{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28353", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T18:38:13.890Z", "datePublished": "2026-03-05T20:02:59.865Z", "dateUpdated": "2026-03-06T17:04:35.360Z"}, "containers": {"cna": {"title": "Trivy Vulnerability Scanner: Unauthorized AI Agent Execution Code Included in OpenVSX Extension Release", "problemTypes": [{"descriptions": [{"cweId": "CWE-506", "lang": "en", "description": "CWE-506: Embedded Malicious Code", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg"}], "affected": [{"vendor": "aquasecurity", "product": "trivy-vscode-extension", "versions": [{"version": "= 1.8.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:02:59.865Z"}, "descriptions": [{"lang": "en", "value": "Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was distributed via OpenVSX marketplace was compromised and contained malicious code designed to leverage local AI coding agent to collect and exfiltrate sensitive information. Users using the affected artifact are advised to immediately remove it and rotate environment secrets. The malicious artifact has been removed from the marketplace. No other affected artifacts have been identified."}], "source": {"advisory": "GHSA-8mr6-gf9x-j8qg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T17:04:26.726102Z", "id": "CVE-2026-28353", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:04:35.360Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28353", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T17:04:26.726102Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:04:30.236Z"}}], "cna": {"title": "Trivy Vulnerability Scanner: Unauthorized AI Agent Execution Code Included in OpenVSX Extension Release", "source": {"advisory": "GHSA-8mr6-gf9x-j8qg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "aquasecurity", "product": "trivy-vscode-extension", "versions": [{"status": "affected", "version": "= 1.8.12"}]}], "references": [{"url": "https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg", "name": "https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was distributed via OpenVSX marketplace was compromised and contained malicious code designed to leverage local AI coding agent to collect and exfiltrate sensitive information. Users using the affected artifact are advised to immediately remove it and rotate environment secrets. The malicious artifact has been removed from the marketplace. No other affected artifacts have been identified."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-506", "description": "CWE-506: Embedded Malicious Code"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:02:59.865Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28353", "state": "PUBLISHED", "dateUpdated": "2026-03-06T17:04:35.360Z", "dateReserved": "2026-02-26T18:38:13.890Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T20:02:59.865Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was distributed via OpenVSX marketplace was compromised and contained malicious code designed to leverage local AI coding agent to collect and exfiltrate sensitive information. Users using the affected artifact are advised to immediately remove it and rotate environment secrets. The malicious artifact has been removed from the marketplace. No other affected artifacts have been identified."}, {"lang": "es", "value": "Trivy Vulnerability Scanner es una extensi\u00f3n de VS Code que ayuda a encontrar vulnerabilidades. En la versi\u00f3n 1.8.12 de la extensi\u00f3n Trivy VSCode, que fue distribuida a trav\u00e9s del marketplace OpenVSX, fue comprometida y conten\u00eda c\u00f3digo malicioso dise\u00f1ado para aprovechar un agente de codificaci\u00f3n de IA local para recopilar y exfiltrar informaci\u00f3n sensible. Se aconseja a los usuarios que utilizan el artefacto afectado que lo eliminen inmediatamente y roten los secretos del entorno. El artefacto malicioso ha sido eliminado del marketplace. No se han identificado otros artefactos afectados."}], "id": "CVE-2026-28353", "lastModified": "2026-04-28T21:11:07.100", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T20:16:16.493", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-506"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.8.12"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "trivy-vscode-extension", "vendor": "aquasecurity"}], "analysis": {"en": {"generated_at": "2026-04-16T12:10:49.383203+00:00", "value": {"mitigation_remediation": ["Uninstall or disable the Trivy VS Code Extension version 1.8.12 and delete its cached files from the local VS Code environment", "Verify that no residual files such as configuration scripts or temporary caches remain that could still contain malicious code", "Rotate or revoke all environment secrets that might have been accessed by the malicious extension"], "summary": {"action": "Immediate Removal", "impact": "Unauthorized code execution leading to potential exfiltration of sensitive data"}, "threat_synthesis": {"affected_systems": "Aqua Security Trivy VS Code Extension, version 1.8.12, distributed through the OpenVSX marketplace, is the only affected variant; no other versions or artifacts have been identified as compromised.", "description_and_impact": "In version 1.8.12 of the Aqua Security Trivy VS Code Extension, code was added that exploits the local AI coding agent to collect and exfiltrate sensitive information. The injected code represents a code injection flaw (CWE-506) that allows an attacker to execute arbitrary logic on the host system where the extension runs. The impact is a compromise of confidentiality and integrity of environment secrets and other data that the extension may access.", "risk_and_exploitability": "The vulnerability scores a CVSS of 10, indicating critical severity, yet the EPSS probability is reported as less than 1%, implying low likelihood of exploitation at the moment. The extension runs locally within the VS Code environment, so the attack vector is an end\u2011user installing or updating the plugin. Since the malicious artifact has already been removed from the marketplace, the remaining risk revolves around devices that still have the compromised extension installed or have cached remnants. The vulnerability is not listed in the CISA KEV catalog, but its high impact warrants immediate attention."}}}}, "created": "2026-03-06T15:01:08.727737+00:00", "updated": "2026-04-16T12:15:35.092993+00:00", "vendors": ["aquasecurity", "aquasecurity$PRODUCT$trivy-vscode-extension"]}