Home / Vulnerability Intelligence / CVE-2026-4600

CVE-2026-4600 - Vulnerability Analysis

HighCVSS: 7.4

Last Updated: March 23, 2026

jsrsasign - Broken Authentication

Published: March 23, 2026Updated: March 23, 2026PoC AvailableRemote Exploitable

Overview

jsrsasign < 11.1.1 contains an improper verification of cryptographic signature caused by lack of DSA domain-parameter validation in KJUR.crypto.DSA.setPublic, letting attackers forge DSA signatures or X.509 certificates, exploit requires crafted malicious domain parameters.

Severity & Score

Severity: High

CVSS Score: 7.4

Impact

Attackers can forge DSA signatures or X.509 certificates, bypassing signature verification and compromising trust.

Mitigation

Update to version 11.1.1 or later.

References

https://gist.github.com/Kr0emer/bf15ddc097176e951659a24a8e9002a7
https://github.com/kjur/jsrsasign/commit/37b4c06b145c7bfd6bc2a6df5d0a12c56b15ef60
https://github.com/kjur/jsrsasign/pull/646
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370940

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-4600
Severity: High
CVSS Score: 7.4
Type: broken_authentication
Status: confirmed

CWE

CWE-347

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N