{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T07:01:50.491","vulnerabilities":[{"cve":{"id":"CVE-2026-24408","sourceIdentifier":"security-advisories@github.com","published":"2026-01-26T23:16:08.973","lastModified":"2026-03-02T21:19:25.777","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique \"state\" and sends it as a parameter in the authentication request but the \"state\" in the server response seems not to be cross-checked with this value. Version 4.2.0 contains a patch for the issue."},{"lang":"es","value":"sigstore-python es una herramienta de Python para generar y verificar firmas de Sigstore. Antes de la versión 4.2.0, el flujo de autenticación OAuth de sigstore-python es susceptible a la falsificación de petición en sitios cruzados. `_OAuthSession` crea un 'estado' único y lo envía como parámetro en la petición de autenticación, pero el 'estado' en la respuesta del servidor parece no ser verificado con este valor. La versión 4.2.0 contiene un parche para el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N","baseScore":0.0,"baseSeverity":"NONE","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":0.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.6,"impactScore":3.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-352"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:linuxfoundation:sigstore-python:*:*:*:*:*:*:*:*","versionEndExcluding":"4.2.0","matchCriteriaId":"7DA3586E-04FD-4D7E-85C8-BAE152F3C9D8"}]}]}],"references":[{"url":"https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}