{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T02:58:11.857","vulnerabilities":[{"cve":{"id":"CVE-2026-40194","sourceIdentifier":"security-advisories@github.com","published":"2026-04-10T21:16:27.583","lastModified":"2026-04-13T16:16:32.630","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"phpseclib is a PHP secure communications library. Prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\\Net\\SSH2::get_binary_packet() uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. != on equal-length binary strings in PHP uses memcmp(), which short-circuits on the first differing byte. This is a real variable-time comparison (CWE-208), proven by scaling benchmarks. This vulnerability is fixed in 3.0.51, 2.0.53, and 1.0.28."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-208"}]}],"references":[{"url":"https://github.com/phpseclib/phpseclib/commit/ffe48b6b1b1af6963327f0a5330e3aa004a194ac","source":"security-advisories@github.com"},{"url":"https://github.com/phpseclib/phpseclib/releases/tag/1.0.28","source":"security-advisories@github.com"},{"url":"https://github.com/phpseclib/phpseclib/releases/tag/2.0.53","source":"security-advisories@github.com"},{"url":"https://github.com/phpseclib/phpseclib/releases/tag/3.0.51","source":"security-advisories@github.com"},{"url":"https://github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx","source":"security-advisories@github.com"},{"url":"https://github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}]}