CVE-2026-34084
Phar Deserialization RCE in PhpSpreadsheet Library
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected range | Fixed in |
|---|---|---|---|
| phpoffice | phpspreadsheet | all releases up to 5.5.0 (inc); see the branch rows below | see branch rows |
| phpoffice | phpspreadsheet | before 1.30.3 (exc) | 1.30.3 |
| phpoffice | phpspreadsheet | 2.0.0 (inc) to 2.1.14 (inc) | 2.1.15 |
| phpoffice | phpspreadsheet | 2.2.0 (inc) to 2.4.3 (inc) | 2.4.4 |
| phpoffice | phpspreadsheet | 3.3.0 (inc) to 3.10.3 (inc) | 3.10.4 |
| phpoffice | phpspreadsheet | 4.0.0 (inc) to 5.5.0 (inc) | 5.6.0 |
The same ranges are indexed under both vendor names phpspreadsheet and phpoffice; both refer to the single Composer package phpoffice/phpspreadsheet.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in PhpSpreadsheet allows remote code execution and server-side request forgery, which can lead to unauthorized access or manipulation of data.
Such security issues can impact compliance with standards like GDPR and HIPAA, which require protection of sensitive data and secure handling of information systems.
If exploited, this vulnerability could result in data breaches or unauthorized data access, potentially violating data protection regulations and leading to legal and financial consequences.
Can you explain this vulnerability to me?
CVE-2026-34084 is a vulnerability in PhpSpreadsheet, a PHP library for reading and writing spreadsheet files. It occurs in IOFactory::load() when the filename argument is attacker-controlled. The library checks the argument with is_file() before loading it, but is_file() honours PHP stream wrappers, so a value such as phar://..., ftp://... or ssh2.sftp://... passes the check and is then opened through that wrapper; the check itself already performs a stat through the wrapper, so the wrapper is exercised before any reader code runs.
With the phar:// wrapper, opening the archive makes PHP parse its manifest and unserialize the PHAR metadata; if the application or one of its Composer dependencies contains a suitable gadget chain, that unserialize() yields remote code execution. One caveat when assessing exposure: PHP 8.0 stopped unserializing PHAR metadata automatically when an archive is opened, so on 8.x runtimes this branch generally needs code that calls Phar::getMetadata() or similar, whereas the wrapper bypass itself applies on any PHP version. With ftp:// or ssh2.sftp://, the server opens an outbound connection to the host named in the filename (with any credentials embedded in the URL), which is server-side request forgery against internal or external services. The root cause is that the filename is never validated to exclude wrapper schemes; is_file() is an existence check, not a safety check.
The vulnerability affects the branches listed in the table above, up to and including 5.5.0, and is fixed in 1.30.3, 2.1.15, 2.4.4, 3.10.4 and 5.6.0.
How can this vulnerability impact me?
This vulnerability can have serious impacts including remote code execution (RCE) and server-side request forgery (SSRF).
- Remote Code Execution: An attacker can execute arbitrary code on the server by exploiting the deserialization of malicious PHAR metadata.
- Server-Side Request Forgery: a filename beginning with ftp:// or ssh2.sftp:// makes the server itself open an outbound connection to the host named in the URL, which can reach internal services that the attacker cannot reach directly.
These impacts can lead to full system compromise, data theft, or unauthorized access to internal network resources.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your application pins a vulnerable version of PhpSpreadsheet in composer.lock (versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0) and whether IOFactory::load() is ever called with a user-controlled filename argument.
To detect exploitation attempts, look for stream-wrapper prefixes (phar://, ftp://, ssh2.sftp://, and also php://, data: and file://) in any request parameter or upload-derived value that reaches IOFactory::load(); a legitimate spreadsheet path never carries a scheme.
Search the codebase for call sites and then trace where each call's argument comes from, for example with grep:
- grep -rn --include='*.php' "IOFactory::load" /path/to/your/project
Additionally, watch for outbound FTP or SFTP connections originating from web or worker hosts (the SSRF branch via ftp:// and ssh2.sftp://) and for uploaded files whose contents are a PHAR archive regardless of their extension, since PHP identifies a PHAR by its stub and manifest, not by a .phar suffix.
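The following PHP script is an added example, not code from the advisory or from PhpSpreadsheet. It encodes the version ranges from the table above and classifies the version pinned in a composer.lock; the lock-file content embedded at the bottom is a constructed sample, and the function and variable names are this example's own.

```php
<?php
// Added example: classify the PhpSpreadsheet version pinned in composer.lock
// against the ranges listed on this page for CVE-2026-34084. Not code from
// the advisory or the project. The lock-file JSON below is a constructed sample.
declare(strict_types=1);

/** Rows copied from the affected-versions table: [first affected, last affected, fixed release]. */
function cve202634084Branches(): array
{
    return [
        ['0.0.0', '1.30.2', '1.30.3'],  // "before 1.30.3 (exc)"
        ['2.0.0', '2.1.14', '2.1.15'],
        ['2.2.0', '2.4.3',  '2.4.4'],
        ['3.3.0', '3.10.3', '3.10.4'],
        ['4.0.0', '5.5.0',  '5.6.0'],
    ];
}

/**
 * Returns 'affected', 'fixed', or 'unlisted'. 'unlisted' means the version is
 * below the newest fix but matches no row on this page (e.g. 3.0.x), so check
 * the advisory rather than assuming it is safe.
 */
function classifyVersion(string $version): string
{
    $v = ltrim($version, 'v'); // composer.lock may pin "v3.9.0"
    foreach (cve202634084Branches() as [$lo, $hi, $fixed]) {
        if (version_compare($v, $lo, '>=') && version_compare($v, $hi, '<=')) {
            return 'affected';
        }
        if (version_compare($v, $fixed, '==')) {
            return 'fixed';
        }
    }
    return version_compare($v, '5.6.0', '>=') ? 'fixed' : 'unlisted';
}

/** Pulls the pinned version of $package out of composer.lock JSON, or null if absent. */
function lockedVersion(string $lockJson, string $package = 'phpoffice/phpspreadsheet'): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? null) === $package) {
                return (string) $pkg['version'];
            }
        }
    }
    return null;
}

// Constructed sample lock file. For a real project use
// lockedVersion(file_get_contents('composer.lock')) instead.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "phpoffice/phpspreadsheet", "version": "3.9.0"},
    {"name": "psr/simple-cache", "version": "3.0.0"}
  ],
  "packages-dev": []
}
JSON;

$version = lockedVersion($sampleLock);
if ($version === null) {
    echo "phpoffice/phpspreadsheet is not pinned in this lock file\n";
} else {
    echo "phpoffice/phpspreadsheet $version: " . classifyVersion($version) . "\n";
}
```

For a quick manual check, `composer show phpoffice/phpspreadsheet` prints the installed version; the script above is for running the same comparison across many lock files, for instance in CI.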
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to upgrade PhpSpreadsheet to the patched release for your branch: 1.30.3, 2.1.15, 2.4.4, 3.10.4, or 5.6.0 or later.
If upgrading is not immediately possible, validate the filename argument before it reaches IOFactory::load() and reject any value that begins with a scheme (phar://, ftp://, ssh2.sftp://, php://, data: and so on) rather than relying on a denylist of the wrappers named in this advisory.
Resolve the path with realpath(), which only works on real filesystem paths and returns false for wrapper URLs; reject a false result and require the resolved path to lie under the directory you expect, so that "../" components and symlinks cannot escape it. Do this before any other filesystem check, because is_file() itself goes through the wrapper.
Never pass user-controlled input directly as a filename; map the input (an upload identifier, for example) to a server-chosen path instead.
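The class below is an added example, not code from PhpSpreadsheet or from the advisory, covering both the is_file() bypass explained above and the mitigation steps just listed. It assumes a Composer-installed PhpSpreadsheet with a vendor/autoload.php, an upload directory at /var/app/uploads, and PHP 8.x (for str_contains() and str_starts_with()); the class name, the directory and the sample inputs are this example's own.

```php
<?php
// Added example (not PhpSpreadsheet's own code): validate a user-supplied
// spreadsheet filename before it reaches IOFactory::load().
// Assumptions: Composer autoloader present, uploads live under $allowedDir,
// PHP 8.x. Order matters: the scheme test runs on the raw string before any
// filesystem call, because is_file() itself would stat through the wrapper.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Spreadsheet;

final class SafeSpreadsheetLoader
{
    private string $allowedDir;

    public function __construct(string $allowedDir)
    {
        $real = realpath($allowedDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException('allowed directory does not exist');
        }
        $this->allowedDir = $real;
    }

    /** Returns the resolved absolute path for $userPath or throws; never touches a wrapper. */
    public function resolve(string $userPath): string
    {
        // 1. Reject anything carrying a scheme (phar://, ftp://, ssh2.sftp://,
        //    php://, data:, file://, ...). PHP matches wrapper names
        //    case-insensitively, so the test is case-insensitive too.
        if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
            throw new InvalidArgumentException('stream wrappers are not allowed');
        }
        // 2. Fail closed on NUL bytes rather than relying on the filesystem layer.
        if (str_contains($userPath, "\0")) {
            throw new InvalidArgumentException('invalid filename');
        }
        // 3. Resolve "..", symlinks and normalisation, then require the result
        //    to sit inside the allowed directory. realpath() returns false for
        //    a missing file, which also covers the non-existent case.
        $candidate = $this->allowedDir . DIRECTORY_SEPARATOR . $userPath;
        $real = realpath($candidate);
        if ($real === false || !str_starts_with($real, $this->allowedDir . DIRECTORY_SEPARATOR)) {
            throw new InvalidArgumentException('file is missing or outside the allowed directory');
        }
        // 4. Regular file only: no directories, devices or FIFOs.
        if (!is_file($real)) {
            throw new InvalidArgumentException('not a regular file');
        }
        // 5. Only the spreadsheet types this application serves.
        $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
        if (!in_array($ext, ['xlsx', 'xls', 'csv', 'ods'], true)) {
            throw new InvalidArgumentException('unsupported file type');
        }
        return $real;
    }

    /** The hardened replacement for calling IOFactory::load($userInput) directly. */
    public function load(string $userPath): Spreadsheet
    {
        return IOFactory::load($this->resolve($userPath));
    }
}

// Usage with constructed inputs; only 'report.xlsx' can pass, and only if
// /var/app/uploads/report.xlsx actually exists on this machine.
$loader = new SafeSpreadsheetLoader('/var/app/uploads');
foreach ([
    'report.xlsx',
    'phar:///var/app/uploads/avatar.jpg/x.xlsx', // PHAR disguised as an image
    'ftp://attacker.example/x.xlsx',             // SSRF branch
    'SSH2.SFTP://attacker.example/x.xlsx',       // wrapper names are case-insensitive
    '../../etc/passwd',                          // traversal, also blocked by step 3
] as $input) {
    try {
        echo "ACCEPT $input -> " . $loader->resolve($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECT $input: " . $e->getMessage() . "\n";
    }
}
```

The scheme test in step 1 deliberately rejects every "name:" prefix instead of listing the three wrappers from this advisory, so a wrapper the list does not mention (or a future one) is refused as well; the cost is that a bare filename containing a colon is also rejected, which is acceptable for uploaded spreadsheets. If the application stores uploads under server-generated names, the stronger fix is to look the user's input up in a database and never treat it as a path at all.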