CVE-2026-4602

Summary

Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.

Affected Software

VendorProductVersion RangeStatus
n/ajsrsasign0 < 11.1.1affected
n/aorg.webjars.npm:jsrsasign0 < *affected

Weaknesses

  • CWE-681: Incorrect Conversion between Numeric Types

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

jsrsasign: jsrsasign: Signature verification bypass via negative exponent handling

Additional References

References