5 matches found
PT-2026-58289
Name of the Vulnerable Software and Affected Versions sigstore-js versions prior to 0.7.1 Description The getRegistryCredentials function reads credentials from the Docker config file and selects an entry by checking if any configured auth key contains the target registry string. Due to the use o...
PT-2026-39313
🔴 Docker Registry Auth Substring Match Forwards Credentials to a Different Registry CVE-2025-27119, High https://t.co/gO08whMpWZ...
Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching
hey guys, triage contract this is a first-screen summary; deterministic proof is in the proof bundle canonical.log/control.log/witness.txt. summary trusted resources verification policies match a resource source string refSource.URI against spec.resources.pattern using regexp.MatchString. in go,...
CVE-2026-25542 Tekton Pipelines: VerificationPolicy regex pattern bypass via substring matching
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.43.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, trusted resources verification policies match a resource source string refSource.URI against spec.resources.pattern...
CVE-2025-50864
The CVE-2025-50864 entry describes an Origin Validation Error in the elysia-cors library (through version 1.3.0) that permits unauthorized access to user data. The root cause is improper origin validation: the origin is checked as a substring against any domain in the CORS policy instead of an ex...