Path traversal in trivy - #VU136054
Published: July 1, 2026
trivy
Detailed vulnerability description
The vulnerability allows a local user to write arbitrary files outside the intended plugin directory.
The vulnerability exists due to path traversal in the plugin manager when installing an attacker-controlled plugin: file paths taken from a crafted plugin manifest are not confined to the plugin directory. A local user can supply such a manifest to write arbitrary files outside the intended plugin directory.
User interaction is required, since the victim must install the crafted plugin, and exploitation is limited to locations writable by the user running Trivy.
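The following Go snippet is an added illustration of the bug class described above and is not Trivy's own code; it assumes a plugin manifest that supplies relative file paths to be written under the plugin directory (the manifest field, the sample root and the sample entries are constructed for the example). NaiveJoin shows why trusting such a path lets ".." components walk out of the plugin directory, and SafeJoin shows the lexical containment check that rejects them.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a manifest-supplied path would resolve
// outside the plugin directory.
var ErrEscapesRoot = errors.New("manifest path escapes plugin directory")

// NaiveJoin is the vulnerable pattern: it trusts the manifest path and lets
// filepath.Join collapse ".." components, so "../../x" lands outside root.
func NaiveJoin(root, untrusted string) string {
	return filepath.Join(root, untrusted)
}

// SafeJoin confines an untrusted, manifest-supplied relative path to root.
// root is assumed to be an absolute, already-cleaned plugin directory.
func SafeJoin(root, untrusted string) (string, error) {
	if untrusted == "" {
		return "", errors.New("empty manifest path")
	}
	// Reject absolute paths, rooted paths and Windows volume names outright;
	// a plugin manifest has no business naming anything outside its directory.
	if filepath.IsAbs(untrusted) || filepath.VolumeName(untrusted) != "" ||
		strings.HasPrefix(untrusted, "/") || strings.HasPrefix(untrusted, `\`) {
		return "", ErrEscapesRoot
	}
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, filepath.FromSlash(untrusted))
	// Lexical containment: after joining, the path relative to root must not
	// begin with "..". filepath.Rel cleans both sides, so "a/../../b" is caught.
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return joined, nil
}

func main() {
	// Constructed sample: a plugin root and entries as a crafted manifest might supply them.
	root := "/home/user/.trivy/plugins/demo"
	for _, p := range []string{"bin/demo", "../../../.bashrc", "/etc/cron.d/x", "bin/../../evil"} {
		safe, err := SafeJoin(root, p)
		fmt.Printf("%-20q naive=%-40s safe=%q err=%v\n", p, NaiveJoin(root, p), safe, err)
	}
}
```

The check is purely lexical: it stops ".." and absolute paths, but not a symlink already present inside the plugin directory that points elsewhere. An installer that also creates symlinks, or that extracts into a directory the plugin has written to before, should additionally resolve the target with filepath.EvalSymlinks and repeat the containment check on the result.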