AI description
CVE-2025-22131 is a Cross-Site Scripting (XSS) vulnerability in PhpSpreadsheet, a PHP library for reading and writing spreadsheet files. Published in January 2025, it affects the code that translates an XLSX workbook into an HTML representation, specifically the `generateNavigation()` function of the HTML writer, which builds the list of links to the individual sheets. Worksheet names taken from the XLSX file are concatenated into that markup without being escaped, so a crafted workbook can carry a sheet name such as an `<img>` tag with an `onerror` handler, and the resulting script runs in the browser of any user who views the generated HTML. No privileges are needed to supply the file (CVSS PR:N); the victim only has to open the rendered output (UI:R). The issue is fixed in versions 3.8.0, 1.29.8, 2.1.7 and 2.3.6, where the sheet name is passed through `htmlspecialchars()` before it is written into the HTML. Applications that render user-supplied spreadsheets as HTML should upgrade to one of those releases; note that the library's own `setTitle()` validation (31-character limit, rejection of `* : / \ ? [ ]`) still allows `<`, `>` and quotes, so it is not a mitigation.
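The following is an added example written for this page, not code from PhpSpreadsheet or from the advisory. It builds a two-sheet workbook whose first sheet name is an XSS payload, renders it with the library's HTML writer, and reports whether the installed release escapes the name. It assumes `composer require phpoffice/phpspreadsheet` has been run in the working directory; the two `navigationEntry*()` functions are a reconstruction of the shape of the affected markup (sheet title concatenated into an `<a>` element) and of the `htmlspecialchars()` fix, not a copy of upstream code.

```php
<?php
// Added example for this page, not code from PhpSpreadsheet or its advisory.
// Renders a two-sheet workbook whose first sheet name is an XSS payload and
// reports whether the installed PhpSpreadsheet release escapes it.
// Assumptions: `composer require phpoffice/phpspreadsheet` has been run in the
// current directory; navigationEntryVulnerable()/navigationEntryFixed() are a
// reconstruction of the affected markup's shape, not a copy of upstream code.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;

// Shape of one navigation entry before and after the fix (reconstruction).
// The only difference is the htmlspecialchars() call around the title.
function navigationEntryVulnerable(string $title, int $sheetId): string
{
    return '<li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">'
        . $title . '</a></li>';
}

function navigationEntryFixed(string $title, int $sheetId): string
{
    return '<li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">'
        . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</a></li>';
}

// Constructed payload. Worksheet::setTitle() rejects * : / \ ? [ ] and names
// longer than 31 characters, but < > and quotes are legal, so this
// 28-character name passes validation and is stored in the workbook as-is.
$payload = '<img src=x onerror=alert(1)>';

$spreadsheet = new Spreadsheet();
$spreadsheet->getActiveSheet()->setTitle($payload);
// The navigation list is only built when more than one sheet is written, so a
// second sheet is needed to reach the affected code path at all.
$spreadsheet->createSheet()->setTitle('Second');

$writer = new Html($spreadsheet);
$writer->writeAllSheets();   // single-sheet output emits no navigation block

// Capture the HTML instead of writing a file; save('php://output') is the
// documented way to stream the writer's result.
ob_start();
$writer->save('php://output');
$html = (string) ob_get_clean();

echo 'vulnerable form: ' . navigationEntryVulnerable($payload, 0) . PHP_EOL;
echo 'fixed form:      ' . navigationEntryFixed($payload, 0) . PHP_EOL;

// The payload contains no quotes, so the default htmlspecialchars() flags and
// ENT_QUOTES produce the same escaped string; either way the tag is neutralised.
if (strpos($html, $payload) !== false) {
    echo 'VULNERABLE: sheet name reached the HTML output unescaped' . PHP_EOL;
} elseif (strpos($html, htmlspecialchars($payload)) !== false) {
    echo 'PATCHED: sheet name was HTML-escaped before output' . PHP_EOL;
} else {
    echo 'UNKNOWN: neither form found; inspect the generated navigation manually' . PHP_EOL;
}
```

Run it with `php check.php` against the dependency set of the application you are assessing. To test a real uploaded file rather than a constructed workbook, replace the `new Spreadsheet()` block with `IOFactory::load($path)`; the sheet name is read straight from the XLSX, which is exactly how an attacker delivers it.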
- Description
- PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into an HTML representation and displays it in the response.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- phpspreadsheet
CVSS 4.0
- Type
- Secondary
- Base score
- 5.1
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 6.1
- Impact score
- 2.7
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
Weakness
- Source
- security-advisories@github.com
- CWE
- CWE-79
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
45
CVE-2025-22131 This one's interesting. XSS really does turn up everywhere, doesn't it. https://t.co/0HvPmvnois
@427Kohi
24 Oct 2025
53203 Impressions
47 Retweets
395 Likes
194 Bookmarks
3 Replies
4 Quotes
CVE-2025-22131 Cross-Site Scripting in PhpSpreadsheet XLSX to HTML Conversion https://t.co/4Q0kBEdKDG
@VulmonFeeds
20 Jan 2025
51 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-22131 PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a … https://t.co/DrUGrQGMps
@CVEnew
20 Jan 2025
406 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C902AF09-CD77-455C-97B6-AA5EB6EB97E5",
            "versionEndExcluding": "1.29.8"
          },
          {
            "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1B99E3BD-258D-4017-98CA-1A3F168C573F",
            "versionEndExcluding": "2.1.7",
            "versionStartIncluding": "2.0.0"
          },
          {
            "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FE3C504E-C56A-4051-A590-D9FCA1A1A3E4",
            "versionEndExcluding": "2.3.6",
            "versionStartIncluding": "2.2.0"
          },
          {
            "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9EF15CF9-433E-4CE8-AEFE-B9BD8E5B761E",
            "versionEndExcluding": "3.8.0",
            "versionStartIncluding": "3.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]