The Cybersecurity and Infrastructure Security Agency (CISA) has added a serious flaw in Aqua Security's Trivy scanner to its Known Exploited Vulnerabilities (KEV) list. The flaw, tracked as CVE-2026-33634, is already being exploited by hackers and poses a big risk to the software supply chain.
Trivy is a well-known open-source tool that finds security problems in repositories, file systems, and container images. Because it is so deeply built into modern development pipelines, any breach of the tool can put a lot of sensitive systems at risk. If an attacker gets into a CI/CD pipeline, they can change builds, add harmful code to software releases, or keep access to development environments for a long time. This event shows how the risks are growing as trusted security tools become targets for attacks.
CISA says that businesses need to continuously monitor and protect their development ecosystems to defend against new supply chain threats. Federal Civilian Executive Branch (FCEB) agencies have until April 9, 2026, to fix the problems, according to the agency. Security teams should also follow Binding Operational Directive (BOD) 22-01, which describes what needs to be done to fix known exploited vulnerabilities.
CISA says that if patches or fixes aren't available yet, people should stop using Trivy until the environment can be made safe. The agency wrote in a blog post on March 26, 2026, that this shows how serious the threat is and how important it is to stop more people from being exposed. On March 25, 2025, the vulnerability was added to the KEV catalog.
On March 27, 2023, CISA officially added the vulnerability to its KEV list.











