
Aqua Security Trivy Critical Vulnerability (CVSS 9.9)

Source: CERT-Bund Security Advisories (wid.cert-bund.de)

Summary

CERT-Bund issued a critical security advisory (WID-SEC-2026-0898) for a vulnerability in Aqua Security Trivy, an open-source vulnerability scanner for container images, filesystems, and Git repositories. The vulnerability carries a CVSS Base Score of 9.9 (critical) and allows remote attackers to completely compromise affected systems. Multiple product versions are affected including Trivy 0.69.4, setup-trivy <0.2.6, trivy-action <0.35.0, and Container Images 0.69.5 and 0.69.6. Mitigation measures are available.

Published by CERT-Bund on wid.cert-bund.de. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

What changed

CERT-Bund published a critical security advisory for a remote code execution vulnerability in Aqua Security Trivy affecting versions 0.69.4 and below (setup-trivy <0.2.6, trivy-action <0.35.0, Container Image 0.69.5 and 0.69.6). The vulnerability carries a CVSS Base Score of 9.9, in the critical severity range, with a Temporal Score of 9.5. All major operating systems, including Linux, macOS, UNIX, and Windows, are affected.

Organizations using Aqua Security Trivy for container image scanning must immediately identify affected installations across their infrastructure and apply available mitigation measures. Security teams should prioritize patching given the remote attack vector and potential for complete system compromise. The advisory confirms mitigation is available and organizations should monitor for subsequent patches to address this vulnerability.

What to do next

  1. Identify all Aqua Security Trivy installations across the organization and determine affected versions
  2. Apply available mitigation measures immediately given the critical severity and remote attack vector
  3. Monitor for updated patches and upgrade to non-affected versions once released
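Step 1 above is the part that is easy to get wrong across a large estate, because Trivy shows up in three different forms: a binary on hosts, a GitHub Action reference in CI workflows, and a container image tag. The following is an added example, not code from GovPing or from the CERT-Bund advisory, that encodes the affected ranges exactly as this page states them (Trivy 0.69.4 and below, setup-trivy <0.2.6, trivy-action <0.35.0, Container Image 0.69.5 and 0.69.6) and flags inventory entries that fall inside them. The `Version: X.Y.Z` first line of `trivy --version` output, the `owner/repo@ref` action syntax, and the sample inventory are assumptions constructed for the example; refs that cannot be resolved to a version (branch names, digests, untagged images) are flagged for manual review rather than silently passed.

```python
"""Added example: inventory check for the Trivy components listed in
WID-SEC-2026-0898. Affected ranges are copied from the advisory page;
the `trivy --version` output format and all sample data are assumptions."""
import re
from typing import Optional, Tuple

# Affected ranges as stated on the advisory page.
MAX_AFFECTED_TRIVY = (0, 69, 4)          # "versions 0.69.4 and below"
FIXED_SETUP_TRIVY = (0, 2, 6)            # "setup-trivy <0.2.6"
FIXED_TRIVY_ACTION = (0, 35, 0)          # "trivy-action <0.35.0"
AFFECTED_IMAGE_TAGS = {"0.69.5", "0.69.6"}  # "Container Image 0.69.5 and 0.69.6"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first X.Y.Z found in `text` as an int tuple, or None.
    Tolerates a leading 'v' and the assumed 'Version: 0.69.4' first line
    of `trivy --version`, where the first match is the binary version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())  # type: ignore[return-value]


def trivy_binary_affected(version_output: str) -> bool:
    """True when the installed binary is 0.69.4 or below."""
    v = parse_version(version_output)
    return v is not None and v <= MAX_AFFECTED_TRIVY


def github_action_affected(uses_ref: str) -> bool:
    """Check a workflow `uses:` reference such as
    aquasecurity/trivy-action@0.34.0 or aquasecurity/setup-trivy@v0.2.5.
    Unpinned refs (branch names, 'latest') cannot be proven fixed and are flagged."""
    repo, _, ref = uses_ref.partition("@")
    v = parse_version(ref)
    if v is None:
        return True
    if repo.endswith("/trivy-action"):
        return v < FIXED_TRIVY_ACTION
    if repo.endswith("/setup-trivy"):
        return v < FIXED_SETUP_TRIVY
    return False  # some other action; not covered by this advisory


def container_image_affected(image_ref: str) -> bool:
    """Check an image reference such as aquasec/trivy:0.69.5.
    Digest-pinned or untagged references are flagged for manual mapping."""
    if "@" in image_ref:
        return True
    _, _, tag = image_ref.rpartition(":")
    if not tag or "/" in tag:  # no tag at all, or the ':' was a registry port
        return True
    return tag.lstrip("v") in AFFECTED_IMAGE_TAGS


def scan_inventory(items):
    """items: (kind, value) pairs collected from hosts and CI configuration.
    Returns the values that need patching or manual review."""
    checks = {
        "binary": trivy_binary_affected,
        "action": github_action_affected,
        "image": container_image_affected,
    }
    return [value for kind, value in items if checks[kind](value)]


# Constructed sample inventory; not real output from any system.
SAMPLE_INVENTORY = [
    ("binary", "Version: 0.69.4\nVulnerability DB:\n  Version: 2"),
    ("binary", "Version: 0.70.0"),
    ("action", "aquasecurity/trivy-action@0.34.0"),
    ("action", "aquasecurity/trivy-action@0.35.0"),
    ("action", "aquasecurity/setup-trivy@v0.2.5"),
    ("action", "aquasecurity/setup-trivy@master"),
    ("image", "aquasec/trivy:0.69.5"),
    ("image", "ghcr.io/aquasecurity/trivy:0.69.7"),
]

if __name__ == "__main__":
    for hit in scan_inventory(SAMPLE_INVENTORY):
        print("REVIEW:", hit.splitlines()[0])
```

Feed `scan_inventory` the real `trivy --version` output captured from each host, the `uses:` lines grepped from workflow files, and the image references from deployment manifests; anything it returns either falls inside the ranges this advisory lists or could not be resolved to a version and needs a human to decide.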

Archived snapshot

Mar 30, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

[WID-SEC-2026-0898] Aqua Security Trivy: Vulnerability allows complete compromise of the system
CVSS Base Score: 9.9 (critical)
CVSS Temporal Score: 9.5 (critical)
Remote attack: yes
Date: 29.03.2026
Last updated: 30.03.2026
Mitigation: yes

Affected systems

Operating system

  • Linux
  • MacOS X
  • UNIX
  • Windows

Product description

Aqua Security Trivy is an open-source security scanner that identifies vulnerabilities in container images, filesystems, and Git repositories.

Products

29.03.2026

  • Aqua Security Trivy 0.69.4
  • Aqua Security Trivy setup-trivy <0.2.6
  • Aqua Security Trivy trivy-action <0.35.0
  • Aqua Security Trivy Container Image 0.69.5
  • Aqua Security Trivy Container Image 0.69.6

Attack

An attacker can exploit a vulnerability in Aqua Security Trivy to completely compromise the system.


About this page


What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CERT-Bund.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CERT-Bund
Published: March 29th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
Document ID: WID-SEC-2026-0898

Who this affects

Applies to: Technology companies; Government agencies
Industry sector: 5112 Software & Technology; 9261 Government Contracting; 5182 Data Processing & Hosting
Activity scope: Vulnerability Management; Container Security Scanning; DevSecOps Pipeline Security
Threshold: Aqua Security Trivy versions 0.69.4 and below; setup-trivy <0.2.6; trivy-action <0.35.0; Container Images 0.69.5 and 0.69.6
Geographic scope: Germany (DE)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF; CISA BOD
Topics: Vulnerability Disclosure; Open Source Security; Critical Infrastructure
