Is phpoffice/phpexcel safe to use?

phpoffice/phpexcel has 19 known vulnerabilities on the latest version (1.8.2). DepScope rates its health at 0/100 (critical risk).

What is the latest version of phpoffice/phpexcel?

The latest version of phpoffice/phpexcel is 1.8.2, released 2018-11-22.

Does phpoffice/phpexcel have known vulnerabilities?

Yes. phpoffice/phpexcel has 19 known vulnerabilities. See depscope.dev/pkg/composer/phpoffice/phpexcel for details.

Is phpoffice/phpexcel deprecated?

Yes, phpoffice/phpexcel is deprecated: phpoffice/phpspreadsheet

What are alternatives to phpoffice/phpexcel?

DepScope has no curated alternatives for phpoffice/phpexcel at this time.

What license does phpoffice/phpexcel use?

phpoffice/phpexcel is licensed under LGPL-2.1.

phpoffice/phpexcel

composerv1.8.2deprecated

PHPExcel - OpenXML - Read, Create and Write Spreadsheet documents in PHP - Spreadsheet engine

License LGPL-2.1weak copyleft9 versions4 maintainers4 deps

PHPOffice/PHPExcel

/ 100

Health

find alternative

phpoffice/phpexcel is deprecated — find an alternative

Update to >= 2.3.5 to fix known vulnerabilities

Low health score (0/100)
9 high severity vulnerabilities
Package is deprecated

Health breakdown0 – 100

0/25

maintenance

0/20

popularity

0/25

security

6/15

maturity

0/15

community

Vulnerabilities

9 high10 medium

Advisories (19)

Severity	ID	Summary	Fixed in
medium	CVE-2020-7776	Cross-site scripting in phpoffice/phpspreadsheet	1.16.0
high	CVE-2024-45290	PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file	2.1.1
high	CVE-2024-45293	XXE in PHPSpreadsheet's XLSX reader	2.1.1
medium	CVE-2025-22131	Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet	2.3.6
high	CVE-2024-48917	XXE in PHPSpreadsheet's XLSX reader	3.4.0
high	CVE-2024-56366	PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file	2.3.5
high	CVE-2024-45048	XXE in PHPSpreadsheet encoding is returned	2.1.1
medium	CVE-2024-56411	PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header	2.3.5
high	CVE-2024-56409	PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file	2.3.5
high	CVE-2024-56365	PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class	2.3.5
high	CVE-2024-47873	XmlScanner bypass leads to XXE	3.4.0
medium	CVE-2024-56412	PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters	2.3.5
medium	CVE-2025-23210	PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters	2.1.8
medium	CVE-2024-45292	PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks	2.1.1
medium	CVE-2024-45060	PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file	2.1.1
medium	CVE-2024-45291	PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled	2.1.1
medium	CVE-2024-45046	PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information	1.29.1
medium	CVE-2024-56410	PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties	2.3.5
high	CVE-2024-56408	PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file	2.3.5

Threat intelligence

1 likely exploited (EPSS ≥ 0.5)

Threat tier per vulnerability derived from CISA KEV catalog + FIRST.org EPSS scores.

Maintainer trust

Active maintainers (3m)

1

Contributors (12m)

0

Primary author dominance

0%

GitHub stars

11,381

single active maintainer 3marchived repo

Health History

Dependency Tree

License Audit

Dependencies (4)

php ext-mbstring ext-xml ext-xmlwriter

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/composer/phpoffice/phpexcel

Last updated · 2018-11-22T23:07:24+00:00