CVE-2026-4601

HIGH 8.7

CVSS Score

8.7

EPSS Score

0.0%

EPSS Percentile

5th

Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.

CWE	CWE-325
Vendor	n/a
Product	jsrsasign
Published	Mar 23, 2026
Last Updated	Mar 23, 2026

Stay Ahead of the Next One

Get instant alerts for n/a jsrsasign

Be the first to know when new high vulnerabilities affecting n/a jsrsasign are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:P

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

n/a / jsrsasign

0 < 11.1.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

security.snyk.io: https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370941 gist.github.com: https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586 github.com: https://github.com/kjur/jsrsasign/pull/645 github.com: https://github.com/kjur/jsrsasign/commit/0710e392ec35de697ce11e4219c988ba2b5fe0eb

Credits

Kr0emer