
6 matches found

OSV
added 2026/01/10 7:16 a.m. · 3 views

UBUNTU-CVE-2026-22703

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5 · AI score 5.9 · EPSS 0.00077
Exploits: 1 · References: 5
EUVD
added 2025/10/03 8:7 p.m. · 9 views

EUVD-2023-1916

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.5 · EPSS 0.00354
Exploits: 0 · References: 6
NVD
added 2025/02/14 5:15 p.m. · 16 views

CVE-2025-25204

gh is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool gh attestation verify causes it to return a zero exit status when no attestations are present. This behavior is incorrect:...

CVSS 6.3 · EPSS 0.00375
Exploits: 0 · References: 3
Cvelist
added 2023/06/06 6:15 p.m. · 32 views

CVE-2023-33959 Verification bypass can cause users into verifying the wrong artifact

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Use...

CVSS 8.3 · AI score 8.7 · EPSS 0.00354
Exploits: 0 · References: 1
Positive Technologies
added 2023/06/06 12:0 a.m. · 3 views

PT-2023-24599 · Unknown · Notation-Go

Name of the Vulnerable Software and Affected Versions: notation versions prior to v1.0.0-rc.6 Description: An attacker who has compromised a registry can cause users to verify the wrong artifact. This issue allows an attacker to lead a user into verifying the wrong artifact if they control or...

CVSS 8.8 · AI score 8.4 · EPSS 0.00354
Exploits: 0 · References: 10
OSV
added 2022/10/01 11:33 a.m. · 4 views

SUSE-SU-2022:3486-1 Security update for cosign

This update for cosign fixes the following issues: Updated to version 1.12.0 jscSLE-23879: - CVE-2022-36056: Fixed verify-blob could successfully verify an artifact when verification should have failed bsc1203430...

CVSS 5.5 · AI score 5.4 · EPSS 0.00141
Exploits: 1 · References: 3