CVE-2026-33634 · HIGH 8.8 · CISA KEV · EPSS p99.0%

CVE-2026-33634: Aquasecurity Trivy Embedded Malicious Code Vulnerability

Aquasecurity / Trivy

Description

Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 60.37% probability of exploitation · percentile 99.0% · 2026-06-18T12:00:27Z
Published: 2026-03-23
Last modified: 2026-03-30

CISA KEV entry

Added to KEV: 2026-03-26

Underlying weaknesses · 1

CWE-506 (Embedded Malicious Code)

References

  1. https://docs.litellm.ai/blog/security-update-march-2026
  2. https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack
  3. https://github.com/BerriAI/litellm/issues/24518
  4. https://github.com/aquasecurity/trivy/discussions/10425
  5. https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
  6. https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml
  7. https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc
  8. https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130

Relations (outgoing) · 1

Type: Weakness · Target: Embedded Malicious Code (cwe-506) · Confidence: 0% · Tier: live

Relations (incoming) · 1

Type: KEV entry · Target: Aquasecurity Trivy Embedded Malicious Code Vulnerability (kev-cve-2026-33634) · Confidence: 0% · Tier: live

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.