pkg:Go/github.com/sigstore/cosign

16 total CVEs: HIGH 2, MEDIUM 8, LOW 6

All known vulnerabilities

  • HIGH 7.1 CVE-2022-35929: False positive signature verification in cosign
    from 0, < 1.10.1
  • HIGH 7.1 CVE-2022-35929: False positive signature verification in cosign
    from 0, < 1.10.1
  • MEDIUM 5.5 CVE-2026-22703: Cosign verification accepts any valid Rekor entry under certain conditions
    from 0
  • MEDIUM 5.5 CVE-2022-36056: Vulnerabilities with blob verification in sigstore cosign
    from 0, < 1.12.0
  • MEDIUM 5.5 CVE-2022-36056: Vulnerabilities with blob verification in sigstore cosign
    from 0, < 1.12.0
  • MEDIUM 4.3 CVE-2026-39395: Cosign's verify-blob-attestation reports false positive when payload parsing fails
    >= 3.0.0, < 3.0.6
  • MEDIUM 4.2 CVE-2024-29903: Cosign malicious artifacts can cause machine-wide DoS
    from 0, <= 2.2.3
  • MEDIUM 4.2 CVE-2024-29903: Cosign malicious artifacts can cause machine-wide DoS
    from 0
  • MEDIUM 4.2 CVE-2024-29902: Cosign malicious attachments can cause system-wide denial of service
    from 0, <= 2.2.3
  • MEDIUM 4.2 CVE-2024-29902: Cosign malicious attachments can cause system-wide denial of service
    from 0
  • LOW 3.7 CVE-2026-24122: Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked
    from 0
  • LOW 3.7 CVE-2026-24122: Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked
    from 0, < 3.0.5
  • LOW 3.3 CVE-2022-23649: Improper Certificate Validation in Cosign
    from 0, < 1.5.2
  • LOW 3.3 CVE-2022-23649: Improper Certificate Validation in Cosign
    from 0, < 1.5.2
  • LOW 3.1 CVE-2023-46737: Cosign vulnerable to possible endless data attack from attacker-controlled registry
    from 0
  • LOW 3.1 CVE-2023-46737: Cosign vulnerable to possible endless data attack from attacker-controlled registry
    from 0, < 1.13.2