Phpoffice/phpexcel

This hub aggregates every CVE we track for Phpoffice/phpexcel, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Phpoffice/phpexcel.

• CVE-2025-23210Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet6.4Feb 3, 2025
• CVE-2025-22131Cross-Site Scripting (XSS) vulnerability in generateNavigation() function6.1Jan 20, 2025
• CVE-2024-56412PhpSpreadsheet vulnerable to bypass of the XSS sanitizer using the javascript protocol and special characters5.4Jan 3, 2025
• CVE-2024-56411PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header5.4Jan 3, 2025
• CVE-2024-56410PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability in custom properties5.4Jan 3, 2025
• CVE-2024-56409PhpSpreadsheet vulnerable to unauthorized reflected XSS in Currency.php file5.4Jan 3, 2025
• CVE-2024-56366PhpSpreadsheet vulnerable to unauthorized reflected XSS in the Accounting.php file5.4Jan 3, 2025
• CVE-2024-56365PhpSpreadsheet vulnerable to unauthorized reflected XSS in the constructor of the Downloader class5.4Jan 3, 2025
• CVE-2024-56408PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file5.4Jan 3, 2025
• CVE-2024-48917XXE in PHPSpreadsheet's XLSX reader7.5Nov 18, 2024
• CVE-2024-47873PhpSpreadsheet XmlScanner bypass leads to XXE7.5Nov 18, 2024
• CVE-2024-45060Unauthenticated Cross-Site-Scripting (XSS) in sample file in PHPSpreadsheet7.1Oct 7, 2024
• CVE-2024-45290Path traversal and Server-Side Request Forgery when opening XLSX files in PHPSpreadsheet7.7Oct 7, 2024
• CVE-2024-45291Path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled in PHPSpreadsheet6.3Oct 7, 2024
• CVE-2024-45292PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks5.4Oct 7, 2024