phpoffice/phpspreadsheet Security Advisories for 1.30.2 (5)
- [HIGH] PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
  PKSA-gz3f-3cz3-3wsw CVE-2026-40902 GHSA-7c6m-4442-2x6m
  Affected version: <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0
  Reported by: GitHub
- [HIGH] PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
  PKSA-x13r-n4wc-4gcr CVE-2026-40863 GHSA-84wq-86v6-x5j6
  Affected version: <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0
  Reported by: GitHub
- [HIGH] PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
  PKSA-8cfg-tzhf-fr83 CVE-2026-34084 GHSA-q4q6-r8wh-5cgh
  Affected version: <=1.30.2|>=2.0.0,<=2.1.14|>=2.2.0,<=2.4.3|>=3.3.0,<=3.10.3|>=4.0.0,<=5.5.0
  Reported by: GitHub
- [MEDIUM] PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer
  PKSA-hznc-gbby-6w16 CVE-2026-40296 GHSA-hrmw-qprp-wgmc
  Affected version: <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0
  Reported by: GitHub
- [MEDIUM] PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer
  PKSA-jtdk-dcr5-f11n CVE-2026-35453 GHSA-6wpp-88cp-7q68
  Affected version: <=1.30.3|>=2.0.0,<=2.1.15|>=2.2.0,<=2.4.4|>=3.3.0,<=3.10.4|>=4.0.0,<=5.6.0
  Reported by: GitHub