SB2026070146 - Path traversal in trivy

Published: July 1, 2026

Security Bulletin ID: SB2026070146
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Data manipulation

Breakdown by Severity: Medium 100%

Description

This security bulletin contains information about 1 vulnerability.

1) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a local user to write arbitrary files outside the intended plugin directory.

The vulnerability exists due to path traversal in the plugin manager when installing an attacker-controlled plugin. A local user can provide a crafted plugin manifest to write arbitrary files outside the intended plugin directory.

User interaction is required to install the crafted plugin, and exploitation is limited to locations writable by the user running Trivy.
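As an added example (not Trivy's code; the manifest file list, the install directory and the function names are assumptions for illustration), the kind of containment check a plugin manager needs before writing a manifest-declared file: each destination is resolved against the plugin directory and refused if it would land outside it.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for a destination that would escape the plugin directory.
var ErrOutsideRoot = errors.New("manifest destination escapes plugin directory")

// ResolvePluginFile maps a manifest-declared relative destination onto the plugin's
// install directory and rejects anything that would land outside it. This is a
// lexical check: it catches ".." segments and absolute paths, but not a symlink
// already present under pluginDir; guard that separately (e.g. EvalSymlinks) before writing.
func ResolvePluginFile(pluginDir, dest string) (string, error) {
	// Absolute destinations and Windows volume prefixes can never be "inside" the root.
	if filepath.IsAbs(dest) || filepath.VolumeName(dest) != "" {
		return "", ErrOutsideRoot
	}
	root := filepath.Clean(pluginDir)
	full := filepath.Join(root, dest) // Join cleans, so "a/../../x" collapses before the check
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// CheckManifest runs every declared destination through ResolvePluginFile and
// splits them into resolved paths that are safe to write and entries to refuse.
func CheckManifest(pluginDir string, dests []string) (accepted, rejected []string) {
	for _, d := range dests {
		if p, err := ResolvePluginFile(pluginDir, d); err == nil {
			accepted = append(accepted, p)
		} else {
			rejected = append(rejected, d)
		}
	}
	return accepted, rejected
}

func main() {
	// Constructed sample destinations standing in for a plugin manifest's file list.
	dests := []string{"bin/plugin", "docs/../README.md", "../../escape.txt", "/abs/escape.txt", "docs/../../escape.txt", ""}
	ok, bad := CheckManifest("/tmp/plugin-root", dests) // install dir is a placeholder
	fmt.Println("accepted:", ok)
	fmt.Println("rejected:", bad)
}
```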

Remediation

Install the update from the vendor's website.