CVE-2026-4600
low-risk
Published 2026-03-23
Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.
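As an added illustration (not jsrsasign code), the following toy DSA verifier over tiny constructed parameters (p=23, q=11, g=4, y=12) shows the bare verification equation beside a hardened version that validates the domain parameters first; the degenerate g=1, y=1, r=1 case from the advisory satisfies the equation for any hash, and only the parameter checks reject it.

```javascript
// Constructed toy DSA parameters for illustration only (NOT production sizes):
// p = 23, q = 11 (q divides p-1), g = 4 has order q, y = g^x mod p with x = 5.
const P = 23n, Q = 11n, G = 4n, Y = 12n;

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse via Fermat's little theorem (q is prime in DSA).
const modInv = (a, q) => modPow(a, q - 2n, q);

// The DSA verification equation alone, with no parameter sanity checks:
// v = ((g^u1 * y^u2) mod p) mod q, accept iff v == r.
function dsaVerifyUnchecked({ p, q, g, y }, hash, r, s) {
  const w = modInv(s, q);
  const u1 = (hash * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

// Hardened verifier: reject degenerate domain parameters and out-of-range
// signature values before the equation is ever evaluated.
function dsaVerifyChecked(params, hash, r, s) {
  const { p, q, g, y } = params;
  if (q <= 1n || (p - 1n) % q !== 0n) return false;              // q must divide p-1
  if (g <= 1n || g >= p || modPow(g, q, p) !== 1n) return false;  // 1 < g < p, order q
  if (y <= 1n || y >= p || modPow(y, q, p) !== 1n) return false;  // 1 < y < p, order q
  if (r <= 0n || r >= q || s <= 0n || s >= q) return false;       // 0 < r, s < q
  return dsaVerifyUnchecked(params, hash, r, s);
}

const GOOD = { p: P, q: Q, g: G, y: Y };          // genuine signature on hash 7: (r, s) = (7, 3)
const DEGENERATE = { p: P, q: Q, g: 1n, y: 1n };  // the g=1, y=1 case from the advisory
```

With the unchecked verifier, DEGENERATE accepts (r=1, s=1) for every hash value; the checked verifier still accepts the genuine (7, 3) signature under GOOD and rejects DEGENERATE outright.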
Do I need to act?
EPSS: 0.01% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 7.4/10 (High); attack vector NETWORK, attack complexity HIGH
Affected Products (1): jsrsasign
Affected Vendors
References (5)
Issue Tracking: https://github.com/kjur/jsrsasign/pull/646
Third Party Advisory: https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370940
Risk score: 27/100 (low-risk)
Severity: 22/34 · High
Exploitability: 0/34 · Minimal
Exposure: 5/34 · Minimal