@blamejs/exceptd-skills 0.12.24 → 0.12.26

package/data/cve-catalog.json

@@ -59,6 +59,8 @@
     "poc_available": true,
     "poc_description": "Published by Johann Rehberger (Embrace the Red, August 2025). Hidden instructions in any agent-readable content (source comments, README, GitHub issues, tool-call responses) coerce Copilot agent mode to write \"chat.tools.autoApprove\": true to .vscode/settings.json, flipping the agent into 'YOLO mode' where every subsequent shell tool call auto-approves without user confirmation. Demo executes calc.exe / Calculator.app via the autoapproved run_in_terminal tool.",
     "ai_discovered": false,
+    "ai_discovery_source": "unknown",
+    "ai_discovery_notes": "Disclosure provenance for the original bug discovery is unattributed in published references. Distinct from ai_assisted_weaponization (set true) — ai_assisted_weaponization=AI used to develop the exploit; ai_discovered=AI found the bug. The two fields are NOT interchangeable; clarified here to reconcile with data/exploit-availability.json's ai_discovery_confirmed=false + ai_tool_enabled=true on this CVE.",
     "ai_assisted_weaponization": true,
     "ai_assisted_notes": "The vulnerability IS in an AI tool (Copilot agent mode). Attack chain bottlenecks on a structural settings-file write — converts the 'any text could be injection' fuzzy detection problem into a one-line filesystem IoC.",
     "active_exploitation": "suspected",
@@ -154,7 +156,7 @@
       ],
       "forensic_note": "The .vscode/settings.json modification is silent and persistent — no in-editor diff is shown to the user. Defenders investigating suspected compromise should snapshot workspace + user-global settings.json BEFORE remediating; the file IS the primary forensic artifact."
     },
-    "last_updated": "2026-05-13"
+    "last_updated": "2026-05-15"
   },
   "CVE-2026-30615": {
     "name": "Windsurf MCP Local-Vector RCE via Adversarial Tool Response",
@@ -167,6 +169,8 @@
     "poc_available": true,
     "poc_description": "Partial — MCP client vulnerability in Windsurf allows malicious MCP server to achieve code execution without user interaction",
     "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Human security research by Trail of Bits (2026-04-29 tool-poisoning analysis) and Johann Rehberger (Embrace the Red) on the MCP adversarial-tool-response surface class. No agentic-AI discovery component reported by either party.",
     "ai_assisted_weaponization": false,
     "active_exploitation": "suspected",
     "affected": "Windsurf IDE users with MCP servers installed. Architectural attack surface affects all MCP-capable AI coding assistants (Cursor, VS Code, Claude Code, Gemini CLI). 150M+ combined downloads.",
@@ -264,7 +268,7 @@
         "Compromised legitimate publisher key — malicious update from previously-trusted maintainer; signature-based controls do not fire"
       ]
     },
-    "last_updated": "2026-05-13"
+    "last_updated": "2026-05-15"
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",
@@ -421,6 +425,8 @@
     "poc_available": true,
     "poc_description": "GHSA-4xqg-gf5c-ghwq publishes the PoC: invoke port_forward tool with resourceName containing space-delimited kubectl flags. Attacker-controllable args reach kubectl via .split(' ') concatenation in startPortForward() / executeKubectlCommandAsync().",
     "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Human security research surfaced the .split(' ') vs argv-array boundary; GHSA-4xqg-gf5c-ghwq documents the sink shape directly without an AI-tooling provenance trail. The AI angle is in the *exploitation channel* (prompt-injection-mediated tool call), not the *discovery* of the underlying argv-injection.",
     "ai_assisted_weaponization": false,
     "active_exploitation": "suspected",
     "active_exploitation_notes": "No public exploitation evidence as of 2026-05-13, but the MCP-server ecosystem has known opportunistic-scan history. Treated as suspected.",
@@ -500,7 +506,7 @@
         "Network listener bound to 0.0.0.0:<port> by a kubectl process on a host that should only port-forward to localhost"
       ]
     },
-    "last_updated": "2026-05-13"
+    "last_updated": "2026-05-15"
   },
   "CVE-2026-42208": {
     "name": "BerriAI LiteLLM Proxy Auth SQL Injection",
@@ -515,6 +521,8 @@
     "poc_available": true,
     "poc_description": "GHSA-r75f-5x8p-qvmc documents the sink shape — crafted Authorization header to any LLM API route reaches the vulnerable query through error-handling paths. KEV-listed implies in-wild exploitation evidence.",
     "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Conventional human security research by Sysdig Threat Research Team. SQLi sink discovery did not use AI-agentic tooling per the published disclosure. AI relevance is downstream — LiteLLM is AI-gateway infrastructure but the bug class is classical SQLi.",
     "ai_assisted_weaponization": false,
     "active_exploitation": "confirmed",
     "active_exploitation_notes": "CISA KEV listing criterion is in-wild exploitation evidence.",
@@ -606,7 +614,7 @@
         "Environment variables LITELLM_MASTER_KEY, DATABASE_URL on the proxy host"
       ]
     },
-    "last_updated": "2026-05-13"
+    "last_updated": "2026-05-15"
   },
   "CVE-2026-43284": {
     "name": "Dirty Frag (ESP/IPsec component)",
@@ -621,6 +629,8 @@
     "poc_available": true,
     "poc_description": "Chain component — exploits page-cache write primitive in ESP/IPsec subsystem. Part of two-CVE chain with CVE-2026-43500.",
