@blamejs/exceptd-skills 0.12.8 → 0.12.10

package/data/cve-catalog.json

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "last_updated": "2026-05-11",
+    "last_updated": "2026-05-13",
     "source": "NVD + CISA KEV + vendor advisories — see sources/index.json",
     "required_fields": [
       "type",
@@ -35,7 +35,12 @@
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     },
     "vendor_advisory_field_added": "2026-05-11",
-    "vendor_advisory_note": "Each CVE carries a structured vendor_advisories array (vendor, advisory_id, url, severity, published_date) for downstream consumers that route by vendor advisory. Unknown advisory IDs are null with the canonical vendor CVE-resolver URL — never fabricated. Existing free-form references are preserved in verification_sources; vendor_advisories is additive."
+    "vendor_advisory_note": "Each CVE carries a structured vendor_advisories array (vendor, advisory_id, url, severity, published_date) for downstream consumers that route by vendor advisory. Unknown advisory IDs are null with the canonical vendor CVE-resolver URL — never fabricated. Existing free-form references are preserved in verification_sources; vendor_advisories is additive.",
+    "id_conventions": {
+      "default": "CVE-YYYY-NNNNN",
+      "non_cve_keys_accepted": ["SNYK-*", "GHSA-*"],
+      "note": "Catalog keys are CVE-* by default. For pre-CVE-assignment advisories under active operational impact, the project accepts OSV-native identifier shapes as the canonical key, with cross-references retained in `aliases`: MAL-* (OSSF Malicious Packages dataset — published into OSV.dev; primary key for malicious-package compromises), GHSA-* (GitHub Advisory Database; primary key when the package is on GitHub and no CVE has issued yet), and SNYK-* (Snyk advisory dataset; primary key for advisories Snyk catalogued before OSV/GHSA ingested them). When MITRE issues a CVE, the entry is renamed in lockstep with the matching zeroday-lessons key; the previous identifier is retained in `aliases` so historical references continue to resolve. Precedent: MAL-2026-3083 added 2026-05-13 (the elementary-data PyPI worm, 1.1M monthly downloads, OSV/OSSF-cataloged before any CVE issued). EPSS coverage does not extend to non-CVE identifiers; epss_score is null with a documenting epss_note on such entries. Upstream pull from OSV.dev: `exceptd refresh --source osv` (added v0.12.10)."
+    }
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",
@@ -43,8 +48,9 @@
     "cvss_score": 7.8,
     "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "cisa_kev": true,
-    "cisa_kev_date": "2026-03-15",
-    "cisa_kev_due_date": "2026-04-05",
+    "cisa_kev_date": "2026-05-01",
+    "cisa_kev_due_date": "2026-05-15",
+    "cisa_kev_date_correction_note": "v0.12.9 (2026-05-13): catalog previously stored 2026-03-15 / due 2026-04-05. CISA KEV JSON authoritative is dateAdded 2026-05-01 / dueDate 2026-05-15 (source: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json filtered for CVE-2026-31431). The catalog was running six weeks ahead of the real KEV listing; downstream framework-SLA computations were anchored on a date that hadn't yet been authoritative.",
     "poc_available": true,
     "poc_description": "Public exploit script — single-stage, 732 bytes, no race condition, deterministic root escalation from any unprivileged user or container",
     "ai_discovered": true,
@@ -91,11 +97,13 @@
       "live_patch_available": -10,
       "reboot_required": 5
     },
-    "epss_score": 0.94,
-    "epss_percentile": 0.99,
-    "epss_date": "2026-05-11",
+    "epss_score": 0.0257,
+    "epss_percentile": 0.8569,
+    "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-31431",
-    "source_verified": "2026-05-01",
+    "epss_correction_note": "v0.12.9: refreshed from live FIRST API. Catalog previously stored 0.94 / 0.99 (estimate for newly-published CVE; EPSS model cold-start). Live values reflect post-disclosure exploitation telemetry through 2026-05-13.",
+    "cwe_refs": ["CWE-669"],
+    "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-31431",
