CVE-2026-34084 | PHPOffice PhpSpreadsheet up to 5.5.0 IOFactory::load filename deserialization

SecurityVulns

A vulnerability classified as critical has been discovered in PHPOffice PhpSpreadsheet up to 1.30.2/2.1.14/2.4.3/3.10.3/5.5.0. This issue affects the function IOFactory::load. Manipulating the argument filename can lead to deserialization.

This vulnerability is tracked as CVE-2026-34084. The attack can be launched remotely. No exploit exists.

It is advisable to upgrade the affected component.