CVE-2026-32600HIGH 8.2EPSS p4.4%

CVE-2026-32600CVE-2026-32600

Description

xml-security is a library that implements XML signatures and encryption. Prior to versions 2.3.1 and 1.13.9, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key. This vulnerability is fixed in 2.3.1 and 1.13.9.

Scoring

CVSS 3.18.2 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS0.15% probability of exploitation · percentile 4.4% · 2026-06-19T12:03:05Z
Published2026-03-16
Last modified2026-03-17

Underlying weaknesses· 1

CWE-354

References

  1. https://github.com/simplesamlphp/xml-security/commit/cad6d57cf0a5a0b7e0cc4e4a5b18752e56eb1520
  2. https://github.com/simplesamlphp/xml-security/commit/fdc12449e959c610943f9fd428e95e3832d74c25
  3. https://github.com/simplesamlphp/xml-security/security/advisories/GHSA-r353-4845-pr5p

1

TypeTargetConfidenceTier
WeaknessImproper Validation of Integrity Check Valuecwe-3540%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-32313
CVE
CVE-2026-34182
CVE
CVE-2025-40934
CVE
CVE-2026-7210
CVE
CVE-2025-49796
CVE
CVE-2025-9287
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.