@blamejs/exceptd-skills 0.13.100 → 0.13.101

package/data/atlas-ttps.json

@@ -1745,12 +1745,14 @@
       "CVE-2025-32444",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2026-0766",
       "CVE-2026-24213",
       "CVE-2026-24214",
       "CVE-2026-24215",
       "CVE-2026-26190",
-      "CVE-2026-34159"
+      "CVE-2026-34159",
+      "CVE-2026-45829"
     ]
   },
   "AML.T0050": {
@@ -2845,7 +2847,8 @@
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
-      "CVE-2025-8747"
+      "CVE-2025-8747",
+      "CVE-2026-45829"
     ]
   },
   "AML.T0011.001": {

package/data/attack-techniques.json

@@ -327,6 +327,7 @@
       "CVE-2026-39884",
       "CVE-2026-39987",
       "CVE-2026-40933",
+      "CVE-2026-45829",
       "CVE-2026-6973"
     ],
     "description_full": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
@@ -986,6 +987,7 @@
       "CVE-2025-6554",
       "CVE-2025-6558",
       "CVE-2025-66644",
+      "CVE-2025-67818",
       "CVE-2025-68613",
       "CVE-2025-68645",
       "CVE-2025-6965",
@@ -1049,6 +1051,7 @@
       "CVE-2026-42208",
       "CVE-2026-42897",
       "CVE-2026-42945",
+      "CVE-2026-45829",
       "CVE-2026-6973",
       "CVE-2026-7482",
       "CVE-2026-9082",

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.032,
+      "current_rate": 0.031,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -15487,6 +15487,217 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "PyTorch's torch.load executes code from a crafted checkpoint even with weights_only=True on <= 2.5.1 (CWE-502), defeating the recommended safe-load guidance; fixed in 2.6.0."
   },
+  "CVE-2026-45829": {
+    "name": "ChromaDB FastAPI Pre-Auth Remote Code Execution (ChromaToast)",
+    "type": "RCE",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
+    "cvss_note": "CNA CVSS v4.0 base 10.0 (CRITICAL); NVD has not published its own CVSS 3.x assessment (awaiting enrichment). The FastAPI collections endpoint processes a caller-supplied embedding-function config (a model repo with trust_remote_code=true) before authentication, yielding unauthenticated code execution (CWE-94).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (SecurityWeek / ChromaDB advisory): an unauthenticated request to the collections endpoint loads a malicious model repo and executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via SecurityWeek / ChromaDB advisory. The abused surface is a widely used vector database (RAG persistence layer).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; pre-auth code injection on the vector DB.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Public reporting urges urgent action on exposed instances; no confirmed in-the-wild exploitation as of curation. No fixed Python release published, so exposure persists.",
+    "affected": "ChromaDB (Python FastAPI server) 1.0.0 and later; the Rust 'chroma run' deployment and official Docker images are not affected.",
+    "affected_versions": [
+      "ChromaDB (Python FastAPI) >= 1.0.0"
+    ],
+    "vector": "ChromaDB's Python FastAPI server processes collection-creation logic - including a caller-supplied embedding-function configuration that can specify a model repository with trust_remote_code=true - before verifying the caller's identity, on /api/v2/tenants/{tenant}/databases/{db}/collections. An unauthenticated attacker therefore triggers remote code execution (CWE-94) by getting the server to load a malicious model repo. Disclosed as ChromaToast.",
+    "complexity": "low",
+    "complexity_notes": "AV:N / AC:L / PR:N - unauthenticated, network-reachable FastAPI server.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed release published as of curation; mitigate via network isolation and the non-FastAPI deployment (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ChromaDB Python release is published as of curation. Mitigate by restricting network access to the FastAPI port (do not expose to untrusted networks), using the Rust 'chroma run' deployment or official Docker images, and disabling trust_remote_code model loading."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is not enforced before the vector DB processes attacker-controlled collection config.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the vector database (RAG persistence layer) as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the embedding-function model-repo config before the vector DB acts on it.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the vector database's collection/embedding endpoints as a code-execution / file-write surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the vector DB as a privileged RAG data store.",
+      "DORA-Art-9": "ICT protection measures do not model vector-DB takeover (RAG data / host files) as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for input validation / path containment on the vector database.",
+      "AU-ISM-1546": "Patch-application control does not single out vector databases.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the vector database as a sensitive RAG store whose request/backup paths must validate untrusted input before code execution or file write."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 44,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 44, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation; no fixed release published, so no patch credit. poc_available=20 + blast_radius=24.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-45829",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated POST requests to ChromaDB /api/v2/.../collections specifying an embedding-function config with a remote model repository and trust_remote_code=true.",
+        "ChromaDB FastAPI server fetching a remote model repo and executing its code during collection creation.",
+        "Code/process execution on the ChromaDB host triggered before any authenticated session.",
+        "ChromaDB Python FastAPI server >= 1.0.0 exposed to untrusted networks - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the SecurityWeek / ChromaDB advisory advisory (https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/) and NVD CVE-2026-45829 (CWE-94)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-45829",
+      "https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "SecurityWeek / ChromaDB advisory",
+        "advisory_id": "CVE-2026-45829",
+        "url": "https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/",
+        "severity": "critical",
+        "published_date": "2026-05-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-45829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45829",
+        "severity": "critical",
+        "published_date": "2026-05-18"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; CNA CVSS v4.0 10.0, no NVD 3.x score) + the SecurityWeek / ChromaDB advisory advisory. Vector-database flaw (RAG persistence layer); shares the vector-DB authentication control NEW-CTRL-101 with the Milvus entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ChromaDB's Python FastAPI server runs collection-creation logic (embedding-function config with trust_remote_code) before auth, giving unauthenticated RCE (CWE-94, ChromaToast); no fixed release published - mitigate via network isolation / Rust deployment."
+  },
+  "CVE-2025-67818": {
+    "name": "Weaviate Backup Restore ZipSlip Path Traversal",
+    "type": "RCE",
+    "cvss_score": 7.2,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 7.2 (HIGH, PR:H); NVD has not published its own assessed score, and the GitHub (CNA) advisory rates it HIGH (CVSS v4.0 8.7). An attacker with data-write access crafts backup entries with absolute paths or ../ traversal that escape the restore root on restore (CWE-22 ZipSlip), creating/overwriting arbitrary files.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (GitHub Security Advisory): a write-capable attacker crafts a backup with traversal paths that escape the restore root.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory. The abused surface is a widely used vector database (RAG persistence layer).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; path traversal on the vector DB's backup restore.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Weaviate OSS before the branch fixes 1.30.20, 1.31.19, 1.32.16, and 1.33.4 (the GHSA ships per-maintained-branch patches).",
+    "affected_versions": [
+      "Weaviate OSS < 1.30.20",
+        "Weaviate OSS >= 1.31.0-rc.0, < 1.31.19",
+        "Weaviate OSS >= 1.32.0-rc.0, < 1.32.16",
+        "Weaviate OSS >= 1.33.0-rc.0, < 1.33.4"
+    ],
+    "vector": "Weaviate OSS does not constrain backup entry paths during restore, so an attacker with insert/write access crafts entries with absolute or ../ traversal paths that escape the restore root (CWE-22 ZipSlip), creating or overwriting files in arbitrary locations on the Weaviate host.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:H - requires data-write access to craft the backup.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to the fixed release on your maintained branch (1.30.20 / 1.31.19 / 1.32.16 / 1.33.4); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Weaviate OSS to the fixed release on your maintained branch (1.30.20, 1.31.19, 1.32.16, or 1.33.4). Restrict who can insert data / trigger restores and run Weaviate as a least-privilege user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is relied upon but the backup-restore path is reachable by ordinary write-capable accounts.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the vector database (RAG persistence layer) as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input validation is not applied to backup entry paths before the vector DB acts on it.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the vector database's backup-restore path as a code-execution / file-write surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the vector DB as a privileged RAG data store.",
+      "DORA-Art-9": "ICT protection measures do not model vector-DB takeover (RAG data / host files) as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for input validation / path containment on the vector database.",
+      "AU-ISM-1546": "Patch-application control does not single out vector databases.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the vector database as a sensitive RAG store whose request/backup paths must validate untrusted input before code execution or file write."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 25,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 25, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=20 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-67818",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Weaviate backup archives whose entries contain absolute paths or ../ traversal sequences.",
+        "Files written by Weaviate outside the restore root during a backup restore.",
+        "Restore operations triggered by accounts that should not have that capability.",
+        "Weaviate OSS < 1.33.4 with restore reachable by write-capable accounts - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-7v39-2hx7-7c43) and NVD CVE-2025-67818 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-67818",
+      "https://github.com/advisories/GHSA-7v39-2hx7-7c43"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-67818",
+        "url": "https://github.com/advisories/GHSA-7v39-2hx7-7c43",
+        "severity": "high",
+        "published_date": "2025-12-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-67818",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67818",
+        "severity": "high",
+        "published_date": "2025-12-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub (CNA) advisory (GHSA-7v39-2hx7-7c43, CWE-22) + CISA-ADP (CVSS v3.1 7.2; NVD has not published its own score). Vector-database flaw (RAG persistence layer); shares the AI-app path-traversal control NEW-CTRL-094.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Weaviate OSS backup restore does not constrain entry paths (CWE-22 ZipSlip), letting a write-capable attacker create/overwrite arbitrary host files; fixed per branch (1.30.20 / 1.31.19 / 1.32.16 / 1.33.4)."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -109,6 +109,7 @@
       "CVE-2025-27920",
       "CVE-2025-4632",
       "CVE-2025-6218",
+      "CVE-2025-67818",
       "CVE-2025-8110",
       "CVE-2026-25592",
       "CVE-2026-34926"
@@ -408,6 +409,7 @@
       "CVE-2026-30615",
       "CVE-2026-33017",
       "CVE-2026-34197",
+      "CVE-2026-45829",
       "CVE-2026-6973",
       "MAL-2026-3083"
     ],

