PT-2026-26464 · Phpseclib · Phpseclib
Highterrafrost
·
Published
2026-03-19
·
Updated
2026-05-08
·
CVE-2026-32935
CVSS v4.0
8.2
High
| Vector | AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
phpseclib versions 1.0.26 and below
phpseclib versions 2.0.0 through 2.0.51
phpseclib versions 3.0.0 through 3.0.49
Description
phpseclib is a PHP secure communications library. Projects utilizing the affected versions are susceptible to a padding oracle timing attack when using AES in CBC mode. The issue has been addressed in versions 1.0.27, 2.0.52, and 3.0.50.
Recommendations
phpseclib versions 1.0.26 and below: Update to version 1.0.27 or later.
phpseclib versions 2.0.0 through 2.0.51: Update to version 2.0.52 or later.
phpseclib versions 3.0.0 through 3.0.49: Update to version 3.0.50 or later.
As an alternative, use AES in CTR, CFB, or OFB modes.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Phpseclib