phpoffice phpspreadsheet Vulnerabilities: CVEs, CISA KEV & Security Advisories

Severity and exploitation

How the CVSS severity of phpoffice phpspreadsheet's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical1

High14

Medium10

Low0

2 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

None of phpoffice phpspreadsheet's CVEs are currently listed in CISA's KEV catalog.

Public exploits

23 of phpoffice phpspreadsheet's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every phpoffice phpspreadsheet version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

1.0.020 CVEs
1.0.0-beta20 CVEs
1.0.0-beta220 CVEs
1.1.020 CVEs
1.2.020 CVEs
1.2.120 CVEs
1.3.020 CVEs
1.3.120 CVEs
1.4.020 CVEs
1.4.120 CVEs
1.5.020 CVEs
phpexcel-last-cherry-picked-commit20 CVEs
phpexcel-last-release-1.8.120 CVEs
1.5.119 CVEs
1.5.219 CVEs
1.6.019 CVEs
1.7.019 CVEs
2.0.019 CVEs
1.10.018 CVEs
1.10.118 CVEs
1.11.018 CVEs
1.12.018 CVEs
1.13.018 CVEs
1.14.018 CVEs
1.14.118 CVEs
1.15.018 CVEs
1.8.018 CVEs
1.8.118 CVEs
1.8.218 CVEs
1.9.018 CVEs
2.1.018 CVEs
2.2.018 CVEs
1.16.017 CVEs
1.17.017 CVEs
1.17.117 CVEs
1.18.017 CVEs
1.19.017 CVEs
1.20.017 CVEs
1.21.017 CVEs
1.22.017 CVEs
1.23.017 CVEs
1.24.017 CVEs
1.24.117 CVEs
1.25.017 CVEs
1.25.117 CVEs
1.25.217 CVEs
1.27.017 CVEs
1.28.017 CVEs
1.29.017 CVEs
2.2.117 CVEs
2.2.217 CVEs
1.29.116 CVEs
1.29.212 CVEs
2.1.112 CVEs
2.3.012 CVEs
1.29.410 CVEs
1.29.510 CVEs
1.29.610 CVEs
2.1.310 CVEs
2.1.410 CVEs
2.1.510 CVEs
2.3.210 CVEs
2.3.310 CVEs
2.3.410 CVEs
< 1.29.77 CVEs
>= 2.0.0, < 2.1.67 CVEs
>= 2.2.0, < 2.3.57 CVEs
>= 3.0.0, < 3.7.07 CVEs
>= 2.0.0, < 2.1.15 CVEs
>= 2.2.0, < 2.3.05 CVEs
< 1.29.24 CVEs
1.29.73 CVEs
2.1.63 CVEs
2.3.53 CVEs
3.3.03 CVEs
< 1.29.42 CVEs
< 1.30.42 CVEs
<= 1.30.32 CVEs
>= 2.0.0, < 2.1.162 CVEs
>= 2.0.0, < 2.1.32 CVEs
>= 2.0.0, <= 2.1.152 CVEs
>= 2.2.0, < 2.3.22 CVEs
>= 2.2.0, < 2.4.52 CVEs
>= 2.2.0, <= 2.4.42 CVEs
>= 3.3.0, < 3.10.52 CVEs
>= 3.3.0, < 3.4.02 CVEs
>= 3.3.0, <= 3.10.42 CVEs
>= 4.0.0, < 5.7.02 CVEs
>= 4.0.0, <= 5.6.02 CVEs
1.29.82 CVEs
2.1.72 CVEs
2.3.62 CVEs
< 1.29.11 CVE
< 1.29.81 CVE
< 1.29.91 CVE
< 1.30.01 CVE
<= 1.30.21 CVE
>= 2.0.0, < 2.1.121 CVE
>= 2.0.0, < 2.1.71 CVE
>= 2.0.0, < 2.1.81 CVE
>= 2.0.0, <= 2.1.141 CVE
>= 2.2.0, < 2.3.61 CVE
>= 2.2.0, < 2.3.71 CVE
>= 2.2.0, < 2.4.01 CVE
>= 2.2.0, <= 2.4.31 CVE
>= 3.0.0, < 3.10.01 CVE
>= 3.0.0, < 3.8.01 CVE
>= 3.0.0, < 3.9.01 CVE
>= 3.3.0, <= 3.10.31 CVE
>= 4.0.0, < 5.0.01 CVE
>= 4.0.0, <= 5.5.01 CVE
1.29.101 CVE
1.29.111 CVE
1.29.121 CVE
1.29.91 CVE
2.1.101 CVE
2.1.111 CVE
2.1.81 CVE
2.1.91 CVE
2.3.101 CVE
2.3.71 CVE
2.3.81 CVE
2.3.91 CVE
3.4.01 CVE
3.5.01 CVE
3.6.01 CVE
3.7.01 CVE
3.8.01 CVE
3.9.01 CVE
3.9.11 CVE
3.9.21 CVE
3.9.31 CVE
4.0.01 CVE
4.1.01 CVE
4.2.01 CVE
4.3.01 CVE
4.3.11 CVE
4.4.01 CVE
4.5.01 CVE

