CVE-2026-32935 HIGH

CVE-2026-32935: phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack

Vendor Phpseclib

Product phpseclib

Weakness CWE-208

Published March 20, 2026

Last update May 8, 2026

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

phpseclib is a PHP secure communications library. Projects using versions 0.1.1 through 1.0.26, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a to padding oracle timing attack when using AES in CBC mode. This issue has been fixed in versions 1.0.27, 2.0.52 and 3.0.50.

Key dates

Disclosure timeline

March 20, 2026 CVE published

May 8, 2026 Record updated

Identifiers

CVE CVE-2026-32935

CWE CWE-208

CVSS 8.2 / HIGH

Affected versions

Vendor Phpseclib

Product phpseclib

Affected >= 3.0.0, < 3.0.50

Vendor Phpseclib

Product phpseclib

Affected >= 2.0.0, < 2.0.52

Vendor Phpseclib

Product phpseclib

Affected >= 0.1.1, < 1.0.27