Skip to main content

Xmlseclibs

2 CVEs product

Monthly

CVE-2026-32313 PHP HIGH PATCH This Week

Critical cryptographic vulnerability in the xmlseclibs PHP library (versions before 3.1.5) that fails to validate authentication tag lengths in AES-GCM encrypted XML nodes. Attackers can exploit this remotely without authentication to brute-force encryption keys, decrypt sensitive data, and forge ciphertexts. While not currently in CISA's KEV catalog, the vulnerability has a high CVSS score of 8.2 and affects a widely-used XML security library.

PHP Information Disclosure Xmlseclibs
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2019-3465 PHP HIGH PATCH This Week

Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Jwt Attack Information Disclosure Xmlseclibs Debian Linux Simplesamlphp
NVD GitHub
CVSS 3.1
8.8
EPSS
3.0%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Critical cryptographic vulnerability in the xmlseclibs PHP library (versions before 3.1.5) that fails to validate authentication tag lengths in AES-GCM encrypted XML nodes. Attackers can exploit this remotely without authentication to brute-force encryption keys, decrypt sensitive data, and forge ciphertexts. While not currently in CISA's KEV catalog, the vulnerability has a high CVSS score of 8.2 and affects a widely-used XML security library.

PHP Information Disclosure Xmlseclibs
NVD GitHub VulDB
EPSS 3% CVSS 8.8
HIGH PATCH This Week

Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Jwt Attack Information Disclosure Xmlseclibs +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy