CVE-2026-33634

CWE-506 | 4 documents | 4 sources
CVSS 9.4 (CRITICAL)
EPSS 21.2% (96th percentile)
CISA KEV: listed
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages (5 packages)

- aquasec/setup-trivy: < 0.2.6 (source: NVD)
- aquasec/trivy_action: < 0.35.0 (source: NVD)
- aquasec/trivy: 0.69.4 (source: NVD)
- telnyx/telnyx: 4.87.1, 4.87.2 (+1 more) (source: NVD)
- litellm/litellm: 1.82.7, 1.82.8 (+1 more) (source: NVD)
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomi...

🔴 Vulnerability Details (2)

- CVEList: Trivy ecosystem supply chain briefly compromised (2026-03-23)
- VulnCheck: Aquasecurity Trivy Embedded Malicious Code Vulnerability (2026)

📋 Vendor Advisories (1)

- CISA: Aquasecurity Trivy Embedded Malicious Code Vulnerability (2026-03-26)