What is CVE-2025-22131?

CVE-2025-22131 is a vulnerability in Phpoffice Phpspreadsheet, classified under Cross-site Scripting. Published 2025-01-20.

Is CVE-2025-22131 known to be exploited?

6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XSS in Phpoffice Phpspreadsheet

CVE-2025-22131

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.007 (72.5th percentile) — read the EPSS interpretation.

Affected products

Phpoffice Phpspreadsheet — versions >= 3.0.0, < 3.8.0, >= 2.2.0, < 2.3.6, >= 2.0.0, < 2.1.7

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

Public proof-of-concept exploits

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-79xx-vf93-p7cx (x_refsource_CONFIRM)
https://github.com/PHPOffice/PhpSpreadsheet/commit/4088381ccfaf241d7d42c333de0dc8c98e338743 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-22131?: CVE-2025-22131 is a vulnerability in Phpoffice Phpspreadsheet, classified under Cross-site Scripting. Published 2025-01-20.
Is CVE-2025-22131 known to be exploited?: 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.