VDB

CVE-2026-33634

CVE-2026-33634 PUBLISHED KEV

On March 22, 2026, Aqua Security published a security advisory to address a critical vulnerability in the following products: trivy – version v0.69.4 trivy dockerhub images – versions v0.69.5 and v0.69.6 setup-trivy – versions prior to v0.2.6 trivy-action – versions prior to v0.35.0 Open-source reporting indicates that CVE-2026-33634 has been exploited. Update 1 On 26 March 2026, Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026‑33634 to their Known Exploited Vulnerabilities (KEV) Database. The Cyber Centre encourages users and administrators to review the provided web links, perform the suggested mitigations and apply the necessary updates.

EPSS 23.90% · 96.1th percentile

Risk Scores

EPSS Score
23.90%
96.1th percentile

Affected Products

VendorProductVersions
trivytrivy dockerhub images – versions v0.69.5 and v0.69.6
trivytrivy – version v0.69.4
setup-trivysetup-trivy – versions prior to v0.2.6
trivy-actiontrivy-action – versions prior to v0.35.0

Exploit Intelligence

…and 225 more exploits

Timeline

  • Mar 21, 2026 CVE Published
  • Mar 23, 2026 PoC Published
  • Mar 24, 2026 EPSS Score
  • Mar 24, 2026 PoC Published
  • Mar 24, 2026 PoC Published
  • Mar 24, 2026 PoC Published
  • Mar 25, 2026 EPSS Score
  • Mar 25, 2026 Coalition ESS Score
  • Mar 25, 2026 PoC Published
  • Mar 25, 2026 PoC Published
  • Mar 25, 2026 PoC Published
  • Mar 26, 2026 CISA KEV Added

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›