External risk intelligence

PhpSpreadsheet Phar Wrapper Deserialization Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-45034

PhpSpreadsheet is a library integrated into custom applications to process files. It is not an internet-facing service by design. Reachability depends entirely on whether a specific application exposes a file upload or processing feature to the public, rather than the library itself being a public service.

Deserialization

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

PhpSpreadsheet, a widely used PHP library for spreadsheet manipulation, has a critical vulnerability that could allow attackers to execute code remotely. This flaw stems from how the library handles file wrappers, specifically with Phar archives, potentially leading to unauthorized code execution on systems running certain PHP versions. The main concern is confirming if and where this library is used within our applications to assess exposure.

  • Library flaw allows remote code execution.
  • Affects systems processing spreadsheet files.
  • Confirm usage; assess exposure and impact.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by tricking a web application that uses the vulnerable PhpSpreadsheet library into processing a specially crafted file. The vulnerability lies in how the library handles file paths, specifically when dealing with stream wrappers like `phar://`. When a file path is presented in a specific format with multiple slashes, the library's protective checks are bypassed, allowing it to interpret the path as a valid `phar` archive. This can lead to the execution of arbitrary code on the server, particularly on older PHP versions.

  • File upload or processing feature exposure required.
  • Specially crafted file path triggers wrapper bypass.
  • Remote code execution on older PHP versions.

Live Threat

Current exploitation, exposure, and threat context

When processed with a specially crafted spreadsheet file, PhpSpreadsheet could allow an attacker to execute arbitrary code. This is possible when the library is used to load a file path that includes a crafted `phar://` stream wrapper, bypassing security checks. On PHP 7.x, this can lead to immediate remote code execution. On PHP 8.x, it reduces to a file read primitive unless the downstream consumer further interacts with Phar metadata.

  • Arbitrary code execution.
  • Malicious file load via phar wrapper.
  • Compromise of the application server.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability resides in the PhpSpreadsheet library, commonly integrated into custom PHP applications for spreadsheet processing. The immediate first step is to identify all instances of PhpSpreadsheet within your environment, determine if they are exposed to external input or reachable over the network, and confirm the accountable application or platform owner. Remediation planning should then prioritize critical and exposed assets.

  • Application owners should manage this issue.
  • Verify upstream application exposure and reachability.
  • Coordinate with vendors for timely updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is PhpSpreadsheet and how is it used?

PhpSpreadsheet is a pure PHP software library that developers integrate into custom web applications to programmatically read, write, and manipulate various spreadsheet file formats. It acts as a processing engine, allowing applications to import user-uploaded documents or export data into formats like Excel. It is a backend component, not a standalone service, meaning its functionality is entirely dependent on how the host application manages file inputs.

What is the vulnerability behind CVE-2026-45034?

The vulnerability is categorized as Deserialization of Untrusted Data (CWE-502). It occurs because the library fails to properly filter file paths containing 'phar://' stream wrappers when they are formatted with three or more slashes. This allows an attacker to bypass security checks designed to block these wrappers, ultimately leading the library to interact with files in a way that can trigger malicious code execution on the server.

How can an attacker trigger this CVE-2026-45034 flaw?

An attacker triggers the flaw by providing a specially crafted file path—using the 'phar://' wrapper with extra slashes—to an application that uses the vulnerable library. Importantly, simply sending a standard spreadsheet file does not trigger the bug; it requires a path specifically designed to bypass the library's existing protective helper function. Once the path is accepted, the library attempts to load the malicious archive, potentially resulting in unintended code execution.

Is my environment at risk based on Halo Surface Signal?

Halo Surface Signal indicates that risk depends on whether your specific application exposes file upload or processing features to the internet. Since PhpSpreadsheet is a library rather than a public-facing service, it is not inherently internet-facing. You are primarily at risk if your application takes file input from external users and passes those paths to the library, creating a reachable path for an attacker to exploit the deserialization weakness.

How do I start addressing CVE-2026-45034?

Your first step is to perform an inventory to locate all applications in your environment that utilize the PhpSpreadsheet library. Once identified, confirm if these applications accept file uploads or process external file paths. You should coordinate with the platform owners to update the library to version 1.30.5 or later, which contains the corrected logic for handling these file wrappers. Prioritize updates for any applications reachable from the public internet.

References