cvedb.io
CVE-2026-4600
HIGH · CVSS 7.4
EPSS exploitation probability: 0%
Published 2026-03-23T06:16:21.697 · Last modified 2026-07-01T13:17:41.737

Summary

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.

Affected products

kjur — jsrsasign

Does this affect you?

Add your gear to cvedb and we'll alert you only when kjur ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.