๐ฅ This vulnerability is being actively exploited in the wild (CISA Known Exploited Vulnerabilities catalog)
CVE-2026-33634: Aquasecurity Trivy Embedded Malicious Code Vulnerability
Summary
Aquasecurity Trivy, a container scanning tool, has embedded malicious code that could let attackers steal sensitive information from CI/CD environments (the automated systems that build and deploy software), including security tokens, SSH keys (authentication credentials for servers), cloud login information, database passwords, and other secrets stored in memory. This is a supply-chain compromise (malicious code inserted into a software product before distribution) and is currently being exploited by real attackers.
Solution / Mitigation
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Additional vendor-provided guidance must be followed to ensure full remediation. See GitHub advisory GHSA-69fq-xp46-6x23 and NVD entry CVE-2026-33634 for more information.
Vulnerability Details
EPSS: 0.1%
Yes
๐ฅ Actively Exploited
March 25, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-33634
First tracked: March 26, 2026 at 02:00 PM
Classified by LLM (prompt v3) ยท confidence: 75%