
jsrsasign CVE-2026-4600

EUVD-2026-14375 · Severity: HIGH
Improper Verification of Cryptographic Signature (CWE-347)
Published 2026-03-23 · Source: snyk · GHSA-wvqx-v3f6-w8rh
CVSS 4.0 score: 8.1

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline (7 events)

Apr 29, 2026 - 01:34 (vuln.today): Analysis Updated, v2 (cvss_changed)
Apr 29, 2026 - 01:11 (vuln.today): Re-analysis Queued, cvss_changed
Apr 29, 2026 - 01:11 (NVD): CVSS changed, 7.4 (HIGH) -> 8.1 (HIGH)
Mar 31, 2026 - 21:13 (nvd): Patch released, patch available
Mar 23, 2026 - 05:45 (euvd): EUVD ID Assigned, EUVD-2026-14375
Mar 23, 2026 - 05:45 (vuln.today): Analysis Generated
Mar 23, 2026 - 05:00 (nvd): CVE Published, HIGH 7.4

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves to a path depth of 4):
  • 33 npm packages depend on jsrsasign (9 direct, 24 indirect)

Ecosystem-wide dependent count for version 11.1.1.

Description (NVD)

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature because of insufficient DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.

Analysis (AI)

Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 certificates by supplying malicious domain parameters (g=1, y=1, r=1) that cause verification functions to incorrectly validate any message hash. This actively undermines authentication and integrity checks in applications using the library for JWT validation, certificate verification, or digital signatures. …
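Why the degenerate parameters named above make the DSA equation hash-independent, and what a hardened verifier checks before trusting that equation, shown in a toy verifier. This is an added example, not jsrsasign's code or its internal API; the domain parameters (p=23, q=11, g=4), private key x=3, nonce k=3 and hash value 5 are constructed toy numbers, not real keys.

```javascript
// Added example (not jsrsasign code): a toy DSA verifier showing why domain
// parameters and public keys must be validated before the verification
// equation is trusted. All numbers are tiny constructed values, not real keys.

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse via the extended Euclidean algorithm; throws if gcd != 1.
function modInv(a, m) {
  let [oldR, r] = [((a % m) + m) % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const quot = oldR / r;
    [oldR, r] = [r, oldR - quot * r];
    [oldS, s] = [s, oldS - quot * s];
  }
  if (oldR !== 1n) throw new Error("value is not invertible");
  return ((oldS % m) + m) % m;
}

// Textbook DSA verification: v = ((g^u1 * y^u2) mod p) mod q, accept iff v == r.
// Running this on unvalidated inputs is the flaw class the advisory describes.
function dsaVerifyUnchecked({ p, q, g }, y, h, { r, s }) {
  const w = modInv(s, q);
  const u1 = (h * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

// Checks a hardened verifier applies first. With g = 1 or y = 1 the
// exponentiations are constant, so v no longer depends on the hash at all.
function validateDsaInputs({ p, q, g }, y, { r, s }) {
  if (!(q > 1n && p > q)) return false;
  if (!(g > 1n && g < p)) return false;        // rejects g = 1
  if (!(y > 1n && y < p)) return false;        // rejects y = 1
  if (modPow(g, q, p) !== 1n) return false;    // g must generate the order-q subgroup
  if (modPow(y, q, p) !== 1n) return false;    // y must lie in that subgroup
  if (!(r > 0n && r < q && s > 0n && s < q)) return false; // signature range
  return true;
}

function dsaVerify(params, y, h, sig) {
  return validateDsaInputs(params, y, sig) && dsaVerifyUnchecked(params, y, h, sig);
}

// Signing with a caller-supplied nonce k, used only to build a legitimate test vector.
function dsaSign({ p, q, g }, x, h, k) {
  const r = modPow(g, k, p) % q;
  const s = (modInv(k, q) * ((h + x * r) % q)) % q;
  return { r, s };
}

// Constructed toy domain parameters: p = 23, q = 11 divides p - 1, g = 4 has order 11.
const TOY_PARAMS = { p: 23n, q: 11n, g: 4n };
const TOY_PRIVATE = 3n;                                              // x
const TOY_PUBLIC = modPow(TOY_PARAMS.g, TOY_PRIVATE, TOY_PARAMS.p);  // y = 18

// Degenerate inputs of the kind the advisory describes: g = 1, y = 1, r = 1.
const DEGENERATE_PARAMS = { p: 23n, q: 11n, g: 1n };
const DEGENERATE_PUBLIC = 1n;
const DEGENERATE_SIG = { r: 1n, s: 1n };

function demo() {
  const h = 5n;                                   // stands in for a truncated hash mod q
  const sig = dsaSign(TOY_PARAMS, TOY_PRIVATE, h, 3n);
  return {
    genuine: dsaVerify(TOY_PARAMS, TOY_PUBLIC, h, sig),                 // true
    tampered: dsaVerify(TOY_PARAMS, TOY_PUBLIC, h + 1n, sig),           // false
    // Without validation, v collapses to 1 == r for every hash value.
    degenerateUnchecked: dsaVerifyUnchecked(DEGENERATE_PARAMS, DEGENERATE_PUBLIC, 99n, DEGENERATE_SIG), // true
    // With validation, g = 1 is rejected before the equation is evaluated.
    degenerateChecked: dsaVerify(DEGENERATE_PARAMS, DEGENERATE_PUBLIC, 99n, DEGENERATE_SIG),            // false
  };
}

console.log(demo());
```

The subgroup-order checks (g^q mod p == 1, y^q mod p == 1) are what rule out the whole class, not just the g=1 and y=1 values quoted in the advisory; the range checks on r and s close the r=1-style trivial signature for a verifier that is otherwise sound.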


Remediation (AI)

Within 24 hours: Identify all applications and dependencies using jsrsasign and document current versions in use. Within 7 days: Upgrade jsrsasign to version 11.1.1 or later across all development, staging, and production environments; verify upgrades via dependency audits (npm audit, yarn audit, or equivalent). …


Vendor Status (Vendor)


CVE-2026-4600 vulnerability details – vuln.today
