Cyber Posture

CVE-2026-34084

CriticalPublic PoCRCE

Published: 05 May 2026

Published
05 May 2026
Modified
08 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0013 31.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34084 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Phpoffice Phpspreadsheet. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing
addresses: CWE-918 CWE-502

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

SI-10 Information Input Validation
addresses: CWE-918 CWE-502

Validates server-side URLs and resource references to block SSRF attempts.

SA-11 Developer Testing and Evaluation
addresses: CWE-502

Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.

SC-44 Detonation Chambers
addresses: CWE-502

Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.

SC-7 Boundary Protection
addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

SI-3 Malicious Code Protection
addresses: CWE-502

Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

SI-4 System Monitoring
addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

SI-7 Software, Firmware, and Information Integrity
addresses: CWE-502

Integrity verification of serialized information can detect tampering before deserialization occurs.

NVD Description

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply…

more

a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-502CWE-918

Affected Products

phpoffice
phpspreadsheet
≤ 1.30.3 · 2.0.0 — 2.1.15 · 2.2.0 — 2.4.4

CVEs Like This One

CVE-2026-26222Shared CWE-502, CWE-918
CVE-2025-58163Shared CWE-502
CVE-2025-60037Shared CWE-502
CVE-2025-54001Shared CWE-502
CVE-2025-27816Shared CWE-502
CVE-2025-55010Shared CWE-502
CVE-2025-13096Shared CWE-918
CVE-2025-27300Shared CWE-502
CVE-2026-30242Shared CWE-918
CVE-2025-60224Shared CWE-502

References