CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 2026/01/26 11:16 p.m.•7 views

CVE-2026-24408

5CVSS0.00158EPSS

ATTACKERKB•added 2026/01/26 10:21 p.m.•5 views

CVE-2026-24408

Exploits0References4Affected Software1

Vulnrichment•added 2026/01/26 10:21 p.m.•4 views

CVE-2026-24408 sigstore has CSRF possibility in OIDC authentication during signing

EUVD•added 2026/01/26 10:21 p.m.•3 views

EUVD-2026-4729

Cvelist•added 2026/01/26 10:21 p.m.•22 views

CVE-2026-24408 sigstore has CSRF possibility in OIDC authentication during signing

0.00158EPSS

Snyk•added 2026/01/26 9:34 p.m.•3 views

Cross-site Request Forgery (CSRF)

Overview sigstore is an A tool for signing Python package distributions Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the OIDC authentication process, which fails to check the state parameter. An attacker in a MitM position can cause a user to sign data...

5CVSS5.9AI score0.00158EPSS

Exploits0References2

OSV•added 2026/01/26 9:34 p.m.•5 views

GHSA-HM8F-75XX-W2VR sigstore CSRF possibility in OIDC authentication during signing

Summary The sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. Details OAuthSession creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Fix...

Positive Technologies•added 2026/01/26 12:0 a.m.•6 views

PT-2026-4830

Name of the Vulnerable Software and Affected Versions sigstore-python versions prior to 4.2.0 Description sigstore-python is a Python tool used for generating and verifying Sigstore signatures. A flaw exists in the OAuth authentication flow, making it susceptible to Cross-Site Request Forgery. Th...

CNNVD•added 2026/01/26 12:0 a.m.•6 views

Exploits0References9

sigstore-python Cross-Site Request Forgery Vulnerability

sigstore-python is an open-source tool developed by sigstore for generating and verifying Sigstore signatures in Python. Versions of sigstore-python prior to 4.2.0 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the OAuth authentication process’s...

5CVSS5.7AI score0.00158EPSS

Exploits0References4

EUVD•added 2025/10/03 8:7 p.m.•3 views

EUVD-2024-3479

Malicious code in bioql PyPI...

6.9CVSS6.3AI score0.00235EPSS

RedhatCVE•added 2025/05/23 7:41 a.m.•3 views

CVE-2024-55655

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is...

6.9CVSS6.8AI score0.00235EPSS

Exploits0References1

OSV•added 2024/12/11 6:42 p.m.•8 views

GHSA-HHFG-FWRW-87W7 sigstore has insufficient validation of integration timestamp during verification

Summary Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is verified if a source of signed time such as an inclusion promise is present, b...

6.9CVSS6.2AI score0.00235EPSS

Snyk•added 2024/12/10 11:44 p.m.•2 views

Improper Input Validation

Overview sigstore is an A tool for signing Python package distributions Affected versions of this package are vulnerable to Improper Input Validation due to the integration time verification process. An attacker can induce a Denial of Service by modifying the integration timestamp within a bundle...

6.9CVSS6.9AI score0.00235EPSS

Exploits0References2

NVD•added 2024/12/10 11:15 p.m.•11 views

CVE-2024-55655

6.9CVSS0.00235EPSS

Vulnrichment•added 2024/12/10 11:6 p.m.•11 views

CVE-2024-55655 sigstore-python has insufficient validation of integration timestamp during verification

6.9CVSS6.5AI score0.00235EPSS

CVE•added 2024/12/10 11:6 p.m.•55 views

CVE-2024-55655

CVE-2024-55655 affects sigstore-python versions newer than 2.0.0 but before 3.6.0, with insufficient validation of the integration time in v2/v3 bundles during verification. The integration time is checked only when a source of signed time (e.g., an inclusion promise) exists; otherwise it is trus...

6.9CVSS6.9AI score0.00235EPSS

Cvelist•added 2024/12/10 11:6 p.m.•12 views

CVE-2024-55655 sigstore-python has insufficient validation of integration timestamp during verification

6.9CVSS0.00235EPSS

OSV•added 2024/12/10 11:6 p.m.•5 views

CVE-2024-55655 sigstore-python has insufficient validation of integration timestamp during verification

6.9CVSS6.6AI score0.00235EPSS