CVE-2026-4603 is a low-severity vulnerability affecting versions of the jsrsasign package before 11.1.1. The issue arises from a division-by-zero error in the RSASetPublic/KEYUTIL parsing path and BigInteger.modPowInt reduction logic. An attacker can exploit this by providing a JWK with a modulus that decodes to zero, causing RSA public-key operations to produce deterministic zero outputs and conceal 'invali [truncated]
CVE-2026-4601 is a high-severity vulnerability (CVSS score: 8.8) affecting jsrsasign versions before 11.1.1. The vulnerability stems from a missing cryptographic step in the DSA signing implementation, specifically in the KJUR.crypto.DSA.signWithMessageHash process. An attacker can exploit this by forcing 'r' or 's' to be zero, causing the library to emit an invalid signature without retrying, allowing th [truncated]
CVE-2026-4600 is a high-severity vulnerability (CVSS score: 8.1) affecting versions of the jsrsasign package before 11.1.1. The vulnerability involves Improper Verification of Cryptographic Signature via DSA domain-parameter validation. An attacker can exploit this by supplying malicious domain parameters (e.g., g=1, y=1, and a fixed r=1) to forge DSA signatures or X.509 certificates that are accepted by [truncated]
CVE-2026-4599 is a critical vulnerability in the jsrsasign package, affecting versions from 7.0.0 to before 11.1.1. The issue stems from an incomplete comparison with missing factors in the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions. This flaw allows an attacker to recover the private key by exploiting incorrect compareTo checks, which accept out-of-range candidates and bias DS [truncated]
CVE-2026-4598 is a high-severity vulnerability (CVSS score: 7.7) in the jsrsasign package, affecting versions before 11.1.1. The issue arises from the bnModInverse function in ext/jsbn2.js, which can enter an infinite loop when given zero or negative inputs. This allows an attacker to permanently hang a process by providing crafted values. Defenders [truncated]