CVE-2026-32935

Summary

phpseclib is a PHP secure communications library. Projects using versions 0.1.1 through 1.0.26, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a to padding oracle timing attack when using AES in CBC mode. This issue has been fixed in versions 1.0.27, 2.0.52 and 3.0.50.

Affected Software

VendorProductVersion RangeStatus
phpseclibphpseclib>= 3.0.0, < 3.0.50affected
phpseclibphpseclib>= 2.0.0, < 2.0.52affected
phpseclibphpseclib>= 0.1.1, < 1.0.27affected

Weaknesses

  • CWE-208: CWE-208: Observable Timing Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References