CVE-2026-48978
The CVE-2026-48978 issue affects the oras-go library prior to 2.6.1, where auth.Client can follow the registry’s Bearer challenge realm without validating the scheme/host. This enables a malicious or compromised registry to trigger SSRF to internal networks (e.g., 169.254.169.254, 10.0.0.x, 127.0...