CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-22131: Cross-Site Scripting (XSS) vulnerability in generateNavigation() function

5.1 CVSS

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

Classification

CVE ID: CVE-2025-22131

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.1

Affected Products

Vendor: PHPOffice

Product: PhpSpreadsheet

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.68% (scored less or equal to compared to others)

EPSS Date: 2025-02-18 (when was this score calculated)

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-79xx-vf93-p7cx
https://github.com/PHPOffice/PhpSpreadsheet/commit/4088381ccfaf241d7d42c333de0dc8c98e338743

Timeline

2025-01-21 00:33:23 UTC
CVE

Cross-Site Scripting (XSS) vulnerability in generateNavigation() function
2025-01-21 22:15:20 UTC
Github Advisory Database (Composer)

[phpoffice/phpspreadsheet] Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet