@blamejs/exceptd-skills 0.12.31 → 0.12.32
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +27 -0
- package/bin/exceptd.js +68 -12
- package/data/_indexes/_meta.json +6 -6
- package/data/_indexes/activity-feed.json +2 -2
- package/data/_indexes/catalog-summaries.json +2 -2
- package/data/_indexes/chains.json +869 -46
- package/data/_indexes/frequency.json +9 -0
- package/data/cve-catalog.json +18 -18
- package/data/cwe-catalog.json +31 -22
- package/data/framework-control-gaps.json +331 -6
- package/data/zeroday-lessons.json +580 -0
- package/manifest-snapshot.json +1 -1
- package/manifest-snapshot.sha256 +1 -1
- package/manifest.json +44 -44
- package/package.json +1 -1
- package/sbom.cdx.json +18 -18
- package/scripts/refresh-reverse-refs.js +63 -6
|
@@ -2519,6 +2519,8 @@
|
|
|
2519
2519
|
"AU-Essential-8-Backup",
|
|
2520
2520
|
"AU-Essential-8-MFA",
|
|
2521
2521
|
"AU-Essential-8-Patch",
|
|
2522
|
+
"CIS-Controls-v8-10.1",
|
|
2523
|
+
"DORA-Art-9",
|
|
2522
2524
|
"DORA-Art28",
|
|
2523
2525
|
"DORA-IA-CTPP-Oversight",
|
|
2524
2526
|
"DORA-ITS-TLPT",
|
|
@@ -2534,8 +2536,15 @@
|
|
|
2534
2536
|
"HIPAA-Security-Rule-2026-NPRM-164.310",
|
|
2535
2537
|
"HIPAA-Security-Rule-2026-NPRM-164.312",
|
|
2536
2538
|
"HIPAA-Security-Rule-2026-NPRM-164.314",
|
|
2539
|
+
"ISO-27001-2022-A.8.7",
|
|
2540
|
+
"NIS2-Art21-identity-management",
|
|
2537
2541
|
"NIS2-Art21-incident-handling",
|
|
2542
|
+
"NIS2-Art21-vulnerability-management",
|
|
2543
|
+
"NIST-800-53-AC-3",
|
|
2544
|
+
"NIST-800-53-AC-6",
|
|
2545
|
+
"NIST-800-53-SC-44",
|
|
2538
2546
|
"NIST-800-53-SI-10",
|
|
2547
|
+
"OWASP-LLM-Top-10-2025-LLM05",
|
|
2539
2548
|
"PCI-DSS-4.0.1-11.6.1",
|
|
2540
2549
|
"PCI-DSS-4.0.1-12.10.7",
|
|
2541
2550
|
"PCI-DSS-4.0.1-12.3.3",
|
package/data/cve-catalog.json
CHANGED
|
@@ -2769,8 +2769,6 @@
|
|
|
2769
2769
|
"rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
|
|
2770
2770
|
},
|
|
2771
2771
|
"CVE-2026-0300": {
|
|
2772
|
-
"_draft": true,
|
|
2773
|
-
"_auto_imported": true,
|
|
2774
2772
|
"name": "PAN-UID — Palo Alto Networks PAN-OS User-ID Authentication Portal RCE",
|
|
2775
2773
|
"type": "rce",
|
|
2776
2774
|
"cvss_score": 9.3,
|
|
@@ -2874,11 +2872,11 @@
|
|
|
2874
2872
|
]
|
|
2875
2873
|
},
|
|
2876
2874
|
"last_updated": "2026-05-15",
|
|
2877
|
-
"discovery_attribution_note": "Internal discovery by Palo Alto Networks PSIRT during proactive authentication-subsystem auditing; vendor advisory published 2026-05-13 alongside CISA KEV listing 2026-05-06. No AI-tool credit. Source: https://security.paloaltonetworks.com/CVE-2026-0300 and https://www.cisa.gov/news-events/alerts/2026/05/06/cisa-adds-one-known-exploited-vulnerability-catalog."
|
|
2875
|
+
"discovery_attribution_note": "Internal discovery by Palo Alto Networks PSIRT during proactive authentication-subsystem auditing; vendor advisory published 2026-05-13 alongside CISA KEV listing 2026-05-06. No AI-tool credit. Source: https://security.paloaltonetworks.com/CVE-2026-0300 and https://www.cisa.gov/news-events/alerts/2026/05/06/cisa-adds-one-known-exploited-vulnerability-catalog.",
|
|
2876
|
+
"_editorial_promoted": "2026-05-15",
|
|
2877
|
+
"_editorial_note": "Promoted from draft v0.12.32 (cycle 12 F1 fix): cycle 11 audit confirmed all required fields populated (iocs, vendor_advisories, verification_sources, complexity, affected_versions); RWEP factors satisfy Shape B invariant; discovery_attribution_note cites a researcher / team with URL. Editorial gate: passed."
