Jsrsasign < 11.1.1 Incorrect Conversion Vulnerability (CVE-2026-4602)
Jsrsasign versions before 11.1.1 contain an incorrect conversion between numeric types: by calling modPow with a negative exponent, an attacker can force the computation of incorrect modular inverses and break signature verification.
Jsrsasign is a free open source cryptography library for JavaScript. Versions before 11.1.1 contain an incorrect conversion between numeric types due to improper handling of negative exponents in the ext/jsbn2.js file. This vulnerability, identified as CVE-2026-4602, allows an attacker to force the computation of incorrect modular inverses, leading to the potential breakage of signature verification. The vulnerability was reported and patched in March 2026. This could allow an attacker to…
Detection coverage: 2
Detect jsrsasign version usage in package-lock.json
Severity: medium. Detects the usage of vulnerable jsrsasign versions in package-lock.json files, indicating potential vulnerability.
Detect jsrsasign version usage in package.json
Severity: medium. Detects the usage of vulnerable jsrsasign versions in package.json files, indicating potential vulnerability.