AI description
CVE-2025-22131 is a Cross-Site Scripting (XSS) vulnerability found in PhpSpreadsheet, a PHP library used for reading and writing spreadsheet files. Discovered in January 2025, the vulnerability exists in the code that translates XLSX files into HTML. Specifically, it affects the `generateNavigation()` function. The vulnerability arises because sheet names within an XLSX file are not properly sanitized before being included in the HTML output. This allows an attacker to inject malicious JavaScript code, which can then be executed when a user interacts with the compromised website. The vulnerability has been patched in versions 3.8.0, 1.29.8, 2.1.7, and 2.3.6, with the fix involving proper sanitization of sheet names using `htmlspecialchars()` before including them in the HTML output.
- Description: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into an HTML representation and displays it in the response.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: phpspreadsheet
CVSS 4.0
- Type: Secondary
- Base score: 5.1
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: MEDIUM
CVSS 3.1
- Type: Primary
- Base score: 6.1
- Impact score: 2.7
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity: MEDIUM
- CWE: CWE-79 (source: security-advisories@github.com)
- Hype score: Not currently trending
Top 5 Trending CVEs: 1 - CVE-2021-28550 2 - CVE-2025-33073 3 - CVE-2023-20870 4 - CVE-2025-37947 5 - CVE-2025-22131 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
26 Oct 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Stream's over!!! Thanks to everyone who came to watch!! If it's well received, I'm thinking of doing more vulnerability-demonstration streams like this!! If you'd like to see more of these, hit the like button! #がくらいぶ XSS… you
@427Kohi
26 Oct 2025
1780 Impressions
1 Retweet
11 Likes
2 Bookmarks
0 Replies
0 Quotes
I'll be doing a live demo of a somewhat interesting XSS. I made the thumbnail like an overseas YouTuber's. #がくらいぶ XSS… you were in a place like that too…! [CVE-2025-22131] [Vulnerability explainer stream] https://t.co/Zpvk27S74t via @YouTube
@427Kohi
25 Oct 2025
8845 Impressions
5 Retweets
48 Likes
35 Bookmarks
0 Replies
0 Quotes
CVE-2025-22131
@haturatutaro
25 Oct 2025
74 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-22131 This is interesting. XSS really is everywhere, huh. https://t.co/0HvPmvnois
@427Kohi
24 Oct 2025
53673 Impressions
48 Retweets
399 Likes
195 Bookmarks
3 Replies
4 Quotes
CVE-2025-22131 Cross-Site Scripting in PhpSpreadsheet XLSX to HTML Conversion https://t.co/4Q0kBEdKDG
@VulmonFeeds
20 Jan 2025
51 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-22131 PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a … https://t.co/DrUGrQGMps
@CVEnew
20 Jan 2025
406 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C902AF09-CD77-455C-97B6-AA5EB6EB97E5",
            "versionEndExcluding": "1.29.8"
          },
          {
            "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1B99E3BD-258D-4017-98CA-1A3F168C573F",
            "versionEndExcluding": "2.1.7",
            "versionStartIncluding": "2.0.0"
          },
          {
            "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FE3C504E-C56A-4051-A590-D9FCA1A1A3E4",
            "versionEndExcluding": "2.3.6",
            "versionStartIncluding": "2.2.0"
          },
          {
            "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9EF15CF9-433E-4CE8-AEFE-B9BD8E5B761E",
            "versionEndExcluding": "3.8.0",
            "versionStartIncluding": "3.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]