Distribution's token authentication allows attacker to inject an untrusted signing key in a JWT in github.com/distribution/distribution
{ "review_status": "UNREVIEWED", "url": "https://pkg.go.dev/vuln/GO-2025-3460" }