Padding Oracle Timing Attack Vulnerability in phpseclib by phpseclib
CVE-2026-32935

8.2 HIGH

Key Information:

Vendor: PHPseclib

Status
Vendor
CVE Published: 20 March 2026

What is CVE-2026-32935?

phpseclib, a widely used PHP secure communications library, is susceptible to a padding oracle timing attack when using AES in CBC mode. The vulnerability affects versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49. Users of these versions are at risk, as the attack could lead to the exposure of sensitive information. Upgrading to the fixed versions (1.0.27, 2.0.52, and 3.0.50) is highly recommended to ensure secure communications.

Affected Version(s)

phpseclib >= 3.0.0, < 3.0.50

phpseclib >= 2.0.0, < 2.0.52

phpseclib < 1.0.27
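
To check a project against the ranges above, the following added example (not part of the original advisory or of phpseclib) audits the contents of a composer.lock file. It assumes the library is installed under the Composer package name phpseclib/phpseclib; the sample lock file is constructed for illustration, and versions that are not plain releases (for example dev branches) are flagged for manual review.

```python
import json
import re

# Affected ranges as stated on this page: (inclusive lower bound, first fixed release).
AFFECTED = [
    ((0, 0, 0), (1, 0, 27)),
    ((2, 0, 0), (2, 0, 52)),
    ((3, 0, 0), (3, 0, 50)),
]
PACKAGE = "phpseclib/phpseclib"  # assumption: standard Composer package name

def parse_version(text):
    """Turn '3.0.49' or 'v3.0.49' into (3, 0, 49); None if not a plain release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def fixed_version_for(version):
    """Return the fixed release string if `version` is affected, else None."""
    for low, fixed in AFFECTED:
        if low <= version < fixed:
            return ".".join(map(str, fixed))
    return None

def audit_lock(lock_text):
    """Scan composer.lock content; return (raw_version, verdict) per phpseclib entry."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            version = parse_version(raw)
            if version is None:
                # Branch aliases such as dev-master cannot be range-checked.
                findings.append((raw, "unparsed: check manually"))
                continue
            fixed = fixed_version_for(version)
            verdict = f"affected: upgrade to {fixed}" if fixed else "not affected"
            findings.append((raw, verdict))
    return findings

# Constructed sample lock file content (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "phpseclib/phpseclib", "version": "3.0.49"},
                 {"name": "example/other", "version": "1.2.3"}],
    "packages-dev": [{"name": "phpseclib/phpseclib", "version": "dev-master"}],
})

if __name__ == "__main__":
    for raw, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {raw}: {verdict}")
```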

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
