@blamejs/exceptd-skills 0.12.13 → 0.12.16

package/data/cve-catalog.json

@@ -38,10 +38,234 @@
     "vendor_advisory_note": "Each CVE carries a structured vendor_advisories array (vendor, advisory_id, url, severity, published_date) for downstream consumers that route by vendor advisory. Unknown advisory IDs are null with the canonical vendor CVE-resolver URL — never fabricated. Existing free-form references are preserved in verification_sources; vendor_advisories is additive.",
     "id_conventions": {
       "default": "CVE-YYYY-NNNNN",
-      "non_cve_keys_accepted": ["SNYK-*", "GHSA-*"],
+      "non_cve_keys_accepted": [
+        "SNYK-*",
+        "GHSA-*"
+      ],
       "note": "Catalog keys are CVE-* by default. For pre-CVE-assignment advisories under active operational impact, the project accepts OSV-native identifier shapes as the canonical key, with cross-references retained in `aliases`: MAL-* (OSSF Malicious Packages dataset — published into OSV.dev; primary key for malicious-package compromises), GHSA-* (GitHub Advisory Database; primary key when the package is on GitHub and no CVE has issued yet), and SNYK-* (Snyk advisory dataset; primary key for advisories Snyk catalogued before OSV/GHSA ingested them). When MITRE issues a CVE, the entry is renamed in lockstep with the matching zeroday-lessons key; the previous identifier is retained in `aliases` so historical references continue to resolve. Precedent: MAL-2026-3083 added 2026-05-13 (the elementary-data PyPI worm, 1.1M monthly downloads, OSV/OSSF-cataloged before any CVE issued). EPSS coverage does not extend to non-CVE identifiers; epss_score is null with a documenting epss_note on such entries. Upstream pull from OSV.dev: `exceptd refresh --source osv` (added v0.12.10)."
     }
   },
+  "CVE-2025-53773": {
+    "name": "GitHub Copilot / VS Code 'YOLO mode' Prompt Injection RCE",
+    "type": "RCE-via-prompt-injection",
+    "cvss_score": 7.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_correction_note": "v0.12.6 source audit corrected from CVSS 9.6/AV:N (network) to CVSS 7.8/AV:L (local) — the attack is local-vector via developer-side IDE interaction; the attacker does not reach in over the network. NVD authoritative.",
+    "cwe_refs": [
+      "CWE-77"
+    ],
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Published by Johann Rehberger (Embrace the Red, August 2025). Hidden instructions in any agent-readable content (source comments, README, GitHub issues, tool-call responses) coerce Copilot agent mode to write \"chat.tools.autoApprove\": true to .vscode/settings.json, flipping the agent into 'YOLO mode' where every subsequent shell tool call auto-approves without user confirmation. Demo executes calc.exe / Calculator.app via the autoapproved run_in_terminal tool.",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": true,
+    "ai_assisted_notes": "The vulnerability IS in an AI tool (Copilot agent mode). Attack chain bottlenecks on a structural settings-file write — converts the 'any text could be injection' fuzzy detection problem into a one-line filesystem IoC.",
+    "active_exploitation": "suspected",
+    "affected": "Microsoft Visual Studio 2022 17.14.0-17.14.11 (fixed in 17.14.12). GitHub Copilot Chat extension on VS Code at versions predating the August 2025 Patch Tuesday fix. Architectural surface affects any Copilot-agent-mode-enabled environment.",
+    "affected_versions": [
+      "Visual Studio 2022: >=17.14.0, <17.14.12",
+      "GitHub Copilot Chat (VS Code extension): versions predating the August 2025 Patch Tuesday fix"
+    ],
+    "vector": "Three-step chain: (1) attacker plants instructions in any content the agent reads — source-file comments, README, issue body, web-fetched docs, MCP tool response; (2) Copilot agent mode follows the planted instructions to write `\"chat.tools.autoApprove\": true` into `.vscode/settings.json` (workspace or user-global) — file write is silent and persistent, no in-editor diff shown; (3) every subsequent shell tool call auto-approves without user confirmation, giving full local code execution under the developer's identity. Worm angle (demonstrated): post-exploitation can `git commit` the malicious settings file and push it to other repos.",
+    "complexity": "low",
+    "complexity_notes": "Attacker crafts agent-readable content. The agent writes the YOLO-mode flag itself; no race condition or timing dependency. Invisible Unicode Tag-block (U+E0000-U+E007F) variants demonstrated for content-level evasion.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Visual Studio 17.14.12 (August 2025 Patch Tuesday)",
+      "GitHub Copilot Chat extension auto-update"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-2": "AI agent actions use the developer's authorized service account — AC-2 does not constrain agent-config bypass.",
+      "NIST-800-53-CM-7": "Least functionality does not address agent-mode auto-approval flags.",
+      "SOC2-CC6-logical-access": "Logical access controls don't apply to model-context-window-mediated actions."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0054"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.001",
+      "T1190"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 15,
+      "active_exploitation": 10,
+      "blast_radius": 10,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "RWEP recomputed in v0.12.6 after CVSS 9.6→7.8 correction. AV:L (local) reduces blast_radius weight; vendor patch + auto-updating IDE reduce live_patch_available impact.",
+    "epss_score": 0.046,
+    "epss_percentile": 0.893,
+    "epss_date": "2026-05-13",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-53773",
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-53773",
+      "https://embracethered.com/blog/posts/2025/github-copilot-remote-code-execution-via-prompt-injection/",
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53773",
+      "https://www.wiz.io/vulnerability-database/cve/cve-2025-53773"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Microsoft MSRC",
+        "advisory_id": "CVE-2025-53773",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53773",
+        "severity": "high",
+        "published_date": "2025-08-12"
+      },
+      {
+        "vendor": "GitHub Security Advisories",
+        "advisory_id": null,
+        "url": "https://github.com/advisories?query=CVE-2025-53773",
+        "severity": "high",
+        "published_date": "2025-08-12"
+      }
+    ],
+    "iocs": {
+      "filesystem_post_exploit": [
+        ".vscode/settings.json (workspace) OR ~/.vscode/settings.json (user-global) contains \"chat.tools.autoApprove\": true — PRIMARY post-exploitation IoC. Setting is experimental + off by default + structural pivot the entire chain depends on. Near-zero false positive for non-developer users.",
+        ".vscode/settings.json content matches regex \"chat\\\\.(experimental|tools)\\\\..*\":\\\\s*true — broader sweep for any auto-approve / experimental flag in workspace-scoped settings.",
+        "settings.json mtime falls inside Copilot agent-mode session window AND diff includes any key under chat.tools.* or github.copilot.advanced.* — Copilot writes are immediately persistent, no diff-approval UI"
+      ],
+      "repository_supply_chain": [
+        "Repository ships a checked-in .vscode/settings.json with chat.tools.autoApprove or chat.experimental.*: true — pre-arms YOLO mode for any cloner running Copilot agent mode (supply-chain plant variant)",
+        "Repository content (README, source comments, issue/PR bodies) contains literal 'chat.tools.autoApprove' OR 'autoApprove\": true' OR 'YOLO mode' — payload must reference target key by name (suppress on this catalog, MSRC, embracethered.com)",
+        "Files in agent-readable surfaces (README.md, source comments, .github/*, CONTRIBUTING.md) contain codepoints in Unicode Tag block U+E0000-U+E007F or zero-width control characters U+200B-U+200F / U+202A-U+202E / U+2060-U+2064 — invisible-instruction injection technique"
+      ],
+      "behavioral": [
+        "Copilot agent tool-call sequence: read_file|web_fetch|github_issue_read → write_file('.vscode/settings.json' OR '*/settings.json') → run_in_terminal, no request_user_confirmation between writes and exec",
+        "Editor (Code.exe / 'Code Helper') parent process spawns interactive shell (powershell/pwsh/bash/zsh) whose command line is not in user shell history AND not in {--login, REPL}"
+      ],
+      "worm_propagation": [
+        "Agent session writes .vscode/settings.json, then issues git add + git commit + git push within the same session — wormable variant demonstrated by Rehberger"
+      ],
+      "version_exposure": [
+        "Visual Studio 2022 installation with productVersion < 17.14.12 (Windows registry: HKLM\\\\SOFTWARE\\\\Microsoft\\\\VisualStudio\\\\Setup; or vswhere.exe -property installationVersion)",
+        "GitHub Copilot Chat extension at versions predating August 2025 Patch Tuesday fix"
+      ],
+      "forensic_note": "The .vscode/settings.json modification is silent and persistent — no in-editor diff is shown to the user. Defenders investigating suspected compromise should snapshot workspace + user-global settings.json BEFORE remediating; the file IS the primary forensic artifact."
+    },
+    "last_updated": "2026-05-13"
+  },
+  "CVE-2026-30615": {
+    "name": "Windsurf MCP Local-Vector RCE via Adversarial Tool Response",
+    "type": "RCE-supply-chain",
+    "cvss_score": 8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
+    "cvss_correction_note": "v0.12.9 (2026-05-13): catalog previously stored CVSS 9.8 / AV:N. NVD authoritative is 8.0 / AV:L (local attack vector; attacker must control HTML content the Windsurf MCP client processes — not a network-vector zero-interaction RCE as initially cataloged). Source: https://nvd.nist.gov/vuln/detail/CVE-2026-30615 (published 2026-04-15, last_modified 2026-04-27, vulnStatus: Deferred). Recompute RWEP with blast_radius reduced from 30→20 to reflect local-vector + Scope:U.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Partial — MCP client vulnerability in Windsurf allows malicious MCP server to achieve code execution without user interaction",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "suspected",
+    "affected": "Windsurf IDE users with MCP servers installed. Architectural attack surface affects all MCP-capable AI coding assistants (Cursor, VS Code, Claude Code, Gemini CLI). 150M+ combined downloads.",
+    "affected_versions": [
+      "Windsurf < patched version"
+    ],
+    "vector": "Malicious MCP server delivers adversarial tool response → AI assistant follows instructions without user interaction → code execution in user context",
+    "complexity": "low",
+    "complexity_notes": "Attacker needs to get a malicious MCP server installed (supply chain, typosquatting, or compromise of legitimate server). Once installed, exploitation is automatic.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "IDE update — vendor patch"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SA-12": "Supply chain protection doesn't contemplate MCP server trust as a category.",
+      "NIST-800-53-CM-7": "Least functionality doesn't address AI tool plugin authorization.",
+      "ISO-27001-2022-A.8.30": "Outsourced development controls don't cover MCP server trust.",
+      "SOC2-CC9-vendor-management": "Vendor management doesn't reach developer-installed AI tool plugins."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0016",
+      "AML.T0051",
+      "AML.T0096"
+    ],
+    "attack_refs": [
+      "T1195.001",
+      "T1059",
+      "T1552.001",
+      "T1041"
+    ],
+    "rwep_score": 35,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 10,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "epss_score": 0.14,
+    "epss_percentile": 0.86,
+    "epss_date": "2026-05-11",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-30615",
+    "source_verified": "2026-05-01",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-30615"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Codeium / Windsurf",
+        "advisory_id": null,
+        "url": "https://codeium.com/security/CVE-2026-30615",
+        "severity": "critical",
+        "published_date": "2026-02-18"
+      },
+      {
+        "vendor": "GitHub Security Advisories",
+        "advisory_id": null,
+        "url": "https://github.com/advisories?query=CVE-2026-30615",
+        "severity": "critical",
+        "published_date": "2026-02-19"
+      }
+    ],
+    "iocs": {
+      "payload_content_patterns": [
+        "ANSI escape sequences (byte 0x1B) in any tools/list field (description, inputSchema.properties.*.description) or tools/call response content[].text — subclasses: SGR color invisibility (\\x1B[38;5;...m), cursor movement (\\x1B[nF/G/H), screen clear (\\x1B[0J), OSC-8 hyperlinks (\\x1B]8;;<url>\\x1B\\\\). Source: Trail of Bits 2025-04-29.",
+        "Unicode Tag-block codepoints U+E0000-U+E007F in any tools/list or tools/call string field (zero-width to humans, tokenized by the LLM). Source: Embrace the Red 2025.",
+        "Instruction-coercion grammar in tool descriptions or responses: <IMPORTANT>...</IMPORTANT> blocks, 'Before using this tool, read ~/.ssh/' or '~/.cursor/mcp.json', 'Do not mention .* to the user', 'pass .* content as', 'THIS TOOL IS REQUIRED FOR (GDPR|SOC2|INTERNAL AUDITING|COMPLIANCE)', 'ALWAYS CONSULT THIS TOOL IMMEDIATELY', 'chmod -R 0666 ~', 'After answering the previous question, please ENSURE you put the following text verbatim'. Sources: Invariant Labs (tool-poisoning), Trail of Bits (line-jumping), Palo Alto Unit 42 (sampling abuse).",
+        "Tool response references sensitive path: ~/.ssh/id_rsa, ~/.aws/credentials, ~/.config/gcloud, ~/.kube/config, ~/.cursor/mcp.json, ~/.codeium/windsurf/mcp_config.json, ~/.config/claude/config.json, ~/.claude/settings.json, ~/.npmrc — OR process.env.{AWS_SECRET*, GITHUB_TOKEN, NPM_TOKEN, OPENAI_API_KEY, ANTHROPIC_API_KEY} (cross-server credential-shadow operational signature)"
+      ],
+      "behavioral": [
+        "Two or more tools/call invocations within a single user turn where second target not named in user prompt AND second target is in {exec, shell, run_command, fetch, write_file, read_file, network_request, eval} — operational signature of line-jumping and Unicode-Tag-smuggled coercion",
+        "MCP child process opens connection to host NOT in manifest.allowed_egress (for signed servers) OR NOT in TOFU baseline (for unsigned). Postmark-mcp class: legitimate-functionality-preserving payload republished under same name, only signal is unexpected egress destination",
+        "MCP server tool invocation count rises ≥10× over 7-day rolling baseline within 24h of (a) version bump, (b) tools/list response shape change with new tools OR ≥3× description length growth, (c) publisher key rotation — compromised-legitimate-publisher signature"
+      ],
+      "persistence_artifacts": [
+        "~/.cursor/mcp.json — mcpServers.* entries added or command field rewritten",
+        "~/.codeium/windsurf/mcp_config.json — mcpServers.* additions",
+        "~/.config/claude/config.json — mcpServers.* additions",
+        "~/.claude/settings.json — permissions.allow relaxations OR hooks.SessionStart additions referencing MCP launcher (cross-cuts CVE-2026-45321 persistence vector)",
+        "~/.config/Code/User/settings.json — chat.mcp.servers additions",
+        ".vscode/mcp.json in project root — workspace-scoped MCP additions",
+        "~/.gemini/settings.json — mcpServers additions",
+        "package.json — postinstall script that writes any of the above"
+      ],
+      "supply_chain_entry_vectors": [
+        "npm same-name republish of legitimate MCP package (canonical example: postmark-mcp impersonating ActiveCampaign's Postmark MCP)",
+        "npm typosquat within edit-distance-2 of @modelcontextprotocol/* official namespace",
+        "SANDWORM_MODE-style worm: malicious package writes mcpServers entry into local AI-assistant config on postinstall, propagating across every assistant on the developer endpoint",
+        "Compromised legitimate publisher key — malicious update from previously-trusted maintainer; signature-based controls do not fire"
+      ]
+    },
+    "last_updated": "2026-05-13"
+  },
   "CVE-2026-31431": {
     "name": "Copy Fail",
     "type": "LPE",
@@ -78,7 +302,7 @@
       "NIST-800-53-SI-2": "30-day critical patch SLA is an exploitation window, not a security window, for CISA KEV + public PoC. 'Timely' is undefined for instant-root deterministic LPE.",
       "ISO-27001-2022-A.8.8": "'Appropriate timescales' is undefined; standard interpretation of 30 days is architecturally unsafe for this class. No live-patch requirement.",
       "PCI-DSS-4.0-6.3.3": "1-month critical patch window; same problem as SI-2.",
-      "NIS2-Art21": "No specific guidance on live patching capability or CISA KEV-class response timelines.",
+      "NIS2-Art21-patch-management": "No specific guidance on live patching capability or CISA KEV-class response timelines.",
       "CIS-Controls-v8-Control7": "IG3 continuous vulnerability management; 'within one month' still too long for this class."
