CVE-2025-22131

MEDIUM

PhpSpreadsheet <1.29.8 and 3.0.0-3.7.9 - Cross-Site Scripting in XLSX to HTML Translation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-22131. PoCs published by s0ck37, ZzN1NJ4.

AI-analyzed exploit summary:

This PoC generates a malicious Excel file (exploit.xlsx) by embedding user-provided HTML/JavaScript into the workbook.xml file of a sample spreadsheet. The exploit leverages CVE-2025-22131, an XSS vulnerability, by replacing a sheet name with the injected payload.

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. A Cross-Site Scripting (XSS) vulnerability exists in the code that translates an XLSX file into an HTML representation and displays it in the response.

Exploits (2)

nomisec · WORKING POC · 3 stars
by s0ck37 · poc
https://github.com/s0ck37/CVE-2025-22131-POC

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Excel (version not specified)
No auth needed
Prerequisites: sample.xlsx file · Python environment
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by ZzN1NJ4 · poc
https://github.com/ZzN1NJ4/CVE-2025-22131-PoC

This PoC demonstrates an XSS vulnerability in PhpSpreadsheet where unsanitized sheet names in XLSX files can inject malicious HTML. The exploit modifies the workbook.xml file to include an XSS payload that exfiltrates cookies to an attacker-controlled URL.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: PhpSpreadsheet <1.29.8, >=2.2.0 <2.3.6, >=2.0.0 <2.1.7, >=3.0.0 <3.8.0
No auth needed
Prerequisites: XLSX file with multiple sheets · ability to upload/modify XLSX files on target server
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.1
EPSS 0.0096
EPSS Percentile 77.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
phpoffice/phpexcel (Packagist)
phpoffice/phpspreadsheet < 1.29.8
phpoffice/phpspreadsheet 3.0.0 - 3.8.0 (Packagist)
Published Jan 20, 2025
Tracked Since Feb 18, 2026