CVE-2026-4602 — jsrsasign: Negative Exponent Handling Leads to Signature Verification Bypass

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.

How to fix CVE-2026-4602

To remediate CVE-2026-4602, upgrade the affected package to a fixed version below.

—upgrade to 11.1.1 or later

Is CVE-2026-4602 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 11.1.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-4602
PATCHgithub.com/kjur/jsrsasign
WEBgist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5
WEBgithub.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195
WEB