CVE-2026-33634 - Aquasecurity Trivy Embedded Malicious Code Vulnerability

Project: Aquasecurity

Product: Trivy

Date Added: 2026-03-26

Due Date: 2026-04-09

Vulnerability Name

Aquasecurity Trivy Embedded Malicious Code Vulnerability

Description

Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.

Known to Be Used in Ransomware Campaigns?

Unknown

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes

This vulnerability involves a supply‑chain compromise in a product that may be used across multiple products and environments. Additional vendor‑provided guidance must be followed to ensure full remediation. For more information, please see: https://github.com/advisories/GHSA-69fq-xp46-6x23

https://nvd.nist.gov/vuln/detail/CVE-2026-33634

Related News Articles

OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident (April 13, 2026)

CISA sounds alarm on Langflow RCE, Trivy supply chain compromise after rapid exploitation (March 27, 2026)