Vendor
Trivy versions prior to 0.71.0 are vulnerable to CVE-2026-54448, a denial-of-service attack where a crafted Helm chart archive (.tgz) can cause unbounded memory consumption, leading to the OS OOM killer terminating the Trivy process and other services on the host or CI runner.