sigstore legacy TUF client allows arbitrary file writes via path traversal in the target cache in github.com/sigstore/sigstore
{ "url": "https://pkg.go.dev/vuln/GO-2026-4358", "review_status": "UNREVIEWED" }
{ "imports": [ { "path": "github.com/sigstore/sigstore/pkg/tuf", "symbols": [ "GetRootStatus", "Initialize", "NewFromEnv", "NewSigstoreTufRepo", "TUF.GetTarget", "TUF.GetTargetsByMeta", "diskCache.Get", "diskCache.Set" ] } ] }
"https://vuln.go.dev/ID/GO-2026-4358.json"