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
@@ -180,8 +188,11 @@
   "CVE-2026-43284": {
     "name": "Dirty Frag (ESP/IPsec component)",
     "type": "LPE",
-    "cvss_score": 7.8,
-    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_correction_note": "v0.12.9 (2026-05-13): catalog previously stored 7.8 / Scope:U. NVD secondary CVSS block authoritative is 8.8 / Scope:C (Scope: Changed — kernel→user-namespace breakout is in-scope, which supports the container-escape framing). Source: https://nvd.nist.gov/vuln/detail/CVE-2026-43284. The lower-scored block remains valid for compatibility readers; the higher block is the operational risk floor.",
+    "cvss_score_alternate": 7.8,
+    "cvss_vector_alternate": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "cisa_kev": false,
     "cisa_kev_date": null,
     "poc_available": true,
@@ -222,11 +233,13 @@
       "live_patch_available": 0,
       "reboot_required": 5
     },
-    "epss_score": 0.18,
-    "epss_percentile": 0.88,
-    "epss_date": "2026-05-11",
+    "epss_score": 0.00007,
+    "epss_percentile": 0.0051,
+    "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-43284",
-    "source_verified": "2026-05-01",
+    "epss_correction_note": "v0.12.9: refreshed from live FIRST API. Previous values (0.18 / 0.88) were estimates for the newly-published CVE; cold-start EPSS routinely overstates newly-cataloged kernel CVEs.",
+    "cwe_refs": ["CWE-123"],
+    "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-43284"
     ],
@@ -346,11 +359,13 @@
       "live_patch_available": 0,
       "reboot_required": 5
     },
-    "epss_score": 0.07,
-    "epss_percentile": 0.75,
-    "epss_date": "2026-05-11",
+    "epss_score": 0.0001,
+    "epss_percentile": 0.0115,
+    "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-43500",
-    "source_verified": "2026-05-01",
+    "epss_correction_note": "v0.12.9: refreshed from live FIRST API (cold-start cleanup).",
+    "cwe_refs": ["CWE-787"],
+    "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-43500"
     ],
@@ -553,10 +568,11 @@
     "last_updated": "2026-05-13"
   },
   "CVE-2026-30615": {
-    "name": "Windsurf MCP Zero-Interaction RCE",
+    "name": "Windsurf MCP Local-Vector RCE via Adversarial Tool Response",
     "type": "RCE-supply-chain",
-    "cvss_score": 9.8,
-    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_score": 8.0,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
+    "cvss_correction_note": "v0.12.9 (2026-05-13): catalog previously stored CVSS 9.8 / AV:N. NVD authoritative is 8.0 / AV:L (local attack vector; attacker must control HTML content the Windsurf MCP client processes — not a network-vector zero-interaction RCE as initially cataloged). Source: https://nvd.nist.gov/vuln/detail/CVE-2026-30615 (published 2026-04-15, last_modified 2026-04-27, vulnStatus: Deferred). Recompute RWEP with blast_radius reduced from 30→20 to reflect local-vector + Scope:U.",
     "cisa_kev": false,
     "cisa_kev_date": null,
     "poc_available": true,
@@ -722,10 +738,11 @@
       "reboot_required": 0
     },
     "rwep_notes": "RWEP cap of 30 on blast_radius understates the real exposure (42 packages, ~150M+ weekly downloads combined). Operationally treat as P0; the formula caps blast_radius regardless of magnitude. Once CISA KEV-lists this CVE, the +25 boost will lift score to 70 (P1 territory).",
-    "epss_score": 0.78,
-    "epss_percentile": 0.97,
+    "epss_score": 0.00039,
+    "epss_percentile": 0.1179,
     "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-45321",
+    "epss_correction_note": "v0.12.9: refreshed from live FIRST API. Previous values (0.78 / 0.97) were cold-start estimates inconsistent with confirmed in-wild exploitation; the qualitative narrative (rwep_notes above) remains the authoritative risk signal — raw EPSS underreports newly-disclosed worm payload classes.",
     "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-45321",
@@ -823,5 +840,350 @@
       ]
     },
     "last_updated": "2026-05-13"
+  },
+  "MAL-2026-3083": {
