# [CRIT] [GHSA / CRITICAL] CVE-2026-45034: PHPSpreadsheet has a patch bypass for CVE-2026-34084 **Source:** GitHub Security Advisories **Published:** 2026-06-08 **Article:** https://github.com/advisories/GHSA-87m4-826x-3crx ## Threat Profile PHPSpreadsheet has a patch bypass for CVE-2026-34084 ## Summary CVE-2026-34084 was patched by the helper `File::prohibitWrappers`. The helper calls `parse_url($filename, PHP_URL_SCHEME)` and then checks `is_string($scheme) && strlen($scheme) > 1` to reject stream wrappers such as `phar://`, `php://`, `data://` or `expect://`. The check is not equivalent to "does the path contain a wrapper". When the input has the form `phar:///path/file.phar/inner` with three or more slashes after the scheme, … ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-45034` - **CVE:** `CVE-2026-34084` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1059** — Command and Scripting Interpreter - **T1059.004** — Unix Shell - **T1059.001** — PowerShell - **T1505.003** — Web Shell - **T1105** — Ingress Tool Transfer ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### PHPSpreadsheet phar:/// three-slash wrapper in HTTP request (CVE-2026-45034) `UC_99_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.url) as urls values(Web.http_user_agent) as user_agents values(Web.http_method) as methods from datamodel=Web where (Web.url="*phar://*" OR Web.url="*phar%3A%2F%2F*" OR Web.url="*phar%3a%2f%2f*") by Web.dest Web.src Web.user | `drop_dm_object_name(Web)` | eval bypass_attempt=if(match(urls,"(?i)phar:/{3,}") OR match(urls,"(?i)phar%3a%2f%2f%2f"),"yes","no") | eval cve="CVE-2026-45034" | where bypass_attempt="yes" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` ### Web-server process (php-fpm / apache / nginx / w3wp) spawning shell or network tooling `UC_99_3` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdlines values(Processes.process_path) as paths from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("php-fpm","php-fpm.exe","php","php.exe","php-cgi.exe","apache2","httpd","httpd.exe","nginx","nginx.exe","w3wp.exe")) AND (Processes.process_name IN ("sh","bash","dash","zsh","ksh","cmd.exe","powershell.exe","pwsh.exe","curl","curl.exe","wget","wget.exe","nc","ncat","ncat.exe","socat","python","python3","python.exe","perl","ruby","certutil.exe","bitsadmin.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | eval cve="CVE-2026-45034" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("php-fpm","php-fpm.exe","php","php.exe","php-cgi.exe","apache2","httpd","httpd.exe","nginx","nginx.exe","w3wp.exe") | where FileName in~ ("sh","bash","dash","zsh","ksh","cmd.exe","powershell.exe","pwsh.exe","curl","curl.exe","wget","wget.exe","nc","ncat","ncat.exe","socat","python","python3","python.exe","perl","ruby","certutil.exe","bitsadmin.exe") | where AccountName != "" and AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Phar archive or PHPSpreadsheet RCE marker written by web-server process `UC_99_4` · phase: **delivery** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as paths values(Filesystem.process_name) as procs from datamodel=Endpoint.Filesystem where (Filesystem.file_name="*.phar" OR Filesystem.file_name="pwned_marker" OR Filesystem.file_name="exploit.phar") AND Filesystem.process_name IN ("php-fpm","php-fpm.exe","php","php.exe","apache2","httpd","httpd.exe","nginx","nginx.exe","w3wp.exe") by Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.process_name | `drop_dm_object_name(Filesystem)` | eval cve="CVE-2026-45034" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where ActionType in ("FileCreated","FileModified","FileRenamed") | where InitiatingProcessFileName in~ ("php-fpm","php-fpm.exe","php","php.exe","php-cgi.exe","apache2","httpd","httpd.exe","nginx","nginx.exe","w3wp.exe") | where FileName endswith ".phar" or FileName =~ "pwned_marker" or FileName =~ "exploit.phar" | project Timestamp, DeviceName, FileName, FolderPath, SHA256, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFolderPath | order by Timestamp desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45034: PHPSpreadsheet has a patch bypass for CVE-2026 `UC_99_1` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-45034: PHPSpreadsheet has a patch bypass for CVE-2026 ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("run.sh")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("run.sh")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-45034: PHPSpreadsheet has a patch bypass for CVE-2026 // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("run.sh")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("run.sh")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-45034`, `CVE-2026-34084` ## Why this matters Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 7 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.