CVE-2024-56410

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

Published: Jan 3, 2025
Updated: Aug 11, 2025
CVE: CVE-2024-56410
GHSA: GHSA-wv23-996v-q229
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
phpoffice / phpspreadsheet	3.0.0	3.7.0
phpoffice / phpspreadsheet	-	1.29.7
phpoffice / phpspreadsheet	2.0.0	2.1.6
phpoffice / phpspreadsheet	2.2.0	2.3.5
phpoffice / phpexcel	-	1.8.2.x
phpoffice / phpspreadsheet	3.3.0	3.7.0

https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wv23-996v-q229

Vulnerability Database

CVE-2024-56410

Deep Security Visibility Without the Complexity