diff --git a/.github/workflows/image-scan.yml b/.github/workflows/image-scan.yml
index 3ea082d..d646c3b 100644
--- a/.github/workflows/image-scan.yml
+++ b/.github/workflows/image-scan.yml
@@ -63,4 +63,3 @@ jobs:
 trivyignores: .trivyignore
 scanners: vuln
 format: table
- severity: CRITICAL,HIGH
diff --git a/.trivyignore b/.trivyignore
index 7924dbf..08620b1 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -61,3 +61,15 @@ CVE-2026-22184
 # Go stdlib net/url: incorrect parsing of IPv6 host literals.
 # CNI plugins do not parse user-supplied URLs.
 CVE-2026-25679
+
+# zlib: DoS via infinite loop in crc32_combine functions.
+# No code path in this product calls crc32_combine directly.
+CVE-2026-27171
+
+# Go stdlib html/template: URL escaping issue in meta content attribute.
+# CNI plugins do not generate or serve HTML.
+CVE-2026-27142
+
+# Go stdlib os: FileInfo can escape from a Root in ReadDir.
+# CNI plugins do not use the os.Root sandboxed filesystem API.
+CVE-2026-27139
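Review bot: The three entries added to .trivyignore (CVE-2026-27171, CVE-2026-27142, CVE-2026-27139) are suppressed with no expiry, so the scan stays silent on them even after a fixed zlib or Go toolchain ships or the code starts using the affected API. Trivy's ignore file accepts an expiry on the entry, e.g. `CVE-2026-27171 exp:<YYYY-MM-DD>` (placeholder date), which forces a periodic re-review; confirm the Trivy version used by the workflow honours it. The zlib rationale only says nothing calls crc32_combine "directly", which leaves transitive callers in linked libraries unaddressed. I would record how that was checked, e.g. `# Verified by <method>: no linked component reaches crc32_combine.`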