Serial number: AV26-283
Date: March 26, 2026
Updated: March 26, 2026
On March 22, 2026, Aqua Security published a security advisory to address a critical vulnerability in the following products:
- trivy – version v0.69.4
- trivy dockerhub images – versions v0.69.5 and v0.69.6
- setup-trivy – versions prior to v0.2.6
- trivy-action – versions prior to v0.35.0
Open-source reporting indicates that CVE-2026-33634 has been exploited.
Update 1
On 26 March 2026, Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026‑33634 to their Known Exploited Vulnerabilities (KEV) Database.
The Cyber Centre encourages users and administrators to review the provided web links, perform the suggested mitigations and apply the necessary updates.