github.com/sigstore/cosign/v2 (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/sigstore/cosign/v2, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (6)
CVE-2026-22703 — CVSS 5.5 (medium): Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted…
CVE-2026-39395 — CVSS 4.3 (medium): Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may…
CVE-2024-29902 — CVSS 4.2 (medium): Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious…
CVE-2024-29903 — CVSS 4.2 (medium): Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts…
CVE-2026-24122 — CVSS 3.7 (low): Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a…
CVE-2023-46737 — CVSS 3.1 (low): Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An…