[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-22772":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T02:55:33.997Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":23,"aliases":33,"duplicate_of":9,"upstream":36,"downstream":37,"duplicates":60,"related":61,"reserved_at":9,"published_at":73,"modified_at":74,"state":75,"summary":76,"references_raw":84,"kevs":111,"epss":112,"epss_history":115,"metrics":382,"affected":394},"CVE-2026-22772","Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through blind SSRF. 
This vulnerability is fixed in 1.8.5.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-918","Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.","weakness","Incomplete","Base",[19],{"id":20,"name":21,"techniques":22},"CAPEC-664","Server Side Request Forgery",[],[24],{"_key":25,"name":26,"source":27,"url":28,"maturity":29,"reliability_score":30,"verified":31,"type":9,"platforms":32,"requires_auth":9,"exploitdb":9,"metasploit":9},"GITHUB_SIGSTORE_FULCIO","Fulcio","github","https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr","poc",0.3,false,[],[34,35],"GHSA-59jp-pj84-45mr","GO-2026-4311",[],[38,40,42,44,46,48,50,52,54,56,58],{"_key":39},"SUSE-SU-2026:0592-1",{"_key":41},"SUSE-SU-2026:0777-1",{"_key":43},"SUSE-SU-2026:0292-1",{"_key":45},"OPENSUSE-RU-2026:20161-1",{"_key":47},"OPENSUSE-SU-2026:10068-1",{"_key":49},"OPENSUSE-SU-2026:10230-1",{"_key":51},"OPENSUSE-SU-2026:10235-1",{"_key":53},"OPENSUSE-SU-2026:20386-1",{"_key":55},"SUSE-SU-2026:20904-1",{"_key":57},"DEBIAN-CVE-2026-22772",{"_key":59},"UBUNTU-CVE-2026-22772",[],[62,63,64,65,66,67,68,69,70,71],{"_key":39},{"_key":41},{"_key":43},{"_key":45},{"_key":47},{"_key":49},{"_key":51},{"_key":53},{"_key":55},{"_key":72},"CGA-6H4P-9V6J-G26C","2026-01-12T20:58:53.659Z","2026-01-12T21:17:31.478Z","Analyzed",{"cisa_kev":31,"cisa_ransomware":31,"cisa_vendor":9,"epss_severity":77,"epss_score":78,"severity":79,"severity_score":80,"severity_version":81,"severity_source":82,"severity_vector":83,"severity_status":75},"low",0.00014,"medium",5.8,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",[85,95,102,106],{"url":28,"sources":86,"tags":89},[82,87,88],"nvd","osv_go",[90,91,92,93,94],"X Refsource 
CONFIRM","WEB","Advisory","Exploit","Vendor Advisory",{"url":96,"sources":97,"tags":98},"https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d",[82,87,88],[99,91,100,101],"X Refsource MISC","FIX","Patch",{"url":103,"sources":104,"tags":105},"https://nvd.nist.gov/vuln/detail/CVE-2026-22772",[88],[92],{"url":107,"sources":108,"tags":109},"https://github.com/sigstore/fulcio",[88],[110],"PACKAGE",[],{"date":113,"score":78,"percentile":114},"2026-06-05",0.0255,[116,120,123,126,129,132,136,139,142,145,148,151,154,157,160,163,166,169,172,175,178,181,184,187,190,193,196,199,202,205,208,211,215,218,221,224,227,231,234,237,239,241,244,247,250,252,255,257,259,261,264,267,270,274,277,280,283,286,289,292,295,298,301,304,307,310,313,316,319,322,325,328,331,334,337,340,343,346,349,352,355,358,361,364,366,368,371,374,377,380],{"date":117,"score":118,"percentile":119},"2026-01-13",0.00016,0.02844,{"date":121,"score":118,"percentile":122},"2026-01-14",0.02848,{"date":124,"score":118,"percentile":125},"2026-01-15",0.02835,{"date":127,"score":118,"percentile":128},"2026-01-16",0.02833,{"date":130,"score":118,"percentile":131},"2026-01-17",0.02834,{"date":133,"score":134,"percentile":135},"2026-01-18",0.00021,0.04813,{"date":137,"score