Product
A high-severity vulnerability (CVE-2026-48815) in the `npm/sigstore` library (versions <= 4.1.0) causes the `certificateOIDs` verification constraint to be silently ignored, allowing applications to accept unauthorized certificates that should have been rejected based on extension policy, which could lead to supply chain attacks by trusting malicious artifacts.