+    "name": "Elementary-Data PyPI Worm (Forged Release via GitHub Actions Script Injection)",
+    "type": "RCE-supply-chain",
+    "aliases": [
+      "SNYK-PYTHON-ELEMENTARYDATA-16316110",
+      "pypi/2026-04-compr-elementary-data/elementary-data"
+    ],
+    "aliases_note": "Primary key is OSV-native MAL-2026-3083 (OSSF Malicious Packages dataset; first publisher 2026-04-24T22:54Z). Snyk SNYK-PYTHON-ELEMENTARYDATA-16316110 and kam193 campaign id pypi/2026-04-compr-elementary-data are cross-references for operator lookup. MITRE has not assigned a CVE id as of 2026-05-13; if one is issued later the catalog key is renamed and aliases retained.",
+    "cvss_score": 9.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Public forensic writeups + the malicious orphan commit b1e4b1f3aad0d489ab0e9208031c67402bbb8480 still readable on GitHub. The .pth-file install-time payload mechanism is well-understood; the exfiltration domain (skyhanni.cloud subdomain) was active in the wild during the window 2026-04-24 22:20Z through 2026-04-25 ~06:30Z.",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "1.1M monthly downloads — anyone who pip-installed elementary-data==0.23.3 during the 8-hour exposure window was hit. Window: 2026-04-24 22:20Z → 2026-04-25 ~06:30Z.",
+    "affected": "elementary-data (PyPI) — data observability tool inside dbt analytics pipelines. ~1.1M monthly downloads.",
+    "affected_versions": [
+      "elementary-data == 0.23.3"
+    ],
+    "vector": "GitHub Actions script-injection sink in `.github/workflows/update_pylon_issue.yml`. Workflow interpolated `${{ github.event.comment.body }}` directly into a `run:` shell script — commenting on any open PR was sufficient to execute attacker-controlled shell with the elevated GITHUB_TOKEN. Attacker forged orphan commit b1e4b1f3aad0d489ab0e9208031c67402bbb8480, tagged v0.23.3, and dispatched the legitimate publishing pipeline — producing a properly-signed release pointing at code the maintainers never saw.",
+    "complexity": "low",
+    "complexity_notes": "Anyone with a GitHub account can comment on a public PR. Self-replicating in pattern: any project running a similar workflow shape (`${{ github.event.* }}` directly in `run:`) is exploitable by the same primitive.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "pip uninstall elementary-data && pip install elementary-data==0.23.4 (clean replacement, same-day)",
+      "Yank 0.23.3 from any private mirror; PyPI has already yanked the public copy",
+      "GHCR :latest re-points to clean image; rebuild any image FROM elementary-data:0.23.3"
+    ],
+    "framework_control_gaps": {
+      "SLSA-L3": "Same shape as CVE-2026-45321 — provenance valid, payload malicious. The publishing pipeline ran on a malicious orphan commit and emitted a legitimate signed release. SLSA-L3 attests WHICH pipeline built the artifact, not that the pipeline was driven by trusted inputs.",
+      "NIST-800-53-SA-12": "Supply chain protection treats signed release as the trust anchor. The signature was valid; the input to the signing pipeline was attacker-controlled.",
+      "NIST-800-218-PO.4": "Define and use secure development security checks. Direct interpolation of github.event.* into run: scripts is a documented secure-development anti-pattern (GitHub Actions docs explicitly warn against it) but is not framework-enforced.",
+      "EU-CRA-Art13": "Required vulnerability handling doesn't address the case where the maintainer was an unwitting publisher.",
+      "NIS2-Art21-2d": "Supply chain risk management presumes detectable signal at consumption. Valid signature neutralizes consumer-side checks."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0018",
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1195.001",
+      "T1195.002",
+      "T1078.004",
+      "T1552.001",
+      "T1059.006"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Canonical RWEP = 45. Operationally treat as P1 — the 8h mass-exposure window (2026-04-24 22:20Z → 2026-04-25 ~06:30Z) means anyone who installed during that window is affected regardless of whether they later upgraded; credential rotation is required. The RWEP formula caps blast_radius at 30 and has no factor for time-bounded mass-exposure windows; the qualitative narrative here is the authoritative risk signal. CISA KEV listing (when it arrives) will add +25 → 70.",
