Aqua Security Product Security Update Advisory (CVE-2026-33634)

overview

We have released security updates that address vulnerabilities in our Aqua Security products. users of affected products are encouraged to update to the latest version.

affected products

CVE-2026-33634

Aquasecurity/setup-trivy Version: Before 0.2.6
aquasecurity/trivy-action Version: less than 0.35.0
github.com/aquasecurity/trivy Version: 0.69.4

resolved vulnerabilities

Supply chain attack vulnerability in Trivy (CVE-2026-33634)

vulnerability patches

Vulnerability patches have been made available in the latest update. please follow the instructions on the reference site to update to the latest version of the vulnerability patch.

CVE-2026-33634

Aquasecurity/setup-trivy Version: 0.2.6
aquasecurity/trivy-action Version: 0.35.0
github.com/aquasecurity/trivy Version: 0.69.3

references

[1] Trivy ecosystem supply chain temporarily compromised
https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6×23