CVE-2026-4600 in jsrsasigninfo

Summary

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Responsible

snyk

Reservation

03/22/2026

Disclosure

03/23/2026

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerability	CWE	Exp	Cou	CVE
352488	jsrsasign Domain dsa-2.0.js KJUR.crypto.DSA.setPublic signature verification	347	Proof-of-Concept	Official fix	CVE-2026-4600

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

◂ PreviousOverviewNext ▸

Want to know what is going to be exploited?

We predict KEV entries!