CVE-2026-4601
jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction
Score: 8.7 HIGH (CVSS 3.1)
EPSS: 0.02%
Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. The signer does not check that the signature components r and s are nonzero, so if an attacker can force r or s to be zero, the library emits an invalid signature without retrying with a fresh nonce, and the private key x can then be solved for from that signature.
How to fix CVE-2026-4601
To remediate CVE-2026-4601, upgrade the affected package to a fixed version below.
- Upgrade to 11.1.1 or later
Is CVE-2026-4601 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- jsrsasign: from 0, < 11.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/E:P |
| osv | CVSS 3.1 | HIGH (8.7) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |