← ExploitWatch
HomeExploited Vulnerabilities

CVE-2026-33634 — Actively Exploited: Trivy (Aquasecurity)

Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.

CVE IDCVE-2026-33634
VendorAquasecurity
ProductTrivy
Vulnerability nameAquasecurity Trivy Embedded Malicious Code Vulnerability
Date added2026-03-26
Remediation due2026-04-09
Known ransomware useUnknown
Required actionApply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
DescriptionAquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.
SourceCISA Known Exploited Vulnerabilities

🔍 Search all exploited vulnerabilities →