CVE-2026-34084
Analyzed Analyzed - Analysis Complete
Phar Deserialization RCE in PhpSpreadsheet Library

Publication date: 2026-05-05

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34084
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
phpoffice phpspreadsheet to 1.30.3 (exc)
phpoffice phpspreadsheet From 2.0.0 (inc) to 2.1.15 (exc)
phpoffice phpspreadsheet From 2.2.0 (inc) to 2.4.4 (exc)
phpoffice phpspreadsheet From 3.3.0 (inc) to 3.10.4 (exc)
phpoffice phpspreadsheet From 4.0.0 (inc) to 5.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in PhpSpreadsheet allows remote code execution and server-side request forgery, which can lead to unauthorized access or manipulation of data.

Such security issues can impact compliance with standards like GDPR and HIPAA, which require protection of sensitive data and secure handling of information systems.

If exploited, this vulnerability could result in data breaches or unauthorized data access, potentially violating data protection regulations and leading to legal and financial consequences.

Executive Summary

CVE-2026-34084 is a vulnerability in PhpSpreadsheet, a PHP library used for reading and writing spreadsheet files. The issue occurs in the IOFactory::load function when the filename argument is controlled by an attacker. The library uses the is_file() function to check if the file is valid, but this check can be bypassed using PHP stream wrappers such as phar://, ftp://, or ssh2.sftp://.

Using the phar:// wrapper triggers deserialization of PHAR metadata, which can lead to remote code execution if a suitable gadget chain exists in the application. The ftp:// and ssh2.sftp:// wrappers can be exploited for server-side request forgery (SSRF). This vulnerability arises because the library does not properly validate the filename to exclude these wrappers.

The vulnerability affects multiple versions of PhpSpreadsheet up to 5.5.0 and has been fixed in later versions. The root cause is reliance on is_file() without proper validation, allowing attackers to bypass security checks.

Impact Analysis

This vulnerability can have serious impacts including remote code execution (RCE) and server-side request forgery (SSRF).

  • Remote Code Execution: An attacker can execute arbitrary code on the server by exploiting the deserialization of malicious PHAR metadata.
  • Server-Side Request Forgery: Attackers can use ftp:// or ssh2.sftp:// wrappers to make unauthorized requests from the server, potentially accessing internal resources.

These impacts can lead to full system compromise, data theft, or unauthorized access to internal network resources.

Detection Guidance

This vulnerability can be detected by checking if your application uses vulnerable versions of PhpSpreadsheet (versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0) and if the IOFactory::load() function is called with user-controlled filename arguments.

To detect potential exploitation attempts, you can look for usage of PHP stream wrappers such as phar://, ftp://, or ssh2.sftp:// in the filename parameter passed to IOFactory::load().

Suggested commands to help detect this vulnerability include searching your codebase for calls to IOFactory::load() with user input, for example using grep:

  • grep -r "IOFactory::load" /path/to/your/project

Additionally, you can monitor logs or network traffic for suspicious requests involving PHP stream wrappers or unexpected PHAR file accesses.

Mitigation Strategies

Immediate mitigation steps include upgrading PhpSpreadsheet to a patched version: 1.30.3, 2.1.15, 2.4.4, 3.10.4, or 5.6.0 or later.

If upgrading is not immediately possible, ensure that the filename argument passed to IOFactory::load() is properly validated to disallow PHP stream wrappers such as phar://, ftp://, and ssh2.sftp://.

Use functions like realpath() to resolve and validate file paths before passing them to IOFactory::load(), preventing attackers from bypassing file existence checks.

Avoid accepting user-controlled input directly as filenames without strict validation or sanitization.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34084. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart