CVE-2026-4602

HIGH EPSS 31.9%
Published Mar 23, 20263mo ago · Modified Jun 22, 20261w ago
7.7 CVSS 4.0
High
Find Similar
Published Mar 23, 2026 3mo ago
Last Modified Jun 22, 2026 1w ago

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.

CVSS Details

Base Score
7.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
31.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-681

Affected Products 1

VendorProductVersionRange
kjurjsrsasign* <11.1.1

References 4

  • gist.github.com https://gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5
    ExploitMitigationThird Party Advisory
  • github.com https://github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195
    Patch
  • github.com https://github.com/kjur/jsrsasign/pull/650
    Issue Tracking
  • security.snyk.io https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371175
    Third Party Advisory

Remediation

  • github.com https://github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195
    Patch