CVE-2026-55092

Source
https://cve.org/CVERecord?id=CVE-2026-55092
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55092.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55092
Aliases
  • GHSA-mcj4-mphf-j9ff
Downstream
Related
Published
2026-06-25T16:26:46.081Z
Modified
2026-07-09T10:14:35.701191308Z
Severity
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Trivy: Path traversal via a crafted vulnerability database or other downloaded artifacts
Details

Trivy is a security scanner. Prior to 0.71.1, when Trivy downloads an OCI artifact, it uses the org.opencontainers.image.title annotation from the artifact manifest as the destination filename without validation. An attacker who can make Trivy fetch an attacker-controlled artifact can supply a crafted annotation that resolves to a path outside the intended destination, causing Trivy to write the layer content to an arbitrary location on the host filesystem. This vulnerability is fixed in 0.71.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55092.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/aquasecurity/trivy

Affected ranges

Type
GIT
Repo
https://github.com/aquasecurity/trivy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:aquasec:trivy:*:*:*:*:*:go:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.71.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.19.0
v0.19.1
v0.19.2
v0.2.0
v0.2.1
v0.20.0
v0.20.1
v0.20.2
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.22.0
v0.23.0
v0.24.0
v0.24.1
v0.24.2
v0.24.3
v0.24.4
v0.25.0
v0.25.1
v0.25.2
v0.25.3
v0.25.4
v0.26.0
v0.27.0
v0.27.1
v0.28.0
v0.28.1
v0.29.0
v0.29.1
v0.29.2
v0.3.0
v0.3.1
v0.30.0
v0.30.1
v0.30.2
v0.30.3
v0.30.4
v0.31.0
v0.31.1
v0.31.2
v0.31.3
v0.32.0
v0.32.1
v0.33.0
v0.34.0
v0.35.0
v0.36.0
v0.36.1
v0.37.0
v0.37.1
v0.37.2
v0.37.3
v0.38.0
v0.38.1
v0.38.2
v0.38.3
v0.39.0
v0.39.1
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.40.0
v0.41.0
v0.42.0
v0.42.1
v0.43.0
v0.43.1
v0.44.0
v0.44.1
v0.45.0
v0.45.1
v0.46.0
v0.47.0
v0.48.0
v0.48.1
v0.48.2
v0.49.0
v0.49.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.50.0
v0.50.1
v0.51.0
v0.51.1
v0.52.0
v0.53.0
v0.54.0
v0.55.0
v0.56.0
v0.57.0
v0.58.0
v0.59.0
v0.6.0
v0.60.0
v0.61.0
v0.62.0
v0.63.0
v0.64.0
v0.65.0
v0.66.0
v0.67.0
v0.68.0
v0.68.1
v0.69.0
v0.7.0
v0.70.0
v0.71.0
v0.8.0
v0.9.0
v0.9.1
v0.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55092.json"