CVE-2026-4600

HIGH

jsrsasign <11.1.1 - Improper Verification of Cryptographic Signature

Title source: llm

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature because KJUR.crypto.DSA.setPublic (and the related DSA/X.509 verification flow in src/dsa-2.0.js) does not validate the DSA domain parameters and public key it is given before using them. An attacker who can influence the public key used for verification can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious parameters such as g=1 and y=1: the term g^u1 * y^u2 mod p is then always 1, so a signature with a fixed r=1 satisfies the verification equation v == r for any message hash and any s in (0, q). Range checks on r and s alone do not catch this, since r=1 is in range; the verifier must also reject g and y outside (1, p) and check that both have order q.
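The following is an added example, not jsrsasign's code, that shows the forgery mechanism described above in a textbook DSA verifier and the parameter validation that stops it. The group (p = 23, q = 11, g = 2), private key x = 7, nonce k = 3 and the digest values are constructed toy inputs chosen so the arithmetic can be checked by hand; real DSA uses 2048/3072-bit p. Primality of p and q is assumed rather than tested here, and digests are passed in already reduced mod q.

```javascript
// Added example (not jsrsasign's code): DSA verification with and without
// domain-parameter validation, on a constructed toy group.

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse via extended Euclid; null when gcd(a, m) != 1.
function modInv(a, m) {
  let [oldR, r] = [((a % m) + m) % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  return oldR === 1n ? ((oldS % m) + m) % m : null;
}

// Naive verifier: the textbook equation only, trusting (p, q, g, y) as given.
// This is the shape of check that g=1, y=1, r=1 defeats.
function dsaVerifyNaive({ p, q, g, y }, digest, { r, s }) {
  if (r <= 0n || r >= q || s <= 0n || s >= q) return false; // r=1 passes this
  const w = modInv(s, q);
  if (w === null) return false;
  const u1 = (digest * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

// Domain-parameter and public-key validation (the checks FIPS 186-4 /
// SP 800-89 describe). Primality of p and q is ASSUMED here; production
// code must test it or accept only known-good parameter sets.
function validateDsaPublic({ p, q, g, y }) {
  if (p <= 3n || q <= 1n || (p - 1n) % q !== 0n) return false;  // q | p-1
  if (g <= 1n || g >= p || modPow(g, q, p) !== 1n) return false; // 1 < g < p, order q
  // Note y=1 satisfies y^q mod p == 1; the strict lower bound is what rejects it.
  if (y <= 1n || y >= p || modPow(y, q, p) !== 1n) return false; // 1 < y < p, in subgroup
  return true;
}

function dsaVerifyChecked(pub, digest, sig) {
  return validateDsaPublic(pub) && dsaVerifyNaive(pub, digest, sig);
}

// Signing with an explicit nonce k so the toy run is reproducible.
// Real code must draw k per RFC 6979 or from a CSPRNG and never reuse it.
function dsaSign({ p, q, g }, x, digest, k) {
  const r = modPow(g, k, p) % q;
  const s = (modInv(k, q) * (digest + x * r)) % q;
  return { r, s };
}

// Constructed toy group: q = 11 divides p-1 = 22, and 2^11 mod 23 = 1,
// so g = 2 has order q. y = g^x mod p = 2^7 mod 23 = 13.
const TOY = { p: 23n, q: 11n, g: 2n, y: 13n };
const TOY_X = 7n;

// Forged "public key" as in the advisory: g = 1 and y = 1 make
// g^u1 * y^u2 mod p equal 1 for every u1, u2, so v = 1 = r for any digest.
const FORGED = { p: 23n, q: 11n, g: 1n, y: 1n };
const FORGED_SIG = { r: 1n, s: 3n }; // any s in (0, q) works

function demo() {
  const digests = [0n, 1n, 5n, 10n]; // constructed digests, already mod q
  const sig = dsaSign(TOY, TOY_X, 5n, 3n); // (r, s) = (8, 2)
  const genuine = dsaVerifyChecked(TOY, 5n, sig);
  const forgedNaive = digests.every(d => dsaVerifyNaive(FORGED, d, FORGED_SIG));
  const forgedChecked = digests.some(d => dsaVerifyChecked(FORGED, d, FORGED_SIG));
  return { sig, genuine, forgedNaive, forgedChecked };
}

console.log(demo()); // genuine: true, forgedNaive: true, forgedChecked: false
```

The practical takeaway for a verifier, whether it is checking a raw DSA signature or the signature on an X.509 certificate, is that the key material it is handed is untrusted input: every parameter check in validateDsaPublic must run before the verification equation is evaluated, not after.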

Scores

CVSS v3 7.4
EPSS 0.0001
EPSS Percentile 1.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-347
Status published
Products (3)
jsrsasign_project/jsrsasign < 11.1.1
n/a/jsrsasign < 11.1.1
npm/jsrsasign 0 - 11.1.1
Published Mar 23, 2026
Tracked Since Mar 23, 2026