CVE-2026-4599CRITICAL 9.1EPSS p26.2%

CVE-2026-4599CVE-2026-4599

Description

Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.34% probability of exploitation · percentile 26.2% · 2026-06-19T12:03:05Z
Published2026-03-23
Last modified2026-03-23

Underlying weaknesses· 1

CWE-1023

References

  1. https://gist.github.com/Kr0emer/081681818b51605c91945126d74b4f20
  2. https://github.com/kjur/jsrsasign/commit/ee4b013478366cb16cea9a4bdfb218b6077f83b1
  3. https://github.com/kjur/jsrsasign/pull/647
  4. https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370939

1

TypeTargetConfidenceTier
WeaknessIncomplete Comparison with Missing Factorscwe-10230%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-4601
CVE
CVE-2026-4600
CVE
CVE-2025-3757
CVE
CVE-2026-4258
CVE
CVE-2026-34950
CVE
CVE-2025-46688
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.