Packagist (Composer) package
robrichards/xmlseclibs
pkg:composer/robrichards/xmlseclibs
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32313 | — | | | < 3.1.5 | 3.1.5 | Mar 13, 2026 | xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authenticat |
| CVE-2025-66578 | — | | | < 3.1.4 | 3.1.4 | Dec 9, 2025 | xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Versions 3.1.3 contain an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2’s canonicalization is invoked on |
| CVE-2019-3465 | — | | | >= 3.0.0, < 3.0.4 | 3.0.4 | Nov 7, 2019 | Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML messag |