Skip to main content

Trivy

2 CVEs product

Monthly

CVE-2026-54448 Go MEDIUM POC PATCH GHSA This Month

Decompression bomb (zip bomb) in Trivy's Helm chart scanner causes denial of service via OOM kill when processing a crafted .tgz archive. Affected versions prior to 0.71.0 use io.ReadAll without any size cap on tar entries inside Helm chart archives, allowing a small compressed file to expand to gigabytes in memory. An attacker who can place a malicious archive in any path that Trivy is directed to scan can reliably crash the Trivy process. No public exploit or CISA KEV listing at time of analysis.

Denial Of Service Trivy Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-55092 HIGH PATCH This Week

Arbitrary file write in Aqua Security's Trivy scanner (prior to 0.71.1) allows an attacker who can make Trivy fetch an attacker-controlled OCI artifact to write layer content anywhere on the host filesystem. Trivy trusts the org.opencontainers.image.title manifest annotation as the output filename without sanitization, so a crafted value containing path-traversal sequences escapes the intended download directory (CWE-22). No public exploit has been identified at time of analysis; the CVSS 4.0 score is 7.0 (high), driven by high integrity and availability impact requiring user interaction.

Path Traversal Trivy Suse
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.3%
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Decompression bomb (zip bomb) in Trivy's Helm chart scanner causes denial of service via OOM kill when processing a crafted .tgz archive. Affected versions prior to 0.71.0 use io.ReadAll without any size cap on tar entries inside Helm chart archives, allowing a small compressed file to expand to gigabytes in memory. An attacker who can place a malicious archive in any path that Trivy is directed to scan can reliably crash the Trivy process. No public exploit or CISA KEV listing at time of analysis.

Denial Of Service Trivy Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Arbitrary file write in Aqua Security's Trivy scanner (prior to 0.71.1) allows an attacker who can make Trivy fetch an attacker-controlled OCI artifact to write layer content anywhere on the host filesystem. Trivy trusts the org.opencontainers.image.title manifest annotation as the output filename without sanitization, so a crafted value containing path-traversal sequences escapes the intended download directory (CWE-22). No public exploit has been identified at time of analysis; the CVSS 4.0 score is 7.0 (high), driven by high integrity and availability impact requiring user interaction.

Path Traversal Trivy Suse
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy