## https://sploitus.com/exploit?id=6E759A42-6EB5-5158-BC5F-E1FD8AE27F04
# 🧨 PHPSpreadsheet Phar Deserialization Exploit

> **Bypass `prohibitWrappers` + Remote Code Execution (RCE) on `phpoffice/phpspreadsheet`**

This repository provides a **proof-of-concept (PoC)** exploit for a critical vulnerability in the popular PHP library **PHPSpreadsheet**. The attack abuses the **phar:// wrapper** to trigger object deserialization, leading to **bypass of security protections** and even **full remote code execution** on vulnerable versions.

---

## ⚡ Vulnerability Overview

| Version        | Status      | Description                                                                 |
|:---------------|:------------|:----------------------------------------------------------------------------|
| **5.7.0** (latest 5.x) | ✅ Bypass   | `prohibitWrappers` protection can be bypassed, but RCE gadget chain may be missing. |
| **1.30.4** (latest 1.x) | 🔥 **RCE** | Full gadget chain exists (PHP 7.4) – arbitrary code execution possible.    |

The vulnerability occurs when user-controlled input is passed to functions that accept a **phar://** stream wrapper. By crafting a malicious PHAR archive containing a serialized gadget, an attacker can trigger `__wakeup()` and `__destruct()` calls, leading to file write or command execution.
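
On the application side, the condition described above (user-controlled input reaching a function that accepts `phar://`) can be closed before the library is ever called. The sketch below is an added example, not code from this repository or from PhpSpreadsheet; `safeLocalPath()`, the upload directory and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PhpSpreadsheet API): resolve a user-supplied
// file name to an existing regular file inside $baseDir, or throw.
function safeLocalPath(string $userPath, string $baseDir): string
{
    // Reject anything that starts with a URL-style scheme. PHP looks wrapper
    // names up case-insensitively, so "PHAR://" must be caught as well.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $userPath) === 1) {
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    // realpath() returns false when the target does not exist.
    if ($base === false || $real === false || !is_file($real)) {
        throw new InvalidArgumentException('not an existing local file');
    }
    // The canonical path must still sit under the upload directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('path escapes the upload directory');
    }
    return $real;
}

// Defence in depth: an application that never reads PHAR archives can
// remove the wrapper for the whole request.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed sample data: a throwaway upload directory with one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.xlsx', 'constructed sample');

$inputs = ['report.xlsx', 'phar://report.xlsx/x', 'PHAR://report.xlsx',
           'php://filter/resource=report.xlsx', '../report.xlsx'];
foreach ($inputs as $input) {
    try {
        echo str_pad($input, 36), ' -> ', safeLocalPath($input, $dir), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo str_pad($input, 36), ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the canonical path returned by the helper should be handed to the spreadsheet reader; the raw request value should never reach a filesystem function.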

---

## 🚀 Usage

### 1. Clone the repository
```bash
git clone https://github.com/Cyber-DarkNay/CVE-2026-45034.git
cd CVE-2026-45034