CVE-2026-28353

Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was distributed via OpenVSX marketplace was compromised and contained malicious code designed to leverage local AI coding agent to collect and exfiltrate sensitive information. Users using the affected artifact are advised to immediately remove it and rotate environment secrets. The malicious artifact has been removed from the marketplace. No other affected artifacts have been identified.

CVSS

No CVSS.

References

Link	Resource
https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg

Configurations

No configuration.

History

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) Trivy Vulnerability Scanner es una extensión de VS Code que ayuda a encontrar vulnerabilidades. En la versión 1.8.12 de la extensión Trivy VSCode, que fue distribuida a través del marketplace OpenVSX, fue comprometida y contenía código malicioso diseñado para aprovechar un agente de codificación de IA local para recopilar y exfiltrar información sensible. Se aconseja a los usuarios que utilizan el artefacto afectado que lo eliminen inmediatamente y roten los secretos del entorno. El artefacto malicioso ha sido eliminado del marketplace. No se han identificado otros artefactos afectados.

05 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 20:16

Updated : 2026-03-09 13:36

NVD link : CVE-2026-28353

Mitre link : CVE-2026-28353

CVE.ORG link : CVE-2026-28353

JSON object : View

Products Affected

No product.

CWE

CWE-506

Embedded Malicious Code

{"id": "CVE-2026-28353", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-05T20:16:16.493", "references": [{"url": "https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-506"}]}], "descriptions": [{"lang": "en", "value": "Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was distributed via OpenVSX marketplace was compromised and contained malicious code designed to leverage local AI coding agent to collect and exfiltrate sensitive information. Users using the affected artifact are advised to immediately remove it and rotate environment secrets. The malicious artifact has been removed from the marketplace. No other affected artifacts have been identified."}, {"lang": "es", "value": "Trivy Vulnerability Scanner es una extensi\u00f3n de VS Code que ayuda a encontrar vulnerabilidades. En la versi\u00f3n 1.8.12 de la extensi\u00f3n Trivy VSCode, que fue distribuida a trav\u00e9s del marketplace OpenVSX, fue comprometida y conten\u00eda c\u00f3digo malicioso dise\u00f1ado para aprovechar un agente de codificaci\u00f3n de IA local para recopilar y exfiltrar informaci\u00f3n sensible. Se aconseja a los usuarios que utilizan el artefacto afectado que lo eliminen inmediatamente y roten los secretos del entorno. El artefacto malicioso ha sido eliminado del marketplace. No se han identificado otros artefactos afectados."}], "lastModified": "2026-03-09T13:36:08.413", "sourceIdentifier": "security-advisories@github.com"}