pkg:Packagist/phpoffice/phpspreadsheet

共 27 筆 CVEHIGH13MEDIUM11

✅ 檢查你的版本

所有已知漏洞

  • HIGH8.8CVE-2024-45048XXE in PHPSpreadsheet encoding is returned
    from 0, < 1.29.1
  • HIGH8.8CVE-2019-12331XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue
    from 0, < 1.8.0
  • HIGH8.8CVE-2018-19277XXE in PHPSpreadsheet due to encoding issue
    from 0, < 1.5.1
  • HIGH7.7CVE-2024-45290PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file
    >= 2.2.0, < 2.3.0
  • HIGH7.5CVE-2026-40902PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
    >= 4.0.0, < 5.7.0
  • HIGH7.5CVE-2026-40863PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
    >= 4.0.0, < 5.7.0
  • HIGH7.5CVE-2024-48917XXE in PHPSpreadsheet's XLSX reader
    from 0, < 1.29.4
  • HIGH7.5CVE-2024-47873XmlScanner bypass leads to XXE
    from 0, < 1.29.4
  • HIGH7.5CVE-2024-45293XXE in PHPSpreadsheet's XLSX reader
    >= 2.2.0, < 2.3.0
  • HIGH7.1CVE-2024-56409PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
    >= 3.0.0, < 3.7.0
  • HIGH7.1CVE-2024-56366PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file
    >= 3.0.0, < 3.7.0
  • HIGH7.1CVE-2024-56365PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class
    >= 3.0.0, < 3.7.0
  • HIGH7.1CVE-2024-56408PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
    >= 3.0.0, < 3.7.0
  • MEDIUM6.4CVE-2020-7776Cross-site scripting in phpoffice/phpspreadsheet
    from 0, < 1.16.0
  • MEDIUM6.3CVE-2024-45291PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled
    >= 2.2.0, < 2.3.0
  • MEDIUM6.1CVE-2025-22131Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
    >= 3.0.0, < 3.8.0
  • MEDIUM6.1CVE-2024-45060PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file
    >= 2.2.0, < 2.3.0
  • MEDIUM5.4CVE-2026-40296PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer
    >= 4.0.0, < 5.7.0
  • MEDIUM5.4CVE-2025-23210PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters
    >= 3.0.0, < 3.9.0
  • MEDIUM5.4CVE-2024-56412PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters
    >= 3.0.0, < 3.7.0
  • MEDIUM5.4CVE-2024-56411PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header
    >= 3.0.0, < 3.7.0
  • MEDIUM5.4CVE-2024-56410PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties
    >= 3.0.0, < 3.7.0
  • MEDIUM5.4CVE-2024-45292PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks
    >= 2.2.0, < 2.3.0
  • MEDIUM5.4CVE-2024-45046PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information
    >= 2.0.0, < 2.1.0
  • CVE-2026-34084PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
    >= 4.0.0, < 5.6.0
  • CVE-2026-35453PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer
    >= 4.0.0, < 5.7.0
  • CVE-2025-54370PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser
    from 0, < 1.30.0