sigstore

Top products

The 15 most recently published vulnerabilities affecting sigstore.

• CVE-2026-44309gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits5.3May 15, 2026
• CVE-2026-44310gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers5.4May 15, 2026
• CVE-2026-39984Sigstore Timestamp Authority has Improper Certificate Validation in verifier5.5Apr 14, 2026
• CVE-2026-39395Cosign's verify-blob-attestation reports false positive when payload parsing fails4.3Apr 7, 2026
• CVE-2026-31830sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest7.5Mar 10, 2026
• CVE-2026-24122Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked3.7Feb 19, 2026
• CVE-2026-24137sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal5.8Jan 23, 2026
• CVE-2026-24117Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL5.3Jan 22, 2026
• CVE-2026-23831Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message5.3Jan 22, 2026
• CVE-2026-22772Fulcio vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass5.8Jan 12, 2026
• CVE-2026-22703Cosign verification accepts any valid Rekor entry under certain conditions5.5Jan 10, 2026
• CVE-2025-66564Sigstore Timestamp Authority allocates excessive memory during request parsing7.5Dec 4, 2025
• CVE-2025-66506Fulcio allocates excessive memory during token parsing7.5Dec 4, 2025
• CVE-2024-53267Vulnerability with bundle verification in sigstore-java5.5Nov 26, 2024
• CVE-2024-45395Unbounded loop over untrusted input can lead to endless data attack3.1Sep 4, 2024