|
|
2878
2878
|
},
|
|
2879
2879
|
"CVE-2026-39987": {
|
|
2880
|
-
"_draft": true,
|
|
2881
|
-
"_auto_imported": true,
|
|
2882
2880
|
"name": "Marimo Python Notebook Pre-Auth WebSocket Terminal RCE",
|
|
2883
2881
|
"type": "rce",
|
|
2884
2882
|
"cvss_score": 9.3,
|
|
@@ -2989,11 +2987,11 @@
|
|
|
2989
2987
|
]
|
|
2990
2988
|
},
|
|
2991
2989
|
"last_updated": "2026-05-15",
|
|
2992
|
-
"discovery_attribution_note": "Marimo team's security review of the terminal subsystem prompted by Sysdig honeypot evidence; vendor advisory + Sysdig blog jointly disclosed 2026-04-21 / 2026-04-23. No AI-tool credit for the discovery; the vulnerable component IS an AI/ML developer surface but the bug was found by conventional human review. Source: https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface and https://github.com/marimo-team/marimo/security/advisories."
|
|
2990
|
+
"discovery_attribution_note": "Marimo team's security review of the terminal subsystem prompted by Sysdig honeypot evidence; vendor advisory + Sysdig blog jointly disclosed 2026-04-21 / 2026-04-23. No AI-tool credit for the discovery; the vulnerable component IS an AI/ML developer surface but the bug was found by conventional human review. Source: https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface and https://github.com/marimo-team/marimo/security/advisories.",
|
|
2991
|
+
"_editorial_promoted": "2026-05-15",
|
|
2992
|
+
"_editorial_note": "Promoted from draft v0.12.32 (cycle 12 F1 fix): cycle 11 audit confirmed all required fields populated (iocs, vendor_advisories, verification_sources, complexity, affected_versions); RWEP factors satisfy Shape B invariant; discovery_attribution_note cites a researcher / team with URL. Editorial gate: passed."
|
|
2993
2993
|
},
|
|
2994
2994
|
"CVE-2026-6973": {
|
|
2995
|
-
"_draft": true,
|
|
2996
|
-
"_auto_imported": true,
|
|
2997
2995
|
"name": "Ivanti EPMM Authenticated-Admin RCE",
|
|
2998
2996
|
"type": "rce",
|
|
2999
2997
|
"cvss_score": 7.2,
|
|
@@ -3099,11 +3097,11 @@
|
|
|
3099
3097
|
]
|
|
3100
3098
|
},
|
|
3101
3099
|
"last_updated": "2026-05-15",
|
|
3102
|
-
"discovery_attribution_note": "Internal Ivanti product-security discovery; vendor advisory + CISA KEV listing jointly published 2026-05-07 with a 3-day due date reflecting confirmed in-wild exploitation. No AI-tool credit. Source: https://forums.ivanti.com/s/article/Security-Advisory-EPMM-CVE-2026-6973 and https://www.helpnetsecurity.com/2026/05/08/ivanti-epmm-zero-day-cve-2026-6973/."
|
|
3100
|
+
"discovery_attribution_note": "Internal Ivanti product-security discovery; vendor advisory + CISA KEV listing jointly published 2026-05-07 with a 3-day due date reflecting confirmed in-wild exploitation. No AI-tool credit. Source: https://forums.ivanti.com/s/article/Security-Advisory-EPMM-CVE-2026-6973 and https://www.helpnetsecurity.com/2026/05/08/ivanti-epmm-zero-day-cve-2026-6973/.",
|
|
3101
|
+
"_editorial_promoted": "2026-05-15",
|
|
3102
|
+
"_editorial_note": "Promoted from draft v0.12.32 (cycle 12 F1 fix): cycle 11 audit confirmed all required fields populated (iocs, vendor_advisories, verification_sources, complexity, affected_versions); RWEP factors satisfy Shape B invariant; discovery_attribution_note cites a researcher / team with URL. Editorial gate: passed."