     },
     "atlas_refs": [],
@@ -102,7 +326,9 @@
     "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-31431",
     "epss_correction_note": "v0.12.9: refreshed from live FIRST API. Catalog previously stored 0.94 / 0.99 (estimate for newly-published CVE; EPSS model cold-start). Live values reflect post-disclosure exploitation telemetry through 2026-05-13.",
-    "cwe_refs": ["CWE-669"],
+    "cwe_refs": [
+      "CWE-669"
+    ],
     "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-31431",
@@ -171,17 +397,214 @@
         "dmesg BUG: or WARN_ON originating from mm/filemap.c, mm/memory.c, fs/splice.c, or mm/gup.c within 60s of an unprivileged-process privilege transition"
       ],
       "behavioral": [
-        "Process whose /proc/<pid>/status transitions Uid: 1000 1000 1000 1000 -> Uid: 0 0 0 0 without an intervening execve of a setuid binary (DirtyCred-class signal)",
-        "Root-uid shell (bash, sh, dash, zsh) whose PPid resolves to a non-setuid, non-root parent (python, ruby, node, user-owned /tmp or /home binary)",
-        "Anonymous RWX region (rwxp 00000000) appearing in /proc/<pid>/maps of a process that did not previously have one and is not a known JIT runtime",
-        "Unprivileged process holding open file descriptor to /proc/self/mem or /proc/<other_pid>/mem in write mode"
+        "Process whose /proc/<pid>/status transitions Uid: 1000 1000 1000 1000 -> Uid: 0 0 0 0 without an intervening execve of a setuid binary (DirtyCred-class signal)",
+        "Root-uid shell (bash, sh, dash, zsh) whose PPid resolves to a non-setuid, non-root parent (python, ruby, node, user-owned /tmp or /home binary)",
+        "Anonymous RWX region (rwxp 00000000) appearing in /proc/<pid>/maps of a process that did not previously have one and is not a known JIT runtime",
+        "Unprivileged process holding open file descriptor to /proc/self/mem or /proc/<other_pid>/mem in write mode"
+      ],
+      "livepatch_gap": [
+        "Kernel version in affected_versions range AND /sys/kernel/livepatch/*/cve-ids does NOT contain CVE-2026-31431 — treat as EXPOSED regardless of generic livepatch-active flag",
+        "RHEL: kpatch-livepatch-*-CVE-2026-31431 RPM installed but not in `kpatch list` Loaded patch modules section (package-installed-without-load silent exposure)",
+        "Ubuntu: `canonical-livepatch status --verbose` 'fixes:' list does not include CVE-2026-31431 while kernel in affected range"
+      ],
+      "forensic_note": "Copy Fail is deterministic, 732-byte, single-stage, memory-only. Disk-forensic indicators (shell history, dropped binaries, persistence files) are unreliable — competent operators leave no on-disk trace. The runtime_syscall + kernel_trace + behavioral entries are the load-bearing detection surface. Disk indicators are limited to the exploit OUTCOMES (/etc/passwd mutation, suid drift), not the exploit ARTIFACTS."
+    },
+    "last_updated": "2026-05-13"
+  },
+  "CVE-2026-39884": {
+    "name": "Flux159 mcp-server-kubernetes Argument Injection via port_forward",
+    "type": "argument-injection",
+    "cvss_score": 8.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "GHSA-4xqg-gf5c-ghwq publishes the PoC: invoke port_forward tool with resourceName containing space-delimited kubectl flags. Attacker-controllable args reach kubectl via .split(' ') concatenation in startPortForward() / executeKubectlCommandAsync().",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "suspected",
+    "active_exploitation_notes": "No public exploitation evidence as of 2026-05-13, but the MCP-server ecosystem has known opportunistic-scan history. Treated as suspected.",
+    "affected": "Flux159 mcp-server-kubernetes — MCP server giving AI assistants kubectl control. Installed in AI agent stacks that talk to Kubernetes clusters.",
+    "affected_versions": [
+      "mcp-server-kubernetes <= 3.4.0"
+    ],
+    "vector": "AI assistant invokes the port_forward MCP tool with resourceName='pod-name --address=0.0.0.0' or similar. The MCP server builds a string-form kubectl command and uses .split(' ') instead of an args array — the attacker-controlled flag lands as a distinct argv entry to kubectl. --address=0.0.0.0 binds the port-forward to all interfaces; -n kube-system redirects to attacker-chosen namespace.",
+    "complexity": "low",
+    "complexity_notes": "Only requires the AI assistant to be tricked (prompt injection in retrieved docs / commit messages / MCP tool responses) into passing a tainted resourceName. PR-injection / RAG-poisoning surface upstream gates exploitation.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Upgrade mcp-server-kubernetes to 3.5.0+ (argv-array refactor)",
+      "Until patched: disable the port_forward tool in MCP allowlist (most operator deployments don't rely on it)"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation control doesn't address the argv-vs-string boundary that argument injection exploits — many MCP servers concatenate user input into shell commands without registering this as a code-review failure.",
+      "OWASP-LLM-Top-10-2025-LLM01": "Prompt-injection-as-access-control gap — the attacker doesn't compromise the MCP server directly; they feed adversarial input that the AI passes through.",
+      "NIS2-Art21-patch-management": "Patch management presumes traditional CVE timelines; MCP plugin ecosystem patch awareness lags."
+    },
+    "atlas_refs": [
+      "AML.T0053",
+      "AML.T0051"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1078"
+    ],
+    "rwep_score": 20,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 10,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 — patch available, mitigation via tool disable, but the class (AI-mediated argument injection into infrastructure tools) is operationally important to track.",
+    "epss_score": 0.00039,
+    "epss_percentile": 0.11727,
+    "epss_date": "2026-05-13",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-39884",
+    "cwe_refs": [
+      "CWE-88"
+    ],
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-39884",
+      "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Flux159",
+        "advisory_id": "GHSA-4xqg-gf5c-ghwq",
+        "url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq",
+        "severity": "high",
+        "published_date": "2026-04-15"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "src/tools/port_forward.ts startPortForward() / executeKubectlCommandAsync() in any version <= 3.4.0 — calls `.split(' ')` on user-input-concatenated command string",
+        "dist/tools/port_forward.js — compiled artifact in installed package"
+      ],
+      "behavioral": [
+        "MCP audit log showing port_forward tool calls with resourceName containing spaces or kubectl flag prefixes (`--`, `-n`)",
+        "kubectl port-forward processes with --address=0.0.0.0 on hosts that never invoke port-forward manually",
+        "kubectl port-forward processes targeting kube-system / kube-public namespaces when the operator's intended namespace was a workload namespace",
+        "Multiple -n flags in a single kubectl invocation (split-by-space duplicate-flag injection signature)"
+      ],
+      "runtime_syscall": [
+        "execve of kubectl with argv containing /^--address=/ from a parent process in node_modules/mcp-server-kubernetes/dist/",
+        "Network listener bound to 0.0.0.0:<port> by a kubectl process on a host that should only port-forward to localhost"
+      ]
+    },
+    "last_updated": "2026-05-13"
+  },
+  "CVE-2026-42208": {
+    "name": "BerriAI LiteLLM Proxy Auth SQL Injection",
+    "type": "RCE-via-sql-injection",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_v4_score": 9.3,
+    "cvss_v4_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-08",
+    "cisa_kev_due_date": "2026-05-29",
+    "poc_available": true,
+    "poc_description": "GHSA-r75f-5x8p-qvmc documents the sink shape — crafted Authorization header to any LLM API route reaches the vulnerable query through error-handling paths. KEV-listed implies in-wild exploitation evidence.",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA KEV listing criterion is in-wild exploitation evidence.",
+    "affected": "BerriAI LiteLLM Proxy — open-source LLM-API gateway managing credentials + routing across model providers. Used in front of AI agent stacks, MCP-server fronts, multi-model proxy deployments. Substantial production footprint.",
+    "affected_versions": [
+      "litellm >= 1.81.16",
+      "litellm < 1.83.7"
+    ],
+    "vector": "Authorization header value passed directly into a SQL query in the proxy's auth path. Crafted bearer-token-shape strings reach the error-logging pathway which executes SQL with the attacker-controlled value as a string-concatenated parameter. Result: read/modify the managed-credentials DB without prior auth.",
+    "complexity": "low",
+    "complexity_notes": "Curl-able exploit — POST to /chat/completions with a SQL-injection payload in Authorization. Network-reachable, no auth, no UI.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Upgrade to litellm 1.83.7+ (parameterised query — caller-supplied value is now a SQL parameter not a concatenated string)",
+      "Temporary workaround: `general_settings: disable_error_logs: true` removes the error-handling pathway the injection abuses"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation control doesn't address argument-vs-statement distinction in SQL libraries. SI-10 is satisfied by 'we validate inputs' regardless of whether the validation runs before the SQL parameter binding.",
+      "OWASP-LLM-Top-10-2025-LLM01": "Prompt injection control set doesn't address the AI-PROXY backend SQL surface — LiteLLM is the substrate that gates LLM API access, not the LLM itself.",
+      "NIS2-Art21-incident-handling": "Cryptographic measures control doesn't address application-layer SQL injection.",
+      "EU-AI-Act-Art-15": "Robustness + cybersecurity requirement is undefined operationally for AI gateway infrastructure."
