CVSS v3.1 Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Prediction
Documented as more likely to be exploited than 95.6% of known CVEs.
Mar 26, 2026
Apr 09, 2026
Threat Analysis
Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.
Remediation Directive
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
External Intelligence
This vulnerability involves a supply‑chain compromise in a product that may be used across multiple products and environments. Additional vendor‑provided guidance must be followed to ensure full remediation. For more information, please see:
https://github.com/advisories/GHSA-69fq-xp46-6x23
National Vulnerability Database
https://nvd.nist.gov/vuln/detail/CVE-2026-33634