     "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via netdev upstream + Sysdig writeup. Sysdig speculated AI-assistance given 9-year latency in upstream skb_try_coalesce path, but no vendor advisory or researcher claim confirms AI discovery. Reverted to human_researcher until upstream attribution clarifies.",
     "ai_assisted_weaponization": false,
     "active_exploitation": "suspected",
     "affected": "Linux systems using IPsec/ESP kernel subsystem — all major distributions with kernel IPsec support",
@@ -656,7 +666,7 @@
       "live_patch_available": 0,
       "reboot_required": 5
     },
-    "epss_score": 7e-05,
+    "epss_score": 0.00007,
     "epss_percentile": 0.0051,
     "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-43284",
@@ -755,7 +765,7 @@
         "Re-sample 60s after lsmod-loaded-no-policy fires; persistent absence of `ip xfrm state` for >120s with loaded modules indicates non-startup-race anomaly"
       ]
     },
-    "last_updated": "2026-05-13"
+    "last_updated": "2026-05-15"
   },
   "CVE-2026-43500": {
     "name": "Dirty Frag (RxRPC component)",
@@ -767,6 +777,8 @@
     "poc_available": true,
     "poc_description": "Chain component — exploits page-cache write primitive in RxRPC subsystem. Used in combination with CVE-2026-43284.",
     "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via netdev upstream + Sysdig writeup. Sysdig speculated AI-assistance given 9-year latency in upstream skb_try_coalesce path, but no vendor advisory or researcher claim confirms AI discovery. Reverted to human_researcher until upstream attribution clarifies.",
     "ai_assisted_weaponization": false,
     "active_exploitation": "suspected",
     "affected": "Linux systems with RxRPC support",
@@ -904,7 +916,7 @@
       ]
     },
     "pairing_note": "CVE-2026-43500 only realizes its full primitive when chained with CVE-2026-43284. Detection of either subsystem being exercised on a host that should have neither is itself the chain-detection signal. Simultaneous match of esp-module-loaded-no-policy AND rxrpc-active-call-no-afs-config should escalate to a deterministic paired finding.",
-    "last_updated": "2026-05-13"
+    "last_updated": "2026-05-15"
   },
   "CVE-2026-45321": {
     "name": "Mini Shai-Hulud TanStack npm worm",
@@ -918,6 +930,8 @@
     "poc_available": true,
     "poc_description": "Confirmed in-the-wild — 84 malicious versions published across 42 @tanstack/* packages between 2026-05-11 19:20-19:26 UTC. The worm itself IS the PoC; payload analysis published by multiple researchers within 20 minutes.",
     "ai_discovered": false,
+    "ai_discovery_source": "threat_actor_ai_built",
+    "ai_discovery_notes": "Engineering-grade chained CI-trust-boundary attack attributed to TeamPCP. No AI-discovery component — the primitives (pull_request_target co-residency, actions/cache poisoning, /proc/<pid>/mem token-scraping) are documented human tradecraft. Tagged threat_actor_ai_built source enum to capture the AI-relevant impact-class framing without claiming AI-discovery of the underlying primitive.",
     "ai_assisted_weaponization": false,
     "ai_assisted_notes": "Attack methodology is engineering-grade — chained primitives across CI/CD, pnpm cache, and OIDC token handling. No evidence of AI-assisted exploit development; attribution: TeamPCP.",
     "active_exploitation": "confirmed",
@@ -1068,7 +1082,7 @@
         "Windows variant (original Shai-Hulud carry-forward): del /F /Q /S \"%USERPROFILE%*\" && cipher /W:%USERPROFILE%"
       ]
     },
-    "last_updated": "2026-05-13"
+    "last_updated": "2026-05-15"
   },
   "MAL-2026-3083": {
     "name": "Elementary-Data PyPI Worm (Forged Release via GitHub Actions Script Injection)",
@@ -1237,6 +1251,8 @@
     "poc_available": true,
     "poc_description": "Public PoC released alongside disclosure on the V12 security team's GitHub. One-line invocation against /usr/bin/su yields a root shell. No race condition — the page-cache write primitive is deterministic.",
     "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by William Bowling / V12 security team (human researcher). Earlier RULE7 backfill attributed to Zellic.io conflated Fragnesia with adjacent Dirty Frag commentary; the V12 PoC against /usr/bin/su is human-authored.",
     "ai_assisted_weaponization": false,
     "active_exploitation": "none",
     "affected": "Linux kernel — all distributions shipping kernel >= 5.10 with the XFRM ESP-in-TCP path enabled (default on RHEL 8/9, Ubuntu 20.04+, Debian 11+, Amazon Linux 2/2023, SUSE 15, AlmaLinux 8/9, CloudLinux 8/9, Rocky Linux 8/9, Alpine, and derivatives). Containers inherit host-kernel exposure regardless of image patch level.",
@@ -1391,6 +1407,1290 @@
       ],
       "forensic_note": "Fragnesia corrupts page-cache pages without touching disk. File-integrity tools that hash on-disk bytes (AIDE, Tripwire, IMA in measure-only mode) cannot detect the corruption — the on-disk file is unchanged. Detection requires either (a) reading the binary through the page cache (`vmtouch` + `sha256sum`) and comparing to a freshly-read-from-disk copy after `echo 3 > /proc/sys/vm/drop_caches`, or (b) the runtime_syscall + kernel_trace indicators above. Operators who blacklisted esp4 / esp6 / rxrpc for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) are already mitigated for Fragnesia — the mitigation set is identical."
