19 matches found

Amazon | added 2026/04/01 12:0 a.m. | 6 views

Medium: runfinch-finch

Issue Overview: Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services...

CVSS 7.5 | AI score 6.9 | EPSS 0.0052 | Exploits: 2
Tenable Nessus | added 2026/02/21 12:0 a.m. | 6 views

openSUSE 15 Security Update : vexctl (SUSE-SU-2026:0592-1)

The remote openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0592-1 advisory. - Update to version 0.4.1+git78.f951e3a: - CVE-2025-22868: Unexpected memory consumption during token parsing in golang.org/x/oauth2. bsc1239186 -...

CVSS 9.1 | AI score 7 | EPSS 0.03092 | Exploits: 5 | References: 28
Tenable Nessus | added 2026/01/27 12:0 a.m. | 5 views

Linux Distros Unpatched Vulnerability : CVE-2026-24137

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client pkg/tuf/client.go...

CVSS 5.8 | AI score 6.8 | EPSS 0.0037 | Exploits: 0 | References: 4
Snyk | added 2026/01/23 12:49 a.m. | 4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the TUF client. An attacker can overwrite arbitrary files on the filesystem by supplying crafted target metadata that causes path traversal outside the intended cache directory. Note: This is only exploitable if...

CVSS 5.8 | AI score 6.5 | EPSS 0.0037 | Exploits: 0 | References: 2
NVD | added 2026/01/23 12:15 a.m. | 10 views

CVE-2026-24137

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client pkg/tuf/client.go supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from...

CVSS 5.8 | EPSS 0.0037 | Exploits: 0 | References: 3
Cvelist | added 2026/01/23 12:4 a.m. | 32 views

CVE-2026-24137 sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client pkg/tuf/client.go supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from...

CVSS 5.8 | EPSS 0.0037 | Exploits: 0 | References: 3
ATTACKERKB | added 2026/01/23 12:4 a.m. | 4 views

CVE-2026-24137

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client pkg/tuf/client.go supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from...

CVSS 5.8 | AI score 5.5 | EPSS 0.0037 | Exploits: 0 | References: 4 | Affected software: 1
CVE | added 2026/01/23 12:4 a.m. | 21 views

CVE-2026-24137

CVE-2026-24137 affects the sigstore framework (Go library used by sigstore services/clients). In versions ≤ 1.10.3, the legacy TUF client stores cached target files on disk by constructing a filesystem path from a cache base directory and a name from signed target metadata, without ensuring the p...

CVSS 5.8 | AI score 5.7 | EPSS 0.0037 | Exploits: 0 | References: 3
Vulnrichment | added 2026/01/23 12:4 a.m. | 2 views

CVE-2026-24137 sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client pkg/tuf/client.go supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from...

CVSS 5.8 | AI score 5.7 | EPSS 0.0037 | Exploits: 0 | References: 3
OSV | added 2026/01/23 12:4 a.m. | 6 views

CVE-2026-24137 sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client pkg/tuf/client.go supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from...

CVSS 5.8 | AI score 5.7 | EPSS 0.0037 | Exploits: 0 | References: 5
UbuntuCve | added 2026/01/23 12:0 a.m. | 6 views

CVE-2026-24137

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client pkg/tuf/client.go supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from...

CVSS 5.8 | AI score 6.7 | EPSS 0.0037 | Exploits: 0 | References: 4
NVD | added 2026/01/22 3:15 a.m. | 3 views

CVE-2026-23991

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository or any of its mirrors returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of...

CVSS 7.5 | EPSS 0.0053 | Exploits: 0 | References: 3
EUVD | added 2026/01/22 2:16 a.m. | 5 views

EUVD-2026-3673

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository or any of its mirrors returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of...

CVSS 5.9 | AI score 5.4 | EPSS 0.0053 | Exploits: 0 | References: 4
OSV | added 2026/01/21 4:19 p.m. | 2 views

GHSA-846P-JG2W-W324 go-tuf affected by client DoS via malformed server response

Security Disclosure: Client DoS via malformed server response Summary If the TUF repository or any of its mirrors returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a DoS. The panic happens before any signature is validated...

CVSS 5.9 | AI score 5.6 | EPSS 0.0053 | Exploits: 0 | References: 5
Github Security Blog | added 2023/11/14 8:31 p.m. | 29 views

Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.

Impact In certain versions of gitsign, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise...

CVSS 5.3 | AI score 6.3 | EPSS 0.00369 | Exploits: 0 | References: 6 | Affected software: 1
Veracode | added 2023/11/13 7:25 a.m. | 10 views

Improper Verification Of Cryptographic Signature

github.com/sigstore/gitsign is vulnerable to Improper Verification Of Cryptographic Signature. The vulnerability is applicable in the case where a Rekor server is compromised, as gitsign directly fetches public keys via the API without TUF client validations. This leads to lack of validation and...

CVSS 5.3 | AI score 7 | EPSS 0.00369 | Exploits: 0 | References: 4 | Affected software: 1
NVD | added 2023/11/10 10:15 p.m. | 17 views

CVE-2023-47122

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could...

CVSS 5.3 | EPSS 0.00369 | Exploits: 0 | References: 4
Prion | added 2023/11/10 10:15 p.m. | 14 views

Design/Logic Flaw

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could...

CVSS 2.6 | AI score 6.8 | EPSS 0.00369 | Exploits: 0 | References: 4 | Affected software: 1
Vulnrichment | added 2023/11/10 9:33 p.m. | 19 views

CVE-2023-47122 Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could...

CVSS 4.2 | AI score 6.6 | EPSS 0.00369 | Exploits: 0 | References: 4