CVE-2026-28353
Trivy Vulnerability Scanner: Unauthorized AI Agent Execution Code Included in OpenVSX Extension Release
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was distributed via OpenVSX marketplace was compromised and contained malicious code designed to leverage local AI coding agent to collect and exfiltrate sensitive information. Users using the affected artifact are advised to immediately remove it and rotate environment secrets. The malicious artifact has been removed from the marketplace. No other affected artifacts have been identified.
| CWE | CWE-506 |
| Vendor | aquasecurity |
| Product | trivy-vscode-extension |
| Published | Mar 5, 2026 |
| Last Updated | Mar 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for aquasecurity trivy-vscode-extension
Be the first to know when new unknown vulnerabilities affecting aquasecurity trivy-vscode-extension are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
aquasecurity / trivy-vscode-extension
= 1.8.12