MEIFP – Most Exploited Internet-Facing Products

aquasecurity

Products: setup-trivy · trivy · trivy-action

26.4

Score

CVEs

Active

PoC

KEV

#102

Rank

Period:

Product:

CVE ID	Published	CVSS	Exploit	KEV	AC	PR	Auto	Score(hover)	Affected Products	Description
CVE-2026-33634	2026-03-23	9.4v4.0	ACTIVE		Low	Low	no	26.4	setup-trivytrivytrivy-action	Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with maliciou

Each CVE: 10 pts base (Active only), boosted by:

KEV×2.0AC: Low×1.2PR: None×1.3PR: Low×1.1Auto×1.3