     },
-    "last_updated": "2026-05-14"
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2024-21626": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "runc /proc/self/fd leak (Leaky Vessels)",
+    "type": "container-escape",
+    "cvss_score": 8.6,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2024-04-08",
+    "poc_available": true,
+    "poc_description": "Snyk Labs published PoC demonstrating container escape via leaked /proc/self/fd file descriptor pointing at host filesystem root.",
+    "ai_discovered": false,
+    "active_exploitation": "confirmed",
+    "affected": "runc <= 1.1.11 — Docker, containerd, Kubernetes, podman, and every container runtime built on runc.",
+    "affected_versions": [
+      "runc <= 1.1.11"
+    ],
+    "vector": "File descriptor leak in runc's WORKDIR / process.cwd handling — attacker container process inherits an fd to the host filesystem, executes against /proc/self/fd/N to escape.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "runc 1.1.12+",
+      "Docker 25.0.2+",
+      "containerd 1.7.13+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-39": "Process isolation control assumes runtime correctness — does not account for runtime-level escape.",
+      "ISO-27001-2022-A.8.22": "Segregation of networks/workloads doesn't address container-runtime escape.",
+      "CIS-Kubernetes-Benchmark-5.7": "Pod security standards do not require runtime patch SLA <= 24h for container-escape KEV entries."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1611"
+    ],
+    "rwep_score": 75,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "epss_score": 0.65,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-403"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-21626",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2024-3094": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "xz-utils liblzma backdoor",
+    "type": "supply-chain-backdoor",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2024-04-03",
+    "poc_available": true,
+    "poc_description": "Backdoor itself is the PoC — public analyses by Andres Freund, Akamai, JFrog, Binarly document the signed-binary insertion and the sshd RSA-pubkey-mediated payload trigger.",
+    "ai_discovered": false,
+    "ai_discovery_notes": "Discovered by Andres Freund (human researcher) via performance-regression investigation — sshd 0.5s startup delay traced to liblzma symbol resolution.",
+    "active_exploitation": "suspected",
+    "active_exploitation_notes": "Backdoor was caught before mass exploitation; payload trigger reachable only via attacker holding the corresponding Ed448 signing key.",
+    "affected": "xz-utils 5.6.0 and 5.6.1 — distributed in Debian sid, Fedora 40/41 betas, Kali rolling, openSUSE Tumbleweed, Arch (briefly).",
+    "affected_versions": [
+      "xz-utils 5.6.0",
+      "xz-utils 5.6.1"
+    ],
+    "vector": "Multi-stage build-time injection — encrypted shell stages in test fixtures, assembled by m4 macros at configure time, inject a runtime function-pointer override into liblzma's IFUNC resolver. sshd linked against libsystemd (which depends on liblzma) routes specific RSA pubkeys to attacker code path.",
+    "complexity": "high",
+    "complexity_notes": "Exploitation requires possession of the Ed448 signing key embedded in the backdoor.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "xz-utils 5.6.2+",
+      "Distribution rollback to xz-utils 5.4.x",
+      "Debian/RedHat security-pinned 5.2.x"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF-PW.4": "Reuse of secure-by-default components assumes upstream components ARE secure; xz-utils was an upstream that compromised itself across two years of maintainer takeover.",
+      "ISO-27001-2022-A.8.30": "Outsourced development controls don't address upstream OSS maintainer-compromise — the org has no contract with xz.",
+      "NIST-800-53-SR-3": "Supply chain controls anchor on direct vendors; tier-3 (libsystemd -> liblzma) dependencies routinely escape SR-3 inventory.",
+      "EU-CRA-Art13": "Cyber Resilience Act requires SBOM but does not require upstream-maintainer trust assessment.",
+      "SLSA-v1.0-Build-L3": "SLSA build-integrity does not address pre-build source-tree compromise; the malicious test fixtures were committed by the legitimate maintainer account."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1195.002",
+      "T1554"
+    ],
+    "rwep_score": 70,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 10,
+      "blast_radius": 40,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "epss_score": 0.86,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-506",
+      "CWE-1357"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-3094",
+      "https://www.openwall.com/lists/oss-security/2024/03/29/4",
+      "https://research.swtch.com/xz-script"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2024-3154": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "CRI-O arbitrary kernel-module load",
+    "type": "container-escape",
+    "cvss_score": 8.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Public PoC demonstrates kernel module load via crafted pod spec.",
+    "ai_discovered": false,
+    "active_exploitation": "unknown",
+    "affected": "CRI-O 1.27.x < 1.27.10, 1.28.x < 1.28.7, 1.29.x < 1.29.4.",
+    "affected_versions": [
+      "cri-o < 1.29.4",
+      "cri-o < 1.28.7",
+      "cri-o < 1.27.10"
+    ],
+    "vector": "Pod spec attributes reach modprobe argument path without validation — attacker with pod-create RBAC loads arbitrary kernel module onto node.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "AppArmor deny-module-load profile",
+      "SELinux module_load deny rule"
+    ],
+    "vendor_update_paths": [
+      "cri-o 1.29.4+",
+      "cri-o 1.28.7+",
+      "cri-o 1.27.10+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-CM-7": "Least functionality control assumes node-level kernel-module policy is enforced; cluster runtimes that broker module loads invert the trust direction.",
+      "CIS-Kubernetes-Benchmark-4.2.13": "AppArmor profile guidance does not specifically require deny-module-load.",
+      "NIS2-Art21-supply-chain": "Container-runtime supply chain not differentiated from application-runtime supply chain."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1611",
+      "T1547.006"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 5,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "epss_score": 0.012,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-20"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-3154",
+      "https://github.com/cri-o/cri-o/security/advisories"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2023-43472": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "MLflow path-traversal arbitrary file read",
