CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

63 matches found

RedhatCVE•added 2026/03/26 3:2 p.m.•1 views

CVE-2026-32313

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover...

8.2CVSS5.9AI score0.00052EPSS

Exploits1References1

CNNVD•added 2026/03/16 12:0 a.m.•3 views

Xmlseclibs 安全漏洞

Xmlseclibs is a library developed by robrichards, written in PHP, for handling XML encryption and signing. Versions of Xmlseclibs prior to 3.1.5 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authentication tag length validation for XML nodes encrypted using...

8.2CVSS5.9AI score0.00052EPSS

Exploits1References3

Snyk•added 2026/03/13 10:41 p.m.•1 views

Improper Validation of Integrity Check Value

Overview robrichards/xmlseclibs is a PHP library for XML Security. Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value in the decryptSymmetric function, when checking tag length for the aes-128-gcm, aes-192-gcm, and aes-256-gcm encryption algorithms. A...

8.2CVSS5.9AI score0.00052EPSS

Exploits1References2

OSV•added 2026/03/13 8:4 p.m.•1 views

GHSA-4V26-V6CG-G6F9 xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption

Summary XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts...

8.2CVSS5.8AI score0.00052EPSS

Exploits1References5

Github Security Blog•added 2026/03/13 8:4 p.m.•8 views

xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption

8.2CVSS5.8AI score0.00052EPSS

Exploits1References5Affected Software1

Cvelist•added 2026/03/13 7:50 p.m.•24 views

CVE-2026-32313 xmlseclibs is Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption

8.2CVSS0.00052EPSS

Exploits1References3

ATTACKERKB•added 2026/03/13 7:50 p.m.•2 views

CVE-2026-32313

8.2CVSS5.9AI score0.00052EPSS

Exploits1References4Affected Software1

CVE•added 2026/03/13 7:50 p.m.•3 views

CVE-2026-32313

CVE-2026-32313 affects the PHP library xmlseclibs (XML Encryption/Signatures). Prior to version 3.1.5, nodes encrypted with AES-128/192/256-GCM lack validation of the authentication tag length, enabling an attacker to brute-force the tag, recover the GHASH key, and decrypt encrypted nodes. The vu...

8.2CVSS5.9AI score0.00052EPSS

Exploits1References3Affected Software1

OSV•added 2026/03/13 7:50 p.m.•1 views

CVE-2026-32313 xmlseclibs is Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption

8.2CVSS5.9AI score0.00052EPSS

Exploits1References5

Positive Technologies•added 2026/03/13 12:0 a.m.•1 views

PT-2026-25372

8.2CVSS5.8AI score0.00052EPSS

Exploits1References9

Veracode•added 2025/12/13 6:19 a.m.•2 views

Authentication Bypass

robrichards/xmlseclibs is vulnerable to authentication bypass. The vulnerability is due to improper handling in the libxml2 canonicalization process where invalid XML inputs may return an empty string, which allows an attacker to bypass authentication by manipulating the DigestValue computation...

7.5CVSS5.9AI score0.00032EPSS

Exploits1References4Affected Software1

RedhatCVE•added 2025/12/10 3:26 a.m.•3 views

CVE-2025-66578

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Versions 3.1.3 contain an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2’s canonicalization is invoked on an invalid XML...

7.5CVSS6.8AI score0.00032EPSS

Exploits1References1

EUVD•added 2025/12/09 5:24 p.m.•2 views

EUVD-2025-202168

SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475...

6.4AI score

Exploits0References6

OSV•added 2025/12/09 5:24 p.m.•3 views

GHSA-5J8P-438X-RGG5 SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475

Summary There is a critical vulnerability on xmlseclibs CVE-2025-66475, a dependency of php-saml Update to the following versions of php-saml which forces the use of patched versions of xmlseclibs: - 2.21.1 - 3.8.1 - 4.3.1 Impact Signature Wrapping Vulnerabilities allows an attacker to impersonat...

9.3CVSS6.8AI score

Exploits0References6

Github Security Blog•added 2025/12/09 5:24 p.m.•10 views

SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475

6.9AI score

Exploits0References6Affected Software1

NVD•added 2025/12/09 4:18 p.m.•1 views

CVE-2025-66578

7.5CVSS0.00032EPSS

Exploits1References3

Snyk•added 2025/12/09 3:40 a.m.•3 views

Uncaught Exception

Overview robrichards/xmlseclibs is a PHP library for XML Security. Affected versions of this package are vulnerable to Uncaught Exception in the form of improper handling of canonicalization failures. An attacker can bypass signature or digest validation by submitting specially crafted invalid XM...

7.5CVSS6.9AI score0.00032EPSS

Exploits1References2

CVE•added 2025/12/09 2:41 a.m.•9 views

CVE-2025-66578

CVE-2025-66578 affects robrichards/xmlseclibs (PHP) up to version 3.1.3. The root cause is a flaw in libxml2 canonicalization during document transformation: when canonicalizing invalid XML input, libxml2 may return an empty string instead of a canonicalized node. xmlseclibs then computes the Dig...

7.5CVSS6.6AI score0.00032EPSS

Exploits1References3Affected Software1