VYPR

Phpseclib

by Phpseclib

Source repositories

CVEs (8)

  • CVE-2026-44167HigMay 12, 2026
    risk 0.42cvss 7.5epss 0.00

    phpseclib is a PHP secure communications library. Prior to 1.0.29, 2.0.54, and 3.0.52, anyone loading untrusted ASN1 files (eg. X509 certificates, RSA PKCS8 private or public keys, etc). This is a bypass of CVE-2024-27355. This vulnerability is fixed in 1.0.29, 2.0.54, and…

  • CVE-2026-32935MedMar 20, 2026
    risk 0.31cvss 5.9epss 0.00

    phpseclib is a PHP secure communications library. Projects using versions 0.1.1 through 1.0.26, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a to padding oracle timing attack when using AES in CBC mode. This issue has been fixed in versions 1.0.27, 2.0.52 and…

  • CVE-2026-40194LowApr 10, 2026
    risk 0.17cvss 3.7epss 0.00

    phpseclib is a PHP secure communications library. Starting in 0.1.1 and prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::get_binary_packet() uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. != on equal-length binary strings…

  • CVE-2026-55599Jun 22, 2026
    risk 0.00cvss epss 0.00

    phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate's Authority Information Access (AIA)…

  • CVE-2023-52892Jun 27, 2024
    risk 0.00cvss epss 0.00

    In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509…

  • CVE-2024-27355Mar 1, 2024
    risk 0.00cvss epss 0.01

    An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).

  • CVE-2024-27354Mar 1, 2024
    risk 0.00cvss epss 0.01

    An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service (CPU consumption for an isPrime primality check). NOTE: this issue…

  • CVE-2023-27560Mar 3, 2023
    risk 0.00cvss epss 0.01

    Math/PrimeField.php in phpseclib 3.x before 3.0.19 has an infinite loop with composite primefields.