+    "type": "path-traversal",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Protect AI Huntr report — crafted artifact-fetch URL with ../ traversal reads arbitrary file via MLflow tracking-server endpoints.",
+    "ai_discovered": false,
+    "ai_discovery_notes": "Discovered via Protect AI bug bounty program (Huntr).",
+    "active_exploitation": "unknown",
+    "affected": "MLflow < 2.9.0 — ML training/serving workflows, model registries.",
+    "affected_versions": [
+      "mlflow < 2.9.0"
+    ],
+    "vector": "GET /model-versions/get-artifact?path=../../../etc/passwd — server resolves user-controlled path under artifact root without normalization.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "mlflow 2.9.0+"
+    ],
+    "framework_control_gaps": {
+      "NIST-AI-RMF-MEASURE-2.7": "ML-pipeline asset confidentiality is referenced but no specific control on tracking-server path normalization.",
+      "OWASP-ML-Top-10-2023-ML06": "Insufficient supply-chain controls in ML — MLflow tracking servers routinely expose model + experiment IO without auth.",
+      "ISO-27001-2022-A.8.28": "Secure coding control does not anchor on ML-runtime web-surface review."
+    },
+    "atlas_refs": [
+      "AML.T0016"
+    ],
+    "attack_refs": [
+      "T1083",
+      "T1005"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "epss_score": 0.014,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-43472",
+      "https://huntr.com/bounties/"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2020-10148": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "SolarWinds Orion API authentication bypass (SUNBURST chain)",
+    "type": "auth-bypass",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2021-11-03",
+    "poc_available": true,
+    "poc_description": "CISA AA20-352A documents the URI-pattern auth bypass that SUNBURST operators chained to API write access.",
+    "ai_discovered": false,
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Component of the historic SUNBURST campaign — exploitation occurred at scale against US federal and Fortune 500 networks.",
+    "affected": "SolarWinds Orion Platform 2019.4 HF5 through 2020.2.1.",
+    "affected_versions": [
+      "solarwinds-orion-platform >= 2019.4-HF5",
+      "solarwinds-orion-platform <= 2020.2.1"
+    ],
+    "vector": "URI pattern matching against SkipI18nStrings triggers bypass — unauthenticated request matching the pattern reaches API write endpoints.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "Orion Platform 2020.2.1 HF2+",
+      "WAF blocking SkipI18nStrings pattern"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Identification and Authentication control trusted the application's URI-matching layer — does not address pattern-bypass classes.",
+      "ISO-27001-2022-A.5.15": "Access control reviewed at organizational level; URI-pattern auth bypass is a code-level failure under app-vendor responsibility."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1078"
+    ],
+    "rwep_score": 75,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "epss_score": 0.945,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-287"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2020-10148",
+      "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2023-3519": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "Citrix NetScaler ADC/Gateway unauth RCE (CitrixBleed precursor)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2023-07-19",
+    "poc_available": true,
+    "poc_description": "Multiple public PoCs — stack buffer overflow in the SAML authentication endpoint reached pre-auth with HTTP POST.",
+    "ai_discovered": false,
+    "active_exploitation": "confirmed",
+    "affected": "Citrix NetScaler ADC + Gateway 12.1, 13.0, 13.1.",
+    "affected_versions": [
+      "netscaler-adc < 13.1-49.13",
+      "netscaler-adc < 13.0-91.13",
+      "netscaler-adc < 12.1-66.13"
+    ],
+    "vector": "Pre-auth stack buffer overflow in nsppe SAML processing — POST to /gwtest/formssso reaches vulnerable parser.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "NetScaler 13.1-49.13+",
+      "NetScaler 13.0-91.13+",
+      "NetScaler 12.1-66.13+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day patch SLA insufficient for unauth RCE on public-facing appliances.",
+      "PCI-DSS-4.0-6.3.3": "Same — 1-month critical patch window is a permission slip.",
+      "NIS2-Art21-vulnerability-management": "EU NIS2 generic patch-management guidance without unauth-RCE-specific SLA."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 75,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "epss_score": 0.967,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-119",
+      "CWE-787"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-3519",
+      "https://support.citrix.com/article/CTX561482"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2024-1709": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "ConnectWise ScreenConnect auth-bypass",
+    "type": "auth-bypass",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2024-02-22",
+    "poc_available": true,
+    "poc_description": "Trivially exploitable — append /SetupWizard.aspx/anything to URL to bypass auth and reach admin setup page.",
+    "ai_discovered": false,
+    "active_exploitation": "confirmed",
+    "affected": "ConnectWise ScreenConnect <= 23.9.7 — remote IT support tooling deployed in MSP fleets.",
+    "affected_versions": [
+      "screenconnect <= 23.9.7"
+    ],
+    "vector": "Path-traversal to bypass auth filter on /SetupWizard.aspx — attacker gains admin context and creates new admin user via setup endpoint.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "ScreenConnect 23.9.8+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement assumed; bypass occurred at routing layer before AC-3 check.",
+      "NIST-800-53-IA-2": "MFA on admin would not have prevented — bypass creates a new admin account that satisfies whatever MFA policy applies.",
+      "CIS-Controls-v8-Control6": "Access control management does not require setup-endpoint hardening on production deployments."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1078"
+    ],
+    "rwep_score": 75,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "epss_score": 0.973,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-288"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-1709",
+      "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2026-20182": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "Cisco SD-WAN authentication bypass to admin",
+    "type": "auth-bypass",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-14",
+    "poc_available": false,
+    "ai_discovered": false,
+    "ai_discovery_source": "unknown",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "KEV-added with active-exploitation flag 2026-05-14.",
+    "affected": "Cisco SD-WAN vManage and vEdge controllers across multiple software trains.",
+    "affected_versions": [
+      "cisco-sdwan-vmanage <vendor-build>",