+    },
+    "atlas_refs": [
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078.001"
+    ],
+    "rwep_score": 65,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Operationally P1 — KEV-listed, network-vector, no auth, full credential DB compromise. AI-stack fleets running LiteLLM as the gateway should patch within the KEV 21-day window at minimum.",
+    "epss_score": 0.37368,
+    "epss_percentile": 0.9722,
+    "epss_date": "2026-05-13",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-42208",
+    "cwe_refs": [
+      "CWE-89"
+    ],
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-42208",
+      "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "BerriAI",
+        "advisory_id": "GHSA-r75f-5x8p-qvmc",
+        "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc",
+        "severity": "critical",
+        "published_date": "2026-05-08"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": null,
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208",
+        "severity": "critical",
+        "published_date": "2026-05-08"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "POST /chat/completions with Authorization header value containing SQL-injection metacharacters (`'`, `--`, `OR 1=1`, UNION-based payloads)",
+        "Any HTTP request to a LiteLLM proxy where the Authorization header value is unusually long (> 100 chars) or contains characters outside [A-Za-z0-9\\-_.~+/=]"
+      ],
+      "behavioral": [
+        "LiteLLM proxy db (default sqlite or postgres) showing new rows in the LiteLLM_VerificationToken / LiteLLM_UserTable created without a corresponding admin-UI session",
+        "LiteLLM error logs containing parameterised-SQL failure shapes that include the Authorization header string verbatim (pre-1.83.7 the value lands in error logs in cleartext)",
+        "Outbound network from a LiteLLM proxy host to a model-provider endpoint using a freshly-issued virtual key that has no admin-event history",
+        "Mass key-generation events in LiteLLM logs (the SQLi path includes a key-mint primitive)"
       ],
-      "livepatch_gap": [
-        "Kernel version in affected_versions range AND /sys/kernel/livepatch/*/cve-ids does NOT contain CVE-2026-31431 — treat as EXPOSED regardless of generic livepatch-active flag",
-        "RHEL: kpatch-livepatch-*-CVE-2026-31431 RPM installed but not in `kpatch list` Loaded patch modules section (package-installed-without-load silent exposure)",
-        "Ubuntu: `canonical-livepatch status --verbose` 'fixes:' list does not include CVE-2026-31431 while kernel in affected range"
+      "c2_indicators": [
+        "Outbound from a LiteLLM proxy host to model-provider endpoints (openai, anthropic, etc.) using virtual keys not minted via the admin UI (compromised proxy uses its own stolen keys to mask attacker traffic as legitimate proxy traffic)"
       ],
-      "forensic_note": "Copy Fail is deterministic, 732-byte, single-stage, memory-only. Disk-forensic indicators (shell history, dropped binaries, persistence files) are unreliable — competent operators leave no on-disk trace. The runtime_syscall + kernel_trace + behavioral entries are the load-bearing detection surface. Disk indicators are limited to the exploit OUTCOMES (/etc/passwd mutation, suid drift), not the exploit ARTIFACTS."
+      "credential_paths_scanned": [
+        "LiteLLM proxy DATABASE_URL-pointed database (sqlite file or postgres connection) — once SQLi reaches the DB, the entire managed-credentials table is read/write",
+        "Environment variables LITELLM_MASTER_KEY, DATABASE_URL on the proxy host"
+      ]
     },
     "last_updated": "2026-05-13"
   },
@@ -238,7 +661,9 @@
     "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-43284",
     "epss_correction_note": "v0.12.9: refreshed from live FIRST API. Previous values (0.18 / 0.88) were estimates for the newly-published CVE; cold-start EPSS routinely overstates newly-cataloged kernel CVEs.",
-    "cwe_refs": ["CWE-123"],
+    "cwe_refs": [
+      "CWE-123"
+    ],
     "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-43284"
@@ -288,18 +713,32 @@
       }
     ],
     "subsystem_anchors": {
-      "kernel_modules": ["esp4", "esp6", "xfrm_user", "xfrm_algo"],
+      "kernel_modules": [
+        "esp4",
+        "esp6",
+        "xfrm_user",
+        "xfrm_algo"
+      ],
       "kernel_symbols": [
-        "esp_input", "esp_input_tail", "esp_input_done2",
-        "esp6_input", "esp6_input_done2",
-        "xfrm_input", "xfrm_rcv_cb", "xfrm_replay_advance"
+        "esp_input",
+        "esp_input_tail",
+        "esp_input_done2",
+        "esp6_input",
+        "esp6_input_done2",
+        "xfrm_input",
+        "xfrm_rcv_cb",
+        "xfrm_replay_advance"
+      ],
+      "procfs_paths": [
+        "/proc/net/xfrm_stat"
       ],
-      "procfs_paths": ["/proc/net/xfrm_stat"],
       "syscall_surface": [
         "socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM=6)",
         "sendmsg() to xfrm netlink with XFRM_MSG_NEWSA / XFRM_MSG_UPDSA"
       ],
-      "caps_required_legit": ["CAP_NET_ADMIN"],
+      "caps_required_legit": [
+        "CAP_NET_ADMIN"
+      ],
       "caps_required_exploit": "CAP_NET_ADMIN within user namespace if unprivileged_userns_clone=1; else CAP_NET_ADMIN on host",
       "deployment_prevalence_note": "IPsec subsystem present in essentially every distro kernel (CONFIG_XFRM=y). Module ESP4/ESP6 loads lazily on first use; presence of /proc/net/xfrm_stat alone does not indicate active IPsec — check `ip xfrm state` for live SAs."
