CVE-2026-34084

EUVD-2026-27454

05.05.2026, 20:16

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Affected Products (NVD)

Vendor	Product	Version
phpoffice	phpspreadsheet	𝑥 < 1.30.3
phpoffice	phpspreadsheet	2.0.0 ≤ 𝑥 < 2.1.15
phpoffice	phpspreadsheet	2.2.0 ≤ 𝑥 < 2.4.4
phpoffice	phpspreadsheet	3.3.0 ≤ 𝑥 < 3.10.4
phpoffice	phpspreadsheet	4.0.0 ≤ 𝑥 < 5.6.0

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q4q6-r8wh-5cgh