Browse all 27 CVE security advisories affecting sigstore. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Sigstore is an open-source infrastructure project designed to provide transparent, secure artifact signing and verification, primarily serving the software supply chain by enabling developers to sign code and verify provenance without managing complex key infrastructure. Despite its utility, the project has recorded 27 Common Vulnerabilities and Exposures (CVEs), reflecting a history of security challenges typical for complex cryptographic systems. These vulnerabilities have predominantly included remote code execution, privilege escalation, and improper access control issues, often stemming from implementation flaws in its signing or verification components. While no single catastrophic breach has defined its public history, the cumulative nature of these CVEs highlights the inherent risks in maintaining critical security tooling. The project continues to address these issues through rigorous auditing and community-driven patches, aiming to maintain trust in its cryptographic guarantees for modern software distribution pipelines.
| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-24117 | Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL | rekor | CWE-918 | 5.3 | Medium | 2026-01-22 |
| CVE-2026-23831 | Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message | rekor | CWE-476 | 5.3 | Medium | 2026-01-22 |
| CVE-2023-33199 | malformed proposed intoto v0.0.2 entries can cause a panic in Rekor | rekor | CWE-617 | 5.3 | Medium | 2023-05-26 |
| CVE-2023-30551 | Rekor's compressed archives can result in OOM conditions | rekor | CWE-770 | 7.5 | High | 2023-05-08 |
This page lists every published CVE security advisory associated with sigstore. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.