Description
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.5, CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parse_url($filename, PHP_URL_SCHEME) and then checks is_string($scheme) && strlen($scheme) > 1 to reject stream wrappers such as phar://, php://, data:// or expect://. The check is not equivalent to "does the path contain a wrapper". When the input has the form phar:///path/file.phar/inner with three or more slashes after the scheme, parse_url returns boolean false instead of returning the scheme string. The is_string($scheme) branch is therefore skipped, the helper returns without throwing, and the caller proceeds. PHP's stream layer, however, still treats phar:///... as a valid phar wrapper and opens the underlying phar file. The result is that IOFactory::load($attackerPath) walks past the patch and still touches the phar wrapper. On PHP 7.x, simply reaching the phar wrapper via is_file is enough for PHP to automatically deserialize the phar metadata, which in turn invokes the magic methods __wakeup and __destruct of an attacker-controlled object and gives full RCE. On PHP 8.x, automatic metadata deserialization for plain file ops was removed, so the chain at the PhpSpreadsheet layer reduces to a phar-wrapper file-read primitive, and RCE only resurfaces if the downstream consumer ever calls Phar::getMetadata. This vulnerability is fixed in 1.30.5.
Published: 2026-06-22
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from PhpSpreadsheet's File::prohibitWrappers improperly rejecting certain stream wrapper paths, allowing a specially crafted phar URL to bypass the guard and enable PHP to deserialize attacker-controlled objects. This mis-validation leads to arbitrary code execution, exploiting a deserialization flaw (CWE-502). On PHP 7.x, simply reaching the wrapper triggers __wakeup and __destruct, making RCE immediate; on PHP 8.x, the same wrapper still permits a vulnerable deserialization chain if downstream code calls Phar::getMetadata.

Affected Systems

The flaw exists in PHPOffice PhpSpreadsheet versions prior to 1.30.5. Any PHP application that uses these older releases and exposes the IOFactory::load function to user input is impacted, whether running PHP 7.x or PHP 8.x. Systems that have not applied the 1.30.5 patch remain vulnerable.

Risk and Exploitability

With a CVSS score of 9.2, the issue is considered critical. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is remote exploitation. Based on the description, it is inferred that an attacker can supply a crafted phar://… path through a web form or API that ultimately calls IOFactory::load, leading to code execution on PHP 7.x, or on PHP 8.x when metadata functions are used downstream.

Generated by OpenCVE AI on June 22, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PhpSpreadsheet to version 1.30.5 or later to apply the official patch.
  • If an upgrade cannot be performed immediately, counteract the vulnerability by disabling the phar://, php://, data://, and expect:// stream wrappers, for example by calling stream_wrapper_unregister for each of these schemes at application bootstrap.
  • Ensure that any path supplied to IOFactory::load is sanitized, validated against permitted directories, and strictly controlled to prevent the injection of malicious wrapper URLs.
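To make the bypass in the description concrete from the defender's side, the following PHP is an added illustration for this page, not PhpSpreadsheet's own code or its 1.30.5 fix. It reconstructs the pre-1.30.5 guard purely from the wording of the description (parse_url scheme, is_string, strlen > 1), places a fail-closed variant beside it (an assumption of this example: textual scheme matching plus treating a parse_url failure as a rejection), and runs both over constructed sample paths. No phar archive is created or opened; the inputs are plain strings.

```php
<?php
declare(strict_types=1);

// Added example for this advisory page; not PhpSpreadsheet's code.

final class WrapperDetected extends RuntimeException {}

/**
 * Reconstruction of the pre-1.30.5 check as the advisory describes it
 * (an assumption of this example, not the project's source): only a
 * string scheme longer than one character is rejected, so that Windows
 * drive prefixes such as "C:" remain usable.
 */
function prohibitWrappersAsDescribed(string $filename): void
{
    $scheme = parse_url($filename, PHP_URL_SCHEME);
    if (is_string($scheme) && strlen($scheme) > 1) {
        throw new WrapperDetected("Wrapper scheme '$scheme' is not permitted");
    }
    // parse_url() returned false (unparseable) or null (no scheme):
    // the guard falls through and the caller proceeds.
}

/**
 * Fail-closed variant (this example's own design, not the upstream fix):
 *  1. match "<scheme>:" textually, independent of how parse_url() copes
 *     with the slash count that follows the colon;
 *  2. treat a parse_url() failure as a rejection rather than a pass;
 *  3. keep the single-letter exemption for drive prefixes.
 */
function prohibitWrappersFailClosed(string $filename): void
{
    if (preg_match('~^([A-Za-z][A-Za-z0-9+.\-]+):~', $filename, $m) === 1) {
        throw new WrapperDetected("Wrapper scheme '{$m[1]}' is not permitted");
    }
    if (parse_url($filename) === false) {
        throw new WrapperDetected('Unparseable path rejected');
    }
}

/** Run one guard and report "allowed" or "rejected" instead of throwing. */
function outcome(callable $guard, string $path): string
{
    try {
        $guard($path);
        return 'allowed';
    } catch (WrapperDetected $e) {
        return 'rejected';
    }
}

/**
 * @param string[] $paths
 * @return array<string, array{described: string, fail_closed: string}>
 */
function compareGuards(array $paths): array
{
    $result = [];
    foreach ($paths as $path) {
        $result[$path] = [
            'described'   => outcome('prohibitWrappersAsDescribed', $path),
            'fail_closed' => outcome('prohibitWrappersFailClosed', $path),
        ];
    }
    return $result;
}

// Constructed sample inputs (none of these files need to exist).
$samples = [
    '/var/www/uploads/report.xlsx',        // ordinary path: both allow
    'C:\\reports\\q1.xlsx',                // drive letter: both allow
    'phar://uploads/x.phar/inner.xlsx',    // two slashes: both reject
    'phar:///uploads/x.phar/inner.xlsx',   // three slashes: parse_url() is false,
                                           // described check allows, fail-closed rejects
    'php://filter/resource=report.xlsx',   // both reject
];

foreach (compareGuards($samples) as $path => $r) {
    printf("%-38s described=%-8s fail_closed=%s\n",
        $path, $r['described'], $r['fail_closed']);
}
```

The fourth sample is the shape the description names: parse_url() gives up on an empty authority, the reconstructed check sees no string scheme and lets the path through, while the textual match still sees "phar:". A guard like this belongs in front of IOFactory::load as defence in depth, alongside resolving the upload to a known directory with realpath() and, on hosts that never need it, unregistering the phar wrapper with stream_wrapper_unregister('phar') at bootstrap.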



Advisories
Source: Github GHSA
ID: GHSA-87m4-826x-3crx
Title: PHPSpreadsheet has a patch bypass for CVE-2026-34084
History

Tue, 23 Jun 2026 00:15:00 +0000

Type: First Time appeared
Values Added: Phpoffice; Phpoffice phpspreadsheet

Type: Vendors & Products
Values Added: Phpoffice; Phpoffice phpspreadsheet

Mon, 22 Jun 2026 21:00:00 +0000

Type: Description
Values Added: the description text shown in the Description section at the top of this page

Type: Title
Values Added: PhpSpreadsheet: File::prohibitWrappers bypass

Type: Weaknesses
Values Added: CWE-502

Type: References (no values listed)

Type: Metrics
Values Added: cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Phpoffice Phpspreadsheet
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:32:32.011Z

Reserved: 2026-05-08T16:58:28.897Z

Link: CVE-2026-45034

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T00:00:16Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data