Path traversal in trivy - #VU136054

Published: July 1, 2026

Vulnerability identifier: #VU136054
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Aqua Security
Affected software:
trivy

Detailed vulnerability description

The vulnerability allows a local user to write arbitrary files outside the intended plugin directory.

The vulnerability exists due to path traversal in the plugin manager when installing an attacker-controlled plugin. A local user can provide a crafted plugin manifest to write arbitrary files outside the intended plugin directory.

User interaction is required to install the crafted plugin, and exploitation is limited to locations writable by the user running Trivy.
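The check a plugin installer needs against this class of bug (CWE-22) is easy to state and easy to get subtly wrong, so here is a worked version in Go. This is an added example, not code from Trivy or from this advisory: every file name taken from an untrusted manifest is resolved against the plugin's own install directory and rejected if the cleaned result would land anywhere else. The `Manifest` type, the `SafeJoin` and `ResolveManifest` functions, the install path `/opt/trivy/plugins/demo` and the sample manifest entries are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a manifest path would resolve outside the
// plugin's own installation directory.
var ErrOutsideBase = errors.New("manifest path escapes plugin directory")

// SafeJoin resolves a file name taken from an untrusted plugin manifest against
// the directory the plugin is being installed into and refuses any result that
// would land outside that directory. Generic CWE-22 mitigation, not Trivy's code.
func SafeJoin(pluginDir, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty manifest path")
	}
	// Manifest entries are always relative to the plugin directory; an absolute
	// path is rejected before Join gets a chance to reinterpret it.
	if filepath.IsAbs(name) {
		return "", ErrOutsideBase
	}
	base := filepath.Clean(pluginDir)
	target := filepath.Join(base, name) // Join also cleans, collapsing "a/../b" and "./x".
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// Once both sides are cleaned, an escape can only show up as a leading "..".
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return target, nil
}

// Manifest is a hypothetical, minimal plugin manifest: the binary to run and the
// other files the plugin ships. Field names are assumptions for this example.
type Manifest struct {
	Name  string
	Bin   string
	Files []string
}

// ResolveManifest maps every path in the manifest to its final location under
// pluginDir, failing closed on the first entry that escapes.
func ResolveManifest(pluginDir string, m Manifest) (map[string]string, error) {
	out := make(map[string]string, len(m.Files)+1)
	for _, name := range append([]string{m.Bin}, m.Files...) {
		p, err := SafeJoin(pluginDir, name)
		if err != nil {
			return nil, fmt.Errorf("plugin %q: entry %q: %w", m.Name, name, err)
		}
		out[name] = p
	}
	return out, nil
}

func main() {
	const pluginDir = "/opt/trivy/plugins/demo" // constructed install location

	// Constructed manifests: a well-formed one and one whose entry tries to traverse.
	good := Manifest{Name: "demo", Bin: "bin/demo", Files: []string{"README.md", "lib/../lib/helper.sh"}}
	bad := Manifest{Name: "demo", Bin: "bin/demo", Files: []string{"../../../../home/user/.bashrc"}}

	for _, m := range []Manifest{good, bad} {
		paths, err := ResolveManifest(pluginDir, m)
		if err != nil {
			fmt.Println("rejected:", err) // an installer should log this, not silently skip it
			continue
		}
		for name, p := range paths {
			fmt.Printf("%-28s -> %s\n", name, p)
		}
	}
}
```

Two points worth keeping in mind when applying this. First, the `Rel`-based check reasons about lexical paths only: if the plugin directory may already contain symlinks, resolve the existing parent with `filepath.EvalSymlinks` before comparing, or the cleaned path can still point elsewhere on disk. Second, rejecting the whole manifest on the first bad entry (rather than skipping that entry) is the right failure mode here, and a logged rejection is a useful detection signal for an installer that is being fed crafted input.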

Remediation

Install the security update from the vendor's website.

Sources