+    "epss_score": null,
+    "epss_percentile": null,
+    "epss_date": "2026-05-13",
+    "epss_source": null,
+    "epss_note": "EPSS coverage does not extend to non-CVE advisories. FIRST EPSS API only indexes CVE identifiers; MAL-* / SNYK-* / GHSA-* keys return no data. Re-query and populate epss_score when MITRE assigns a CVE id and the entry is renamed.",
+    "cwe_refs": ["CWE-506", "CWE-77", "CWE-94"],
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://api.osv.dev/v1/query (POST {package:{name:elementary-data,ecosystem:PyPI},version:0.23.3}) — returns MAL-2026-3083",
+      "https://security.snyk.io/vuln/SNYK-PYTHON-ELEMENTARYDATA-16316110",
+      "https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection",
+      "https://snyk.io/blog/malicious-release-of-elementary-data-pypi-package-steals-cloud-credentials-from-data-engineers/",
+      "https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/",
+      "https://www.chainguard.dev/unchained/chainguard-customers-safe-from-elementary-data-compromise",
+      "https://www.elementary-data.com/post/security-incident-report-malicious-release-of-elementary-oss-python-cli-v0-23-3",
+      "https://bad-packages.kam193.eu/pypi/campaign/2026-04-compr-elementary-data"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "OSV.dev (OSSF Malicious Packages)",
+        "advisory_id": "MAL-2026-3083",
+        "url": "https://osv.dev/vulnerability/MAL-2026-3083",
+        "severity": "critical",
+        "published_date": "2026-04-24"
+      },
+      {
+        "vendor": "Snyk",
+        "advisory_id": "SNYK-PYTHON-ELEMENTARYDATA-16316110",
+        "url": "https://security.snyk.io/vuln/SNYK-PYTHON-ELEMENTARYDATA-16316110",
+        "severity": "critical",
+        "published_date": "2026-04-28"
+      },
+      {
+        "vendor": "StepSecurity",
+        "advisory_id": null,
+        "url": "https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection",
+        "severity": "critical",
+        "published_date": "2026-04-25"
+      },
+      {
+        "vendor": "Elementary Data",
+        "advisory_id": null,
+        "url": "https://github.com/elementary-data/elementary/issues/2205",
+        "severity": "critical",
+        "published_date": "2026-04-25"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "site-packages/elementary.pth (any line starting with `import` — auto-execs on every python invocation; ~245 KB base64-encoded harvester)",
+        "PyPI package elementary-data==0.23.3 (yanked; the wheel+sdist differ from 0.23.2 by exactly one file: elementary.pth)",
+        "GHCR image elementarydata/elementary-data:latest pre-2026-04-25 — image digest sha256:31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255",
+        "Clean baseline: GHCR sha256:b3bbfafde1a0db3a4d47e70eb0eb2ca19daef4a19410154a71abee567b35d3d9"
+      ],
+      "persistence_artifacts": [
+        "$TMPDIR/.trinny-security-update (campaign persistence marker; presence on disk = install-time payload executed)",
+        "elementary.pth in any site-packages — Python auto-loads .pth files on interpreter startup"
+      ],
+      "credential_paths_scanned": [
+        "~/.dbt/profiles.yml (dbt warehouse credentials — primary target given elementary's dbt user base)",
+        "~/.aws/credentials, application_default_credentials.json (GCP), ~/.azure/",
+        "~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.git-credentials",
+        "~/.docker/config.json, ~/.kube/config, /etc/kubernetes/*.conf",
+        "~/.npmrc, ~/.pypirc, ~/.cargo/credentials.toml",
+        ".env* files up to 6 directory levels deep",
+        "~/.vault-token, ~/.netrc, ~/.pgpass, ~/.my.cnf",
+        "/etc/passwd, /etc/shadow, shell history files, /var/log/auth.log",
+        "Cryptocurrency wallet files"
+      ],
+      "c2_indicators": [
