CVE-2026-32313HIGH 8.2EPSS p4.7%

CVE-2026-32313CVE-2026-32313

Description

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 3.1.5.

Scoring

CVSS 3.18.2 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS0.15% probability of exploitation · percentile 4.7% · 2026-06-18T12:00:27Z
Published2026-03-16
Last modified2026-03-17

Underlying weaknesses· 1

CWE-354

References

  1. https://github.com/robrichards/xmlseclibs/commit/03062be78178cbb5e8f605cd255dc32a14981f92
  2. https://github.com/robrichards/xmlseclibs/releases/tag/3.1.5
  3. https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-4v26-v6cg-g6f9

1

TypeTargetConfidenceTier
WeaknessImproper Validation of Integrity Check Valuecwe-3540%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-32600
CVE
CVE-2026-38429
CVE
CVE-2026-34182
CVE
CVE-2025-40934
CVE
CVE-2025-8732
CVE
Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.