securityaffairs.com · 3/27/2026, 11:02:15 AM

U.S. CISA adds an Aquasecurity Trivy flaw to its Known Exploited Vulnerabilities catalog

CyberSIXT Evidence Panel
Primary source: cisa.gov
CISA KEV: listed in catalog
Patch: available

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Aquasecurity Trivy flaw, tracked as CVE-2026-33017 and CVE-2026-33634 (CVSS score 9.3), to its Known Exploited Vulnerabilities (KEV) catalog. According to CISA, the flaw stems from a supply chain attack that began in late February 2026: on March 19, 2026, attackers used compromised credentials to publish a malicious Trivy release (v0.69.4) and to tamper with related GitHub Actions.

Several components were affected, including Trivy binaries, container images, and GitHub Actions. Safe versions have since been identified, but any system that ran one of the compromised versions should be treated as exposed, not merely out of date.

CISA ordered federal agencies to remediate the vulnerability by April 9, 2026. It also recommends that private organisations review the catalog, remove the affected artifacts, rotate all secrets, review logs for suspicious activity (especially around March 19–20, 2026), and pin GitHub Actions to immutable commit hashes rather than to version tags or branches, which the controller of a repository can move at will.
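The pinning advice above is the one remediation that can be checked mechanically. The script below is an added example for this article, not code from Aqua Security, Trivy or CISA: it scans a GitHub Actions workflow for `uses:` references that point at a tag or branch instead of a full commit SHA, and rewrites a line to the pinned form while keeping the original tag as a comment. The sample workflow and the 40-character SHA in it are constructed for illustration, and `aquasecurity/trivy-action` appears only as an illustrative action name; the page does not say which actions were tampered with.

```python
"""Audit GitHub Actions workflow files for `uses:` references that are not
pinned to an immutable commit SHA, and rewrite a line to a pinned form.

Added example for this article; it is not code from Aqua Security, Trivy or
CISA. The sample workflow and the 40-hex SHA in it are constructed, and
`aquasecurity/trivy-action` is used only as an illustrative action name.
"""
import re
from dataclasses import dataclass

# Captures: (1) indentation plus `uses:`, (2) owner/repo[/subpath], (3) the ref.
# Local actions (./path) and docker:// references do not have this shape and
# are ignored; only remote repository references can be pinned to a commit.
USES_RE = re.compile(r'^(\s*-?\s*uses:\s*)([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)')
# A full 40-character lowercase hex commit SHA is the only immutable ref form;
# an abbreviated SHA, a tag or a branch can all be repointed by the repo owner.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class UsesRef:
    line_no: int
    action: str   # owner/repo[/subpath]
    ref: str      # tag, branch or commit SHA exactly as written in the workflow
    pinned: bool  # True only when ref is a full commit SHA


def audit_workflow(text: str) -> list[UsesRef]:
    """Return every remote `uses:` reference in a workflow with its pin status."""
    refs = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            refs.append(UsesRef(n, m.group(2), m.group(3), bool(SHA_RE.match(m.group(3)))))
    return refs


def unpinned(refs: list[UsesRef]) -> list[UsesRef]:
    """Tags and branches can be moved by whoever holds the repository's
    credentials, which is exactly what a compromised-credential attack
    exploits, so every mutable reference is reported."""
    return [r for r in refs if not r.pinned]


def pin_line(line: str, sha: str) -> str:
    """Rewrite `uses: owner/repo@<tag>` to `uses: owner/repo@<sha> # <tag>`.

    The SHA must be resolved out of band (for example with `git ls-remote`
    against the action repository after verifying the tag); this function does
    no network access. The original tag is kept as a trailing comment so that
    reviewers and dependency-update tooling can still see what the SHA stands for.
    """
    m = USES_RE.match(line)
    if not m:
        raise ValueError(f"not a remote uses: reference: {line!r}")
    if not SHA_RE.match(sha):
        raise ValueError(f"not a full 40-hex commit SHA: {sha!r}")
    return f"{m.group(1)}{m.group(2)}@{sha} # {m.group(3)}"


# Constructed sample workflow. The SHA on the last step is a placeholder and
# is not a real commit of actions/setup-go.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # placeholder
"""

if __name__ == "__main__":
    for r in unpinned(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {r.line_no}: {r.action}@{r.ref} is not pinned to a commit SHA")
```

Run against the constructed workflow, the checkout step (`@v4`) and the Trivy step (`@master`) are flagged while the SHA-pinned setup-go step passes. Pinning is only half the control: the SHA you pin must itself be taken from a release you have verified, and after an incident like this one the existing pins should be compared against the maintainer's list of safe versions rather than trusted because they are immutable.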


Article by CyberSIXT