CVE-2026-32935

UNKNOWN 0.0

phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

2th

phpseclib is a PHP secure communications library. Projects using versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a to padding oracle timing attack when using AES in CBC mode. This issue has been fixed in versions 1.0.27, 2.0.52 and 3.0.50.

CWE	CWE-208
Vendor	phpseclib
Product	phpseclib
Published	Mar 20, 2026
Last Updated	Mar 20, 2026

Stay Ahead of the Next One

Get instant alerts for phpseclib phpseclib

Be the first to know when new unknown vulnerabilities affecting phpseclib phpseclib are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

phpseclib / phpseclib

>= 3.0.0, < 3.0.50 >= 2.0.0, < 2.0.52 < 1.0.27

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-94g3-g5v7-q4jg github.com: https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788