|
|
3103
3103
|
},
|
|
3104
3104
|
"CVE-2026-42897": {
|
|
3105
|
-
"_draft": true,
|
|
3106
|
-
"_auto_imported": true,
|
|
3107
3105
|
"name": "Microsoft Exchange OWA Stored XSS / Spoofing Zero-Day",
|
|
3108
3106
|
"type": "stored-xss",
|
|
3109
3107
|
"cvss_score": 8.1,
|
|
@@ -3212,11 +3210,11 @@
|
|
|
3212
3210
|
"forensic_note": "Defenders should snapshot the OWA IIS logs + Exchange transport logs covering the attack window BEFORE applying EEMS rules; the EEMS rule strips the payload pattern from subsequent renders, but historical IIS log entries retain the request shape that surfaces the exploitation."
|
|
3213
3211
|
},
|
|
3214
3212
|
"last_updated": "2026-05-15",
|
|
3215
|
-
"discovery_attribution_note": "Microsoft MSRC discovery from in-the-wild exploitation telemetry; disclosed 2026-05-15 with concurrent CISA KEV listing and Exchange Team blog publication. No binary patch at disclosure; mitigation via Exchange Emergency Mitigation Service. No AI-tool credit. Source: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498 and https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/."
|
|
3213
|
+
"discovery_attribution_note": "Microsoft MSRC discovery from in-the-wild exploitation telemetry; disclosed 2026-05-15 with concurrent CISA KEV listing and Exchange Team blog publication. No binary patch at disclosure; mitigation via Exchange Emergency Mitigation Service. No AI-tool credit. Source: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498 and https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/.",
|
|
3214
|
+
"_editorial_promoted": "2026-05-15",
|
|
3215
|
+
"_editorial_note": "Promoted from draft v0.12.32 (cycle 12 F1 fix): cycle 11 audit confirmed all required fields populated (iocs, vendor_advisories, verification_sources, complexity, affected_versions); RWEP factors satisfy Shape B invariant; discovery_attribution_note cites a researcher / team with URL. Editorial gate: passed."
|
|
3216
3216
|
},
|
|
3217
3217
|
"CVE-2026-32202": {
|
|
3218
|
-
"_draft": true,
|
|
3219
|
-
"_auto_imported": true,
|
|
3220
3218
|
"name": "Microsoft Windows Shell LNK Mark-of-the-Web Bypass (APT28)",
|
|
3221
3219
|
"type": "protection-mechanism-failure",
|
|
3222
3220
|
"cvss_score": 7.5,
|
|
@@ -3325,11 +3323,11 @@
|
|
|
3325
3323
|
]
|
|
3326
3324
|
},
|
|
3327
3325
|
"last_updated": "2026-05-15",
|
|
3328
|
-
"discovery_attribution_note": "APT28 (Fancy Bear) in-the-wild weaponization observed by Microsoft + Help Net Security 2026-04-28; CVE-2026-32202 represents an incomplete-patch re-exploit of CVE-2026-21510 and chains with CVE-2026-21513 in the operational APT28 toolkit. Nation-state tradecraft; no AI-tool credit on either the discovery or weaponization side. Source: https://www.helpnetsecurity.com/2026/04/29/windows-cve-2026-32202-exploited/ and https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202."
|
|
3326
|
+
"discovery_attribution_note": "APT28 (Fancy Bear) in-the-wild weaponization observed by Microsoft + Help Net Security 2026-04-28; CVE-2026-32202 represents an incomplete-patch re-exploit of CVE-2026-21510 and chains with CVE-2026-21513 in the operational APT28 toolkit. Nation-state tradecraft; no AI-tool credit on either the discovery or weaponization side. Source: https://www.helpnetsecurity.com/2026/04/29/windows-cve-2026-32202-exploited/ and https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202.",
|
|
3327
|
+
"_editorial_promoted": "2026-05-15",
|
|
3328
|
+
"_editorial_note": "Promoted from draft v0.12.32 (cycle 12 F1 fix): cycle 11 audit confirmed all required fields populated (iocs, vendor_advisories, verification_sources, complexity, affected_versions); RWEP factors satisfy Shape B invariant; discovery_attribution_note cites a researcher / team with URL. Editorial gate: passed."
|
|
3329
3329
|
},
|
|
3330
3330
|
"CVE-2026-33825": {
|
|
3331
|
-
"_draft": true,
|
|
3332
|
-
"_auto_imported": true,
|
|
3333
3331
|
"name": "BlueHammer — Microsoft Defender File-Remediation TOCTOU LPE",
|
|
3334
3332
|
"type": "race-condition",
|
|
3335
3333
|
"cvss_score": 7.8,
|
|
@@ -3440,6 +3438,8 @@
|
|
|
3440
3438
|
]
|
|
3441
3439
|
},
|
|
3442
3440
|
"last_updated": "2026-05-15",
|
|
3443
|
-
"discovery_attribution_note": "Picus Security ('BlueHammer' / RedSun research) published a working PoC before Microsoft released the patch — true zero-day disclosure 2026-04-22; CISA KEV listed same day with a 14-day due date. No AI-tool credit on the discovery; conventional Windows-Defender internals research. Source: https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained and https://www.cisa.gov/known-exploited-vulnerabilities-catalog."
