The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-33634, an embedded malicious code vulnerability in Aqua Security's Trivy tool, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. Federal agencies are required to remediate the vulnerability under Binding Operational Directive 22-01, though CISA urges all organizations to prioritize patching given the tool's widespread use in software supply chains.