+      "cisco-sdwan-vedge <vendor-build>"
+    ],
+    "vector": "Authentication bypass in SD-WAN controller management plane — unauthenticated attacker reaches admin-equivalent state on the controller.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "Cisco SD-WAN per cisco-sa-sdwan-authbypass advisory build matrix"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Network-fabric controller auth depended on the bypassed surface; IA-2 satisfied on paper.",
+      "NIS2-Art21-network-security": "EU NIS2 critical-infrastructure rules treat SD-WAN controllers as essential service infrastructure but lack CISA-KEV-tied 24h SLA.",
+      "DORA-Art-9": "ICT third-party risk: SD-WAN vendor risk concentrated in single advisory cadence."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1078"
+    ],
+    "rwep_score": 65,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 0,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 35,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "epss_score": 0.5,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-287"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://sec.cloudapps.cisco.com/security/center/publicationListing.x"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2024-40635": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "containerd integer overflow IP mask leak",
+    "type": "information-disclosure",
+    "cvss_score": 5.9,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Snyk Labs PoC — crafted CIDR specification overflows uint32 mask conversion.",
+    "ai_discovered": false,
+    "active_exploitation": "unknown",
+    "affected": "containerd 1.6.x < 1.6.34, 1.7.x < 1.7.21.",
+    "affected_versions": [
+      "containerd < 1.6.34",
+      "containerd < 1.7.21"
+    ],
+    "vector": "Integer overflow in CNI IP-allocation path — container receives spurious mask, leaks across network namespaces.",
+    "complexity": "moderate",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "containerd 1.7.21+",
+      "containerd 1.6.34+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection presumes network-namespace integrity; integer overflow in IPAM defeats it.",
+      "CIS-Kubernetes-Benchmark-5.3": "Network policies don't address container-runtime IPAM correctness."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1525",
+      "T1046"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "epss_score": 0.005,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-190"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-40635",
+      "https://github.com/containerd/containerd/security/advisories"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "MAL-2026-TANSTACK-MINI": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "Mini Shai-Hulud (TanStack worm)",
+    "type": "supply-chain-worm",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "84 malicious versions across 42 @tanstack/* packages 2026-05-11 — the worm IS the PoC.",
+    "ai_discovered": false,
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Self-propagating — malicious versions executed at install time, harvested local credentials, attempted to republish to other packages the host had npm-publish access to.",
+    "affected": "@tanstack/* packages — 42 packages affected via shared maintainer org compromise.",
+    "affected_versions": [
+      "@tanstack/* malicious versions per TanStack security advisory 2026-05-11"
+    ],
+    "vector": "Compromised maintainer npm token published 84 versions that ran a malicious postinstall hook. Hook harvested ~/.npmrc, ~/.aws/credentials, GitHub PAT files, then attempted republication.",
+    "complexity": "low",
+    "complexity_notes": "Consumer-side exploitation is install-time — `npm install` of any pinned-range that resolves to a malicious version triggers payload before any dev review.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "npm yanked affected versions 2026-05-11",
+      "Pin to @tanstack/* versions published before 2026-05-11T00:00Z",
+      "Audit lockfiles against TanStack security-advisory version list"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF-PW.4": "Reused-OSS-component control assumes maintainer-account integrity.",
+      "SLSA-v1.0-Source-L3": "SLSA source-integrity reviews don't apply to npm packages without provenance attestations.",
+      "EU-CRA-Art13": "SBOM requirement does not address freshness-of-published-version.",
+      "NIS2-Art21-supply-chain": "Generic supply chain controls without npm-ecosystem-specific guidance."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0019"
+    ],
+    "attack_refs": [
+      "T1195.001",
+      "T1552.001"
+    ],
+    "rwep_score": 55,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 40,
+      "patch_available": -10,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "epss_score": null,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-506",
+      "CWE-1395"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://tanstack.com/security",
+      "https://github.com/TanStack/query/security/advisories",
+      "https://www.npmjs.com/advisories"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "MAL-2026-ANTHROPIC-MCP-STDIO": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "Anthropic SDK MCP STDIO command-injection (embargoed)",
+    "type": "command-injection",
+    "cvss_score": 9,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": false,
+    "poc_description": "Embargoed — operator-supplied configuration parameter reaches subprocess exec argv concatenation.",
+    "ai_discovered": false,
+    "active_exploitation": "unknown",
+    "active_exploitation_notes": "Embargoed disclosure pending vendor advisory.",
+    "affected": "Anthropic MCP-client STDIO transport in published SDK versions handling operator-configured server-spawn commands.",
+    "affected_versions": [
+      "anthropic-sdk pending-vendor-advisory"
+    ],
+    "vector": "MCP-client spawns server subprocess from operator config — argument parsing concatenates user-controlled fields into the exec argv via shell-like splitting rather than argv-array passing.",
+    "complexity": "low",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Operator-side allowlist of MCP server configurations",
+      "Pin MCP server commands to immutable absolute paths",
+      "Disable user-provided MCP server config until vendor advisory lands"
+    ],
+    "vendor_update_paths": [
+      "Pending Anthropic SDK security release"
+    ],
+    "framework_control_gaps": {
+      "NIST-AI-RMF-MEASURE-2.7": "MCP-client trust boundary not specifically called out — operator-config-as-input is treated as platform-trusted.",
+      "OWASP-LLM-Top-10-2025-LLM05": "Improper output handling on LLM-side; this is the symmetric upstream — improper INPUT handling on transport side.",
+      "ISO-27001-2022-A.8.28": "Secure coding assumed in vendor SDKs without tooling to attest."
