
9 matches found

EUVD
added 2026/01/13 2:58 p.m., 3 views

EUVD-2026-1868

Cosign verification accepts any valid Rekor entry under certain conditions...

CVSS 5.5, AI score 6.1, EPSS 0.00077
Exploits: 1, References: 4
Debian CVE
added 2026/01/12 8:58 p.m., 4 views

CVE-2026-22772

Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.5, Fulcio's metaRegex function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF on...

CVSS 5.8, AI score 6.9, EPSS 0.0022
Exploits: 1
OSV
added 2026/01/10 7:16 a.m., 5 views

UBUNTU-CVE-2026-22703

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5, AI score 5.9, EPSS 0.00077
Exploits: 1, References: 5
Positive Technologies
added 2026/01/01 12:00 a.m., 6 views

PT-2026-2253

Name of the Vulnerable Software and Affected Versions: Cosign versions prior to 2.6.2 and 3.0.4. Description: Cosign is a tool providing code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a crafted Cosign bundle could successfully verify an artifact even if...

CVSS 7.5, AI score 6.8, EPSS 0.0053
Exploits: 4, References: 40
CVE
added 2024/11/26 6:41 p.m., 56 views

CVE-2024-53267

sigstore-java (the Java client) is affected by a vulnerability where KeylessVerifier.verify() may accept a validly-signed but mismatched bundle as proof of inclusion in a transparency log. The log-entry could be unrelated to the artifact, allowing a bundle to appear logged without proof the signi...

CVSS 5.5, AI score 5.3, EPSS 0.00097
Exploits: 0, References: 3
Vulnrichment
added 2024/11/26 6:41 p.m., 12 views

CVE-2024-53267 Vulnerability with bundle verification in sigstore-java

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation...

CVSS 5.5, AI score 6.7, EPSS 0.00097
Exploits: 0, References: 3
Cvelist
added 2024/11/26 6:41 p.m., 36 views

CVE-2024-53267 Vulnerability with bundle verification in sigstore-java

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation...

CVSS 5.5, EPSS 0.00097
Exploits: 0, References: 3
Github Security Blog
added 2024/11/26 4:38 p.m., 16 views

sigstore-java has vulnerability with bundle verification

Summary: sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. Impact: This bug impacts clients using any variation of KeylessVerifier.verify. The verifier may accept a bundle with an...

CVSS 5.5, AI score 5.3, EPSS 0.00097
Exploits: 0, References: 5, Affected Software: 1
OSV
added 2023/11/09 6:00 p.m., 26 views

GO-2022-0326 Improper certificate validation in github.com/sigstore/cosign

Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and...

CVSS 3.3, AI score 3.4, EPSS 0.0016
Exploits: 0, References: 2