437 matches found
GHSA-9VCR-P3RJ-Q5Q6 vulnerabilities
Vulnerabilities for packages: cloudbeat-fips, policy-controller-fips, cloudbeat, trivy-fips, tkn, crossplane, trivy-operator-fips, image-factory, kyverno-fips, policy-controller, tbot, tflint, tekton-chains, kubescape-server, trivy, falcoctl, aactl, kubescape, trivy-operator, spire-server-fips,...
GHSA-9VCR-P3RJ-Q5Q6 vulnerabilities
Vulnerabilities for packages: trivy-operator, tkn, gitsign, tflint, teleport, falcoctl, kyverno, policy-controller, kubescape, aactl, tekton-chains, zarf, neuvector-sigstore-interface, trivy, kyverno-notation-aws, crossplane...
CVE-2026-49834 vulnerabilities
Vulnerabilities for packages: trivy-operator, tkn, gitsign, tflint, teleport, falcoctl, kyverno, policy-controller, kubescape, aactl, tekton-chains, zarf, neuvector-sigstore-interface, trivy, kyverno-notation-aws, crossplane...
CVE-2026-48816
creationtimestamp| type| source ---|---|--- 2026-07-01 20:35:05+00:00| published-proof-of-concept| https://github.com/sigstore/sigstore-js/security/advisories/GHSA-xgjw-pm74-86q4...
CVE-2026-48815
creationtimestamp| type| source ---|---|--- 2026-07-01 20:35:03+00:00| published-proof-of-concept| https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr...
GHSA-XGJW-PM74-86Q4 sigstore-js has Insufficient Verification of Data Authenticity
sigstore-js derives a transparency-log timestamp from tlogEntries.integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a tlog entry can be inclusionProof-only no signed inclusionPromise/set, and the inclusion proof path does not...
CVE-2026-48702 vulnerabilities
Vulnerabilities for packages: cloudbeat-fips, policy-controller-fips, ratify, ko-fips, cloudbeat, tkn, crossplane, trivy-operator-fips, spire-server, kyverno-fips, slsa-verifier, policy-controller, tbot, tflint, tekton-chains, kubescape-server, falcoctl, aactl, kubescape, trivy-operator,...
GHSA-47Q9-M4WW-924M vulnerabilities
Vulnerabilities for packages: cloudbeat-fips, policy-controller-fips, ratify, ko-fips, cloudbeat, tkn, crossplane, trivy-operator-fips, spire-server, kyverno-fips, slsa-verifier, policy-controller, tbot, tflint, tekton-chains, kubescape-server, falcoctl, aactl, kubescape, trivy-operator,...
GHSA-47Q9-M4WW-924M vulnerabilities
Vulnerabilities for packages: tkn, tflint, policy-controller, neuvector-sigstore-interface, goreleaser, falcoctl, kyverno, slsa-verifier, kubescape, aactl, trivy-operator, kyverno-notation-aws, spire-server, ratify, teleport, tekton-chains, zarf, crossplane, gitsign, ko...
CVE-2026-48702 vulnerabilities
Vulnerabilities for packages: tkn, tflint, policy-controller, neuvector-sigstore-interface, goreleaser, falcoctl, kyverno, slsa-verifier, kubescape, aactl, trivy-operator, kyverno-notation-aws, spire-server, ratify, teleport, tekton-chains, zarf, crossplane, gitsign, ko...
GHSA-JFC7-64V2-MR8C @sigstore/core has DSSE payloadType type-binding failure
Impact The preAuthEncoding function in @sigstore/core uses Node.js 'ascii' encoding when converting the PAE Pre-Authentication Encoding string to bytes. This allows payloadType to be mutated after signing without invalidating the signature, breaking the type-binding guarantee that DSSE is designe...
GO-2026-5763 Sigstore Timestamp Authority has Improper Certificate Validation in verifier in github.com/sigstore/timestamp-authority
Sigstore Timestamp Authority has Improper Certificate Validation in verifier in github.com/sigstore/timestamp-authority...
SUSE-SU-2026:2609-1 Security update for apptainer
This update for apptainer fixes the following issues - CVE-2026-24137: github.com/sigstore/sigstore/pkg/tuf: legacy TUF client allows for arbitrary file writes with target cache path traversal bsc1264177. - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of...
MAL-2026-5141 Malicious code in @redhat-cloud-services/host-inventory-client (npm)
Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...
Malicious code in @redhat-cloud-services/compliance-client (npm)
Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...
Malicious code in @redhat-cloud-services/tsc-transform-imports (npm)
Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...
MAL-2026-5144 Malicious code in @redhat-cloud-services/notifications-client (npm)
Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...
MAL-2026-5142 Malicious code in @redhat-cloud-services/insights-client (npm)
Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...
MAL-2026-5146 Malicious code in @redhat-cloud-services/remediations-client (npm)
Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...
MAL-2026-5134 Malicious code in @redhat-cloud-services/config-manager-client (npm)
Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...