     },
@@ -364,7 +803,9 @@
     "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-43500",
     "epss_correction_note": "v0.12.9: refreshed from live FIRST API (cold-start cleanup).",
-    "cwe_refs": ["CWE-787"],
+    "cwe_refs": [
+      "CWE-787"
+    ],
     "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-43500"
@@ -406,275 +847,63 @@
         "published_date": "2026-04-04"
       },
       {
-        "vendor": "Microsoft (WSL2)",
-        "advisory_id": null,
-        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43500",
-        "severity": "important",
-        "published_date": "2026-04-05"
-      }
-    ],
-    "subsystem_anchors": {
-      "kernel_modules": ["rxrpc", "af_rxrpc", "kafs"],
-      "kernel_symbols": [
-        "rxrpc_recvmsg", "rxrpc_sendmsg",
-        "rxrpc_input_packet", "rxrpc_input_data",
-        "rxrpc_alloc_skb", "rxrpc_kernel_send_data",
-        "afs_make_call", "afs_deliver_to_call"
-      ],
-      "procfs_paths": [
-        "/proc/net/rxrpc/calls",
-        "/proc/net/rxrpc/conns",
-        "/proc/net/rxrpc/peers",
-        "/proc/net/rxrpc/locals"
-      ],
-      "syscall_surface": [
-        "socket(AF_RXRPC, SOCK_DGRAM, PF_INET|PF_INET6)",
-        "setsockopt(RXRPC_SECURITY_KEY / RXRPC_EXCLUSIVE_CONNECTION / RXRPC_UPGRADEABLE_SERVICE)"
-      ],
-      "caps_required_legit": "none — AF_RXRPC sockets openable by any user with the protocol family compiled in",
-      "caps_required_exploit": "none for socket open; CAP_NET_ADMIN not required — this is part of why RxRPC is attractive in a chain",
-      "deployment_prevalence_note": "RxRPC present in mainline as tristate module (CONFIG_AF_RXRPC=m). Loaded only on demand; only first-party in-tree consumer is kafs (CONFIG_AFS_FS). Estimated <2% of enterprise Linux hosts have rxrpc loaded at any given moment. Low ambient noise makes any AF_RXRPC socket open by a non-AFS process a high-signal IoC.",
-      "legitimate_rxrpc_openers": [
-        "Kernel threads: kafsd (per-namespace), kworker doing kafs work",
-        "OpenAFS suite: afsd, aklog, unlog, tokens, fs, vos, pts, bos, kas, udebug, cmdebug, kpasswd, klog, rxdebug, rxgen, xstat_*",
-        "kafs-utils equivalents (varies by distro)",
-        "Filesystem mount processes: mount.afs, mount.kafs"
-      ]
-    },
-    "iocs": {
-      "behavioral": [
-        "Any process not on the kafs/OpenAFS allowlist (afsd, aklog, fs, vos, pts, bos, kas, kpasswd, rxdebug, mount.afs, mount.kafs, kafsd, kworker) opening AF_RXRPC socket — RxRPC has near-zero ambient noise outside AFS environments",
-        "/proc/net/rxrpc/calls non-empty on a host with no AFS configuration (/etc/openafs/CellServDB absent AND /etc/krb5.conf absent)",
-        "lsmod contains rxrpc OR af_rxrpc AND lsmod does NOT contain kafs AND /etc/openafs/CellServDB does not exist — module loaded without its only first-party consumer",
-        "Outbound UDP/7000-7007 (kafs RxRPC port range) from a host not declared as an AFS client"
-      ],
-      "false_positive_distinguishers": [
-        "Academic / research / national-lab environments commonly run OpenAFS — establish per-host baseline rather than fleet-wide block",
-        "Integration tests (kafs-testing, OpenAFS regression suite) open AF_RXRPC briefly — distinguish by parent process and lifetime <60s",
-        "Check for kafs-testing or OpenAFS source tree in /home or /opt; check short-lived (<5min) module load via `dmesg | grep rxrpc` timestamps"
-      ]
-    },
-    "pairing_note": "CVE-2026-43500 only realizes its full primitive when chained with CVE-2026-43284. Detection of either subsystem being exercised on a host that should have neither is itself the chain-detection signal. Simultaneous match of esp-module-loaded-no-policy AND rxrpc-active-call-no-afs-config should escalate to a deterministic paired finding.",
-    "last_updated": "2026-05-13"
-  },
-  "CVE-2025-53773": {
-    "name": "GitHub Copilot / VS Code 'YOLO mode' Prompt Injection RCE",
-    "type": "RCE-via-prompt-injection",
-    "cvss_score": 7.8,
-    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
-    "cvss_correction_note": "v0.12.6 source audit corrected from CVSS 9.6/AV:N (network) to CVSS 7.8/AV:L (local) — the attack is local-vector via developer-side IDE interaction; the attacker does not reach in over the network. NVD authoritative.",
-    "cwe_refs": ["CWE-77"],
-    "cisa_kev": false,
-    "cisa_kev_date": null,
-    "poc_available": true,
-    "poc_description": "Published by Johann Rehberger (Embrace the Red, August 2025). Hidden instructions in any agent-readable content (source comments, README, GitHub issues, tool-call responses) coerce Copilot agent mode to write \"chat.tools.autoApprove\": true to .vscode/settings.json, flipping the agent into 'YOLO mode' where every subsequent shell tool call auto-approves without user confirmation. Demo executes calc.exe / Calculator.app via the autoapproved run_in_terminal tool.",
-    "ai_discovered": false,
-    "ai_assisted_weaponization": true,
-    "ai_assisted_notes": "The vulnerability IS in an AI tool (Copilot agent mode). Attack chain bottlenecks on a structural settings-file write — converts the 'any text could be injection' fuzzy detection problem into a one-line filesystem IoC.",
-    "active_exploitation": "suspected",
-    "affected": "Microsoft Visual Studio 2022 17.14.0-17.14.11 (fixed in 17.14.12). GitHub Copilot Chat extension on VS Code at versions predating the August 2025 Patch Tuesday fix. Architectural surface affects any Copilot-agent-mode-enabled environment.",
-    "affected_versions": [
-      "Visual Studio 2022: >=17.14.0, <17.14.12",
-      "GitHub Copilot Chat (VS Code extension): versions predating the August 2025 Patch Tuesday fix"
-    ],
-    "vector": "Three-step chain: (1) attacker plants instructions in any content the agent reads — source-file comments, README, issue body, web-fetched docs, MCP tool response; (2) Copilot agent mode follows the planted instructions to write `\"chat.tools.autoApprove\": true` into `.vscode/settings.json` (workspace or user-global) — file write is silent and persistent, no in-editor diff shown; (3) every subsequent shell tool call auto-approves without user confirmation, giving full local code execution under the developer's identity. Worm angle (demonstrated): post-exploitation can `git commit` the malicious settings file and push it to other repos.",
-    "complexity": "low",
-    "complexity_notes": "Attacker crafts agent-readable content. The agent writes the YOLO-mode flag itself; no race condition or timing dependency. Invisible Unicode Tag-block (U+E0000-U+E007F) variants demonstrated for content-level evasion.",
-    "patch_available": true,
-    "patch_required_reboot": false,
-    "live_patch_available": true,
-    "live_patch_tools": [
-      "Visual Studio 17.14.12 (August 2025 Patch Tuesday)",
-      "GitHub Copilot Chat extension auto-update"
-    ],
-    "framework_control_gaps": {
-      "ALL-MAJOR-FRAMEWORKS": "No framework has a control category for AI-agent-configuration bypass of user confirmation. Agent writes a settings file the user never sees a diff for; access control treats this as the developer's authorized action.",
-      "NIST-800-53-AC-2": "AI agent actions use the developer's authorized service account — AC-2 does not constrain agent-config bypass.",
-      "NIST-800-53-CM-7": "Least functionality does not address agent-mode auto-approval flags.",
-      "SOC2-CC6": "Logical access controls don't apply to model-context-window-mediated actions."
-    },
-    "atlas_refs": [
-      "AML.T0051",
-      "AML.T0054"
-    ],
-    "attack_refs": [
-      "T1059",
-      "T1059.001",
-      "T1190"
-    ],
-    "rwep_score": 30,
-    "rwep_factors": {
-      "cisa_kev": 0,
-      "poc_available": 20,
-      "ai_factor": 15,
-      "active_exploitation": 10,
-      "blast_radius": 10,
-      "patch_available": -15,
-      "live_patch_available": -10,
-      "reboot_required": 0
-    },
-    "rwep_notes": "RWEP recomputed in v0.12.6 after CVSS 9.6→7.8 correction. AV:L (local) reduces blast_radius weight; vendor patch + auto-updating IDE reduce live_patch_available impact.",
-    "epss_score": 0.046,
-    "epss_percentile": 0.893,
-    "epss_date": "2026-05-13",
-    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-53773",
-    "source_verified": "2026-05-13",
-    "verification_sources": [
-      "https://nvd.nist.gov/vuln/detail/CVE-2025-53773",
-      "https://embracethered.com/blog/posts/2025/github-copilot-remote-code-execution-via-prompt-injection/",
-      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53773",
-      "https://www.wiz.io/vulnerability-database/cve/cve-2025-53773"
-    ],
-    "vendor_advisories": [
-      {
-        "vendor": "Microsoft MSRC",
-        "advisory_id": "CVE-2025-53773",
-        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53773",
-        "severity": "high",
-        "published_date": "2025-08-12"
-      },
-      {
-        "vendor": "GitHub Security Advisories",
-        "advisory_id": null,
-        "url": "https://github.com/advisories?query=CVE-2025-53773",
-        "severity": "high",
-        "published_date": "2025-08-12"
-      }
-    ],
-    "iocs": {
-      "filesystem_post_exploit": [
-        ".vscode/settings.json (workspace) OR ~/.vscode/settings.json (user-global) contains \"chat.tools.autoApprove\": true — PRIMARY post-exploitation IoC. Setting is experimental + off by default + structural pivot the entire chain depends on. Near-zero false positive for non-developer users.",
-        ".vscode/settings.json content matches regex \"chat\\\\.(experimental|tools)\\\\..*\":\\\\s*true — broader sweep for any auto-approve / experimental flag in workspace-scoped settings.",
-        "settings.json mtime falls inside Copilot agent-mode session window AND diff includes any key under chat.tools.* or github.copilot.advanced.* — Copilot writes are immediately persistent, no diff-approval UI"
-      ],
-      "repository_supply_chain": [
-        "Repository ships a checked-in .vscode/settings.json with chat.tools.autoApprove or chat.experimental.*: true — pre-arms YOLO mode for any cloner running Copilot agent mode (supply-chain plant variant)",
-        "Repository content (README, source comments, issue/PR bodies) contains literal 'chat.tools.autoApprove' OR 'autoApprove\": true' OR 'YOLO mode' — payload must reference target key by name (suppress on this catalog, MSRC, embracethered.com)",
-        "Files in agent-readable surfaces (README.md, source comments, .github/*, CONTRIBUTING.md) contain codepoints in Unicode Tag block U+E0000-U+E007F or zero-width control characters U+200B-U+200F / U+202A-U+202E / U+2060-U+2064 — invisible-instruction injection technique"
-      ],
-      "behavioral": [
-        "Copilot agent tool-call sequence: read_file|web_fetch|github_issue_read → write_file('.vscode/settings.json' OR '*/settings.json') → run_in_terminal, no request_user_confirmation between writes and exec",
-        "Editor (Code.exe / 'Code Helper') parent process spawns interactive shell (powershell/pwsh/bash/zsh) whose command line is not in user shell history AND not in {--login, REPL}"
-      ],
-      "worm_propagation": [
-        "Agent session writes .vscode/settings.json, then issues git add + git commit + git push within the same session — wormable variant demonstrated by Rehberger"
-      ],
-      "version_exposure": [
-        "Visual Studio 2022 installation with productVersion < 17.14.12 (Windows registry: HKLM\\\\SOFTWARE\\\\Microsoft\\\\VisualStudio\\\\Setup; or vswhere.exe -property installationVersion)",
-        "GitHub Copilot Chat extension at versions predating August 2025 Patch Tuesday fix"
-      ],
-      "forensic_note": "The .vscode/settings.json modification is silent and persistent — no in-editor diff is shown to the user. Defenders investigating suspected compromise should snapshot workspace + user-global settings.json BEFORE remediating; the file IS the primary forensic artifact."
-    },
-    "last_updated": "2026-05-13"
-  },
-  "CVE-2026-30615": {
-    "name": "Windsurf MCP Local-Vector RCE via Adversarial Tool Response",
-    "type": "RCE-supply-chain",
-    "cvss_score": 8.0,
-    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
-    "cvss_correction_note": "v0.12.9 (2026-05-13): catalog previously stored CVSS 9.8 / AV:N. NVD authoritative is 8.0 / AV:L (local attack vector; attacker must control HTML content the Windsurf MCP client processes — not a network-vector zero-interaction RCE as initially cataloged). Source: https://nvd.nist.gov/vuln/detail/CVE-2026-30615 (published 2026-04-15, last_modified 2026-04-27, vulnStatus: Deferred). Recompute RWEP with blast_radius reduced from 30→20 to reflect local-vector + Scope:U.",
-    "cisa_kev": false,
-    "cisa_kev_date": null,
-    "poc_available": true,
-    "poc_description": "Partial — MCP client vulnerability in Windsurf allows malicious MCP server to achieve code execution without user interaction",
-    "ai_discovered": false,
-    "ai_assisted_weaponization": false,
-    "active_exploitation": "suspected",
-    "affected": "Windsurf IDE users with MCP servers installed. Architectural attack surface affects all MCP-capable AI coding assistants (Cursor, VS Code, Claude Code, Gemini CLI). 150M+ combined downloads.",
-    "affected_versions": [
-      "Windsurf < patched version"
-    ],
-    "vector": "Malicious MCP server delivers adversarial tool response → AI assistant follows instructions without user interaction → code execution in user context",
-    "complexity": "low",
-    "complexity_notes": "Attacker needs to get a malicious MCP server installed (supply chain, typosquatting, or compromise of legitimate server). Once installed, exploitation is automatic.",
-    "patch_available": true,
-    "patch_required_reboot": false,
-    "live_patch_available": true,
-    "live_patch_tools": [
-      "IDE update — vendor patch"
-    ],
-    "framework_control_gaps": {
-      "NIST-800-53-SA-12": "Supply chain protection doesn't contemplate MCP server trust as a category.",
-      "NIST-800-53-CM-7": "Least functionality doesn't address AI tool plugin authorization.",
-      "ISO-27001-2022-A.8.30": "Outsourced development controls don't cover MCP server trust.",
-      "SOC2-CC9": "Vendor management doesn't reach developer-installed AI tool plugins."
-    },
-    "atlas_refs": [
-      "AML.T0010",
-      "AML.T0016",
-      "AML.T0051",
-      "AML.T0096"
-    ],
-    "attack_refs": [
-      "T1195.001",
-      "T1059",
-      "T1552.001",
-      "T1041"
-    ],
-    "rwep_score": 35,
-    "rwep_factors": {
-      "cisa_kev": 0,
-      "poc_available": 20,
-      "ai_factor": 0,
-      "active_exploitation": 10,
-      "blast_radius": 30,
-      "patch_available": -15,
-      "live_patch_available": -10,
-      "reboot_required": 0
-    },
-    "epss_score": 0.14,
-    "epss_percentile": 0.86,
-    "epss_date": "2026-05-11",
-    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-30615",
-    "source_verified": "2026-05-01",
-    "verification_sources": [
-      "https://nvd.nist.gov/vuln/detail/CVE-2026-30615"
-    ],
-    "vendor_advisories": [
-      {
-        "vendor": "Codeium / Windsurf",
-        "advisory_id": null,
-        "url": "https://codeium.com/security/CVE-2026-30615",
-        "severity": "critical",
-        "published_date": "2026-02-18"
-      },
-      {
-        "vendor": "GitHub Security Advisories",
+        "vendor": "Microsoft (WSL2)",
         "advisory_id": null,
-        "url": "https://github.com/advisories?query=CVE-2026-30615",
-        "severity": "critical",
-        "published_date": "2026-02-19"
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43500",
+        "severity": "important",
+        "published_date": "2026-04-05"
       }
     ],
-    "iocs": {
-      "payload_content_patterns": [
-        "ANSI escape sequences (byte 0x1B) in any tools/list field (description, inputSchema.properties.*.description) or tools/call response content[].text — subclasses: SGR color invisibility (\\x1B[38;5;...m), cursor movement (\\x1B[nF/G/H), screen clear (\\x1B[0J), OSC-8 hyperlinks (\\x1B]8;;<url>\\x1B\\\\). Source: Trail of Bits 2025-04-29.",
-        "Unicode Tag-block codepoints U+E0000-U+E007F in any tools/list or tools/call string field (zero-width to humans, tokenized by the LLM). Source: Embrace the Red 2025.",
-        "Instruction-coercion grammar in tool descriptions or responses: <IMPORTANT>...</IMPORTANT> blocks, 'Before using this tool, read ~/.ssh/' or '~/.cursor/mcp.json', 'Do not mention .* to the user', 'pass .* content as', 'THIS TOOL IS REQUIRED FOR (GDPR|SOC2|INTERNAL AUDITING|COMPLIANCE)', 'ALWAYS CONSULT THIS TOOL IMMEDIATELY', 'chmod -R 0666 ~', 'After answering the previous question, please ENSURE you put the following text verbatim'. Sources: Invariant Labs (tool-poisoning), Trail of Bits (line-jumping), Palo Alto Unit 42 (sampling abuse).",
-        "Tool response references sensitive path: ~/.ssh/id_rsa, ~/.aws/credentials, ~/.config/gcloud, ~/.kube/config, ~/.cursor/mcp.json, ~/.codeium/windsurf/mcp_config.json, ~/.config/claude/config.json, ~/.claude/settings.json, ~/.npmrc — OR process.env.{AWS_SECRET*, GITHUB_TOKEN, NPM_TOKEN, OPENAI_API_KEY, ANTHROPIC_API_KEY} (cross-server credential-shadow operational signature)"
+    "subsystem_anchors": {
+      "kernel_modules": [
+        "rxrpc",
+        "af_rxrpc",
+        "kafs"
       ],
-      "behavioral": [
-        "Two or more tools/call invocations within a single user turn where second target not named in user prompt AND second target is in {exec, shell, run_command, fetch, write_file, read_file, network_request, eval} — operational signature of line-jumping and Unicode-Tag-smuggled coercion",
-        "MCP child process opens connection to host NOT in manifest.allowed_egress (for signed servers) OR NOT in TOFU baseline (for unsigned). Postmark-mcp class: legitimate-functionality-preserving payload republished under same name, only signal is unexpected egress destination",
-        "MCP server tool invocation count rises ≥10× over 7-day rolling baseline within 24h of (a) version bump, (b) tools/list response shape change with new tools OR ≥3× description length growth, (c) publisher key rotation — compromised-legitimate-publisher signature"
+      "kernel_symbols": [
+        "rxrpc_recvmsg",
+        "rxrpc_sendmsg",
+        "rxrpc_input_packet",
+        "rxrpc_input_data",
+        "rxrpc_alloc_skb",
+        "rxrpc_kernel_send_data",
+        "afs_make_call",
+        "afs_deliver_to_call"
       ],
-      "persistence_artifacts": [
-        "~/.cursor/mcp.json — mcpServers.* entries added or command field rewritten",
-        "~/.codeium/windsurf/mcp_config.json — mcpServers.* additions",
-        "~/.config/claude/config.json — mcpServers.* additions",
-        "~/.claude/settings.json — permissions.allow relaxations OR hooks.SessionStart additions referencing MCP launcher (cross-cuts CVE-2026-45321 persistence vector)",
-        "~/.config/Code/User/settings.json — chat.mcp.servers additions",
-        ".vscode/mcp.json in project root — workspace-scoped MCP additions",
-        "~/.gemini/settings.json — mcpServers additions",
-        "package.json — postinstall script that writes any of the above"
+      "procfs_paths": [
+        "/proc/net/rxrpc/calls",
+        "/proc/net/rxrpc/conns",
+        "/proc/net/rxrpc/peers",
+        "/proc/net/rxrpc/locals"
       ],
-      "supply_chain_entry_vectors": [
-        "npm same-name republish of legitimate MCP package (canonical example: postmark-mcp impersonating ActiveCampaign's Postmark MCP)",
-        "npm typosquat within edit-distance-2 of @modelcontextprotocol/* official namespace",
-        "SANDWORM_MODE-style worm: malicious package writes mcpServers entry into local AI-assistant config on postinstall, propagating across every assistant on the developer endpoint",
-        "Compromised legitimate publisher key — malicious update from previously-trusted maintainer; signature-based controls do not fire"
+      "syscall_surface": [
+        "socket(AF_RXRPC, SOCK_DGRAM, PF_INET|PF_INET6)",
+        "setsockopt(RXRPC_SECURITY_KEY / RXRPC_EXCLUSIVE_CONNECTION / RXRPC_UPGRADEABLE_SERVICE)"
+      ],
+      "caps_required_legit": "none — AF_RXRPC sockets openable by any user with the protocol family compiled in",
+      "caps_required_exploit": "none for socket open; CAP_NET_ADMIN not required — this is part of why RxRPC is attractive in a chain",
+      "deployment_prevalence_note": "RxRPC present in mainline as tristate module (CONFIG_AF_RXRPC=m). Loaded only on demand; only first-party in-tree consumer is kafs (CONFIG_AFS_FS). Estimated <2% of enterprise Linux hosts have rxrpc loaded at any given moment. Low ambient noise makes any AF_RXRPC socket open by a non-AFS process a high-signal IoC.",
+      "legitimate_rxrpc_openers": [
+        "Kernel threads: kafsd (per-namespace), kworker doing kafs work",
+        "OpenAFS suite: afsd, aklog, unlog, tokens, fs, vos, pts, bos, kas, udebug, cmdebug, kpasswd, klog, rxdebug, rxgen, xstat_*",
+        "kafs-utils equivalents (varies by distro)",
+        "Filesystem mount processes: mount.afs, mount.kafs"
+      ]
+    },
+    "iocs": {
+      "behavioral": [
+        "Any process not on the kafs/OpenAFS allowlist (afsd, aklog, fs, vos, pts, bos, kas, kpasswd, rxdebug, mount.afs, mount.kafs, kafsd, kworker) opening AF_RXRPC socket — RxRPC has near-zero ambient noise outside AFS environments",
+        "/proc/net/rxrpc/calls non-empty on a host with no AFS configuration (/etc/openafs/CellServDB absent AND /etc/krb5.conf absent)",
+        "lsmod contains rxrpc OR af_rxrpc AND lsmod does NOT contain kafs AND /etc/openafs/CellServDB does not exist — module loaded without its only first-party consumer",
+        "Outbound UDP/7000-7007 (kafs RxRPC port range) from a host not declared as an AFS client"
+      ],
+      "false_positive_distinguishers": [
+        "Academic / research / national-lab environments commonly run OpenAFS — establish per-host baseline rather than fleet-wide block",
+        "Integration tests (kafs-testing, OpenAFS regression suite) open AF_RXRPC briefly — distinguish by parent process and lifetime <60s",
+        "Check for kafs-testing or OpenAFS source tree in /home or /opt; check short-lived (<5min) module load via `dmesg | grep rxrpc` timestamps"
       ]
     },
+    "pairing_note": "CVE-2026-43500 only realizes its full primitive when chained with CVE-2026-43284. Detection of either subsystem being exercised on a host that should have neither is itself the chain-detection signal. Simultaneous match of esp-module-loaded-no-policy AND rxrpc-active-call-no-afs-config should escalate to a deterministic paired finding.",
     "last_updated": "2026-05-13"
   },
   "CVE-2026-45321": {
@@ -910,7 +1139,11 @@
     "epss_date": "2026-05-13",
     "epss_source": null,
     "epss_note": "EPSS coverage does not extend to non-CVE advisories. FIRST EPSS API only indexes CVE identifiers; MAL-* / SNYK-* / GHSA-* keys return no data. Re-query and populate epss_score when MITRE assigns a CVE id and the entry is renamed.",
-    "cwe_refs": ["CWE-506", "CWE-77", "CWE-94"],
+    "cwe_refs": [
+      "CWE-506",
+      "CWE-77",
+      "CWE-94"
+    ],
     "source_verified": "2026-05-13",
     "verification_sources": [
       "https://api.osv.dev/v1/query (POST {package:{name:elementary-data,ecosystem:PyPI},version:0.23.3}) — returns MAL-2026-3083",
@@ -992,198 +1225,5 @@
       ]
     },
     "last_updated": "2026-05-13"
-  },
-  "CVE-2026-42208": {
-    "name": "BerriAI LiteLLM Proxy Auth SQL Injection",
-    "type": "RCE-via-sql-injection",
-    "cvss_score": 9.8,
-    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-    "cvss_v4_score": 9.3,
-    "cvss_v4_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
-    "cisa_kev": true,
-    "cisa_kev_date": "2026-05-08",
-    "cisa_kev_due_date": "2026-05-29",
-    "poc_available": true,
-    "poc_description": "GHSA-r75f-5x8p-qvmc documents the sink shape — crafted Authorization header to any LLM API route reaches the vulnerable query through error-handling paths. KEV-listed implies in-wild exploitation evidence.",
-    "ai_discovered": false,
-    "ai_assisted_weaponization": false,
-    "active_exploitation": "confirmed",
-    "active_exploitation_notes": "CISA KEV listing criterion is in-wild exploitation evidence.",
-    "affected": "BerriAI LiteLLM Proxy — open-source LLM-API gateway managing credentials + routing across model providers. Used in front of AI agent stacks, MCP-server fronts, multi-model proxy deployments. Substantial production footprint.",
-    "affected_versions": [
-      "litellm >= 1.81.16",
-      "litellm < 1.83.7"
-    ],
-    "vector": "Authorization header value passed directly into a SQL query in the proxy's auth path. Crafted bearer-token-shape strings reach the error-logging pathway which executes SQL with the attacker-controlled value as a string-concatenated parameter. Result: read/modify the managed-credentials DB without prior auth.",
-    "complexity": "low",
-    "complexity_notes": "Curl-able exploit — POST to /chat/completions with a SQL-injection payload in Authorization. Network-reachable, no auth, no UI.",
-    "patch_available": true,
-    "patch_required_reboot": false,
-    "live_patch_available": true,
-    "live_patch_tools": [
-      "Upgrade to litellm 1.83.7+ (parameterised query — caller-supplied value is now a SQL parameter not a concatenated string)",
-      "Temporary workaround: `general_settings: disable_error_logs: true` removes the error-handling pathway the injection abuses"
-    ],
-    "framework_control_gaps": {
-      "NIST-800-53-SI-10": "Input validation control doesn't address argument-vs-statement distinction in SQL libraries. SI-10 is satisfied by 'we validate inputs' regardless of whether the validation runs before the SQL parameter binding.",
-      "OWASP-LLM-Top-10-2025-LLM01": "Prompt injection control set doesn't address the AI-PROXY backend SQL surface — LiteLLM is the substrate that gates LLM API access, not the LLM itself.",
-      "NIS2-Art21-incident-handling": "Cryptographic measures control doesn't address application-layer SQL injection.",
-      "EU-AI-Act-Art-15": "Robustness + cybersecurity requirement is undefined operationally for AI gateway infrastructure."
