Cosign's verify-blob-attestation reports false positive when payload parsing fails in github.com/sigstore/cosign
{ "url": "https://pkg.go.dev/vuln/GO-2026-5694", "review_status": "UNREVIEWED" }
"https://vuln.go.dev/ID/GO-2026-5694.json"