{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4602", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2026-03-22T16:26:15.167Z", "datePublished": "2026-03-23T05:00:10.567Z", "dateUpdated": "2026-03-23T14:37:39.558Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"}}], "credits": [{"value": "Kr0emer", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-681", "description": "Incorrect Conversion between Numeric Types", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-03-23T05:00:10.567Z"}, "descriptions": [{"value": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371175"}, {"url": "https://gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5"}, {"url": "https://github.com/kjur/jsrsasign/pull/650"}, {"url": "https://github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195"}], "affected": [{"product": "jsrsasign", "versions": [{"version": "0", "lessThan": "11.1.1", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T14:37:35.060950Z", "id": "CVE-2026-4602", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:37:39.558Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4602", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T14:37:35.060950Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:36:00.641Z"}}], "cna": {"credits": [{"lang": "en", "value": "Kr0emer"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "NONE"}, "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "jsrsasign", "versions": [{"status": "affected", "version": "0", "lessThan": "11.1.1", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371175"}, {"url": "https://gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5"}, {"url": "https://github.com/kjur/jsrsasign/pull/650"}, {"url": "https://github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195"}], "descriptions": [{"lang": "en", "value": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-681", "description": "Incorrect Conversion between Numeric Types"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-03-23T05:00:10.567Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4602", "state": "PUBLISHED", "dateUpdated": "2026-03-23T14:37:39.558Z", "dateReserved": "2026-03-22T16:26:15.167Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2026-03-23T05:00:10.567Z", "assignerShortName": "snyk"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "1EBBE1A6-4D19-4ED2-859C-73AFBDA25DEA", "versionEndExcluding": "11.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent."}], "id": "CVE-2026-4602", "lastModified": "2026-03-23T16:08:58.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2026-03-23T06:16:22.070", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195"}, {"source": "report@snyk.io", "tags": ["Issue Tracking"], "url": "https://github.com/kjur/jsrsasign/pull/650"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371175"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-681"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"bugzilla": {"description": "jsrsasign: jsrsasign: Signature verification bypass via negative exponent handling", "id": "2450206", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450206"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-681", "details": ["A flaw was found in jsrsasign. A remote attacker can exploit an incorrect conversion between numeric types by providing a negative exponent to the `modPow` function. This vulnerability can force the computation of incorrect modular inverses, which ultimately allows an attacker to bypass signature verification."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-4602", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "mtv-candidate/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}], "public_date": "2026-03-23T05:00:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4602\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4602\nhttps://gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5\nhttps://github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195\nhttps://github.com/kjur/jsrsasign/pull/650\nhttps://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371175"], "statement": "This is an IMPORTANT flaw. The `jsrsasign` library, as used in Red Hat products such as Migration Toolkit for Virtualization and Red Hat Quay, is vulnerable to a signature verification bypass. A remote attacker could provide a specially crafted negative exponent to the `modPow` function, leading to incorrect modular inverse computations and allowing them to bypass signature verification.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.1.1)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "original": {"product": "jsrsasign", "source": "cna", "vendor": "n/a"}, "product": "jsrsasign", "vendor": "kjur"}], "analysis": {"en": {"generated_at": "2026-03-23T17:36:27.524966+00:00", "value": {"mitigation_remediation": ["Upgrade jsrsasign to version 11.1.1 or newer.", "Verify that the upgrade is complete and that no older versions remain in the project dependencies."], "summary": {"action": "Immediate Patch", "impact": "Signature Verification Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is the jsrsasign JavaScript library, used in Node.js projects. All releases before version 11.1.1 are vulnerable. Projects that rely on jsrsasign to validate cryptographic signatures of external data are at risk.", "description_and_impact": "The vulnerability is an incorrect conversion between numeric types in the jsrsasign library. When a negative exponent is passed to the modPow function in ext/jsbn2.js, the library computes an incorrect modular inverse, leading to a signature verification bypass. An attacker able to supply such input can forge signatures for any data validated by the library, potentially compromising code integrity or authentication mechanisms. The weakness corresponds to CWE\u2011681.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity, but the EPSS score lower than 1 percent suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, implying no documented exploitation yet. Attackers would need the ability to influence the input data that triggers the modPow function, which typically occurs in scenarios where an application accepts untrusted signatures. Once the input is controlled, the attacker can bypass verification and potentially inject malicious content."}}}}, "created": "2026-03-23T09:45:34.158669+00:00", "updated": "2026-03-25T14:49:51.434034+00:00", "vendors": ["kjur", "kjur$PRODUCT$jsrsasign"]}