Actively Exploited Vulnerability in Aqua Security Trivy (CVE‑2026‑33634) Threatens Container Scanning Integrity
What It Is – A critical flaw in Aqua Security’s open‑source image scanner Trivy allows an attacker to embed malicious code that can be executed during image analysis. The vulnerability stems from improper handling of external payloads, enabling code injection.
Exploitability – CISA has confirmed active exploitation in the wild and added the CVE to its Known Exploited Vulnerabilities (KEV) catalog. Public proofs of concept have been observed, and the CVSS v3.1 base score is estimated at 8.8 (High).
Affected Products – Aqua Security Trivy (all versions prior to the emergency patch released March 2026).
TPRM (Third‑Party Risk Management) Impact –
- Third‑party container pipelines that rely on Trivy for image validation may silently introduce malware into production workloads.
- Supply‑chain risk escalates for any organization that outsources container image building or uses Trivy as a security gate for SaaS offerings.
Recommended Actions –
- Prioritize patching Trivy to the version released on 2026‑03‑25 or later.
- Conduct an immediate inventory of all environments (CI/CD, dev, prod) that invoke Trivy and verify remediation status.
- Augment vulnerability management programs with continuous monitoring of the CISA KEV catalog.
- For high‑risk workloads, consider temporary mitigation (e.g., disabling Trivy scanning or switching to an alternative scanner) until patches are verified.
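One way to act on the inventory and KEV‑monitoring steps above, as an added example that is not part of the advisory: it matches a constructed inventory of Trivy deployments against a constructed sample shaped like CISA's KEV JSON feed and classifies each environment as patched, vulnerable or unknown relative to a minimum fixed version. The fixed version string is a placeholder, since the advisory gives only the patch release date.

```python
import json
import re

# Constructed sample in the shape of CISA's KEV feed (real feed URL:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-33634", "vendorProject": "Aqua Security", "product": "Trivy"},
    {"cveID": "CVE-0000-00000", "vendorProject": "Example", "product": "Other"},
]})

# Constructed inventory: environments that invoke Trivy and the version string
# recorded there (e.g. the output of `trivy --version`).
INVENTORY = [
    {"env": "ci/github-actions", "product": "Trivy", "version": "Version: 0.49.1"},
    {"env": "dev/k8s-operator", "product": "Trivy", "version": "0.61.0"},
    {"env": "prod/registry-hook", "product": "Trivy", "version": "unknown"},
]

def parse_version(text):
    """Return a comparable (major, minor, patch) tuple, or None if unparsable."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def kev_cves_for(kev_json, product):
    """CVE IDs in the KEV feed whose product field matches (case-insensitive)."""
    feed = json.loads(kev_json)
    return sorted(v["cveID"] for v in feed["vulnerabilities"]
                  if v.get("product", "").lower() == product.lower())

def remediation_report(inventory, kev_json, product, fixed_version):
    """Classify each deployment of `product` against `fixed_version`; returns an
    empty list when the product is not listed in the KEV feed at all."""
    cves = kev_cves_for(kev_json, product)
    if not cves:
        return []
    floor = parse_version(fixed_version)
    if floor is None:
        raise ValueError("fixed_version must look like MAJOR.MINOR.PATCH")
    report = []
    for item in inventory:
        if item["product"].lower() != product.lower():
            continue
        found = parse_version(item["version"])
        status = "unknown" if found is None else ("patched" if found >= floor else "vulnerable")
        report.append({"env": item["env"], "version": item["version"],
                       "status": status, "cves": cves})
    return report

if __name__ == "__main__":
    FIXED = "0.60.0"  # constructed placeholder; substitute the version released 2026-03-25
    for row in remediation_report(INVENTORY, KEV_SAMPLE, "Trivy", FIXED):
        print(row)
```

Environments reported as "unknown" still need a manual version check before the remediation status can be closed out.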
Source: CISA Advisory – CVE‑2026‑33634