Phpoffice Phpspreadsheet — known CVE vulnerabilities
Every CVE whose affected-product data names Phpoffice Phpspreadsheet, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (25)
CVE-2026-34084 — CVSS 9.8 (critical): PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through…
CVE-2019-12331 — CVSS 8.8 (high): PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than…
CVE-2018-19277 — CVSS 8.8 (high): securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file
CVE-2024-45048 — CVSS 8.8 (high): PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter…
CVE-2024-45290 — CVSS 7.7 (high): PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file…
CVE-2026-40902 — CVSS 7.5 (high): PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX…
CVE-2024-45293 — CVSS 7.5 (high): PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks…
CVE-2024-47873 — CVSS 7.5 (high): PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE…
CVE-2024-48917 — CVSS 7.5 (high): PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent…
CVE-2026-40863 — CVSS 7.5 (high): PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the…
CVE-2024-45060 — CVSS 7.1 (high): PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible…
CVE-2020-7776 — CVSS 7.1 (high): This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel…
CVE-2024-45291 — CVSS 6.3 (medium): PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file…
CVE-2025-22131 — CVSS 6.1 (medium): PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which…
CVE-2024-56409 — CVSS 5.4 (medium): PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable…
CVE-2024-56410 — CVSS 5.4 (medium): PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a…
CVE-2024-56411 — CVSS 5.4 (medium): PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a…
CVE-2024-56412 — CVSS 5.4 (medium): PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable…
CVE-2024-45046 — CVSS 5.4 (medium): PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html`…
CVE-2024-45292 — CVSS 5.4 (medium): PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize…
CVE-2026-40296 — CVSS 5.4 (medium): PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a…
CVE-2026-35453 — CVSS 5.4 (medium): PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through…
CVE-2024-56365 — CVSS 5.4 (medium): PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable…
CVE-2024-56366 — CVSS 5.4 (medium): PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable…
CVE-2024-56408 — CVSS 5.4 (medium): PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no…