Lucene search
+L

4 matches found

cve
cve
added 3 days ago30 views

CVE-2026-48758

CVE-2026-48758 affects sigstore-js with a flaw in the preAuthEncoding function in @sigstore/core: it uses Node.js ASCII encoding when converting PAE strings to bytes, allowing payloadType to be mutated after signing without invalidating the DSSE signature. The issue is fixed in @sigstore/core ver...

5.4CVSS6.1AI score0.00264EPSS
Exploits0References4
cvelist
cvelist
added 3 days ago36 views

CVE-2026-48815 sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications...

7.5CVSS0.0019EPSS
Exploits0References4
cve
cve
added 3 days ago5 views

CVE-2026-59891

The CVE-2026-59891 entry concerns sigstore-js prior to 0.7.1. getRegistryCredentials() reads Docker config credentials and selects an entry by substring match of the target registry, which can cause credentials for one registry to be sent to a different registry whose hostname has a matching subs...

9.6CVSS6.1AI score0.00321EPSS
Exploits0References3
redhatcve
redhatcve
added 3 days ago7 views

CVE-2026-48816

A flaw was found in sigstore-js. The software derives a transparency-log timestamp from tlogEntries.integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a transparency log tlog entry can be inclusion-proof-only, meaning the inclusion...

6.5CVSS6.1AI score0.00158EPSS
Exploits0References4
Rows per page
Query Builder