VYPR

Fulcio

by Sigstore

CVEs (2)

  • CVE-2026-22772, Jan 12, 2026
    risk 0.00 cvss epss 0.00

    Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal…

  • CVE-2025-66506, Dec 4, 2025
    risk 0.00 cvss epss 0.00

    Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in…