phpoffice/phpspreadsheet

PHPSpreadsheet - Read, Create and Write Spreadsheet documents in PHP - Spreadsheet engine

Latest 5.8.0

100%

Total Score

Dependencies

100

Maturity

100

Supply Chain

100

Are you affected? Scan for Free

Vulnerabilities

Title	Versions	Severity
CVE-2026-45034 New phpoffice/phpspreadsheet is vulnerable to Deserialization of Untrusted Data in versions 0.0.0 - 1.30.4.	0.0.0 - 1.30.4	Critical
CVE-2026-40296 phpoffice/phpspreadsheet is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in versions 4.0.0 - 5.6.0, 3.3.0 - 3.10.4, 2.2.0 - 2.4.4, 2.0.0 - 2.1.15 and 0.0.0 - 1.30.3.	0.0.0 - 1.30.32.0.0 - 2.1.152.2.0 - 2.4.4 +2 more	Medium
CVE-2026-35453 phpoffice/phpspreadsheet is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in versions 4.0.0 - 5.6.0, 3.3.0 - 3.10.4, 2.2.0 - 2.4.4, 2.0.0 - 2.1.15 and 0.0.0 - 1.30.3.	0.0.0 - 1.30.32.0.0 - 2.1.152.2.0 - 2.4.4 +2 more	Medium
CVE-2026-40902 phpoffice/phpspreadsheet is vulnerable to Uncontrolled Resource Consumption in versions 4.0.0 - 5.6.0, 3.3.0 - 3.10.4, 2.2.0 - 2.4.4, 2.0.0 - 2.1.15 and 0.0.0 - 1.30.3.	0.0.0 - 1.30.32.0.0 - 2.1.152.2.0 - 2.4.4 +2 more	High
CVE-2026-40863 phpoffice/phpspreadsheet is vulnerable to Uncontrolled Resource Consumption in versions 4.0.0 - 5.6.0, 3.3.0 - 3.10.4, 2.2.0 - 2.4.4, 2.0.0 - 2.1.15 and 0.0.0 - 1.30.3.	0.0.0 - 1.30.32.0.0 - 2.1.152.2.0 - 2.4.4 +2 more	High

Maarten Balliauw

Mark Baker

Franck Lefevre

Erik Tilt

Adrien Crivelli

Owen Leibman

Dependency	Last Release	Score
composer/pcre Version ^1\|\|^2\|\|^3	—	—
markbaker/matrix Version ^3.0	—	—
psr/simple-cache Version ^1.0 \|\| ^2.0 \|\| ^3.0	—	—
markbaker/complex Version ^3.0	—	—
maennchen/zipstream-php Version ^2.1 \|\| ^3.0	—	—