Explore top 10 tips to secure your open-source projects now. Read More
×
This update for trivy fixes the following issues
Update to version 0.72.0.
- CVE-2026-54448: tar unpacker reads scanned Helm chart archives (.tgz) with `io.ReadAll(tr)` and defines no size
limit, which can lead to a DoS (bsc#1269271).
- CVE-2026-55092: `org.opencontainers.image.title` annotation from OCI artifact manifest is used as a destination
filename without validation and can lead to arbitrary file writes (bsc#1269269).
Other updates and bugfixes:
- Version 0.72.0:
* feat(bottlerocket): add vulnerability matching for Bottlerocket OS (#10893)
* fix(misconf): support github_repository_vulnerability_alerts resource (#10680)
* feat(java): detect JAR licenses from packaged LICENSE files (#10856)
* fix(nodejs): parse project dependencies from multi-document pnpm-lock.yaml (#10861)
* fix(server): propagate package repository class in client/server mode (#10874)
* chore(deps): bump github.com/containerd/containerd/v2 from 2.3.1 to 2.3.2 (#10888)
* fix(vuln): fall...
Read the Full Advisory- openSUSE Leap 16.0:
trivy-0.72.0-160000.1.1
* bsc#1269269
* bsc#1269271
References:
* https://www.suse.com/security/cve/CVE-2026-54448.html
* https://www.suse.com/security/cve/CVE-2026-55092.html
Get the latest Linux and open source security news straight to your inbox.