Sign In

CVE-2026-4599

ADVISORY - github

Summary

Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.

EPSS Score: 0.00037 (0.111)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-1023

Incomplete Comparison with Missing Factors

ADVISORY - github

CWE-1023

Incomplete Comparison with Missing Factors

ADVISORY - redhat

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2026-4599
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1023

CVSS SCORE

9.3critical

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-5jx8-q4cp-rhh6
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1023

CVSS SCORE

9.3critical

Red Hat

CREATED

UPDATED

ADVISORY IDCVE-2026-4599
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-338

CVSS SCORE

9.1high