PT-2026-37096 · Unknown · Phpspreadsheet

Calligraf0 · Published 2026-04-29 · Updated 2026-06-12 · CVE-2026-34084

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

PhpSpreadsheet versions prior to 1.30.3
PhpSpreadsheet versions 2.0.0 through 2.1.14
PhpSpreadsheet versions 2.2.0 through 2.4.3
PhpSpreadsheet versions 3.3.0 through 3.10.3
PhpSpreadsheet versions 4.0.0 through 5.5.0
Description

When the filename argument passed to the IOFactory::load() method is user-controlled, an attacker can supply a path that uses a PHP stream wrapper. The is_file() check inside File::assertFile() accepts such paths, because PHP's filesystem functions resolve stream wrappers transparently, so the check does not stop them. A phar:// path causes PHP to read the PHAR archive's metadata and unserialize it, which leads to remote code execution when a suitable gadget chain exists among the application's loaded classes. The ftp:// and ssh2.sftp:// wrappers can likewise be used to make the server open connections to an attacker-chosen host, i.e. server-side request forgery (SSRF).
Recommendations

Update to version 1.30.3 for versions prior to 1.30.3.
Update to version 2.1.15 for versions 2.0.0 through 2.1.14.
Update to version 2.4.4 for versions 2.2.0 through 2.4.3.
Update to version 3.10.4 for versions 3.3.0 through 3.10.3.
Update to version 5.6.0 for versions 4.0.0 through 5.5.0.

As a temporary mitigation, ensure that the filename argument passed to IOFactory::load() does not contain a PHP stream wrapper: either reject any value whose parsed URL scheme is present and longer than one character (a one-character scheme is a Windows drive letter such as C:, not a wrapper), or resolve the path with realpath() before the check, since realpath() does not understand stream wrappers and returns false for them.
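The following guard is an added example of the temporary mitigation above; it is not PhpSpreadsheet's own code or the project's fix. It assumes the application calls IOFactory::load() with a filename taken from user input and wants to reject every stream-wrapper path while still accepting plain POSIX paths and Windows drive-letter paths. The function and variable names are mine, and the probe inputs at the bottom are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not PhpSpreadsheet code): reject stream-wrapper paths before
// they reach IOFactory::load(). Both checks are independent so that one
// catching a case the other misses still blocks the input.
function isStreamWrapperPath(string $filename): bool
{
    // parse_url() reports "phar", "ftp", "ssh2.sftp", "data", ... as the scheme.
    // For "C:\reports\x.xlsx" it reports the single character "C", which is a
    // Windows drive letter and must stay allowed (this is the "length of one
    // character" exception from the mitigation text).
    $scheme = parse_url($filename, PHP_URL_SCHEME);
    if (is_string($scheme) && strlen($scheme) !== 1) {
        return true;
    }

    // Second check: any wrapper registered in this PHP build, matched by its
    // literal "name://" prefix (case-insensitive). Wrappers from extensions that
    // are not loaded, such as ssh2.sftp without ext-ssh2, are caught above.
    foreach (stream_get_wrappers() as $wrapper) {
        if (stripos($filename, $wrapper . '://') === 0) {
            return true;
        }
    }
    return false;
}

// Resolve to a real local file or refuse. realpath() returns false for every
// stream wrapper, so even a wrapper that slipped past the first function
// cannot produce a usable path here.
function resolveSpreadsheetPath(string $filename): string
{
    if (isStreamWrapperPath($filename)) {
        throw new InvalidArgumentException('Stream wrappers are not permitted in the filename.');
    }
    $real = realpath($filename);
    if ($real === false || !is_file($real)) {
        throw new InvalidArgumentException('File does not exist.');
    }
    return $real;
}

// Constructed probe inputs (no network access and no real files are needed to
// exercise isStreamWrapperPath()).
$probes = [
    'report.xlsx',                          // plain relative path: allow
    '/var/app/uploads/report.xlsx',         // plain absolute path: allow
    'C:\\uploads\\report.xlsx',             // drive letter, one-char scheme: allow
    'phar://uploads/report.xlsx/x.xlsx',    // PHAR metadata unserialize: REJECT
    'ftp://127.0.0.1:21/report.xlsx',       // SSRF through ftp wrapper: REJECT
    'ssh2.sftp://127.0.0.1/report.xlsx',    // SSRF through sftp wrapper: REJECT
    'PHAR://uploads/report.xlsx/x.xlsx',    // case variation still: REJECT
];

foreach ($probes as $probe) {
    printf("%-40s %s\n", $probe, isStreamWrapperPath($probe) ? 'REJECT' : 'allow');
}
```

Call resolveSpreadsheetPath() on the user-supplied value and pass only its return value to IOFactory::load(). The first check is what the advisory describes; the realpath() step is the second option from the advisory and also collapses directory traversal, so a value such as ../../etc/passwd resolves to an absolute path you can compare against the directory you actually intend to serve from.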

Exploit · Fix · RCE · SSRF · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

BDU:2026-08159
CVE-2026-34084
GHSA-Q4Q6-R8WH-5CGH

Affected Products

Phpspreadsheet