cvedb.io
CVE-2026-32313
HIGH · CVSS 8.2
EPSS exploitation probability: 0%
Published 2026-03-16T14:19:33.837 · Last modified 2026-06-17T10:35:32.813

Summary

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 3.1.5.

Affected products

xmlseclibs_project — xmlseclibs

Does this affect you?

Add your gear to cvedb and we'll alert you only when xmlseclibs_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.