Which versions of jsrsasign are affected by CVE-2026-4601?

jsrsasign library versions before 11.1.1 allow attackers to recover RSA/DSA private keys through forced invalid signature exploitation, directly compromising cryptographic authentication and data…. A patch is available.

How to fix or mitigate CVE-2026-4601?

Within 24 hours: Identify all systems and applications using jsrsasign and document current versions via dependency scanning. Within 7 days: Upgrade jsrsasign to version 11.1.1 or later on all affected systems and redeploy applications. Within 30 days: Rotate all private keys generated or used with jsrsasign versions prior to 11.1.1, audit key usage logs for suspicious signing patterns, and validate patch deployment across all environments.

jsrsasign CVE-2026-4601

Q: What is the CVSS score of CVE-2026-4601?

CVE-2026-4601 has a CVSS 4.0 base score of 8.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-14377 HIGH

Missing Cryptographic Step (CWE-325)

2026-03-23 snyk

GHSA-w8q8-93cx-6h7r

Information Disclosure

8.8

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 29, 2026 - 01:33 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 29, 2026 - 01:11 vuln.today

cvss_changed

CVSS changed

Apr 29, 2026 - 01:11 NVD

8.7 (HIGH) 8.8 (HIGH)

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 23, 2026 - 05:45 euvd

EUVD-2026-14377

Analysis Generated

Mar 23, 2026 - 05:45 vuln.today

CVE Published

Mar 23, 2026 - 05:00 nvd

HIGH 8.7

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

33 npm packages depend on jsrsasign (9 direct, 24 indirect)

Ecosystem-wide dependent count for version 11.1.1.

DescriptionNVD

Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.

AnalysisAI

Private key recovery is possible in jsrsasign versions before 11.1.1 when attackers force invalid DSA signatures with zero r or s values during the signing process. The library fails to validate or retry these malformed signatures, allowing attackers to algebraically solve for the private key x from the emitted signature. …

RemediationAI

Within 24 hours: Identify all systems and applications using jsrsasign and document current versions via dependency scanning. Within 7 days: Upgrade jsrsasign to version 11.1.1 or later on all affected systems and redeploy applications. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Vendor StatusVendor

CVE-2026-4601 vulnerability details – vuln.today

Back

jsrsasign CVE-2026-4601

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Vendor StatusVendor

Share

jsrsasign CVE-2026-4601

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Vendor StatusVendor

Share

External POC / Exploit Code