+        "DNS / outbound HTTPS to igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud (sole exfiltration domain)",
+        "Outbound HTTP request carrying header `X-Rise-To-The-Trinny: agree` (campaign tag)",
+        "Any outbound from python child of pip / pip install on a host that just installed elementary-data"
+      ],
+      "supply_chain_entry_vectors": [
+        "GitHub repo with any `.github/workflows/*.yml` interpolating `${{ github.event.comment.body }}` / `github.event.issue.body` / `github.event.review.body` directly into a `run: |` block — exploitable by anyone who can comment on a PR/issue",
+        "Orphan-commit-driven release: any release tag whose target commit is NOT an ancestor of the default branch — forged via privileged token usage",
+        "GitHub repo with `permissions: contents: write` on a workflow that triggers on `issue_comment` / `pull_request_target` / similar untrusted-input triggers"
+      ],
+      "behavioral": [
+        "Brand-new GitHub account (created within 7 days) commenting on a high-download package's open PR with a payload-shaped string (shell metacharacters in a context that gets shell-interpolated)",
+        "Release tag pointing at an orphan commit (no path through git rev-list to the default branch)",
+        "Workflow run on a public repo where GITHUB_TOKEN.permissions includes contents:write AND the trigger event is issue_comment / pull_request_target",
+        "pip install of a major-version-pinned package returning a wheel whose contents differ from the previous patch version by added .pth file"
+      ]
+    },
+    "last_updated": "2026-05-13"
+  },
+  "CVE-2026-42208": {
+    "name": "BerriAI LiteLLM Proxy Auth SQL Injection",
+    "type": "RCE-via-sql-injection",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_v4_score": 9.3,
+    "cvss_v4_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-08",
+    "cisa_kev_due_date": "2026-05-29",
+    "poc_available": true,
+    "poc_description": "GHSA-r75f-5x8p-qvmc documents the sink shape — crafted Authorization header to any LLM API route reaches the vulnerable query through error-handling paths. KEV-listed implies in-wild exploitation evidence.",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA KEV listing criterion is in-wild exploitation evidence.",
+    "affected": "BerriAI LiteLLM Proxy — open-source LLM-API gateway managing credentials + routing across model providers. Used in front of AI agent stacks, MCP-server fronts, multi-model proxy deployments. Substantial production footprint.",
+    "affected_versions": [
+      "litellm >= 1.81.16",
+      "litellm < 1.83.7"
+    ],
+    "vector": "Authorization header value passed directly into a SQL query in the proxy's auth path. Crafted bearer-token-shape strings reach the error-logging pathway which executes SQL with the attacker-controlled value as a string-concatenated parameter. Result: read/modify the managed-credentials DB without prior auth.",
+    "complexity": "low",
+    "complexity_notes": "Curl-able exploit — POST to /chat/completions with a SQL-injection payload in Authorization. Network-reachable, no auth, no UI.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Upgrade to litellm 1.83.7+ (parameterised query — caller-supplied value is now a SQL parameter not a concatenated string)",
+      "Temporary workaround: `general_settings: disable_error_logs: true` removes the error-handling pathway the injection abuses"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation control doesn't address argument-vs-statement distinction in SQL libraries. SI-10 is satisfied by 'we validate inputs' regardless of whether the validation runs before the SQL parameter binding.",
+      "OWASP-LLM01": "Prompt injection control set doesn't address the AI-PROXY backend SQL surface — LiteLLM is the substrate that gates LLM API access, not the LLM itself.",
+      "NIS2-Art21-2e": "Cryptographic measures control doesn't address application-layer SQL injection.",
+      "EU-AI-Act-Art-15": "Robustness + cybersecurity requirement is undefined operationally for AI gateway infrastructure."
