PT-2026-27057 · Jsrsasign · Jsrsasign

Kr0Emer · Published 2026-03-23 · Updated 2026-03-28 · CVE-2026-4601

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: jsrsasign versions prior to 11.1.1

Description: The jsrsasign package, in versions prior to 11.1.1, contains a flaw in its DSA signing implementation, specifically in KJUR.crypto.DSA.signWithMessageHash. An attacker who can manipulate the signing process so that r or s becomes zero obtains an invalid signature, because the library emits it without retrying (DSA requires discarding such a pair and signing again with a fresh nonce). From such a signature the attacker can solve for x and thus recover the private key.

Recommendations: Update jsrsasign to version 11.1.1 or later.
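The following is an added illustration, not jsrsasign's own code: a toy DSA signer that reproduces the behaviour described above (no zero check, no retry) next to a hardened signer that discards any r = 0 or s = 0 pair and draws a new nonce. The parameters p = 59, q = 29, g = 4, the key x = 7, the hash h = 27 and the nonce sequence are all constructed so that both failure modes actually occur.

```javascript
// Toy DSA over constructed parameters: p = 59 (safe prime), q = 29 = (p-1)/2,
// g = 2^2 mod p generates the order-q subgroup. Demonstration values only.
const P = 59n, Q = 29n, G = 4n;

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  for (; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Inverse modulo a prime via Fermat's little theorem.
function modInv(a, mod) { return modPow(((a % mod) + mod) % mod, mod - 2n, mod); }

// Mirrors the flaw the advisory describes: one nonce, no zero check, no retry.
function signNaive(x, h, k) {
  const r = modPow(G, k, P) % Q;
  const s = (modInv(k, Q) * (h + x * r)) % Q;
  return { r, s };
}

// Hardened signer: a pair with r == 0 or s == 0 is discarded and a fresh nonce is
// drawn (with s == 0, h + x*r ≡ 0 mod q, so the pair must never leave the signer).
// `nextK` is a caller-supplied nonce source; real code draws k from a CSPRNG.
function signChecked(x, h, nextK, maxTries = 16) {
  for (let i = 1; i <= maxTries; i++) {
    const { r, s } = signNaive(x, h, nextK());
    if (r !== 0n && s !== 0n) return { r, s, tries: i };
  }
  throw new Error("no valid signature after " + maxTries + " nonces");
}

// Standard DSA verification, including the 0 < r, s < q range check.
function verify(y, h, { r, s }) {
  if (r <= 0n || r >= Q || s <= 0n || s >= Q) return false;
  const w = modInv(s, Q);
  const u1 = (h * w) % Q, u2 = (r * w) % Q;
  return ((modPow(G, u1, P) * modPow(y, u2, P)) % P) % Q === r;
}

// Constructed keys and hash: x = 7, y = g^x mod p, h = 27.
// k = 14 gives g^k mod p = 29 = q, so r = 0; k = 5 gives r = 21 and
// h + x*r = 174 = 6*q, so s = 0. The checked signer rejects both and succeeds on k = 3.
const X = 7n, Y = modPow(G, X, P), H = 27n;
const nonces = [14n, 5n, 3n];
console.log(signNaive(X, H, 14n), signChecked(X, H, () => nonces.shift()));
```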


Weakness Enumeration

Related Identifiers

CVE-2026-4601
GHSA-W8Q8-93CX-6H7R

Affected Products

Jsrsasign