|
|
3441
|
+
"discovery_attribution_note": "Picus Security ('BlueHammer' / RedSun research) published a working PoC before Microsoft released the patch — true zero-day disclosure 2026-04-22; CISA KEV listed same day with a 14-day due date. No AI-tool credit on the discovery; conventional Windows-Defender internals research. Source: https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained and https://www.cisa.gov/known-exploited-vulnerabilities-catalog.",
|
|
3442
|
+
"_editorial_promoted": "2026-05-15",
|
|
3443
|
+
"_editorial_note": "Promoted from draft v0.12.32 (cycle 12 F1 fix): cycle 11 audit confirmed all required fields populated (iocs, vendor_advisories, verification_sources, complexity, affected_versions); RWEP factors satisfy Shape B invariant; discovery_attribution_note cites a researcher / team with URL. Editorial gate: passed."
|
|
3444
3444
|
}
|
|
3445
3445
|
}
|
package/data/cwe-catalog.json
CHANGED
|
@@ -46,7 +46,9 @@
|
|
|
46
46
|
"skills_referencing": [
|
|
47
47
|
"fuzz-testing-strategy"
|
|
48
48
|
],
|
|
49
|
-
"evidence_cves": [
|
|
49
|
+
"evidence_cves": [
|
|
50
|
+
"CVE-2026-6973"
|
|
51
|
+
],
|
|
50
52
|
"framework_controls_partially_addressing": [
|
|
51
53
|
"NIST-800-53-SI-10",
|
|
52
54
|
"ISO-27001-2022-A.8.28",
|
|
@@ -112,8 +114,8 @@
|
|
|
112
114
|
"webapp-security"
|
|
113
115
|
],
|
|
114
116
|
"evidence_cves": [
|
|
115
|
-
"
|
|
116
|
-
"
|
|
117
|
+
"CVE-2025-53773",
|
|
118
|
+
"MAL-2026-3083"
|
|
117
119
|
],
|
|
118
120
|
"framework_controls_partially_addressing": [
|
|
119
121
|
"NIST-800-53-SI-10",
|
|
@@ -145,7 +147,9 @@
|
|
|
145
147
|
"fuzz-testing-strategy",
|
|
146
148
|
"webapp-security"
|
|
147
149
|
],
|
|
148
|
-
"evidence_cves": [
|
|
150
|
+
"evidence_cves": [
|
|
151
|
+
"CVE-2026-39987"
|
|
152
|
+
],
|
|
149
153
|
"framework_controls_partially_addressing": [
|
|
150
154
|
"NIST-800-53-SI-10",
|
|
151
155
|
"ISO-27001-2022-A.8.28"
|
|
@@ -177,7 +181,9 @@
|
|
|
177
181
|
"attack-surface-pentest",
|
|
178
182
|
"webapp-security"
|
|
179
183
|
],
|
|
180
|
-
"evidence_cves": [
|
|
184
|
+
"evidence_cves": [
|
|
185
|
+
"CVE-2026-42897"
|
|
186
|
+
],
|
|
181
187
|
"framework_controls_partially_addressing": [
|
|
182
188
|
"NIST-800-53-SI-10",
|
|
183
189
|
"NIST-800-53-SC-18",
|
|
@@ -271,8 +277,7 @@
|
|
|
271
277
|
"webapp-security"
|
|
272
278
|
],
|
|
273
279
|
"evidence_cves": [
|
|
274
|
-
"CVE-
|
|
275
|
-
"CVE-2026-30615",
|
|
280
|
+
"CVE-2026-6973",
|
|
276
281
|
"MAL-2026-3083"
|
|
277
282
|
],
|
|
278
283
|
"framework_controls_partially_addressing": [
|
|
@@ -559,7 +564,10 @@
|
|
|
559
564
|
"sector-energy",
|
|
560
565
|
"sector-telecom"
|
|
561
566
|
],
|
|
562
|
-
"evidence_cves": [
|
|
567
|
+
"evidence_cves": [
|
|
568
|
+
"CVE-2026-0300",
|
|
569
|
+
"CVE-2026-39987"
|
|
570
|
+
],
|
|
563
571
|
