CWE-79 | 5.4 | Medium | 2026-05-06 |
| CVE-2026-35453 | PhpSpreadsheet XSS via number format text substitution in HTML Writer | PhpSpreadsheet | CWE-79 | - | - | 2026-05-05 |
| CVE-2026-34084 | PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load | PhpSpreadsheet | CWE-502 | - | - | 2026-05-05 |
| CVE-2025-54370 | PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser | PhpSpreadsheet | CWE-918 | 9.8 (AI) | Critical (AI) | 2025-08-25 |
| CVE-2025-48882 | PHPOffice Math allows XXE when processing an XML file in the MathML format | Math | CWE-611 | 9.8 (AI) | Critical (AI) | 2025-05-30 |
| CVE-2025-23210 | Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet | PhpSpreadsheet | CWE-79 | 6.1 | - | 2025-02-03 |
| CVE-2025-22131 | Cross-Site Scripting (XSS) vulnerability in generateNavigation() function | PhpSpreadsheet | CWE-79 | 6.1 | - | 2025-01-20 |
| CVE-2024-56412 | PhpSpreadsheet vulnerable to bypass of the XSS sanitizer using the javascript protocol and special characters | PhpSpreadsheet | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56411 | PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header | PhpSpreadsheet | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56410 | PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability in custom properties | PhpSpreadsheet | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56409 | PhpSpreadsheet vulnerable to unauthorized reflected XSS in Currency.php file | PhpSpreadsheet | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56366 | PhpSpreadsheet vulnerable to unauthorized reflected XSS in the Accounting.php file | PhpSpreadsheet | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56365 | PhpSpreadsheet vulnerable to unauthorized reflected XSS in the constructor of the Downloader class | PhpSpreadsheet | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-56408 | PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file | PhpSpreadsheet | CWE-79 | 6.1 | - | 2025-01-03 |
| CVE-2024-48917 | XXE in PHPSpreadsheet's XLSX reader | PhpSpreadsheet | CWE-611 | 7.5 | High | 2024-11-18 |
| CVE-2024-47873 | PhpSpreadsheet XmlScanner bypass leads to XXE | PhpSpreadsheet | CWE-611 | 7.5 | High | 2024-11-18 |
| CVE-2024-45060 | Unauthenticated Cross-Site-Scripting (XSS) in sample file in PHPSpreadsheet | PhpSpreadsheet | CWE-79 | 7.1 | High | 2024-10-07 |
| CVE-2024-45290 | Path traversal and Server-Side Request Forgery when opening XLSX files in PHPSpreadsheet | PhpSpreadsheet | CWE-36 | 7.7 | High | 2024-10-07 |
| CVE-2024-45291 | Path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled in PHPSpreadsheet | PhpSpreadsheet | CWE-36 | 6.3 | Medium | 2024-10-07 |
| CVE-2024-45292 | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks | PhpSpreadsheet | CWE-79 | 5.4 | Medium | 2024-10-07 |
| CVE-2024-45293 | XML External Entity Reference (XXE) in PHPSpreadsheet's XLSX reader | PhpSpreadsheet | CWE-611 | 7.5 | High | 2024-10-07 |
| CVE-2024-45046 | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information | PhpSpreadsheet | CWE-79 | 5.4 | Medium | 2024-08-28 |
| CVE-2024-45048 | XML External Entity Reference (XXE) in PHPSpreadsheet | PhpSpreadsheet | CWE-611 | 8.8 | High | 2024-08-28 |

This page lists every published CVE security advisory associated with PHPOffice. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.