diff --git a/vhdbuilder/packer/trivy-scan.sh b/vhdbuilder/packer/trivy-scan.sh
index 5b440e394b4..66451b2f921 100644
--- a/vhdbuilder/packer/trivy-scan.sh
+++ b/vhdbuilder/packer/trivy-scan.sh
@@ -9,16 +9,16 @@ CVE_LIST_QUERY_OUTPUT_PATH=${TRIVY_REPORT_DIRNAME}/cve-list.txt
 TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"
 
 # renovate: datasource=custom.deb2004 depName=trivy versioning=deb
-TRIVY_DEB_2004_VERSION="0.68.2-ubuntu20.04u7"
+TRIVY_DEB_2004_VERSION="0.68.2-ubuntu20.04u8"
 
 # renovate: datasource=custom.deb2204 depName=trivy versioning=deb
-TRIVY_DEB_2204_VERSION="0.68.2-ubuntu22.04u7"
+TRIVY_DEB_2204_VERSION="0.68.2-ubuntu22.04u8"
 
 # renovate: datasource=custom.deb2404 depName=trivy versioning=deb
-TRIVY_DEB_2404_VERSION="0.68.2-ubuntu24.04u7"
+TRIVY_DEB_2404_VERSION="0.68.2-ubuntu24.04u8"
 
 # renovate: datasource=rpm depName=trivy registryUrl=https://packages.microsoft.com/azurelinux/3.0/prod/cloud-native/x86_64/repodata
-TRIVY_RPM_VERSION="0.68.2-7.azl3"
+TRIVY_RPM_VERSION="0.68.2-8.azl3"
 
 # Fallback version for SKUs without PMC packages (Flatcar, AzureContainerLinux, AzureLinuxOSGuard).
 # This MUST match an actual upstream GitHub release tag — PMC versions (0.68.x) don't exist on GitHub.