VDB

CVE-2026-4600

CVE-2026-4600 PUBLISHED CVSS 7.400000095367432 HIGH

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.

EPSS 0.01% · 1.3th percentile

Risk Scores

CVSS 3.1
7.400000095367432
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P
EPSS Score
0.01%
1.3th percentile

Affected Products

VendorProductVersions
n/ajsrsasign0, 0, 0
npmjsrsasign0
jsrsasign_projectjsrsasign0, 0, 0

Exploit Intelligence

Timeline

  • Mar 23, 2026 CVE Published
  • Mar 23, 2026 EPSS Score
  • Mar 23, 2026 PoC Published
  • Mar 24, 2026 EPSS Score
  • Mar 24, 2026 PoC Published
  • Mar 25, 2026 EPSS Score
  • Mar 25, 2026 Coalition ESS Score
  • Mar 26, 2026 EPSS Score
  • Mar 26, 2026 Coalition ESS Score
  • Mar 27, 2026 Coalition ESS Score
  • Mar 29, 2026 Security Advisory
  • Mar 30, 2026 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›