CVE-2026-4600
CVSS Score
7.4
EPSS Score
0.0%
EPSS Percentile
0th
Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.
| CWE | CWE-347 |
| Vendor | n/a |
| Product | jsrsasign |
| Published | Mar 23, 2026 |
| Last Updated | Mar 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for n/a jsrsasign
Be the first to know when new high vulnerabilities affecting n/a jsrsasign are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
n/a / jsrsasign
0 < 11.1.1
References
security.snyk.io: https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370940 gist.github.com: https://gist.github.com/Kr0emer/bf15ddc097176e951659a24a8e9002a7 github.com: https://github.com/kjur/jsrsasign/pull/646 github.com: https://github.com/kjur/jsrsasign/commit/37b4c06b145c7bfd6bc2a6df5d0a12c56b15ef60
Credits
Kr0emer