Skip to main content
Version: v1.1.x

CVE-2026-54448

CVE Details

Visit the official vulnerability details page for CVE-2026-54448 to learn more.

Initial Publication

06/25/2026

Last Update

06/26/2026

Third Party Dependency

github.com/aquasecurity/trivy

NIST CVE Summary

Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer. This vulnerability is fixed in 0.71.0.

CVE Severity

6.5

Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.

Status

Analyzed

Affected Products & Versions

VersionPaletteAIPaletteAI VerteX
1.1.8⚠️ Impacted⚠️ Impacted

Revision History

No revisions available.