github.com/sigstore/cosign (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/sigstore/cosign, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (9)
CVE-2022-35929 — CVSS 7.1 (high): cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation…
CVE-2026-22703 — CVSS 5.5 (medium): Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted…
CVE-2022-36056 — CVSS 5.5 (medium): Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a…
CVE-2026-39395 — CVSS 4.3 (medium): Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may…
CVE-2024-29902 — CVSS 4.2 (medium): Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious…
CVE-2024-29903 — CVSS 4.2 (medium): Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts…
CVE-2026-24122 — CVSS 3.7 (low): Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a…
CVE-2022-23649 — CVSS 3.3 (low): Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign…
CVE-2023-46737 — CVSS 3.1 (low): Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An…