PT-2025-4368 · Unknown · Phpspreadsheet

Trikkss · Published 2024-12-23 · Updated 2025-10-27 · CVE-2025-22131

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

PhpSpreadsheet (affected versions not specified)

Description

The issue is related to a Cross-Site Scripting (XSS) vulnerability in the code that translates XLSX files into HTML representations and displays them in the response. This occurs when generating HTML from an XLSX file containing multiple sheets, where the sheet names are not sanitized, allowing an attacker to execute JavaScript code. The impact of this vulnerability can range from annoyance to complete account compromise, including disclosure of user session cookies, redirecting users to other pages, modifying content, automatically downloading malicious files, and requesting access to victim geolocation or camera.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
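
The description attributes the flaw to sheet names being written into the generated HTML without sanitization. The following added example (not PhpSpreadsheet's code; the function names and sample titles are constructed for illustration) contrasts that pattern with output encoding at the point of rendering, plus a pre-render check an application can run on untrusted workbooks.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not PhpSpreadsheet code: they build the sheet-switching
// navigation that a multi-sheet HTML export needs.

/** Vulnerable pattern: the sheet title is copied into markup unchanged. */
function renderSheetNavUnsafe(array $sheetTitles): string
{
    $html = '<ul class="navigation">';
    foreach ($sheetTitles as $index => $title) {
        $html .= '<li><a href="#sheet' . $index . '">' . $title . '</a></li>';
    }
    return $html . '</ul>';
}

/** Hardened pattern: every title is HTML-encoded at the point of output. */
function renderSheetNavSafe(array $sheetTitles): string
{
    $html = '<ul class="navigation">';
    foreach ($sheetTitles as $index => $title) {
        $encoded = htmlspecialchars((string) $title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        $html .= '<li><a href="#sheet' . (int) $index . '">' . $encoded . '</a></li>';
    }
    return $html . '</ul>';
}

/** Pre-render check: report titles that contain HTML metacharacters. */
function findSuspiciousTitles(array $sheetTitles): array
{
    return array_values(array_filter(
        $sheetTitles,
        static fn ($t): bool => preg_match('/[<>"\'&]/', (string) $t) === 1
    ));
}

// Constructed sample: sheet titles as read from an untrusted workbook.
$titles = ['Summary', 'Sales <b>2024</b>', 'R&D "draft"'];

echo renderSheetNavUnsafe($titles), PHP_EOL; // markup from the title reaches the page
echo renderSheetNavSafe($titles), PHP_EOL;   // title is shown as literal text
print_r(findSuspiciousTitles($titles));      // titles worth logging or rejecting
```

Encoding at output is the control that matters; the pre-render check only gives the application a signal to log or reject a workbook before it is displayed.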

Exploit

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-01639
CVE-2025-22131
GHSA-79XX-VF93-P7CX

Affected Products

Phpspreadsheet