**CVE-2026-45034**: A critical remote code execution (RCE) vulnerability has been discovered in the popular PhpSpreadsheet library, which is widely used for reading and writing spreadsheet formats. This flaw allows remote attackers to execute arbitrary code due to a critical patch bypass related to URL handling. The exploit exploits a flaw in the `File::prohibitWrappers` function, allowing attackers to manipulate the input and bypass security checks by using specific URL formatting with slashes.
THE vulnerability affects PHP applications running on all versions of PhpSpreadsheet up to 1.30.4; upgrading to version 1.30.5 is essential for protection. Security experts recommend implementing strict string containment checks instead of relying on the `parse_url` function to maintain security.