
AIKIDO-2026-10496

phpoffice/phpspreadsheet is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Apr 16, 2026


Medium Risk

This Affects:

PHP: phpoffice/phpspreadsheet
1.30.0 - 1.30.2 (fixed in 1.30.3)
2.1.0 - 2.1.14 (fixed in 2.1.15)
2.4.0 - 2.4.3 (fixed in 2.4.4)
3.3.0 - 3.10.3 (fixed in 3.10.4)

TL;DR

Spreadsheet readers resolve paths and external references while loading workbooks and embedded assets. Without strict checks, stream-style schemes (for example phar://) can be abused as file paths, and helpers that resolve download paths may follow unsafe combinations of directory and filename. External-linked images can also pull remote content unless policy is enforced. The changes reject disallowed stream wrappers at file assertion points, tighten download path resolution, and add an optional whitelist callback so callers can allow only vetted external image URLs instead of loading them unconditionally.

Who does this affect?

You are affected if you are running a version within the vulnerable ranges and your application loads external images from workbooks without strict URL validation.

Background info

phpoffice/phpspreadsheet is vulnerable to Server-Side Request Forgery (SSRF) in versions 1.30.0 - 1.30.2, 2.1.0 - 2.1.14, 2.4.0 - 2.4.3 and 3.3.0 - 3.10.3.

How to fix this

Upgrade phpoffice/phpspreadsheet to a patched version. You must also implement the newly added whitelist callback to vet the external URLs you allow. Alternatively, if external images are not required, disable them entirely using the library's existing configuration options.
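An example of the checks such a whitelist callback can apply before an external image URL is fetched (added here; this is not code from phpoffice/phpspreadsheet or Aikido, and since the page does not name the library's registration method, only the validator is shown; the function name, allowlist and sample URLs are constructed for illustration):

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical vetting callback for external image URLs.
 * Returns true only for http(s) URLs whose hostname is on an explicit allowlist.
 */
function isAllowedExternalImageUrl(string $url, array $allowedHosts): bool
{
    // Reject PHP stream wrappers outright (phar://, file://, php://, data:, ...):
    // only plain http(s) may reach the fetch path.
    if (!preg_match('#^https?://#i', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    // No credentials in the URL; "user@host" forms are a classic way to confuse host checks.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    // Refuse IP literals: the allowlist is by hostname, and literals are how
    // loopback and other internal addresses would otherwise be reached.
    if (filter_var(trim($host, '[]'), FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// Constructed sample inputs with the expected verdict for each.
$allowed = ['images.example.com'];
$checks = [
    'https://images.example.com/logo.png'           => true,
    'http://images.example.com/logo.png'            => true,
    'phar://uploads/archive.phar/logo.png'          => false,
    'file:///etc/hostname'                          => false,
    'https://images.example.com@other.example/a.png' => false,
    'https://127.0.0.1/internal.png'                => false,
    'https://cdn.other.example/logo.png'            => false,
];
foreach ($checks as $url => $expected) {
    $ok = isAllowedExternalImageUrl($url, $allowed);
    printf("%s %s\n", $ok === $expected ? 'PASS' : 'FAIL', $url);
}
```

An allowed host can still redirect elsewhere, so the HTTP client that fetches the image should not follow redirects or should re-run the callback on every hop.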