COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-4600

CVE-2026-4600

Severity
high
Source
NVD · cve
Published
2026-03-23
CVSS
7.4
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-4600
shame 25/100

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signat

Players implicated

kjur · vendorjsrsasign · product

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.