github.com/sigstore/cosign vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
CVE-2026-39395Mediumgithub.com/sigstore/cosign: Cosign's verify-blob-attestation reports false positive when payload parsing failsCVE-2026-24122Lowgithub.com/sigstore/cosign: Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skippedCVE-2024-29903Mediumgithub.com/sigstore/cosign: Cosign malicious artifacts can cause machine-wide DoSCVE-2024-29902Mediumgithub.com/sigstore/cosign: Cosign malicious attachments can cause system-wide denial of serviceCVE-2023-46737Lowgithub.com/sigstore/cosign/v2: Cosign vulnerable to possible endless data attack from attacker-controlled registryCVE-2022-36056Mediumgithub.com/sigstore/cosign: Cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signatureCVE-2022-35929Highgithub.com/sigstore/cosign: cosign's `cosign verify-attestaton --type` can report a false positive if any attestation existsCVE-2022-23649Lowgithub.com/sigstore/cosign: Improper Certificate Validation in Cosign

Stop the waste.
Protect your environment with Kodem.