+    },
+    "atlas_refs": [
+      "AML.T0040"
+    ],
+    "attack_refs": [
+      "T1059"
+    ],
+    "rwep_score": 25,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 10,
+      "ai_factor": 0,
+      "active_exploitation": 5,
+      "blast_radius": 30,
+      "patch_available": 0,
+      "live_patch_available": -5,
+      "reboot_required": 0
+    },
+    "epss_score": null,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-78",
+      "CWE-88"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://docs.anthropic.com/security",
+      "https://modelcontextprotocol.io/"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2026-GTIG-AI-2FA": {
+    "_draft": true,
+    "_auto_imported": true,
+    "name": "GTIG-tracked AI-built 2FA-bypass zero-day (placeholder)",
+    "type": "auth-bypass",
+    "cvss_score": 8.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": false,
+    "poc_description": "Embargoed — GTIG 2026-05-11 report references in-the-wild exploitation by a financially motivated threat actor using AI-built exploit code targeting an unnamed enterprise 2FA service.",
+    "ai_discovered": true,
+    "ai_discovery_notes": "First documented case of a fully AI-BUILT zero-day exploit observed in-the-wild.",
+    "ai_assisted_weaponization": true,
+    "ai_assisted_notes": "Per GTIG attribution analysis — exploit code structure consistent with AI-generated output.",
+    "active_exploitation": "confirmed",
+    "affected": "Unnamed enterprise 2FA service per GTIG embargo; placeholder entry pending CVE assignment.",
+    "affected_versions": [
+      "pending-disclosure"
+    ],
+    "vector": "Authentication state-machine confusion — exploit payload bypasses second-factor challenge by manipulating session token at the post-primary-auth / pre-2FA-challenge boundary.",
+    "complexity": "moderate",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Vendor-side rate-limiting on 2FA challenge endpoint",
+      "Anomaly detection on session-token mutation between auth phases",
+      "Out-of-band MFA fallback"
+    ],
+    "vendor_update_paths": [
+      "Pending vendor advisory"
+    ],
+    "framework_control_gaps": {
+      "NIST-AI-RMF-MEASURE-2.7": "AI-discovered + AI-built exploit class not anchored in any framework.",
+      "NIS2-Art21-incident-handling": "EU NIS2 incident-handling SLA does not differentiate AI-built vs human-built exploit class.",
+      "ISO-27001-2022-A.5.7": "Threat intelligence control does not specifically require AI-attack-development feeds.",
+      "FedRAMP-IA-2": "MFA requirement satisfied on paper; AI-built bypass operates at a layer below the MFA control surface.",
+      "EU-AI-Act-Art-15": "AI Act robustness requirement applies to AI SYSTEMS not to defending against AI-built attacks."
+    },
+    "atlas_refs": [
+      "AML.T0040",
+      "AML.T0051"
+    ],
+    "attack_refs": [
+      "T1078",
+      "T1556"
+    ],
+    "rwep_score": 55,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 10,
+      "ai_factor": 25,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": 0,
+      "live_patch_available": -5,
+      "reboot_required": 0
+    },
+    "epss_score": null,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-287",
+      "CWE-841"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://cloud.google.com/blog/topics/threat-intelligence/",
+      "https://services.google.com/fh/files/misc/gtig-2026-ai-attack-trends.pdf"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2026-30623": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "Anthropic MCP SDK stdio command-injection",
+    "type": "command-injection",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Public advisory documents the argv-string concatenation in MCP-client stdio transport.",
+    "ai_discovered": false,
+    "ai_discovery_source": "unknown",
+    "active_exploitation": "suspected",
+    "affected": "Anthropic MCP SDK stdio transport versions prior to vendor security release (Apr 2026).",
+    "affected_versions": [
+      "anthropic-mcp <= 0.x.x-pre-fix"
+    ],
+    "vector": "Operator-supplied MCP server-spawn command string reaches subprocess exec without argv-array discipline.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Pin MCP server commands in immutable config",
+      "Operator-side allowlist of MCP server binaries"
+    ],
+    "vendor_update_paths": [
+      "anthropic-mcp post-Apr-2026 security release"
+    ],
+    "framework_control_gaps": {
+      "OWASP-LLM-Top-10-2025-LLM05": "Improper output handling — applied symmetrically to client-side INPUT handling.",
+      "NIST-AI-RMF-MEASURE-2.7": "MCP transport trust boundary not specifically addressed in MEASURE 2.7.",
+      "ISO-27001-2022-A.8.28": "Secure coding control assumed in third-party SDKs."
