PHPOffice PhpSpreadsheet is vulnerable to XXE. The fix to prevent CVE-2018-19277 was not sufficient to protect against the previous vulnerability. An attacker is able to bypass the mitigation by double-encoding the the XML payload into utf-7
and bypass the check for the string ?<!ENTITY?
.