+    },
+    "atlas_refs": [
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078.001"
+    ],
+    "rwep_score": 65,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Operationally P1 — KEV-listed, network-vector, no auth, full credential DB compromise. AI-stack fleets running LiteLLM as the gateway should patch within the KEV 21-day window at minimum.",
+    "epss_score": 0.37368,
+    "epss_percentile": 0.9722,
+    "epss_date": "2026-05-13",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-42208",
+    "cwe_refs": ["CWE-89"],
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-42208",
+      "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "BerriAI",
+        "advisory_id": "GHSA-r75f-5x8p-qvmc",
+        "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc",
+        "severity": "critical",
+        "published_date": "2026-05-08"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": null,
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208",
+        "severity": "critical",
+        "published_date": "2026-05-08"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "POST /chat/completions with Authorization header value containing SQL-injection metacharacters (`'`, `--`, `OR 1=1`, UNION-based payloads)",
+        "Any HTTP request to a LiteLLM proxy where the Authorization header value is unusually long (> 100 chars) or contains characters outside [A-Za-z0-9\\-_.~+/=]"
+      ],
+      "behavioral": [
+        "LiteLLM proxy db (default sqlite or postgres) showing new rows in the LiteLLM_VerificationToken / LiteLLM_UserTable created without a corresponding admin-UI session",
+        "LiteLLM error logs containing parameterised-SQL failure shapes that include the Authorization header string verbatim (pre-1.83.7 the value lands in error logs in cleartext)",
+        "Outbound network from a LiteLLM proxy host to a model-provider endpoint using a freshly-issued virtual key that has no admin-event history",
+        "Mass key-generation events in LiteLLM logs (the SQLi path includes a key-mint primitive)"
+      ],
+      "c2_indicators": [
+        "Outbound from a LiteLLM proxy host to model-provider endpoints (openai, anthropic, etc.) using virtual keys not minted via the admin UI (compromised proxy uses its own stolen keys to mask attacker traffic as legitimate proxy traffic)"
+      ],
+      "credential_paths_scanned": [
+        "LiteLLM proxy DATABASE_URL-pointed database (sqlite file or postgres connection) — once SQLi reaches the DB, the entire managed-credentials table is read/write",
+        "Environment variables LITELLM_MASTER_KEY, DATABASE_URL on the proxy host"
+      ]
+    },
+    "last_updated": "2026-05-13"
+  },
+  "CVE-2026-39884": {
+    "name": "Flux159 mcp-server-kubernetes Argument Injection via port_forward",
+    "type": "argument-injection",
+    "cvss_score": 8.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "GHSA-4xqg-gf5c-ghwq publishes the PoC: invoke port_forward tool with resourceName containing space-delimited kubectl flags. Attacker-controllable args reach kubectl via .split(' ') concatenation in startPortForward() / executeKubectlCommandAsync().",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "suspected",
+    "active_exploitation_notes": "No public exploitation evidence as of 2026-05-13, but the MCP-server ecosystem has known opportunistic-scan history. Treated as suspected.",
+    "affected": "Flux159 mcp-server-kubernetes — MCP server giving AI assistants kubectl control. Installed in AI agent stacks that talk to Kubernetes clusters.",
+    "affected_versions": [
+      "mcp-server-kubernetes <= 3.4.0"
+    ],
+    "vector": "AI assistant invokes the port_forward MCP tool with resourceName='pod-name --address=0.0.0.0' or similar. The MCP server builds a string-form kubectl command and uses .split(' ') instead of an args array — the attacker-controlled flag lands as a distinct argv entry to kubectl. --address=0.0.0.0 binds the port-forward to all interfaces; -n kube-system redirects to attacker-chosen namespace.",
+    "complexity": "low",
+    "complexity_notes": "Only requires the AI assistant to be tricked (prompt injection in retrieved docs / commit messages / MCP tool responses) into passing a tainted resourceName. PR-injection / RAG-poisoning surface upstream gates exploitation.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Upgrade mcp-server-kubernetes to 3.5.0+ (argv-array refactor)",
+      "Until patched: disable the port_forward tool in MCP allowlist (most operator deployments don't rely on it)"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation control doesn't address the argv-vs-string boundary that argument injection exploits — many MCP servers concatenate user input into shell commands without registering this as a code-review failure.",
+      "OWASP-LLM01": "Prompt-injection-as-access-control gap — the attacker doesn't compromise the MCP server directly; they feed adversarial input that the AI passes through.",
+      "NIS2-Art21-2g": "Patch management presumes traditional CVE timelines; MCP plugin ecosystem patch awareness lags."
