phpseclib/phpseclib Security Advisories for 1.0.26 (3)

- [LOW] phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()
  PKSA-zh4j-by9m-7mz8 CVE-2026-40194 GHSA-r854-jrxh-36qx
  Affected version: >=3.0.0,<3.0.51|>=2.0.0,<2.0.53|<1.0.28
  Reported by: GitHub
- [HIGH] phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack
  PKSA-km2b-zc3b-mjm3 CVE-2026-32935 GHSA-94g3-g5v7-q4jg
  Affected version: <=1.0.26|>=2.0.0,<=2.0.51|>=3.0.0,<=3.0.49
  Reported by: GitHub
- [HIGH] Improper Certificate Validation in phpseclib
  PKSA-mnsd-qtjt-pgcq CVE-2021-30130 GHSA-vf4w-fg7r-5v94
  Affected version: <2.0.31|>=3.0.0,<3.0.7
  Reported by: GitHub, FriendsOfPHP/security-advisories