4 matches found
CVE-2026-48758
CVE-2026-48758 affects sigstore-js with a flaw in the preAuthEncoding function in @sigstore/core: it uses Node.js ASCII encoding when converting PAE strings to bytes, allowing payloadType to be mutated after signing without invalidating the DSSE signature. The issue is fixed in @sigstore/core ver...
CVE-2026-48815 sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications...
CVE-2026-59891
The CVE-2026-59891 entry concerns sigstore-js prior to 0.7.1. getRegistryCredentials() reads Docker config credentials and selects an entry by substring match of the target registry, which can cause credentials for one registry to be sent to a different registry whose hostname has a matching subs...
CVE-2026-48816
A flaw was found in sigstore-js. The software derives a transparency-log timestamp from tlogEntries.integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a transparency log tlog entry can be inclusion-proof-only, meaning the inclusion...