+    },
+    "atlas_refs": [
+      "AML.T0053",
+      "AML.T0051"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1078"
+    ],
+    "rwep_score": 20,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 10,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 — patch available, mitigation via tool disable, but the class (AI-mediated argument injection into infrastructure tools) is operationally important to track.",
+    "epss_score": 0.00039,
+    "epss_percentile": 0.11727,
+    "epss_date": "2026-05-13",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-39884",
+    "cwe_refs": ["CWE-88"],
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-39884",
+      "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Flux159",
+        "advisory_id": "GHSA-4xqg-gf5c-ghwq",
+        "url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq",
+        "severity": "high",
+        "published_date": "2026-04-15"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "src/tools/port_forward.ts startPortForward() / executeKubectlCommandAsync() in any version <= 3.4.0 — calls `.split(' ')` on user-input-concatenated command string",
+        "dist/tools/port_forward.js — compiled artifact in installed package"
+      ],
+      "behavioral": [
+        "MCP audit log showing port_forward tool calls with resourceName containing spaces or kubectl flag prefixes (`--`, `-n`)",
+        "kubectl port-forward processes with --address=0.0.0.0 on hosts that never invoke port-forward manually",
+        "kubectl port-forward processes targeting kube-system / kube-public namespaces when the operator's intended namespace was a workload namespace",
+        "Multiple -n flags in a single kubectl invocation (split-by-space duplicate-flag injection signature)"
+      ],
+      "runtime_syscall": [
+        "execve of kubectl with argv containing /^--address=/ from a parent process in node_modules/mcp-server-kubernetes/dist/",
+        "Network listener bound to 0.0.0.0:<port> by a kubectl process on a host that should only port-forward to localhost"
+      ]
+    },
+    "last_updated": "2026-05-13"
   }
 }

package/data/cwe-catalog.json

@@ -1302,5 +1302,39 @@
     "real_requirement": "Argon2id (memory-hard, RFC 9106) with tuned m/t/p; scrypt as fallback; bcrypt with work factor ≥ 12 acceptable for legacy. PBKDF2 only with iteration count ≥ 600,000 (NIST SP 800-63B 2022 update).",
     "lag_notes": "SP 800-63B updated iteration guidance in 2022; many compliance attestations still cite the 2017 numbers. Argon2id is RFC-9106 (2021) but absent from FIPS-approved lists, creating policy friction in federal contexts.",
     "last_verified": "2026-05-13"
+  },
+  "CWE-506": {
+    "id": "CWE-506",
+    "name": "Embedded Malicious Code",
+    "abstraction": "Class",
+    "category": "Supply Chain",
+    "description": "The application contains code that appears to perform a legitimate function but actually contains a payload that performs an additional, attacker-controlled action — typically credential theft, persistence, or remote loader logic. The class covers package-registry malware (PyPI / npm / RubyGems / Cargo / Maven typosquats, compromised maintainer accounts, forged-release-via-CI vectors).",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000"],
+    "related_attack_patterns_capec": ["CAPEC-442", "CAPEC-446", "CAPEC-538"],
+    "skills_referencing": ["library-author", "supply-chain-integrity"],
+    "evidence_cves": ["CVE-2026-45321", "MAL-2026-3083"],
+    "framework_controls_partially_addressing": ["NIST-800-53-SA-12", "NIST-800-218-PS.1", "ISO-27001-2022-A.8.30", "SLSA-Level-3"],
+    "real_requirement": "Provenance attestation at install time (Sigstore, in-toto, SLSA L3+); registry-side malware scanning on every uploaded artifact; install-time .pth / postinstall / preinstall hook auditing; differential analysis between consecutive releases of the same package (added files, new network egress, new file reads); cooldown periods on new releases of high-download packages so registry scanners and community detection have time to fire before mass install.",
+    "lag_notes": "SA-12 contemplates the traditional supply chain but does not require differential-analysis between adjacent releases. The elementary-data 0.23.3 attack (April 2026) added exactly one file (a `.pth` install-time payload) versus 0.23.2 — a difference any naive diff would catch but no registry-side scanner currently runs at upload time by default.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-88": {