":134,"percentile":138},"2026-01-19",0.04765,{"date":140,"score":134,"percentile":141},"2026-01-20",0.04726,{"date":143,"score":134,"percentile":144},"2026-01-21",0.04716,{"date":146,"score":134,"percentile":147},"2026-01-22",0.04699,{"date":149,"score":134,"percentile":150},"2026-01-23",0.04751,{"date":152,"score":134,"percentile":153},"2026-01-24",0.04794,{"date":155,"score":134,"percentile":156},"2026-01-25",0.04781,{"date":158,"score":134,"percentile":159},"2026-01-26",0.04759,{"date":161,"score":134,"percentile":162},"2026-01-27",0.04744,{"date":164,"score":134,"percentile":165},"2026-01-28",0.04727,{"date":167,"score":134,"percentile":168},"2026-01-29",0.04745,{"date":170,"score":134,"percentile":171},"2026-01-30",0.0475,
{"date":173,"score":134,"percentile":174},"2026-01-31",0.04733,{"date":176,"score":134,"percentile":177},"2026-02-01",0.04837,{"date":179,"score":134,"percentile":180},"2026-02-02",0.04822,{"date":182,"score":134,"percentile":183},"2026-02-03",0.04814,{"date":185,"score":134,"percentile":186},"2026-02-04",0.04816,{"date":188,"score":134,"percentile":189},"2026-02-05",0.0487,{"date":191,"score":134,"percentile":192},"2026-02-06",0.04858,{"date":194,"score":134,"percentile":195},"2026-02-07",0.04877,{"date":197,"score":134,"percentile":198},"2026-02-08",0.04866,{"date":200,"score":134,"percentile":201},"2026-02-09",0.04843,{"date":203,"score":134,"percentile":204},"2026-02-10",0.0484,{"date":206,"score":134,"percentile":207},"2026-02-11",0.04929,{"date":209,"score":134,"percentile":210},"2026-02-12",0.04986,{"date":212,"score":213,"percentile":214},"2026-02-13",0.00023,0.05607,{"date":216,"score":213,"percentile":217},"2026-02-14",0.05599,{"date":219,"score":213,"percentile":220},"2026-02-15",0.05613,{"date":222,"score":213,"percentile":223},"2026-02-16",0.05606,{"date":225,"score":213,"percentile":226},"2026-02-17",0.05581,{"date":228,"score":229,"percentile":230},"2026-02-18",0.00009,0.00796,{"date":232,"score":229,"percentile":233},"2026-02-19",0.00801,{"date":235,"score":229,"percentile":236},"2026-02-20",0.00803,{"date":238,"score":229,"percentile":233},"2026-02-21",{"date":240,"score":229,"percentile":233},"2026-02-22",{"date":242,"score":229,"percentile":243},"2026-02-23",0.00792,{"date":245,"score":229,"percentile":246},"2026-02-24",0.00785,{"date":248,"score":229,"percentile":249},"2026-02-25",0.00787,{"date":251,"score":229,"percentile":249},"2026-02-26",{"date":253,"score":229,"percentile":254},"2026-02-27",0.00793,{"date":256,"score":229,"percentile":230},"2026-02-28",{"date":258,"score":229,"percentile":230},"2026-03-01",{"date":260,"score":229,"percentile":254},"2026-03-02",{"date":262,"score":229,"percentile":263},"2026-03-03",0.0081,{"date":265,"score"
:229,"percentile":266},"2026-03-04",0.00808,{"date":268,"score":229,"percentile":269},"2026-03-05",0.00817,{"date":271,"score":272,"percentile":273},"2026-03-06",0.00012,0.01632,{"date":275,"score":272,"percentile":276},"2026-03-07",0.01629,{"date":278,"score":272,"percentile":279},"2026-03-08",0.01626,{"date":281,"score":272,"percentile":282},"2026-03-09",0.01617,{"date":284,"score":272,"percentile":285},"2026-03-10",0.01612,{"date":287,"score":272,"percentile":288},"2026-03-11",0.01571,{"date":290,"score":272,"percentile":291},"2026-03-12",0.0158,{"date":293,"score":272,"percentile":294},"2026-03-13",0.01572,{"date":296,"score":272,"percentile":297},"2026-03-14",0.01534,{"date":299,"score":272,"percentile