Mend.io Vulnerability Database
The largest open source vulnerability database
WS-2018-0181
Published: May 19, 2026
Updated: May 19, 2026
In xmlseclibs, versions prior to version 3.0.2 are vulnerable to XPath injection. The vulnerability occurs when a user supplies malformed information that is used to construct an XPath query for XML data. 'src/XMLSecEnc.php' and 'src/XMLSecurityDSig.php' do not filter the XPath query where the ID parameter is used.
Affected Packages
kouinkouin/xmlseclibs (PHP):
Affected version(s) =2.0.x-dev <2.0.1
Fix Suggestion:
Update to version 2.0.1
ninosimeon/xmlseclibs_sunat (PHP):
Affected version(s) >=dev-devel <1.3.x-dev
Fix Suggestion:
Update to version 1.3.x-dev
salesforce-mc/fuel-sdk-php (PHP):
Affected version(s) =v0.9.1 <v1.0.0
Fix Suggestion:
Update to version v1.0.0
redbus-peru/xmlseclibs (PHP):
Affected version(s) >=dev-add-getSignature-method <dev-delete_decrypt
Fix Suggestion:
Update to version dev-delete_decrypt
callbiruk/xmlseclibs (PHP):
Affected version(s) =1.4.0 <1.4.x-dev
Fix Suggestion:
Update to version 1.4.x-dev
tomasz-kusy/xmlseclibs (PHP):
Affected version(s) =1.4.0 <1.4.x-dev
Fix Suggestion:
Update to version 1.4.x-dev
robrichards/xmlseclibs (PHP):
Affected version(s) >=2.0.0 <2.1.0
Fix Suggestion:
Update to version 2.1.0
pfortin/fuel-sdk-php (PHP):
Affected version(s) =v0.9.1 <v1.0.0
Fix Suggestion:
Update to version v1.0.0
robrichards/xmlseclibs (PHP):
Affected version(s) =1.4.0 <1.4.x-dev
Fix Suggestion:
Update to version 1.4.x-dev
vertex-it/xmlseclibs (PHP):
Affected version(s) =3.0.1 <3.0.2
Fix Suggestion:
Update to version 3.0.2
robrichards/xmlseclibs (PHP):
Affected version(s) =3.0.0 <3.0.x-dev
Fix Suggestion:
Update to version 3.0.x-dev
redbus-peru/xmlseclibs (PHP):
Affected version(s) >=1.4.0 <=2.0.1.redbus
Fix Suggestion:
No fixed version available (no_fix)
mohitjangra/xmlseclibs (PHP):
Affected version(s) =3.0.1 <3.0.2
Fix Suggestion:
Update to version 3.0.2
mohitjangra/xmlseclibs (PHP):
Affected version(s) =1.4.0 <1.4.x-dev
Fix Suggestion:
Update to version 1.4.x-dev
callbiruk/xmlseclibs (PHP):
Affected version(s) =dev-travis14
Fix Suggestion:
No fixed version available (no_fix)
robrichards/xmlseclibs (PHP):
Affected version(s) =dev-travis14 <251.x-dev
Fix Suggestion:
Update to version 251.x-dev
dragos/php-sdk2 (PHP):
Affected version(s) =v0.9.1 <v1.0.0
Fix Suggestion:
Update to version v1.0.0
tomasz-kusy/xmlseclibs (PHP):
Affected version(s) >=3.0.0 <3.0.2
Fix Suggestion:
Update to version 3.0.2
dragos/php-sdk (PHP):
Affected version(s) =v0.9.1 <v1.0.0
Fix Suggestion:
Update to version v1.0.0
vertex-it/xmlseclibs (PHP):
Affected version(s) =dev-travis14
Fix Suggestion:
No fixed version available (no_fix)
mohitjangra/xmlseclibs (PHP):
Affected version(s) >=2.0.0 <2.1.0
Fix Suggestion:
Update to version 2.1.0
callbiruk/xmlseclibs (PHP):
Affected version(s) >=2.0.0 <2.1.0
Fix Suggestion:
Update to version 2.1.0
vertex-it/xmlseclibs (PHP):
Affected version(s) =1.4.0 <1.4.x-dev
Fix Suggestion:
Update to version 1.4.x-dev
kouinkouin/xmlseclibs (PHP):
Affected version(s) =1.4.x-dev <1.4.1
Fix Suggestion:
Update to version 1.4.1
tomasz-kusy/xmlseclibs (PHP):
Affected version(s) >=2.0.0 <2.1.0
Fix Suggestion:
Update to version 2.1.0
vertex-it/xmlseclibs (PHP):
Affected version(s) =3.0.0 <3.0.x-dev
Fix Suggestion:
Update to version 3.0.x-dev
draganmorty/xmlseclibs (PHP):
Affected version(s) >=dev-master <=v1.0
Fix Suggestion:
No fixed version available (no_fix)
mohitjangra/xmlseclibs (PHP):
Affected version(s) =dev-travis14
Fix Suggestion:
No fixed version available (no_fix)
robrichards/xmlseclibs (PHP):
Affected version(s) >=1.4.1 <1.4.3
Fix Suggestion:
Update to version 1.4.3
callbiruk/xmlseclibs (PHP):
Affected version(s) >=1.4.1 <1.4.3
Fix Suggestion:
Update to version 1.4.3
vertex-it/xmlseclibs (PHP):
Affected version(s) >=2.0.0 <2.1.0
Fix Suggestion:
Update to version 2.1.0
callbiruk/xmlseclibs (PHP):
Affected version(s) =3.0.0 <3.0.x-dev
Fix Suggestion:
Update to version 3.0.x-dev
callbiruk/xmlseclibs (PHP):
Affected version(s) =3.0.1 <3.0.2
Fix Suggestion:
Update to version 3.0.2
ninosimeon/xmlseclibs_sunat (PHP):
Affected version(s) >=1.4.0 <=3.0.1
Fix Suggestion:
No fixed version available (no_fix)
mohitjangra/xmlseclibs (PHP):
Affected version(s) =3.0.0 <3.0.x-dev
Fix Suggestion:
Update to version 3.0.x-dev
mohitjangra/xmlseclibs (PHP):
Affected version(s) >=1.4.1 <1.4.3
Fix Suggestion:
Update to version 1.4.3
craigowendavis/fuel-sdk-php (PHP):
Affected version(s) =v0.9.1 <v1.0.0
Fix Suggestion:
Update to version v1.0.0
simplesamlphp/xmlseclibs (PHP):
Affected version(s) >=1.4.0 <=3.0.1
Fix Suggestion:
No fixed version available (no_fix)
vertex-it/xmlseclibs (PHP):
Affected version(s) >=1.4.1 <1.4.3
Fix Suggestion:
Update to version 1.4.3
robrichards/xmlseclibs (PHP):
Affected version(s) =3.0.1 <3.0.2
Fix Suggestion:
Update to version 3.0.2
simplesamlphp/xmlseclibs (PHP):
Affected version(s) =dev-bugfix/avoid-key-recursion <dev-bugfix/xpath
Fix Suggestion:
Update to version dev-bugfix/xpath
tomasz-kusy/xmlseclibs (PHP):
Affected version(s) >=1.4.1 <1.4.3
Fix Suggestion:
Update to version 1.4.3
tomasz-kusy/xmlseclibs (PHP):
Affected version(s) =dev-travis14
Fix Suggestion:
No fixed version available (no_fix)
CVSS v4
Base Score: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: LOW
User Interaction: NONE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: LOW
Vulnerable System Availability: NONE
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 5.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE