CVE-2026-32767 assigned to libexpat, should be CVE-2026-32776

[mmusenbr]

IDs

CVE-2026-32767, CVE-2026-32776

Description

CVE-2026-32767 is linked to libexpat, which is wrong (SiYuan). It seems there was a number switch from CVE-2026-32776.

Reproduction Steps

docker pull eclipse-temurin:21.0.10_7-jdk-alpine-3.23
trivy image eclipse-temurin:21.0.10_7-jdk-alpine-3.23

> libexpat │ CVE-2026-32767 │ CRITICAL │ SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API │ https://avd.aquasec.com/nvd/cve-2026-32767

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

$ trivy image eclipse-temurin:21.0.10_7-jdk-alpine-3.23 --debug
2026-03-19T14:49:52+01:00       DEBUG   No plugins loaded
2026-03-19T14:49:52+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2026-03-19T14:49:52+01:00       DEBUG   Cache dir       dir="/home/michael/.cache/trivy"
2026-03-19T14:49:52+01:00       DEBUG   Cache dir       dir="/home/michael/.cache/trivy"
2026-03-19T14:49:52+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2026-03-19T14:49:52+01:00       DEBUG   Ignore statuses statuses=[]
2026-03-19T14:49:52+01:00       DEBUG   DB update was skipped because the local DB is the latest
2026-03-19T14:49:52+01:00       DEBUG   DB info schema=2 updated_at=2026-03-19T06:49:01.617693213Z next_update=2026-03-20T06:49:01.617692913Z downloaded_at=2026-03-19T12:37:35.228613538Z
2026-03-19T14:49:52+01:00       DEBUG   [pkg] Package types     types=[os library]
2026-03-19T14:49:52+01:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2026-03-19T14:49:52+01:00       INFO    [vuln] Vulnerability scanning is enabled
2026-03-19T14:49:52+01:00       INFO    [secret] Secret scanning is enabled
2026-03-19T14:49:52+01:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-03-19T14:49:52+01:00       INFO    [secret] Please see https://trivy.dev/docs/v0.69/guide/scanner/secret#recommendation for faster secret detection
2026-03-19T14:49:52+01:00       DEBUG   Initializing scan cache...      type="fs"
2026-03-19T14:49:52+01:00       DEBUG   [notification] Running version check
2026-03-19T14:49:52+01:00       DEBUG   Created process-specific temp directory path="/tmp/trivy-132503"
2026-03-19T14:49:52+01:00       DEBUG   [image] Image found     image="eclipse-temurin:21.0.10_7-jdk-alpine-3.23" source="docker"
2026-03-19T14:49:52+01:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2026-03-19T14:49:52+01:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2026-03-19T14:49:52+01:00       DEBUG   [image] Detected image ID       image_id="sha256:4b060c8487c875dd2375caab8423cb7eefee56a1e328181ce90272aaf9390c29"
2026-03-19T14:49:52+01:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:989e799e634906e94dc9a5ee2ee26fc92ad260522990f26e707861a5f52bf64e sha256:f41e29f762f34e23d45cfe07ab18d05a792b1b3246a1245bd56ba40fa076ba29 sha256:0ec7c25152bf801f07b8817a1ee2dbd7af7947335638eaa5a75caf11ee6b57a2 sha256:2f3f5a60c2a292f31e4943908e965848fc3a07d7729f3811106e89337c946ac1 sha256:949b59606cb23fb1e01ac6d24bb33ffc22288f6e63ee24d5397920888cff39a8]
2026-03-19T14:49:52+01:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:989e799e634906e94dc9a5ee2ee26fc92ad260522990f26e707861a5f52bf64e]
2026-03-19T14:49:52+01:00       INFO    Detected OS     family="alpine" version="3.23.3"
2026-03-19T14:49:52+01:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.23" repository="3.23" pkg_num=77
2026-03-19T14:49:52+01:00       INFO    Number of language-specific files       num=0
2026-03-19T14:49:52+01:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/docs/v0.69/guide/scanner/vulnerability#severity-selection for details.
2026-03-19T14:49:52+01:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2026-03-19T14:49:52+01:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌───────────────────────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│                          Target                           │  Type  │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ eclipse-temurin:21.0.10_7-jdk-alpine-3.23 (alpine 3.23.3) │ alpine │        8        │    -    │
└───────────────────────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


eclipse-temurin:21.0.10_7-jdk-alpine-3.23 (alpine 3.23.3)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 3, CRITICAL: 1)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gnutls   │ CVE-2026-1584  │ HIGH     │ fixed  │ 3.8.11-r0         │ 3.8.12-r0     │ gnutls: gnutls: Remote Denial of Service via crafted        │
│          │                │          │        │                   │               │ ClientHello with invalid PSK...                             │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-1584                   │
│          ├────────────────┼──────────┤        │                   │               ├─────────────────────────────────────────────────────────────┤
│          │ CVE-2025-14831 │ MEDIUM   │        │                   │               │ gnutls: GnuTLS: Denial of Service via excessive resource    │
│          │                │          │        │                   │               │ consumption during certificate verification...              │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-14831                  │
├──────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2026-32767 │ CRITICAL │        │ 2.7.4-r0          │ 2.7.5-r0      │ SiYuan: Authorization Bypass Allows Arbitrary SQL Execution │
│          │                │          │        │                   │               │ via Search API                                              │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-32767                  │
│          ├────────────────┼──────────┤        │                   │               ├─────────────────────────────────────────────────────────────┤
│          │ CVE-2026-32777 │ MEDIUM   │        │                   │               │ libexpat: libexpat: Denial of Service via infinite loop in  │
│          │                │          │        │                   │               │ DTD content parsing...                                      │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-32777                  │
│          ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│          │ CVE-2026-32778 │          │        │                   │               │ libexpat: libexpat: Denial of Service via NULL pointer      │
│          │                │          │        │                   │               │ dereference after out-of-memory condition...                │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-32778                  │
├──────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libpng   │ CVE-2026-25646 │ HIGH     │        │ 1.6.54-r0         │ 1.6.55-r0     │ libpng: LIBPNG has a heap buffer overflow in                │
│          │                │          │        │                   │               │ png_set_quantize                                            │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-25646                  │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib     │ CVE-2026-22184 │          │        │ 1.3.1-r2          │ 1.3.2-r0      │ zlib: zlib: Arbitrary code execution via buffer overflow in │
│          │                │          │        │                   │               │ untgz utility                                               │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-22184                  │
│          ├────────────────┼──────────┤        │                   │               ├─────────────────────────────────────────────────────────────┤
│          │ CVE-2026-27171 │ MEDIUM   │        │                   │               │ zlib: zlib: Denial of Service via infinite loop in CRC32    │
│          │                │          │        │                   │               │ combine functions...                                        │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-27171                  │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
2026-03-19T14:49:52+01:00       DEBUG   Cleaning up temp directory      path="/tmp/trivy-132503"

Version

$ trivy --version
Version: 0.69.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-03-19 06:49:01.617693213 +0000 UTC
  NextUpdate: 2026-03-20 06:49:01.617692913 +0000 UTC
  DownloadedAt: 2026-03-19 12:37:35.228613538 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2026-03-19 01:17:54.395813642 +0000 UTC
  NextUpdate: 2026-03-22 01:17:54.39581332 +0000 UTC
  DownloadedAt: 2026-03-19 12:39:42.006013135 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[Arsenicu]

aquasecurity/vuln-list@8352d1b

[rahg0]

I could still see the behaviour even after the change. Am i missing something here.?

[DmitriyLewen]

Hello @rahg0
DId you update trivy-db?

[rahg0]

Initiated a new scan and it looks OK now.
Was there a delay in publishing the new db after the above change.?

[DmitriyLewen]

Right. We stopped updating trivy-db to fix the security incident - #10425 (comment)

[rahg0]

Got it!. Thank you, Dmitriy. 🙏