Fixed in

02c8625411dcb96e1f63d58c47460284e15b2e807 CVEs
04e8b6edc1bba1bbc8e1aef4111903d11e8323c17 CVEs
1.29.77 CVEs
2.1.67 CVEs
2.3.57 CVEs
3.7.07 CVEs
d836f2d7308a192441ccd1546545890b378af9137 CVEs
2.1.15 CVEs
2.3.05 CVEs
4e58d8ae1502d7f22af9e4cfeb2d645e243dec4e5 CVEs
c972c146ddd5e8350ea839355b9bb0ce6a8fa33e5 CVEs
1.29.24 CVEs
1.30.4

Find a version

27 CVEs

Sort

PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
CVE-2026-40863
Public exploit
Patch
CWE-770
High · CVSS 7.5
EPSS 0.1% (18th pct)2026-05-12
PhpSpreadsheet: CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
CVE-2026-40902
Public exploit
Patch
CWE-770
High · CVSS 7.5
EPSS 0.1% (18th pct)2026-05-12
PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes
CVE-2026-40296
Public exploit
Patch
CWE-79
Medium · CVSS 5.4
EPSS 0.0% (2th pct)2026-05-06
PhpSpreadsheet XSS via number format text substitution in HTML Writer
CVE-2026-35453
Public exploit
Patch
CWE-79
Medium · CVSS 4.8
EPSS 0.0% (1th pct)2026-05-05
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load
CVE-2026-34084
Public exploit
Patch
CWE-502
Critical · CVSS 9.2
EPSS 0.2% (45th pct)2026-05-05
PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser
CVE-2025-54370
Public exploit
Patch
CWE-918
High · CVSS 8.7
EPSS 0.1% (33th pct)2025-08-25
Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet
CVE-2025-23210
Patch
CWE-79
Medium · CVSS 4.8
EPSS 0.1% (30th pct)2025-02-03
Cross-Site Scripting (XSS) vulnerability in generateNavigation() function
CVE-2025-22131
Public exploit
Patch
CWE-79
Medium · CVSS 5.1
EPSS 0.7% (73th pct)2025-01-20
Medium vulnerability · 2025-01-03
CVE-2024-56412
Public exploit
Patch
CWE-79
Medium · CVSS 4.8
EPSS 0.3% (55th pct)2025-01-03
Medium vulnerability · 2025-01-03
CVE-2024-56411
Public exploit
Patch
CWE-79
Medium · CVSS 4.8
EPSS 0.9% (76th pct)2025-01-03
Medium vulnerability · 2025-01-03
CVE-2024-56410
Public exploit
Patch
CWE-79
Medium · CVSS 4.8
EPSS 0.9% (76th pct)2025-01-03
High vulnerability · 2025-01-03
CVE-2024-56409
Public exploit
Patch
CWE-79
High · CVSS 8.3
EPSS 0.9% (76th pct)2025-01-03
PhpSpreadsheet vulnerable to unauthorized reflected XSS in the Accounting.php file
CVE-2024-56366
Public exploit
Patch
CWE-79
High · CVSS 8.3
EPSS 1.2% (79th pct)2025-01-03
PhpSpreadsheet vulnerable to unauthorized reflected XSS in the constructor of the Downloader class
CVE-2024-56365
Public exploit
