SB2026070146 - Path traversal in trivy
Published: July 1, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to write arbitrary files outside the intended plugin directory.
The vulnerability exists due to path traversal in the plugin manager when installing an attacker-controlled plugin. A local user can provide a crafted plugin manifest to write arbitrary files outside the intended plugin directory.
User interaction is required to install the crafted plugin, and exploitation is limited to locations writable by the user running Trivy.
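The defect class described above is a missing containment check: a path taken from an untrusted plugin manifest is joined to the plugin directory and written without verifying that the result still lies inside that directory. The following Go example is added here for illustration and is not Trivy's own code; it assumes a hypothetical plugin directory `/opt/trivy-plugins/example` and a constructed manifest whose entries are plain relative file paths. It shows the check that prevents the write from escaping the intended directory, including rejection of absolute paths, `..` climbs that survive cleaning, and backslash-separated traversal.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Errors returned for manifest entries that must not be written.
var (
	ErrPathEscape = errors.New("manifest path escapes the plugin directory")
	ErrNoFileName = errors.New("manifest entry names no file")
)

// SafeJoin resolves an untrusted, manifest-supplied path under pluginDir and
// returns the absolute destination. Absolute paths and any path whose cleaned
// form climbs above pluginDir are rejected; this is the containment check that
// a path traversal write exploits when it is absent.
func SafeJoin(pluginDir, manifestPath string) (string, error) {
	base, err := filepath.Abs(pluginDir)
	if err != nil {
		return "", err
	}
	// Treat backslashes as separators so a manifest written with Windows
	// separators cannot carry "..\" past a Unix-only check (assumed policy).
	p := strings.ReplaceAll(manifestPath, "\\", "/")
	if filepath.IsAbs(p) || strings.HasPrefix(p, "/") {
		return "", ErrPathEscape
	}
	// Join cleans the result, collapsing "." and ".." before the check below.
	dest := filepath.Join(base, p)
	rel, err := filepath.Rel(base, dest)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	if rel == "." {
		return "", ErrNoFileName
	}
	return dest, nil
}

// ResolveManifest validates every file entry of a manifest before anything is
// written, returning all destinations or the error for the first bad entry.
// Validating the whole manifest first avoids a partial install on failure.
func ResolveManifest(pluginDir string, entries []string) ([]string, error) {
	out := make([]string, 0, len(entries))
	for _, e := range entries {
		dest, err := SafeJoin(pluginDir, e)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", e, err)
		}
		out = append(out, dest)
	}
	return out, nil
}

func main() {
	// Constructed manifest: two legitimate entries and one traversal attempt.
	manifest := []string{"bin/example", "docs/README.md", "../../.bashrc"}
	if _, err := ResolveManifest("/opt/trivy-plugins/example", manifest); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Note that this check operates on the lexical path only. If the plugin directory may already contain symlinks (for example from a previously installed plugin), resolve the existing parent with `filepath.EvalSymlinks` before the containment check, and open the destination with `O_EXCL` or an equivalent so that a pre-existing link is not followed at write time.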
Remediation
Install the update from the vendor's website.