Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage in github.com/sigstore/fulcio
{
"url": "https://pkg.go.dev/vuln/GO-2026-5853",
"review_status": "UNREVIEWED"
}