External risk intelligence

PhpSpreadsheet allows attackers to run code or access internal systems.

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-34084

A critical flaw in PhpSpreadsheet lets attackers execute code or spy on your systems by tricking it into opening malicious spreadsheet files, impacting applications that handle user uploads.

Halo Surface Signal: 4

Deserialization

phpoffice/phpspreadsheet

Affected version ranges:

  • before 1.30.3
  • 2.0.0 to before 2.1.15
  • 2.2.0 to before 2.4.4
  • 3.3.0 to before 3.10.4
  • 4.0.0 to before 5.6.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-34084

This library is a common dependency for PHP web applications that process user-uploaded documents. Because document upload and processing features are frequently implemented in internet-facing web portals, APIs, and business applications, this vulnerability is often reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This issue in PhpSpreadsheet allows an attacker to execute code on your server or trick it into making requests to external systems. This is possible when the library processes spreadsheet files uploaded or referenced by users, potentially leading to significant compromise of your application's integrity and data.

  • Attacker can run arbitrary code.
  • Application can be tricked into making unintended requests.
  • Affects applications processing user-provided files.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by tricking a user into uploading a specially crafted file to an application using a vulnerable version of PhpSpreadsheet. This crafted file can cause the application to execute arbitrary PHP code or perform unauthorized network requests on the server.

  • User-controlled filenames can be weaponized.
  • PHAR deserialization leads to RCE.
  • Remote file wrappers cause SSRF.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in PhpSpreadsheet allows for remote code execution or server-side request forgery when handling user-controlled filenames that leverage PHP stream wrappers. Attackers would likely favor this vulnerability for its potential to achieve arbitrary code execution with minimal authentication requirements, making it attractive for widespread exploitation. The ability to inject stream wrappers like phar:// to trigger deserialization is a well-understood attack vector.

  • Exploitation is possible via user input.
  • Vulnerable to RCE and SSRF.
  • Fixes released for multiple versions.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching or updating PhpSpreadsheet to a secure version immediately, as vulnerable versions allow remote code execution or server-side request forgery through crafted spreadsheet files. If patching is delayed, implement input validation and content security policy to mitigate risks associated with user-supplied file paths and stream wrappers.

  • Update to 1.30.3, 2.1.15, 2.4.4, 3.10.4, or 5.6.0.
  • Validate all user-supplied filenames.
  • Monitor for unexpected network traffic.

Frequently asked questions

What is PhpSpreadsheet and what is it used for?

PhpSpreadsheet is a PHP library that allows applications to read and write various spreadsheet file formats, such as Excel (.xlsx) and LibreOffice Calc (.ods) [3, 5, 6]. It is commonly used for tasks like data import and export, generating reports, creating invoices, and managing budgets or schedules [6, 7].

How does CVE-2026-34084 allow attackers to compromise a system?

CVE-2026-34084 is a deserialization vulnerability (CWE-502) where an attacker can supply a malicious path to the `IOFactory::load()` function. This path can trigger PHP's stream wrappers, like `phar://`, to deserialize PHAR metadata, potentially leading to remote code execution if vulnerable application code is present [4, 8, 11, 14]. Other stream wrappers like `ftp://` and `ssh2.sftp://` can be used for Server-Side Request Forgery (SSRF), allowing unauthorized requests to other systems [4, 8, 11, 14].

What are the preconditions for an attacker to exploit CVE-2026-34084?

An attacker needs to control a filename or path that is passed to the `IOFactory::load()` function within PhpSpreadsheet. If that user-controlled input reaches the loader and the application or its dependencies contain classes usable as a deserialization gadget chain, the attacker can exploit the library's handling of PHP stream wrappers to achieve their goal.

Who should be concerned about CVE-2026-34084 affecting their internet-facing applications?

Any organization that uses PhpSpreadsheet in web applications, APIs, or business applications that are accessible from the internet should be concerned. This is because features like document upload and processing are often exposed externally, making these applications potential targets for attackers seeking to execute code or perform unauthorized network requests [4, 8, 10, 11, 12, 14, 18].

What is the first step to respond to this threat?

The immediate and most crucial step is to update PhpSpreadsheet to a patched version, such as 1.30.3, 2.1.15, 2.4.4, 3.10.4, or 5.6.0 [8, 11, 14]. If immediate patching is not possible, review and validate all user-supplied filenames passed to `IOFactory::load()` to prevent the use of malicious stream wrappers.
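The remediation bullets above and this answer both come down to one control: never let a request parameter reach `IOFactory::load()` as-is. The following is an added example, not PhpSpreadsheet project code, showing the vulnerable call pattern next to a guard that strips stream-wrapper prefixes and pins the file to an upload directory. It assumes a Composer autoloader and an upload root `UPLOAD_DIR` of your own.

```php
<?php
// Added example (not PhpSpreadsheet project code). Assumes Composer
// autoload and an upload root UPLOAD_DIR controlled by the application.
require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;

const UPLOAD_DIR = '/var/www/app/uploads'; // assumption: your upload root

// Vulnerable pattern: the request value is handed straight to the loader,
// so a "phar://", "ftp://" or "ssh2.sftp://" prefix is honoured as a
// PHP stream wrapper instead of being treated as a plain file name.
function loadUnsafe(string $userPath)
{
    return IOFactory::load($userPath);
}

// Hardened: map the client-supplied name to a real file under UPLOAD_DIR
// and refuse anything that carries a scheme, a directory, or a traversal.
function resolveUploadPath(string $userName): string
{
    // Reject any "scheme:" prefix up front (phar:, ftp:, ssh2.sftp:, data:)
    // so the attempt is visible in logs, even though basename() below would
    // drop it anyway.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userName)) {
        error_log('rejected stream-wrapper file name: ' . $userName);
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }
    // Keep only the final path component; the client supplies no directories.
    $base = basename($userName);
    if ($base === '' || $base === '.' || $base === '..' || strpbrk($base, "\0") !== false) {
        throw new InvalidArgumentException('invalid file name');
    }
    // Allowlist the spreadsheet extensions the application actually expects.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ['xlsx', 'xls', 'ods', 'csv'], true)) {
        throw new InvalidArgumentException('unsupported file type');
    }
    // realpath() is false for missing files and resolves symlinks, so the
    // result must exist and still sit underneath the upload root.
    $real = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $base);
    $root = realpath(UPLOAD_DIR);
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new InvalidArgumentException('file not found in upload directory');
    }
    return $real;
}

function loadSafe(string $userName)
{
    return IOFactory::load(resolveUploadPath($userName));
}
```

Because the hardened path always starts with the resolved upload root, no wrapper prefix can survive to the loader, and the rejected-name log line gives a concrete signal to monitor for alongside the unexpected outbound traffic mentioned above.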

References