aiogithubapi (=23.11.0), authsignal (=2.0.1) +17 more potentially affected by CVE-2026-24408 via sigstore (>=2.0.0rc3 <=3.6.7)
sigstore PYPI version =2.0.0rc3, =2026.5.21.dev103715, =1.50.0, =2.4.0, =0.8.0, =1.0.1 - pylock-attestations =0.0.1a2 and more
Source CVEs: CVE-2026-24408
Source advisory: OSV:GHSA-HM8F-75XX-W2VR...
Insufficient Validation Of Integration Time
sigstore is vulnerable to insufficient validation of integration time. The vulnerability is due to insufficient validation of the integration time in "v2" and "v3" bundles, which allows an attacker to modify the timestamp and cause the signature verification to fail. However, the attack does not...