[HIGH] PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled

PKSA-8cfg-tzhf-fr83 CVE-2026-34084 GHSA-q4q6-r8wh-5cgh

Affected package: phpoffice/phpspreadsheet

Affected version: <=1.30.2|>=2.0.0,<=2.1.14|>=2.2.0,<=2.4.3|>=3.3.0,<=3.10.3|>=4.0.0,<=5.5.0

Reported by:
GitHub