"framework_controls_partially_addressing": [
|
|
564
572
|
"NIST-800-53-IA-2",
|
|
565
573
|
"ISO-27001-2022-A.5.17"
|
|
@@ -846,7 +854,7 @@
|
|
|
846
854
|
"mcp-agent-trust"
|
|
847
855
|
],
|
|
848
856
|
"evidence_cves": [
|
|
849
|
-
"CVE-2026-
|
|
857
|
+
"CVE-2026-32202"
|
|
850
858
|
],
|
|
851
859
|
"framework_controls_partially_addressing": [
|
|
852
860
|
"NIST-800-53-SA-12",
|
|
@@ -905,7 +913,9 @@
|
|
|
905
913
|
"CAPEC-39"
|
|
906
914
|
],
|
|
907
915
|
"skills_referencing": [],
|
|
908
|
-
"evidence_cves": [
|
|
916
|
+
"evidence_cves": [
|
|
917
|
+
"CVE-2026-32202"
|
|
918
|
+
],
|
|
909
919
|
"framework_controls_partially_addressing": [
|
|
910
920
|
"NIST-800-53-SI-7",
|
|
911
921
|
"NIST-800-53-SC-8(1)",
|
|
@@ -938,7 +948,9 @@
|
|
|
938
948
|
"fuzz-testing-strategy",
|
|
939
949
|
"kernel-lpe-triage"
|
|
940
950
|
],
|
|
941
|
-
"evidence_cves": [
|
|
951
|
+
"evidence_cves": [
|
|
952
|
+
"CVE-2026-33825"
|
|
953
|
+
],
|
|
942
954
|
"framework_controls_partially_addressing": [
|
|
943
955
|
"NIST-800-53-SI-16",
|
|
944
956
|
"ISO-27001-2022-A.8.28"
|
|
@@ -967,10 +979,7 @@
|
|
|
967
979
|
"fuzz-testing-strategy",
|
|
968
980
|
"kernel-lpe-triage"
|
|
969
981
|
],
|
|
970
|
-
"evidence_cves": [
|
|
971
|
-
"CVE-2026-43284",
|
|
972
|
-
"CVE-2026-43500"
|
|
973
|
-
],
|
|
982
|
+
"evidence_cves": [],
|
|
974
983
|
"framework_controls_partially_addressing": [
|
|
975
984
|
"NIST-800-53-SI-16",
|
|
976
985
|
"NIST-800-53-SI-2",
|
|
@@ -1058,9 +1067,7 @@
|
|
|
1058
1067
|
"mcp-agent-trust",
|
|
1059
1068
|
"supply-chain-integrity"
|
|
1060
1069
|
],
|
|
1061
|
-
"evidence_cves": [
|
|
1062
|
-
"CVE-2026-30615"
|
|
1063
|
-
],
|
|
1070
|
+
"evidence_cves": [],
|
|
1064
1071
|
"framework_controls_partially_addressing": [
|
|
1065
1072
|
"NIST-800-53-SI-7",
|
|
1066
1073
|
"NIST-800-53-SA-12",
|
|
@@ -1120,7 +1127,6 @@
|
|
|
1120
1127
|
],
|
|
1121
1128
|
"skills_referencing": [],
|
|
1122
1129
|
"evidence_cves": [
|
|
1123
|
-
"CVE-2026-45321",
|
|
1124
1130
|
"MAL-2026-3083"
|
|
1125
1131
|
],
|
|
1126
1132
|
"framework_controls_partially_addressing": [
|
|
@@ -1214,7 +1220,9 @@
|
|
|
1214
1220
|
"skills_referencing": [
|
|
1215
1221
|
"kernel-lpe-triage"
|
|
1216
1222
|
],
|
|
1217
|
-
"evidence_cves": [
|
|
1223
|
+
"evidence_cves": [
|
|
1224
|
+
"CVE-2026-46300"
|
|
1225
|
+
],
|
|
1218
1226
|
"framework_controls_partially_addressing": [
|
|
1219
1227
|
"NIST-800-53-SI-16",
|
|
1220
1228
|
"ISO-27001-2022-A.8.28"
|
|
@@ -1339,8 +1347,9 @@
|
|
|
1339
1347
|
"kernel-lpe-triage"
|
|
1340
1348
|
],
|
|
1341
1349
|
"evidence_cves": [
|
|
1342
|
-
"CVE-2026-
|
|
1343
|
-
"CVE-2026-43500"
|
|
1350
|
+
"CVE-2026-0300",
|
|
1351
|
+
"CVE-2026-43500",
|
|
1352
|
+
"CVE-2026-46300"
|
|
1344
1353
|
],
|
|
1345
1354
|
"framework_controls_partially_addressing": [
|
|
1346
1355
|
"NIST-800-53-SI-10",
|