Browse 27+ CVE vulnerabilities from NVD and CNNVD, with AI Chinese translation, AI POC generation and daily intelligence; searchable by vendor, product, severity level and CWE.
| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2026-39984 | Sigstore Timestamp Authority has Improper Certificate Validation in verifier | sigstore | timestamp-authority | Medium | 5.5 | 2026-04-14 23:41:48 |
| CVE-2026-39395 | Cosign's verify-blob-attestation reports false positive when payload parsing fails | sigstore | cosign | Medium | 4.3 | 2026-04-07 20:06:29 |
| CVE-2026-31830 | sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest | sigstore | sigstore-ruby | High | 7.5 | 2026-03-10 21:46:03 |
| CVE-2026-24122 | Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked | sigstore | cosign | Low | 3.7 | 2026-02-19 22:27:09 |
| CVE-2026-24408 | sigstore has CSRF possibility in OIDC authentication during signing | sigstore | sigstore-python | None | 0.0 | 2026-01-26 22:21:35 |
| CVE-2026-24137 | sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal | sigstore | sigstore | Medium | 5.8 | 2026-01-23 00:04:19 |
| CVE-2026-24117 | Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL | sigstore | rekor | Medium | 5.3 | 2026-01-22 22:05:08 |
| CVE-2026-23831 | Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message | sigstore | rekor | Medium | 5.3 | 2026-01-22 21:26:22 |
| CVE-2026-22772 | Fulcio vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass | sigstore | fulcio | Medium | 5.8 | 2026-01-12 20:58:54 |
| CVE-2026-22703 | Cosign verification accepts any valid Rekor entry under certain conditions | sigstore | cosign | Medium | 5.5 | 2026-01-10 06:11:09 |
| CVE-2025-66564 | Sigstore Timestamp Authority allocates excessive memory during request parsing | sigstore | timestamp-authority | High | 7.5 | 2025-12-04 22:37:13 |
| CVE-2025-66506 | Fulcio allocates excessive memory during token parsing | sigstore | fulcio | High | 7.5 | 2025-12-04 22:04:42 |
| CVE-2024-55655 | sigstore-python has insufficient validation of integration timestamp during verification | sigstore | sigstore-python | Medium | - | 2024-12-10 23:06:42 |
| CVE-2024-54140 | sigstore-java has a vulnerability with bundle verification | sigstore | sigstore-java | Medium | - | 2024-12-05 22:08:37 |
| CVE-2024-53267 | Vulnerability with bundle verification in sigstore-java | sigstore | sigstore-java | Medium | 5.5 | 2024-11-26 18:41:29 |
| CVE-2024-51746 | Use of incorrect Rekor entries during verification in gitsign | sigstore | gitsign | Low | - | 2024-11-05 18:54:39 |
| CVE-2024-45395 | Unbounded loop over untrusted input can lead to endless data attack | sigstore | sigstore-go | Low | 3.1 | 2024-09-04 20:15:09 |
| CVE-2024-29903 | Cosign vulnerable to machine-wide denial of service via malicious artifacts | sigstore | cosign | Medium | 4.2 | 2024-04-10 22:30:51 |
| CVE-2024-29902 | Cosign vulnerable to system-wide denial of service via malicious attachments | sigstore | cosign | Medium | 4.2 | 2024-04-10 22:28:20 |
| CVE-2023-47122 | Gitsign's Rekor public keys fetched from upstream API instead of local TUF client | sigstore | gitsign | Medium | 4.2 | 2023-11-10 21:33:55 |