+    },
+    "atlas_refs": [
+      "AML.T0040"
+    ],
+    "attack_refs": [
+      "T1059"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 10,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "epss_score": 0.02,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-78",
+      "CWE-88"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-30623",
+      "https://github.com/anthropics/anthropic-sdk-python/security/advisories"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2025-12686": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "Synology BeeStation unauth RCE (Pwn2Own Ireland 2025)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Pwn2Own Ireland 2025 demonstration — full chain pre-auth RCE on BeeStation NAS.",
+    "ai_discovered": false,
+    "active_exploitation": "unknown",
+    "affected": "Synology BeeStation Manager < 1.4.0-65374 — consumer NAS appliance.",
+    "affected_versions": [
+      "bsm < 1.4.0-65374"
+    ],
+    "vector": "Pre-auth RCE chain on BeeStation web management.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "BSM 1.4.0-65374+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Consumer-NAS patch SLA undefined.",
+      "EU-CRA-Art13": "Cyber Resilience Act applies to consumer-IoT but enforcement begins 2027."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 50,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 5,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "epss_score": 0.04,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-78"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-12686",
+      "https://www.zerodayinitiative.com/blog"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2025-62847": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 1/3)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Pwn2Own Ireland 2025 demonstration — chain 1/3.",
+    "ai_discovered": false,
+    "active_exploitation": "unknown",
+    "affected": "QNAP QTS < 5.2.4.2950, QuTS hero < h5.2.4.2950.",
+    "affected_versions": [
+      "qts < 5.2.4.2950",
+      "quts-hero < h5.2.4.2950"
+    ],
+    "vector": "Component 1/3 of Pwn2Own chain on QNAP appliances.",
+    "complexity": "moderate",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "QTS 5.2.4.2950+",
+      "QuTS hero h5.2.4.2950+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "NAS-appliance patch SLA undefined.",
+      "EU-CRA-Art13": "Consumer-NAS coverage begins 2027."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 5,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "epss_score": 0.03,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-78"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-62847",
+      "https://www.qnap.com/en/security-advisory/"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2025-62848": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 2/3)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Pwn2Own Ireland 2025 — chain 2/3.",
+    "ai_discovered": false,
+    "active_exploitation": "unknown",
+    "affected": "QNAP QTS < 5.2.4.2950, QuTS hero < h5.2.4.2950.",
+    "affected_versions": [
+      "qts < 5.2.4.2950",
+      "quts-hero < h5.2.4.2950"
+    ],
+    "vector": "Component 2/3 of Pwn2Own QNAP appliance chain.",
+    "complexity": "moderate",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "QTS 5.2.4.2950+",
+      "QuTS hero h5.2.4.2950+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "NAS-appliance patch SLA undefined.",
+      "EU-CRA-Art13": "Consumer-NAS coverage begins 2027."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 5,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "epss_score": 0.03,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-62848",
+      "https://www.qnap.com/en/security-advisory/"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2025-62849": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 3/3)",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Pwn2Own Ireland 2025 — chain 3/3 (post-auth elevation).",
+    "ai_discovered": false,
+    "active_exploitation": "unknown",
+    "affected": "QNAP QTS < 5.2.4.2950, QuTS hero < h5.2.4.2950.",
+    "affected_versions": [
+      "qts < 5.2.4.2950",
+      "quts-hero < h5.2.4.2950"
+    ],
+    "vector": "Component 3/3 of Pwn2Own QNAP appliance chain — post-auth elevation.",
+    "complexity": "moderate",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "QTS 5.2.4.2950+",
+      "QuTS hero h5.2.4.2950+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "NAS-appliance patch SLA undefined.",
+      "EU-CRA-Art13": "Consumer-NAS coverage begins 2027."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1068"
+    ],
+    "rwep_score": 40,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 5,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "epss_score": 0.02,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-269"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-62849",
+      "https://www.qnap.com/en/security-advisory/"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2025-59389": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "QNAP Hyper Data Protector critical RCE (Pwn2Own Ireland 2025)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Summoning Team / Sina Kheirkhah Pwn2Own Ireland 2025 demonstration — critical unauth RCE on QNAP Hyper Data Protector.",
+    "ai_discovered": false,
+    "active_exploitation": "unknown",
+    "affected": "QNAP Hyper Data Protector < 2.1.4.0420 — backup orchestration appliance.",
+    "affected_versions": [
+      "hdp < 2.1.4.0420"
+    ],
+    "vector": "Pre-auth RCE on Hyper Data Protector management surface.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "HDP 2.1.4.0420+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Backup-appliance patch SLA undefined; backup tier compromise is a recovery-control failure.",
+      "ISO-27001-2022-A.8.13": "Backup integrity assumed — a vulnerable backup appliance becomes the attacker's pivot rather than the operator's recovery path.",
