
CVE-2026-33634: Critical Vulnerability in Aquasecurity Trivy

Sunday, March 29, 2026
Global
CISA KEV

Summary

Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.

Threat Analysis

**Vulnerability ID:** CVE-2026-33634

**CVSS Score:** 9.0 (CRITICAL)

**⚠️ ACTIVELY EXPLOITED** - Added to CISA KEV Catalog

**Required Action:** Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

**Due Date:** 2026-04-09

**Description:** Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.

**Affected Products:** Aquasecurity Trivy

**Recommended Actions:**

- **URGENT:** Apply vendor patches immediately
- Isolate affected systems if patches are unavailable
- Monitor for indicators of compromise

Last updated: Mar 29, 2026, 08:17 AM
