2 matches found
CVE-2026-26189
CVE-2026-26189 affects aquasecurity/trivy-action (GitHub Action) where command injection is possible via unsafely exporting environment variables to trivy_envs.txt and sourcing it in entrypoint.sh. Affected versions are 0.31.0 through 0.33.1; a patch was released in 0.34.0. The issue arises from ...
CVE-2026-26189 Trivy Action has a script injection via sourced env file in composite action
Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in aquasecurity/trivy-action versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes...