CVE-2026-32313

[NvanWeeghel]

The xmlseclibs has a new CVE: GHSA-4v26-v6cg-g6f9

[PimpMyShell]

This CVE targets the aes-128-gcm, aes-192-gcm and aes-256-gcm algorithms.
None of these algorithms seem to be used in the project, as seen in the source code here: : https://github.com/SAML-Toolkits/php-saml/blob/master/extlib/xmlseclibs/xmlseclibs.php

[sneakyvv]

This CVE targets the aes-128-gcm, aes-192-gcm and aes-256-gcm algorithms. None of these algorithms seem to be used in the project, as seen in the source code here: : https://github.com/SAML-Toolkits/php-saml/blob/master/extlib/xmlseclibs/xmlseclibs.php

it still creates composer audit issue for packages depending on this one

[pitbulk]

Thanks for reporting this. I forced xmlseclibs in the 3.x and 4.x dev branches.

I will keep this ticket opened for visibility.

[kasteckis]

@pitbulk When are you planning on releasing new PATCH tag with bumped version? Curious about 3.8.2 release.