github.com/sigstore/cosign/v3 (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/sigstore/cosign/v3, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (3)
CVE-2026-22703 — CVSS 5.5 (medium): Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted…
CVE-2026-39395 — CVSS 4.3 (medium): Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may…
CVE-2026-24122 — CVSS 3.7 (low): Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a…