Security Advisory - Published 2026-06-23 - PHP / Laravel
PhpSpreadsheet, Filament, and phpseclib: check Composer locks and admin logs
This PHP batch affects import paths, Laravel admin panels, MFA recovery handling, temporary uploads, login behavior, and certificate validation. Start with the Composer lock, then review the app features that expose each library.
Affected packages
| CVE | Package | Fixed in | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-45034 | PhpSpreadsheet | 1.30.5 (affects < 1.30.5) | Upgrade PhpSpreadsheet to 1.30.5 and review spreadsheet import paths | 9.2 |
| CVE-2026-55409 | Filament | 3.3.53 | Upgrade Filament Forms to 3.3.53 and review disabled RichEditor fields | 7.6 |
| CVE-2026-48505 | Filament | 4.11.5 / 5.6.5 | Upgrade Filament to 4.11.5 or 5.6.5 and review MFA recovery-code usage | 7.4 |
| CVE-2026-48500 | Filament | 3.3.52 / 4.11.5 / 5.6.5 | Upgrade Filament to 3.3.52, 4.11.5, or 5.6.5 and review temporary upload storage | 6.5 |
| CVE-2026-55599 | phpseclib | 1.0.30 / 2.0.55 / 3.0.54 | Upgrade phpseclib to 1.0.30, 2.0.55, or 3.0.54 and review certificate validation paths | 5.8 |
| CVE-2026-48166 | Filament | 4.11.5 / 5.6.5 | Upgrade Filament to 4.11.5 or 5.6.5 and review login enumeration risk | 5.3 |
Owner self-check
```shell
composer show phpoffice/phpspreadsheet filament/forms filament/filament phpseclib/phpseclib 2>/dev/null
grep -Rni 'phpoffice/phpspreadsheet\|filament/forms\|filament/filament\|phpseclib/phpseclib' composer.json composer.lock 2>/dev/null
grep -Rni 'IOFactory::load\|RichEditor\|WithFileUploads\|recovery code\|validateSignature\|X509' app config routes resources 2>/dev/null | head -180
grep -Rni 'spreadsheet\|upload\|mfa\|recovery\|login\|certificate\|x509\|ssrf' storage/logs var/log 2>/dev/null | tail -180
```
What to review
- PhpSpreadsheet import jobs that accept uploaded or remote spreadsheet paths, especially older PHP 7.x deployments.
- Filament v3 forms with disabled RichEditor fields that display stored rich text.
- Filament MFA recovery-code use, session creation, and account recovery events.
- Filament login and auth pages with unexpected temporary uploads or repeated account-probing traffic.
- phpseclib certificate validation paths where partner, user, SAML, SSH, or TLS certificates are supplied to the app.
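The self-check above tells you which of the four packages are installed; deciding whether each installed version is at or above the fix for its own release branch is the step that is easy to get wrong by eye (phpseclib and Filament ship fixes on several branches, and PhpSpreadsheet only lists a 1.x fix). The following script is an added example, not part of this advisory or of any of the projects named: it parses a `composer.lock` document, matches each advisory package to the fixed version in the same major branch, and reports `fixed`, `vulnerable`, or `review` (branch not covered, or a dev/branch alias that cannot be compared numerically). The fixed versions are the ones in the table; the sample lock contents are constructed, and the package names assume the Packagist names used in the `composer show` line above.

```python
import json
import re
import sys

# Fixed versions per package, copied from the advisory table. Only the 1.x fix
# is listed for PhpSpreadsheet; other branches are reported as "review".
FIXED_VERSIONS = {
    "phpoffice/phpspreadsheet": ["1.30.5"],
    "filament/forms": ["3.3.53"],
    "filament/filament": ["3.3.52", "4.11.5", "5.6.5"],
    "phpseclib/phpseclib": ["1.0.30", "2.0.55", "3.0.54"],
}

# Accepts "v3.3.50", "3.3.50" and "3.3.50-beta1"; a pre-release tag is compared
# by its numeric prefix only, so treat a "fixed" verdict on a pre-release with care.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) for a tagged release, or None for dev/branch refs."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def classify(package, installed):
    """Return 'fixed', 'vulnerable', 'review' or 'unknown' for one installed version."""
    fixes = FIXED_VERSIONS.get(package)
    if fixes is None:
        return "unknown"  # package is not covered by this advisory
    cur = parse_version(installed)
    if cur is None:
        return "review"  # dev-main / branch alias: no numeric comparison possible
    for fix in fixes:
        fixed = parse_version(fix)
        if fixed[0] == cur[0]:  # compare only against the fix on the same major branch
            return "fixed" if cur >= fixed else "vulnerable"
    return "review"  # installed branch has no listed fix: check its release notes


def check_lock(lock_json):
    """Scan a composer.lock document; map advisory package -> (installed, verdict)."""
    doc = json.loads(lock_json)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in doc.get(section, []):
            name = pkg.get("name", "")
            if name in FIXED_VERSIONS:
                installed = pkg.get("version", "")
                findings[name] = (installed, classify(name, installed))
    return findings


# Constructed sample lock document (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpoffice/phpspreadsheet", "version": "1.29.0"},
        {"name": "filament/filament", "version": "v3.3.50"},
        {"name": "filament/forms", "version": "v3.3.53"},
        {"name": "phpseclib/phpseclib", "version": "3.0.54"},
        {"name": "laravel/framework", "version": "v11.9.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "10.5.0"},
    ],
})


if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/composer.lock]; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_LOCK
    for name, (installed, verdict) in sorted(check_lock(data).items()):
        print(f"{verdict:10} {name} {installed}")
```

Run it against the real lock file of each deployment; a `review` verdict is not a pass, it means the installed branch is outside the table (for example PhpSpreadsheet 2.x) or the version is a branch alias, and the corresponding release notes need a manual look.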
Safe fix path
- Upgrade PhpSpreadsheet to 1.30.5 where the 1.x branch is used. Review newer branch release notes if the same helper is present.
- Upgrade Filament Forms to 3.3.53 for RichEditor handling.
- Upgrade Filament to 3.3.52, 4.11.5, or 5.6.5 depending on the deployed branch.
- Upgrade phpseclib to 1.0.30, 2.0.55, or 3.0.54 and restrict outbound network access from certificate-validation workers.
- Preserve app logs, auth logs, upload directories, temporary storage, and queue-worker logs before cleanup.
Repair help
Use Ping7 CVE Repair when spreadsheet imports are public, Filament handles admin or customer accounts, certificate validation can make outbound requests, or logs need review before reopening the app.