Sigstore Cosign
9 CVEs affecting Sigstore Cosign. Latest disclosed: 2026-04-07. Critical: 0, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-35929 | High | 7.1 | 2022-08-04 | cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verif… |
| CVE-2026-22703 | Medium | 5.5 | 2026-01-10 | Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully veri… |
| CVE-2022-36056 | Medium | 5.5 | 2022-09-14 | Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabili… |
| CVE-2026-39395 | Medium | 4.3 | 2026-04-07 | Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "V… |
| CVE-2024-29903 | Medium | 4.2 | 2024-04-10 | Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of s… |
| CVE-2024-29902 | Medium | 4.2 | 2024-04-10 | Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial… |
| CVE-2026-24122 | Low | 3.7 | 2026-02-19 | Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires bef… |
| CVE-2022-23649 | Low | 3.3 | 2022-02-18 | Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to… |
| CVE-2023-46737 | Low | 3.1 | 2023-11-07 | Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls… |