CVE-2026-34084: PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user-controlled
The is_file() check that the Reader implementations (apparently all of them) run on $filename through the helper File::assertFile, to verify that it really is a file, is PHP stream-wrapper aware: it succeeds for any registered wrapper that implements stat().
The ftp://, phar:// and ssh2.sftp:// wrappers all satisfy this requirement; two of them are exercised in the PoC below.
The result is SSRF at best and RCE at worst.
This was tested against the latest release, but a first quick check suggests the issue goes back a long way (it is still present in v1.30.2).
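The following is an added example, not code from the advisory or from the PhpSpreadsheet project. It shows the vulnerable pattern the advisory describes (a request parameter flowing straight into IOFactory::load()) next to a hardened variant that confines the name to a fixed upload directory. The Composer autoload path, the $baseDir parameter and the function names are assumptions for illustration; IOFactory::load() is the real PhpSpreadsheet entry point.

```php
<?php
// Added example (not from the advisory or the PhpSpreadsheet project).
declare(strict_types=1);

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Spreadsheet;

require __DIR__ . '/vendor/autoload.php'; // assumed Composer layout

// Vulnerable pattern: the raw value of ?file= reaches the reader. A value such
// as ftp://attacker.example/x.xlsx or phar://... passes File::assertFile,
// because is_file() defers to the wrapper's stat() implementation.
function loadUntrusted(string $userPath): Spreadsheet
{
    return IOFactory::load($userPath);
}

// Hardened pattern: accept a bare file name only, then resolve it inside a
// fixed directory and verify containment before the reader ever sees it.
function loadFromUploadDir(string $userPath, string $baseDir): Spreadsheet
{
    // 1. A wrapper URL or any path component is rejected outright.
    //    basename('ftp://host/x.xlsx') === 'x.xlsx' !== $userPath, so this
    //    also catches every scheme-prefixed value.
    if ($userPath === '' || $userPath !== basename($userPath) || str_contains($userPath, '://')) {
        throw new InvalidArgumentException('invalid file name');
    }

    // 2. realpath() only understands plain filesystem paths (it returns false
    //    for stream wrappers), so the resolved name is a real local file.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false
        || !str_starts_with($full, $base . DIRECTORY_SEPARATOR)
        || !is_file($full)) {
        throw new RuntimeException('file not found');
    }

    return IOFactory::load($full);
}

// Optional defence in depth for applications that never need these wrappers:
// unregistering them makes is_file()/fopen() on such URLs fail everywhere,
// including inside third-party code. (ssh2.sftp is only present with ext-ssh2.)
foreach (['phar', 'ftp', 'ftps', 'ssh2.sftp'] as $wrapper) {
    if (in_array($wrapper, stream_get_wrappers(), true)) {
        stream_wrapper_unregister($wrapper);
    }
}

// Usage (assumed upload directory):
// $sheet = loadFromUploadDir($_GET['file'] ?? '', '/var/app/uploads');
```

The containment check uses realpath() on both sides so that symlinks and ../ sequences are resolved before the prefix comparison; the trailing DIRECTORY_SEPARATOR prevents /var/app/uploads2 from matching /var/app/uploads. Unregistering the wrappers is a process-wide change, so do it only if nothing else in the application relies on them.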