+      "NIS2-Art21-business-continuity": "Backup-side resilience presumed; backup appliance compromise inverts recovery assumptions."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1490"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 5,
+      "blast_radius": 35,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "epss_score": 0.05,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-78"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-59389",
+      "https://www.qnap.com/en/security-advisory/"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2025-11837": {
+    "_draft": true,
+    "_auto_imported": true,
+    "ai_assisted_weaponization": false,
+    "name": "QNAP Malware Remover code-injection",
+    "type": "code-injection",
+    "cvss_score": 8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Code-injection in QNAP Malware Remover.",
+    "ai_discovered": false,
+    "active_exploitation": "unknown",
+    "active_exploitation_notes": "Theater-detection signal: the affected software IS a security tool.",
+    "affected": "QNAP Malware Remover < 6.6.8.20251023 — endpoint security tool on QNAP appliances.",
+    "affected_versions": [
+      "malware-remover < 6.6.8.20251023"
+    ],
+    "vector": "Code-injection in malware-definition-handling path — attacker who can deliver a crafted update or hijack the definition-fetch channel gains code execution as the security tool.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "Malware Remover 6.6.8.20251023+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious code protection control assumes the AV/AM tool is itself uncompromised; theater-detection test = run the AV with a crafted definition file in a sandbox and confirm rejection.",
+      "ISO-27001-2022-A.8.7": "Anti-malware controls treated as trust anchors; CVE-2025-11837 demonstrates the trust-anchor inversion class.",
+      "PCI-DSS-4.0-5.1": "Anti-malware deployment satisfied on paper; deployed tool itself is the vulnerability."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1059",
+      "T1554"
+    ],
+    "rwep_score": 40,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 5,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "epss_score": 0.025,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-11837",
+      "https://www.qnap.com/en/security-advisory/"
+    ],
+    "last_updated": "2026-05-15"
+  },
+  "CVE-2026-42945": {
+    "_draft": true,
+    "_auto_imported": true,
+    "name": "NGINX Rift",
+    "type": "RCE",
+    "cvss_score": 9.2,
+    "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "depthfirst-disclosure published PoC at https://github.com/depthfirstdisclosures/nginx-rift — heap buffer overflow in rewrite-directive PCRE handling for unnamed captures.",
+    "ai_discovered": true,
+    "ai_discovery_notes": "Discovered by depthfirst autonomous-analysis platform — first publicly-attributed AI-discovered nginx CVE. Anchor case for Hard Rule #7. Discovery 2026-05-13; affected code path present since nginx 0.6.27 (2007).",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "active_exploitation_notes": "No confirmed in-wild exploitation at disclosure; predict KEV-add within 14 days.",
+    "affected": "nginx 0.6.27 through 1.30.0 (every release for 18 years); nginx Plus R32 through R36.",
+    "affected_versions": [
+      "nginx >= 0.6.27",
+      "nginx <= 1.30.0",
+      "nginx-plus R32-R36"
+    ],
+    "vector": "Heap buffer overflow in PCRE unnamed-capture handling within rewrite directive — single HTTP request whose URI matches a rewrite rule using unnamed captures triggers out-of-bounds heap write.",
+    "complexity": "low",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Replace unnamed PCRE captures with named captures in rewrite directives (operator-side mitigation, no nginx restart required)",
+      "Disable rewrite directives temporarily where named-capture rewrite is not possible"
+    ],
+    "vendor_update_paths": [
+      "nginx 1.30.1+",
+      "nginx 1.31.0+",
+      "nginx Plus R32 P6+",
+      "nginx Plus R36 P4+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day SLA insufficient for pre-auth unauth heap RCE on web fabric.",
+      "NIST-AI-RMF-MAP-3.4": "AI-discovery class not anchored — Hard Rule #7 says AI-as-research-tool is current reality, framework controls treat it as emerging.",
+      "ISO-27001-2022-A.8.8": "Appropriate timescales undefined.",
+      "EU-CRA-Art13": "Cyber Resilience Act SBOM requirement does not surface configuration-derived exposure (rewrite-directive presence is the real-world filter).",
+      "NIS2-Art21-vulnerability-management": "EU NIS2 ICT-essential-service tier should treat 18-year-deployed web-fabric components as Tier-1 exposure.",
+      "OWASP-Top-10-2021-A06": "Vulnerable and outdated components — nginx upgrade is the standard answer; the live-patch path (rewrite-directive edit) is configuration-side and not covered.",
+      "DORA-Art-9": "Financial-services ICT third-party risk does not differentiate between vendor-patch path and configuration-side mitigation path."
+    },
+    "atlas_refs": [
+      "AML.T0040"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1505.003"
+    ],
+    "rwep_score": 40,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 25,
+      "active_exploitation": 0,
+      "blast_radius": 40,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P1 anchor — ai_factor scored at 25 reflects FIRST publicly-attributed AI-discovery on a Tier-1 web component.",
+    "epss_score": null,
+    "epss_date": "2026-05-14",
+    "cwe_refs": [
+      "CWE-122",
+      "CWE-787"
+    ],
+    "source_verified": "2026-05-14",
+    "verification_sources": [
+      "https://github.com/depthfirstdisclosures/nginx-rift",
+      "https://my.f5.com/manage/s/article/K000150420",
+      "https://nginx.org/en/security_advisories.html"
+    ],
+    "last_updated": "2026-05-15"
   }
 }