PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33634 Aquasecurity CVE debrief

CVE-2026-33634 is a CISA Known Exploited Vulnerability affecting Aqua Security Trivy. The available official records describe it as an embedded malicious code vulnerability and note that it may represent a supply-chain compromise that can affect multiple products and environments. Because CISA added it to the KEV catalog, defenders should treat it as an active risk requiring prompt mitigation based on vendor guidance. If mitigations are not available, CISA advises discontinuing use of the product.

Vendor: Aquasecurity
Product: Trivy
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2026-03-26
Original CVE updated: 2026-03-26
Advisory published: 2026-03-26
Advisory updated: 2026-03-26

Who should care

Security teams running Aqua Security Trivy directly, teams consuming Trivy as part of software supply-chain or CI/CD workflows, cloud service operators, and incident response teams responsible for endpoint, build, or artifact scanning infrastructure.

Technical summary

The official source material is limited, but it identifies the issue as an embedded malicious code vulnerability in Aqua Security Trivy. CISA’s KEV entry adds that the problem may involve a supply-chain compromise of a component used across multiple products and environments, which broadens the potential blast radius beyond a single deployment. No CVSS score is provided in the supplied records, so prioritization should rely on KEV status, vendor remediation guidance, and local exposure.

Defensive priority

High. CISA KEV inclusion indicates confirmed exploitation risk and an urgent need to remediate. The same-day KEV date and CVE publication date suggest defenders should act immediately on vendor guidance and verify whether any downstream systems depend on Trivy.

Recommended defensive actions

  • Review Aqua Security’s vendor guidance for CVE-2026-33634 and apply the recommended mitigations without delay.
  • If mitigations are unavailable or incomplete, discontinue use of the affected Trivy version or deployment as CISA advises.
  • Inventory where Trivy is used directly and where it is embedded in other products, pipelines, or managed services to understand downstream exposure.
  • For cloud services, follow applicable BOD 22-01 guidance referenced by CISA KEV.
  • Validate remediation by checking that affected deployments have been updated, replaced, or removed and that dependent systems are no longer using the vulnerable component.
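One way to carry out the inventory and validation steps above, as an added example that is not part of the PatchSiren debrief or of Aqua Security's own tooling. It assumes (the page does not say) that Trivy enters an environment through the aquasecurity/trivy-action GitHub Action, the ghcr.io/aquasecurity/trivy container image, or a binary on PATH, and that the versions to compare against come from the vendor guidance; the sample tree it builds is constructed and uses placeholder pins only.

```shell
#!/bin/sh
# Added example, not from the PatchSiren debrief or Aqua Security.
# Inventories where Trivy enters a source tree (CI workflows, Dockerfiles,
# scripts) and whether a trivy binary is on PATH, so each pin can be checked
# against the vendor guidance for CVE-2026-33634. Assumes (not stated on the
# page) the common entry points: the aquasecurity/trivy-action GitHub Action,
# the ghcr.io/aquasecurity/trivy image, and a locally installed binary.

# trivy_refs DIR -> "file:line:text" for every Trivy mention in build/CI files
trivy_refs() {
    find "$1" -type f \( -name '*.yml' -o -name '*.yaml' -o -name 'Dockerfile*' \
        -o -name '*.sh' -o -name 'Makefile' \) \
        -exec grep -n -i 'trivy' /dev/null {} + 2>/dev/null || true
}

# trivy_pins DIR -> distinct refs/tags pinned after '@' or ':' (action ref,
# image tag); unpinned CLI invocations produce no line here
trivy_pins() {
    trivy_refs "$1" | sed -n 's/.*trivy[-a-z]*[@:]\([^ "]*\).*/\1/p' | sort -u
}

# trivy_host -> "PATH VERSION" for a trivy binary on PATH, or "none"
# (assumes `trivy --version` prints the version on its first line)
trivy_host() {
    if command -v trivy >/dev/null 2>&1; then
        printf '%s %s\n' "$(command -v trivy)" \
            "$(trivy --version 2>/dev/null | head -n 1)"
    else
        echo none
    fi
}

# demo_tree -> builds a constructed sample tree (placeholder pins only) and
# prints its path; it is not a real project
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/.github/workflows"
    printf 'steps:\n  - uses: aquasecurity/trivy-action@example-ref\n' \
        > "$d/.github/workflows/scan.yml"
    printf 'FROM ghcr.io/aquasecurity/trivy:0.0.0-example\n' > "$d/Dockerfile"
    printf 'echo build\n' > "$d/build.sh"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(demo_tree)
    echo "References:"; trivy_refs "$t"
    echo "Pinned refs/tags to compare with vendor guidance:"; trivy_pins "$t"
    echo "Host binary:"; trivy_host
    rm -rf "$t"
fi
```

Run with `--demo` against the constructed tree, or call `trivy_refs` and `trivy_pins` on a real checkout; every pin that is not on the vendor's fixed list, and every unpinned invocation, is a deployment to update, replace, or remove.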

Evidence notes

Supported by official records only: CISA KEV lists CVE-2026-33634 with product/vendor Aqua Security Trivy, date added 2026-03-26, due date 2026-04-09, and required action to apply vendor mitigations or discontinue use if mitigations are unavailable. The KEV note describes a supply-chain compromise risk that may affect multiple products and environments. The CVE record and NVD detail links are included as official references, but no additional technical specifics or CVSS score were provided in the supplied corpus.

Official resources

CVE published: 2026-03-26T00:00:00.000Z. CVE modified: 2026-03-26T00:00:00.000Z. CISA KEV date added: 2026-03-26; due date: 2026-04-09. This debrief uses only the supplied official records and timeline fields.