CVE-2025-22131 MEDIUM

CVE-2025-22131: Cross-Site Scripting (XSS) vulnerability in generateNavigation() function

Vendor Phpoffice
Product PhpSpreadsheet
Weakness CWE-79 · XSS
Published January 20, 2025
Last update January 21, 2025
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

Key dates

02Disclosure timeline

January 20, 2025 CVE published
January 21, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-23706 WordPress Jet Skinner for BuddyPress plugin <= 1.2.5 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-49282 WordPress Responsive Lightbox & Gallery plugin <= 2.4.8 - Cross Site Scripting (XSS) vulnerability CVE-2024-2753 Concrete CMS version 9 below 9.2.8 and below 8.5.16 is vulnerable to stored XSS on the calendar color settings screen CVE-2025-47201 CVE-2023-46086 WordPress affiliate-toolkit – WordPress Affiliate Plugin Plugin <= 3.4.3 is vulnerable to Cross Site Scripting (XSS)