XSS in Phpoffice Phpspreadsheet
CVE-2025-23210
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions contain a bypass of the cross-site scripting (XSS) sanitizer using the javascript protocol and special characters…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.001 (29.5th percentile)
Affected products
- Phpoffice Phpspreadsheet: versions >= 3.0.0, < 3.9.0; >= 2.2.0, < 2.3.7; >= 2.0.0, < 2.1.8