Patch
CWE-79
High · CVSS 8.3
EPSS 0.9% (76th pct)2025-01-03
High vulnerability · 2025-01-03
CVE-2024-56408
Public exploit
Patch
CWE-79
High · CVSS 8.3
EPSS 1.4% (81th pct)2025-01-03
High vulnerability · 2024-11-18
CVE-2024-48917
Patch
CWE-611
High · CVSS 7.5
EPSS 0.2% (38th pct)2024-11-18
High vulnerability · 2024-11-18
CVE-2024-47873
Public exploit
Patch
CWE-611
High · CVSS 7.5
EPSS 0.2% (38th pct)2024-11-18
High vulnerability · 2024-10-07
CVE-2024-45060
Public exploit
Patch
CWE-79
High · CVSS 7.1
EPSS 1.3% (80th pct)2024-10-07
Path traversal and Server-Side Request Forgery when opening XLSX files in PHPSpreadsheet
CVE-2024-45290
Public exploit
Patch
CWE-918
High · CVSS 7.7
EPSS 0.3% (54th pct)2024-10-07
Medium vulnerability · 2024-10-07
CVE-2024-45291
Public exploit
Patch
CWE-918
Medium · CVSS 6.3
EPSS 0.9% (76th pct)2024-10-07
Medium vulnerability · 2024-10-07
CVE-2024-45292
Public exploit
Patch
CWE-79
Medium · CVSS 5.4
EPSS 1.1% (78th pct)2024-10-07
High vulnerability · 2024-10-07
CVE-2024-45293
Public exploit
Patch
CWE-611
High · CVSS 7.5
EPSS 71.6% (99th pct)2024-10-07
Medium vulnerability · 2024-08-28
CVE-2024-45046
Public exploit
Patch
CWE-79
Medium · CVSS 5.4
EPSS 0.3% (56th pct)2024-08-28
XML External Entity Reference (XXE) in PHPSpreadsheet
CVE-2024-45048
Public exploit
Patch
CWE-611
High · CVSS 8.8
EPSS 0.2% (36th pct)2024-08-28
Cross-site Scripting (XSS)
CVE-2020-7776
Patch
High · CVSS 7.1
EPSS 0.3% (57th pct)2020-12-09
Vulnerability · 2019-11-07
CVE-2019-12331
Patch
Unscored
EPSS 0.1% (31th pct)2019-11-07
Vulnerability · 2018-11-14
CVE-2018-19277
Public exploit
Patch
Unscored
EPSS 3.0% (87th pct)2018-11-14

Severity and exploitation

phpoffice phpspreadsheet Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Specific versions

Fixed in

Common weakness types

Disclosure activity by year

Other phpoffice products

Frequently asked questions

How many CVEs does phpoffice phpspreadsheet have?

How many phpoffice phpspreadsheet CVEs are in CISA KEV?

Are there public exploits for phpoffice phpspreadsheet vulnerabilities?

Which versions of phpoffice phpspreadsheet are affected?

What are the most common weakness types in phpoffice phpspreadsheet CVEs?

How many critical phpoffice phpspreadsheet vulnerabilities are there?

What is the average severity of phpoffice phpspreadsheet CVEs?

References

Track phpoffice phpspreadsheet vulnerabilities