Home / Vulnerability Intelligence / CVE-2026-4601

CVE-2026-4601 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: March 23, 2026

jsrsasign - Weak Cryptography

Published: March 23, 2026Updated: March 23, 2026PoC AvailableRemote Exploitable

Overview

jsrsasign < 11.1.1 contains a missing cryptographic step caused by improper handling of zero values in DSA signing implementation, letting attackers recover private keys by forcing r or s to zero, exploit requires crafted signature inputs.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 1.9%(Probability of exploitation in next 30 days)

Impact

Attackers can recover private keys, compromising cryptographic security and enabling signature forgery.

Mitigation

Update to version 11.1.1 or later.

References

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 23, 2026

🛡️ CVE-2026-4601: CRITICAL bug in jsrsasign <11.1.1 misses a vital DSA signing step, letting attackers recover private keys if exploited. No active attacks yet, but update ASAP! Details: https://radar.offseq.com/threat/cve-2026-4601-missing-cryptographic-step-in-jsrsas-1b19c447 #OffSeq #CVE20264601 #Crypto #Vuln

View original post

Related Resources

Details

CVE ID: CVE-2026-4601
Severity: High
CVSS Score: 8.7
Type: weak_cryptography
Status: confirmed
EPSS: 1.9%
Social Posts: 1

CWE

CWE-325

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS Score

1.9%Probability of exploitation in the next 30 days