CVE-2026-33634 - Vulnerability Analysis
Severity: N/A. Last Updated: March 25, 2026
Aqua Security Trivy - Supply Chain Attack
Overview
Aqua Security Trivy v0.69.4, trivy-action 0.0.1–0.34.2, and setup-trivy 0.2.0–0.2.6 are affected by a supply chain attack in which compromised credentials were used to inject malicious code into releases and GitHub Actions, letting attackers steal credentials and exfiltrate secrets. Exploitation requires compromised credentials.
Severity & Score
Impact
Attackers can steal credentials and exfiltrate secrets, leading to full compromise of affected pipelines and environments.
Mitigation
Update to Trivy versions 0.69.2 or 0.69.3, trivy-action 0.35.0, and setup-trivy 0.2.6 with safe commits; rotate all exposed secrets and pin GitHub Actions to immutable commit SHAs.
References
- https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html
- https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack
- https://github.com/BerriAI/litellm/issues/24518
- https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml
- https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1
- https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
- https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130
- https://www.wiz.io/blog/teampcp-attack-kics-github-action
- https://github.com/aquasecurity/trivy/discussions/10425
Details
- CVE ID: CVE-2026-33634
- Severity: N/A
- Type: supply_chain_attack
- Status: unconfirmed
- EPSS: 2115.3%
- Social Posts: 1
CWE
- CWE-506
CVSS Metrics
N/A