Security Advisories - PKSA-zh4j-by9m-7mz8 - Packagist.org

PKSA-zh4j-by9m-7mz8 Security Advisory

[LOW] phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()

PKSA-zh4j-by9m-7mz8 CVE-2026-40194 GHSA-r854-jrxh-36qx

Affected package: phpseclib/phpseclib

Affected version: >=3.0.0,<3.0.51|>=2.0.0,<2.0.53|<1.0.28

Reported by:
GitHub