Description
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.
Published: 2026-05-05
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PhpSpreadsheet is a library for handling spreadsheet files. In the affected versions, if the filename parameter passed to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path such as phar://, ftp://, or ssh2.sftp://. Such a path passes the is_file() check in File::assertFile(); the phar:// wrapper then triggers deserialization of PHAR metadata, which can lead to remote code execution when a suitable gadget chain is present. The ftp:// and ssh2.sftp:// wrappers make the application perform outbound requests, creating a server-side request forgery vector.

Affected Systems

The issue resides in PHPOffice PhpSpreadsheet versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0. The vulnerability was remediated in 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.

Risk and Exploitability

The flaw carries a CVSS score of 9.2, denoting high severity. EPSS data is unavailable, and the vulnerability is not included in the CISA KEV catalog. The likely attack path requires an attacker to supply a crafted file path or URL to the IOFactory::load call. When a phar:// URI containing malicious PHAR metadata is used, deserialization may execute arbitrary code. Alternatively, ftp:// or ssh2.sftp:// wrappers can cause the server to contact internal targets, allowing exploitation of internal services or data.

Generated by OpenCVE AI on May 5, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest PhpSpreadsheet release (>=1.30.3, >=2.1.15, >=2.4.4, >=3.10.4, or >=5.6.0).
  • If an upgrade is not immediately possible, restrict IOFactory::load to accept only local or whitelisted paths and reject PHP stream wrapper protocols such as phar://, ftp://, and ssh2.sftp://.
  • Sanitize and validate all user‑supplied filenames before passing them to IOFactory::load to ensure no malicious wrapper or path injection is possible.
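One way to apply the second and third recommended actions in application code, as an added example and not PhpSpreadsheet's own fix: reject wrapper-style paths before the library's is_file() check in File::assertFile() ever sees them, then canonicalise the name into an application-chosen directory. The function name, the $allowedDir argument and the upload directory in the usage line are assumptions.

```php
<?php
declare(strict_types=1);

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Spreadsheet;

/**
 * Load a spreadsheet from a user-supplied name, but only if it names a
 * regular file inside $allowedDir. Added example, not PhpSpreadsheet's
 * own code; the function name and $allowedDir are assumptions.
 */
function loadSpreadsheetSafely(string $userPath, string $allowedDir): Spreadsheet
{
    // A NUL byte would truncate the path seen by the underlying C calls.
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('Invalid characters in filename');
    }

    // Reject anything shaped like a stream wrapper URL (phar://, ftp://,
    // ssh2.sftp://, php://, ...) and the data: wrapper, which has no "//".
    // PHP resolves wrapper names case-insensitively, so this check is too.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $userPath) === 1
        || preg_match('#^\s*data:#i', $userPath) === 1) {
        throw new InvalidArgumentException('Stream wrappers are not permitted');
    }

    // Canonicalise both sides so "..", "./" and symlinks cannot escape the
    // allowed directory; realpath() also returns false for missing files.
    $base = realpath($allowedDir);
    $real = realpath($allowedDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false) {
        throw new InvalidArgumentException('File not found');
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // is_file() after realpath() rejects directories and anything that is
    // not a plain local file.
    if (strncmp($real, $base, strlen($base)) !== 0 || !is_file($real)) {
        throw new InvalidArgumentException('Path outside the allowed directory');
    }

    // Only now hand a plain, verified local path to the library.
    return IOFactory::load($real);
}

// Constructed usage: $_GET['file'] stands in for the user-controlled value
// from the advisory; the uploads directory is an assumption for this example.
// $spreadsheet = loadSpreadsheetSafely((string) ($_GET['file'] ?? ''), __DIR__ . '/uploads');
```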

Advisories
Source: GitHub GHSA
ID: GHSA-q4q6-r8wh-5cgh
Title: PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
History

Tue, 05 May 2026 20:15:00 +0000

Values Added:
Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 May 2026 19:30:00 +0000

Values Added:
Description: PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.
Title: PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load
Weaknesses: CWE-502, CWE-918
References:
Metrics (cvssV4_0): {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:32:59.799Z

Reserved: 2026-03-25T16:21:40.869Z

Link: CVE-2026-34084

Vulnrichment

Updated: 2026-05-05T19:32:47.363Z

NVD

Status : Received

Published: 2026-05-05T20:16:37.007

Modified: 2026-05-05T20:16:37.007

Link: CVE-2026-34084

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:30:31Z

Weaknesses