The Known Exploited Vulnerabilities Catalog lists CVE-2026-33634 as an Aquasecurity Trivy embedded malicious code vulnerability, capable of granting an attacker access to everything in the CI/CD environment, including tokens, SSH keys, cloud credentials, and sensitive in-memory configuration. It notes a supply-chain compromise in a product used across multiple environments, with additional vendor guidance required to complete remediation.
The entry records a Date Added of 26 March 2026 and a Due Date of 9 April 2026, and flags the vulnerability as Unknown regarding whether it has been used in ransomware campaigns.
The related CWE is CWE-506, and the recommended action states: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. According to CISA, this KEV item emphasises prioritising vulnerability management and vendor guidance to ensure full remediation.