Threat Advisory

PhpSpreadsheet Vulnerability Exposes Remote SSRF RCE

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in PhpSpreadsheet, a popular PHP library for reading and writing spreadsheet files. The affected versions include v1.30.2 and potentially earlier versions. The vulnerabilities are: SSRF/RCE in IOFactory::load when $filename is user controlled; CPU Denial of Service via an unbounded row index in the SpreadsheetML XML reader; and CPU Denial of Service via an unbounded row number in XLSX row dimensions. Attackers can exploit these vulnerabilities to gain unauthorized access to sensitive data or to cause denial of service by exhausting server CPU resources. The business risk and impact are significant, as the vulnerabilities can be exploited remotely and may allow attackers to access sensitive data or disrupt business operations.

  • CVE-2026-34084 with a CVSS score of 7.5 – This vulnerability allows an attacker to perform SSRF/RCE through IOFactory::load when $filename is user controlled. An attacker can craft a malicious file that, when loaded, will execute arbitrary code, leading to remote code execution. The attacker needs to control the $filename parameter, which can be achieved by uploading a file or by manipulating the file path.
  • CVE-2026-40863 with a CVSS score of 7.5 – This vulnerability allows an attacker to cause a CPU Denial of Service via an unbounded row index in the SpreadsheetML XML reader. An attacker can craft a malicious SpreadsheetML XML file that, when loaded, will cause the server to iterate over an unbounded number of rows, leading to CPU exhaustion. The attacker needs to create a malicious SpreadsheetML XML file and upload it to the server.
  • CVE-2026-40902 with a CVSS score of 7.5 – This vulnerability allows an attacker to cause a CPU Denial of Service via an unbounded row number in XLSX row dimensions. An attacker can craft a malicious XLSX file that, when loaded, will cause the server to iterate over an unbounded number of rows, leading to CPU exhaustion. The attacker needs to create a malicious XLSX file and upload it to the server.
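The common thread in the three issues above is a user-influenced value reaching the loader. As an added example (not code from the advisory or from the PhpSpreadsheet project), the PHP wrapper below shows how an application can keep request input away from IOFactory::load: the user-supplied name is reduced to a plain basename, resolved inside a fixed upload directory, size-capped, and then read with an explicitly pinned reader rather than one chosen from the path. The constants UPLOAD_DIR and MAX_UPLOAD_BYTES and the function names are hypothetical; the code assumes PHP 8 and a Composer autoloader.

```php
<?php
// Added defensive example, not part of the advisory or of PhpSpreadsheet.
// Assumes PHP 8+, a Composer autoloader, and uploads stored under UPLOAD_DIR.

require_once __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Spreadsheet;

const UPLOAD_DIR = '/var/app/uploads';   // hypothetical upload directory
const MAX_UPLOAD_BYTES = 10 * 1024 * 1024; // hypothetical 10 MiB cap

/**
 * Resolve a user-supplied spreadsheet name to a regular file inside
 * UPLOAD_DIR, or throw. Anything that is not a plain basename (URLs,
 * stream wrappers such as php:// or phar://, directory separators,
 * ".." segments, NUL bytes) is rejected before any file system access.
 */
function resolveUploadPath(string $userName): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}\.(xlsx|xls|csv|ods)$/', $userName)) {
        throw new InvalidArgumentException('Invalid spreadsheet name');
    }

    $base = realpath(UPLOAD_DIR);
    $candidate = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $userName);

    // realpath() returns false for missing files; the prefix check guards
    // against any normalisation surprise (symlinks pointing outside).
    if ($base === false || $candidate === false
        || !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)
        || !is_file($candidate)) {
        throw new RuntimeException('Spreadsheet not found');
    }

    if (filesize($candidate) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('Spreadsheet exceeds size limit');
    }

    return $candidate;
}

/**
 * Load a validated upload with a reader chosen by the application, not
 * sniffed from a user-controlled path. setReadDataOnly() skips styles and
 * other metadata the application does not need.
 */
function loadUploadedSpreadsheet(string $userName): Spreadsheet
{
    $path = resolveUploadPath($userName);

    $reader = IOFactory::createReader('Xlsx');
    $reader->setReadDataOnly(true);

    return $reader->load($path);
}

// Example call site: the request parameter never reaches the loader directly.
// $sheet = loadUploadedSpreadsheet($_GET['file'] ?? '');
```

The size cap limits, but does not eliminate, the CPU-exhaustion issues described above, because a small file can still declare a very large row index; the only complete remedy for those is the upgrade given under RECOMMENDATION. The path validation, by contrast, removes the precondition for the SSRF/RCE issue in any version, since $filename is no longer user controlled.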

The overall risk and urgency of these vulnerabilities are high, as they can be exploited remotely and may allow attackers to gain access to sensitive data or disrupt business operations. If exploited, these vulnerabilities can have significant business consequences, including data breaches, financial losses, and reputational damage.

RECOMMENDATION:

  • We recommend updating PhpSpreadsheet to version 5.7.0, 3.10.5, 2.4.5, 2.1.16 or 1.30.4.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-q4q6-r8wh-5cgh
https://github.com/advisories/GHSA-84wq-86v6-x5j6
https://github.com/advisories/GHSA-7c6m-4442-2x6m