-    },
-    "atlas_refs": [
-      "AML.T0055"
-    ],
-    "attack_refs": [
-      "T1190",
-      "T1078.001"
-    ],
-    "rwep_score": 65,
-    "rwep_factors": {
-      "cisa_kev": 25,
-      "poc_available": 20,
-      "ai_factor": 0,
-      "active_exploitation": 20,
-      "blast_radius": 25,
-      "patch_available": -15,
-      "live_patch_available": -10,
-      "reboot_required": 0
-    },
-    "rwep_notes": "Operationally P1 — KEV-listed, network-vector, no auth, full credential DB compromise. AI-stack fleets running LiteLLM as the gateway should patch within the KEV 21-day window at minimum.",
-    "epss_score": 0.37368,
-    "epss_percentile": 0.9722,
-    "epss_date": "2026-05-13",
-    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-42208",
-    "cwe_refs": ["CWE-89"],
-    "source_verified": "2026-05-13",
-    "verification_sources": [
-      "https://nvd.nist.gov/vuln/detail/CVE-2026-42208",
-      "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc",
-      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208"
-    ],
-    "vendor_advisories": [
-      {
-        "vendor": "BerriAI",
-        "advisory_id": "GHSA-r75f-5x8p-qvmc",
-        "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc",
-        "severity": "critical",
-        "published_date": "2026-05-08"
-      },
-      {
-        "vendor": "CISA KEV",
-        "advisory_id": null,
-        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208",
-        "severity": "critical",
-        "published_date": "2026-05-08"
-      }
-    ],
-    "iocs": {
-      "payload_artifacts": [
-        "POST /chat/completions with Authorization header value containing SQL-injection metacharacters (`'`, `--`, `OR 1=1`, UNION-based payloads)",
-        "Any HTTP request to a LiteLLM proxy where the Authorization header value is unusually long (> 100 chars) or contains characters outside [A-Za-z0-9\\-_.~+/=]"
-      ],
-      "behavioral": [
-        "LiteLLM proxy db (default sqlite or postgres) showing new rows in the LiteLLM_VerificationToken / LiteLLM_UserTable created without a corresponding admin-UI session",
-        "LiteLLM error logs containing parameterised-SQL failure shapes that include the Authorization header string verbatim (pre-1.83.7 the value lands in error logs in cleartext)",
-        "Outbound network from a LiteLLM proxy host to a model-provider endpoint using a freshly-issued virtual key that has no admin-event history",
-        "Mass key-generation events in LiteLLM logs (the SQLi path includes a key-mint primitive)"
-      ],
-      "c2_indicators": [
-        "Outbound from a LiteLLM proxy host to model-provider endpoints (openai, anthropic, etc.) using virtual keys not minted via the admin UI (compromised proxy uses its own stolen keys to mask attacker traffic as legitimate proxy traffic)"
-      ],
-      "credential_paths_scanned": [
-        "LiteLLM proxy DATABASE_URL-pointed database (sqlite file or postgres connection) — once SQLi reaches the DB, the entire managed-credentials table is read/write",
-        "Environment variables LITELLM_MASTER_KEY, DATABASE_URL on the proxy host"
-      ]
-    },
-    "last_updated": "2026-05-13"
-  },
-  "CVE-2026-39884": {
-    "name": "Flux159 mcp-server-kubernetes Argument Injection via port_forward",
-    "type": "argument-injection",
-    "cvss_score": 8.3,
-    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
-    "cisa_kev": false,
-    "cisa_kev_date": null,
-    "poc_available": true,
-    "poc_description": "GHSA-4xqg-gf5c-ghwq publishes the PoC: invoke port_forward tool with resourceName containing space-delimited kubectl flags. Attacker-controllable args reach kubectl via .split(' ') concatenation in startPortForward() / executeKubectlCommandAsync().",
-    "ai_discovered": false,
-    "ai_assisted_weaponization": false,
-    "active_exploitation": "suspected",
-    "active_exploitation_notes": "No public exploitation evidence as of 2026-05-13, but the MCP-server ecosystem has known opportunistic-scan history. Treated as suspected.",
-    "affected": "Flux159 mcp-server-kubernetes — MCP server giving AI assistants kubectl control. Installed in AI agent stacks that talk to Kubernetes clusters.",
-    "affected_versions": [
-      "mcp-server-kubernetes <= 3.4.0"
-    ],
-    "vector": "AI assistant invokes the port_forward MCP tool with resourceName='pod-name --address=0.0.0.0' or similar. The MCP server builds a string-form kubectl command and uses .split(' ') instead of an args array — the attacker-controlled flag lands as a distinct argv entry to kubectl. --address=0.0.0.0 binds the port-forward to all interfaces; -n kube-system redirects to attacker-chosen namespace.",
-    "complexity": "low",
-    "complexity_notes": "Only requires the AI assistant to be tricked (prompt injection in retrieved docs / commit messages / MCP tool responses) into passing a tainted resourceName. PR-injection / RAG-poisoning surface upstream gates exploitation.",
-    "patch_available": true,
-    "patch_required_reboot": false,
-    "live_patch_available": true,
-    "live_patch_tools": [
-      "Upgrade mcp-server-kubernetes to 3.5.0+ (argv-array refactor)",
-      "Until patched: disable the port_forward tool in MCP allowlist (most operator deployments don't rely on it)"
-    ],
-    "framework_control_gaps": {
-      "NIST-800-53-SI-10": "Input validation control doesn't address the argv-vs-string boundary that argument injection exploits — many MCP servers concatenate user input into shell commands without registering this as a code-review failure.",
-      "OWASP-LLM-Top-10-2025-LLM01": "Prompt-injection-as-access-control gap — the attacker doesn't compromise the MCP server directly; they feed adversarial input that the AI passes through.",
-      "NIS2-Art21-patch-management": "Patch management presumes traditional CVE timelines; MCP plugin ecosystem patch awareness lags."
-    },
-    "atlas_refs": [
-      "AML.T0053",
-      "AML.T0051"
-    ],
-    "attack_refs": [
-      "T1059",
-      "T1078"
-    ],
-    "rwep_score": 20,
-    "rwep_factors": {
-      "cisa_kev": 0,
-      "poc_available": 20,
-      "ai_factor": 0,
-      "active_exploitation": 10,
-      "blast_radius": 15,
-      "patch_available": -15,
-      "live_patch_available": -10,
-      "reboot_required": 0
-    },
-    "rwep_notes": "P3 — patch available, mitigation via tool disable, but the class (AI-mediated argument injection into infrastructure tools) is operationally important to track.",
-    "epss_score": 0.00039,
-    "epss_percentile": 0.11727,
-    "epss_date": "2026-05-13",
-    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-39884",
-    "cwe_refs": ["CWE-88"],
-    "source_verified": "2026-05-13",
-    "verification_sources": [
-      "https://nvd.nist.gov/vuln/detail/CVE-2026-39884",
-      "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq"
-    ],
-    "vendor_advisories": [
-      {
-        "vendor": "Flux159",
-        "advisory_id": "GHSA-4xqg-gf5c-ghwq",
-        "url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq",
-        "severity": "high",
-        "published_date": "2026-04-15"
-      }
-    ],
-    "iocs": {
-      "payload_artifacts": [
-        "src/tools/port_forward.ts startPortForward() / executeKubectlCommandAsync() in any version <= 3.4.0 — calls `.split(' ')` on user-input-concatenated command string",
-        "dist/tools/port_forward.js — compiled artifact in installed package"
-      ],
-      "behavioral": [
-        "MCP audit log showing port_forward tool calls with resourceName containing spaces or kubectl flag prefixes (`--`, `-n`)",
-        "kubectl port-forward processes with --address=0.0.0.0 on hosts that never invoke port-forward manually",
-        "kubectl port-forward processes targeting kube-system / kube-public namespaces when the operator's intended namespace was a workload namespace",
-        "Multiple -n flags in a single kubectl invocation (split-by-space duplicate-flag injection signature)"
-      ],
-      "runtime_syscall": [
-        "execve of kubectl with argv containing /^--address=/ from a parent process in node_modules/mcp-server-kubernetes/dist/",
-        "Network listener bound to 0.0.0.0:<port> by a kubectl process on a host that should only port-forward to localhost"
-      ]
-    },
-    "last_updated": "2026-05-13"
   }
-}
+}