":300},"2026-03-15",0.01524,{"date":302,"score":272,"percentile":303},"2026-03-16",0.01516,{"date":305,"score":272,"percentile":306},"2026-03-17",0.01487,{"date":308,"score":272,"percentile":309},"2026-03-18",0.01484,{"date":311,"score":272,"percentile":312},"2026-03-19",0.01478,{"date":314,"score":272,"percentile":315},"2026-03-20",0.01479,{"date":317,"score":272,"percentile":318},"2026-03-21",0.0178,{"date":320,"score":272,"percentile":321},"2026-03-22",0.01778,{"date":323,"score":272,"percentile":324},"2026-03-23",0.01777,{"date":326,"score":272,"percentile":327},"2026-03-24",0.01768,{"date":329,"score":272,"percentile":330},"2026-03-25",0.01763,{"date":332,"score":272,"percentile":333},"2026-03-26",0.01771,{"date":335,"score":272,"percentile":336},"2026-03-27",0.01772,{"date":338,"score":272,"percentile":339},"2026-03-28",0.0177,{"date":341,"score":272,"percentile":342},"2026-03-29",0.01764,{"date":344,"score":272,"percentile":345},"2026-03-30",0.01762,{"date":347,"score":272,"percentile":348},"2026-03-31",0.01745,{"date":350,"score":272,"percentile":351},"2026-04-01",0.01742,{"date":353,"score":272,"percentile":354},"2026-04-02",0.01786,{"date":356,"score":272,"percentile":357},"2026-04-03",0.01798,{"date":359,"score":272,"percentile":360},"2026-04-04",0.0179
7,{"date":362,"score":272,"percentile":363},"2026-04-05",0.01796,{"date":365,"score":272,"percentile":360},"2026-04-06",{"date":367,"score":272,"percentile":360},"2026-04-07",{"date":369,"score":272,"percentile":370},"2026-04-08",0.018,{"date":372,"score":272,"percentile":373},"2026-04-09",0.01814,{"date":375,"score":272,"percentile":376},"2026-04-10",0.0181,{"date":378,"score":272,"percentile":379},"2026-04-11",0.01807,{"date":381,"score":272,"percentile":360},"2026-04-12",[383,388,392],{"source":82,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":384,"cvss_v4_0":9},{"baseScore":80,"baseSeverity":385,"vectorString":83,"impactScore":386,"exploitabilityScore":387},"MEDIUM",2.3,10,{"source":87,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":389,"cvss_v4_0":9},{"baseScore":390,"baseSeverity":385,"vectorString":391,"impactScore":386,"exploitabilityScore":387},5.3,"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",{"source":88,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":393,"cvss_v4_0":9},{"baseScore":80,"baseSeverity":9,"vectorString":83,"impactScore":386,"exploitabilityScore":387},[395,408,415],{"ecosystem":396,"name":397,"vendor":398,"product":399,"cpe_part":9,"purl_type":400,"purl_namespace":398,"purl_name":399,"source":9,"versions":401},"Go","github.com/sigstore/fulcio","github.com/sigstore","fulcio","golang",[402],{"version":403,"is_range":404,"range_type":405,"version_start":9,"version_start_type":9,"version_end":406,"version_end_type":407,"fixed_in":9},"lt1_8_5",true,"semver","1.8.5","excluding",{"ecosystem":9,"name":399,"vendor":409,"product":399,"cpe_part":410,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":411},"linuxfoundation","a",[412],{"version":413,"is_range":404,"range_type":414,"version_start":9,"version_start_type":9,"version_end":406,"version_end_type":407,"fixed_in":9},"lt1.8.5","cpe",{"ecosystem":9,"name":399,"vendor":416,"product":399,"cpe_part":410,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":417},"sigstore",[418],{"version":41
9,"is_range":404,"range_type":82,"version_start":9,"version_start_type":9,"version_end":406,"version_end_type":407,"fixed_in":9},"\u003C 1.8.5"]