← back
CVE-2025-23210

Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet

CVSS 4.8 MEDIUMEPSS 0.4%CWE-79
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected products
PHPOffice · PhpSpreadsheet

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f