+    "id": "CWE-88",
+    "name": "Improper Neutralization of Argument Delimiters in a Command",
+    "abstraction": "Base",
+    "category": "Injection",
+    "description": "The product constructs a string for a downstream command (typically by concatenating user input into a shell command line, then splitting on whitespace to argv) without escaping argument-delimiter characters. Distinguished from CWE-77 (Command Injection) by the narrower attack surface: the attacker cannot run arbitrary commands but CAN inject additional flags / arguments to a command the application already invokes, which is often sufficient to break the security model (redirect kubectl to attacker-control, change kubectl namespace, etc.).",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-1003"],
+    "related_attack_patterns_capec": ["CAPEC-460"],
+    "skills_referencing": ["mcp-agent-trust", "container-runtime-security"],
+    "evidence_cves": ["CVE-2026-39884"],
+    "framework_controls_partially_addressing": ["NIST-800-53-SI-10"],
+    "real_requirement": "Pass arguments to spawned processes as an array, not a string. When a string-form command is unavoidable, use the runtime's argument-list API (Node `child_process.spawn(cmd, argsArray)`, Python `subprocess.run([cmd, ...args])`) or a vetted escape function. Linter rule that flags any `.split(' ')` followed by `spawn`/`exec` on user-tainted input.",
+    "lag_notes": "SI-10 addresses input validation categorically but does not specify the argv-vs-string boundary that argument injection exploits. Many MCP servers and CI runners string-concatenate user input into shell commands without registering this as a code-review failure mode.",
+    "last_verified": "2026-05-13"
   }
 }

package/data/playbooks/library-author.json

@@ -757,6 +757,20 @@
           "deterministic": true,
           "attack_ref": "T1195.002"
         },
+        {
+          "id": "gha-workflow-script-injection-sink",
+          "type": "file_path",
+          "value": "Within the release-workflows artifact (any file under .github/workflows/*.yml): a `run:` shell script body directly interpolates an attacker-controllable github.event field — ${{ github.event.comment.body }}, ${{ github.event.issue.body }}, ${{ github.event.issue.title }}, ${{ github.event.pull_request.body }}, ${{ github.event.pull_request.title }}, ${{ github.event.review.body }}, ${{ github.event.head_commit.message }}, ${{ github.head_ref }}, ${{ github.event.discussion.body }}, ${{ github.event.discussion.title }} — without first capturing the value into an env: variable. Grep regex (multi-line YAML aware): `run:\\s*\\|[\\s\\S]*?\\$\\{\\{\\s*github\\.(event\\.(comment|issue|pull_request|review|head_commit|discussion)\\.|head_ref)`. Corroborate via the branch-tag-protection artifact: if any workflow with this sink also triggers on `pull_request_target` / `issue_comment` / `pull_request_review_comment` AND its job has `permissions: contents: write` (or unrestricted GITHUB_TOKEN), the sink is exploitable by any GitHub user who can comment on the repo.",
+          "description": "GitHub Actions script-injection sink. Elementary-data 0.23.3 (April 2026) was forged via this exact pattern — `${{ github.event.comment.body }}` interpolated into a `run:` block in update_pylon_issue.yml, escalated via the workflow's GITHUB_TOKEN to publish a malicious release. Without this indicator, a publisher account compromise via attacker-controlled comments looks identical to a clean release at the consumer side.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the run: block reads the github.event field via an `env:` variable first (env: COMMENT_BODY: ${{ github.event.comment.body }}) and then references $COMMENT_BODY in the shell — that is the documented-safe pattern; demote to miss.",
+            "If the workflow only runs in a sandboxed `pull_request` event (not `pull_request_target`) AND has default `permissions: contents: read` AND does not use secrets.* — the sink is not exploitable; demote to miss."
+          ],
+          "attack_ref": "T1195.001",
+          "cve_ref": "MAL-2026-3083"
+        },
         {
           "id": "publish-workflow-no-id-token-write",
           "type": "file_path",

package/data/playbooks/mcp.json

@@ -94,6 +94,7 @@
       "T1190"
     ],
     "cve_refs": [
+      "CVE-2025-53773",
       "CVE-2026-30615",
       "CVE-2026-45321"
     ],