Lucene search
+L

476 matches found

Vulnrichment
Vulnrichment
added yesterday4 views

CVE-2026-49834 sigstore-go: Multi-log threshold bypass via single compromised log

sigstore-go is a Go library for Sigstore signing and verification. Prior to 1.2.0, a verifier configured with WithTransparencyLogN1 or WithSignedCertificateTimestampsN1 counts verified witnesses per entry or per validation path rather than per log authority, allowing a single compromised...

5.9CVSS5.2AI score
Exploits0References4
CVE
CVE
added yesterday18 views

CVE-2026-49834

Technical details about CVE-2026-49834 are not publicly available in the provided connected documents. Monitor for updates.

5.9CVSS5.2AI score
Exploits0References4
Cvelist
Cvelist
added yesterday18 views

CVE-2026-49834 sigstore-go: Multi-log threshold bypass via single compromised log

sigstore-go is a Go library for Sigstore signing and verification. Prior to 1.2.0, a verifier configured with WithTransparencyLogN1 or WithSignedCertificateTimestampsN1 counts verified witnesses per entry or per validation path rather than per log authority, allowing a single compromised...

5.9CVSS
Exploits0References4
CVE
CVE
added yesterday25 views

CVE-2026-49835

CVE-2026-49835 affects Sigstore Timestamp Authority. The issue arises from the legacy wrapMetrics middleware, which records raw HTTP path and method as Prometheus labels for latency and request count, enabling an unauthenticated attacker to issue requests with arbitrary paths/methods and create u...

5.9CVSS5.3AI score
Exploits0References3
Cvelist
Cvelist
added yesterday23 views

CVE-2026-49835 Sigstore Timestamp Authority: OOM due to unbounded metric label cardinality

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an...

5.9CVSS
Exploits0References3
NVD
NVD
added 4 days ago7 views

CVE-2026-48758

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature...

5.4CVSS0.00264EPSS
Exploits0References4
NVD
NVD
added 4 days ago4 views

CVE-2026-48815

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications...

7.5CVSS0.0019EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago39 views

CVE-2026-48816 sigstore-js: Insufficient Verification of Data Authenticity

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries.integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind...

6.5CVSS0.00158EPSS
Exploits0References4
CVE
CVE
added 4 days ago20 views

CVE-2026-48816

CVE-2026-48816 affects sigstore-js, where prior to version 3.1.1 the verification logic in @sigstore/verify derives a transparency-log timestamp from tlogEntries[].integratedTime for bundle v0.2 inclusionProof-only entries, even though the inclusion proof path does not cryptographically bind inte...

6.5CVSS6.1AI score0.00158EPSS
Exploits0References4
OSV
OSV
added 4 days ago5 views

CVE-2026-48816 sigstore-js: Insufficient Verification of Data Authenticity

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries.integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind...

6.5CVSS6.1AI score0.00158EPSS
Exploits0References6
CVE
CVE
added 4 days ago39 views

CVE-2026-48758

CVE-2026-48758 affects sigstore-js with a flaw in the preAuthEncoding function in @sigstore/core: it uses Node.js ASCII encoding when converting PAE strings to bytes, allowing payloadType to be mutated after signing without invalidating the DSSE signature. The issue is fixed in @sigstore/core ver...

5.4CVSS6.1AI score0.00264EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago39 views

CVE-2026-48758 sigstore-js: DSSE payloadType type-binding failure

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature...

5.4CVSS0.00264EPSS
Exploits0References4
OSV
OSV
added 4 days ago5 views

CVE-2026-48758 sigstore-js: DSSE payloadType type-binding failure

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature...

5.4CVSS6.1AI score0.00264EPSS
Exploits0References6
Cvelist
Cvelist
added 4 days ago36 views

CVE-2026-48815 sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications...

7.5CVSS0.0019EPSS
Exploits0References4
CVE
CVE
added 4 days ago40 views

CVE-2026-48815

Summary of CVE-2026-48815 : In sigstore-js, the documented certificateOIDs option in sigstore.verify() is accepted by the public API before verification but discarded during verification, causing certificate extension OIDs to not be checked. This allows applications to accept unauthorized certifi...

7.5CVSS6.1AI score0.0019EPSS
Exploits0References4
OSV
OSV
added 4 days ago4 views

CVE-2026-48815 sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications...

7.5CVSS6.1AI score0.0019EPSS
Exploits0References6
CVE
CVE
added 4 days ago5 views

CVE-2026-59891

The CVE-2026-59891 entry concerns sigstore-js prior to 0.7.1. getRegistryCredentials() reads Docker config credentials and selects an entry by substring match of the target registry, which can cause credentials for one registry to be sent to a different registry whose hostname has a matching subs...

9.6CVSS6.1AI score0.00321EPSS
Exploits0References3
OSV
OSV
added 4 days ago3 views

CVE-2026-59891 Credential confusion in  @sigstore/oci  can leak registry credentials to an attacker-controlled registry

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 0.7.1, getRegistryCredentials reads credentials from the Docker config file and selects an entry by checking whether any configured auth key contains the target registry string. Because this is a substring...

9.6CVSS6.1AI score0.00321EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 4 days ago6 views

CVE-2026-48815

A flaw was found in sigstore. The certificateOIDs option, intended to restrict which certificates can sign artifacts, is accepted by the public application programming interface API but is not used during the verification process. This allows unauthorized certificates to be accepted, bypassing...

7.5CVSS6AI score0.0019EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 4 days ago7 views

CVE-2026-49835

A flaw was found in Sigstore Timestamp Authority. An unauthenticated remote attacker can exploit this vulnerability by sending requests with arbitrary HTTP paths and methods. This leads to the creation of an excessive number of unique metric labels, causing unbounded memory growth and a denial of...

5.9CVSS6.1AI score
Exploits0References4
Rows per page
Query Builder