package/data/framework-control-gaps.json

@@ -72,6 +72,7 @@
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -88,7 +89,8 @@
       "CVE-2026-30624",
       "CVE-2026-30625",
       "CVE-2026-34159",
-      "CVE-2026-40933"
+      "CVE-2026-40933",
+      "CVE-2026-45829"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -1569,6 +1571,7 @@
       "CVE-2025-6558",
       "CVE-2025-66376",
       "CVE-2025-66644",
+      "CVE-2025-67818",
       "CVE-2025-68461",
       "CVE-2025-68613",
       "CVE-2025-68645",
@@ -1643,6 +1646,7 @@
       "CVE-2026-41940",
       "CVE-2026-42945",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -1872,6 +1876,7 @@
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -1896,6 +1901,7 @@
       "CVE-2026-41091",
       "CVE-2026-45321",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-9082",
@@ -2324,6 +2330,7 @@
       "CVE-2025-33236",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-67818",
       "CVE-2025-6965",
       "CVE-2025-8747",
       "CVE-2026-0766",
@@ -2332,6 +2339,7 @@
       "CVE-2026-24215",
       "CVE-2026-39884",
       "CVE-2026-42208",
+      "CVE-2026-45829",
       "CVE-2026-9082"
     ],
     "atlas_refs": [
@@ -2649,6 +2657,7 @@
       "CVE-2025-6558",
       "CVE-2025-66376",
       "CVE-2025-66644",
+      "CVE-2025-67818",
       "CVE-2025-68461",
       "CVE-2025-68613",
       "CVE-2025-68645",
@@ -2730,6 +2739,7 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -5024,6 +5034,7 @@
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2025-8747",
       "CVE-2026-0300",
       "CVE-2026-0766",
@@ -5049,6 +5060,7 @@
       "CVE-2026-42897",
       "CVE-2026-42945",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-9082"
@@ -5570,6 +5582,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-67818",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -5588,6 +5601,7 @@
       "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-9082",
@@ -5663,6 +5677,7 @@
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -5684,6 +5699,7 @@
       "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-9082"
@@ -5966,10 +5982,12 @@
       "CVE-2024-4889",
       "CVE-2024-6587",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2026-20182",
       "CVE-2026-24206",
       "CVE-2026-24207",
-      "CVE-2026-26190"
+      "CVE-2026-26190",
+      "CVE-2026-45829"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -4211,6 +4211,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-45829": {
+    "name": "ChromaDB FastAPI Pre-Auth Remote Code Execution (ChromaToast)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ChromaDB's Python FastAPI server processes a caller-supplied embedding-function config (model repo with trust_remote_code=true) on the collections endpoint before authenticating, giving unauthenticated RCE (CWE-94).",
+      "privileges_required": "none (CVSS v4.0 PR:N) - unauthenticated, before any auth check",
+      "complexity": "low",
+      "ai_factor": "The abused surface is a widely used vector database - the RAG persistence layer that stores embeddings and source data behind LLM applications. The lesson: vector databases are sensitive, RCE-bearing data stores; they must authenticate before acting on caller config and never load remote model code on untrusted input."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the vector database (RAG persistence layer) as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation / auth is not applied before the vector DB processes attacker-controlled collection/embedding config."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the vector database as a sensitive RAG store whose request path must authenticate before code execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Vector databases are deployed as convenience RAG infrastructure on trusted-network assumptions; their request and backup paths are not hardened.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-101",
+        "name": "VECTOR-DB-AUTHENTICATION-ENFORCEMENT",
+        "description": "A vector database must authenticate callers BEFORE processing any caller-supplied configuration (collection/embedding-function config, model repositories), must not load remote model code (trust_remote_code) on untrusted input, and must never be exposed to untrusted networks. For ChromaDB, restrict the FastAPI port, use the Rust 'chroma run' / official Docker deployment, and disable trust_remote_code. The distinguishing test: send an unauthenticated collection-create request with a malicious embedding-function model repo to a staging instance and confirm it is refused before any code loads.",
+        "evidence": "https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-67818": {
+    "name": "Weaviate Backup Restore ZipSlip Path Traversal",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Weaviate OSS does not constrain backup entry paths on restore, so a write-capable attacker uses absolute / ../ paths to escape the restore root (CWE-22 ZipSlip) and create or overwrite arbitrary host files.",
+      "privileges_required": "data-write access (NVD PR:H)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is a widely used vector database - the RAG persistence layer that stores embeddings and source data behind LLM applications. The lesson: vector databases are sensitive, RCE-bearing data stores; their file/archive-handling paths must be containment-checked."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the vector database (RAG persistence layer) as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Path validation is not applied to backup entry paths on restore."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the vector database as a sensitive RAG store whose backup/file paths must be containment-checked."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 64,
+      "basis": "Vector databases are deployed as convenience RAG infrastructure on trusted-network assumptions; their request and backup paths are not hardened.",
+      "theater_pattern": "ai_demo_framework_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "An AI application's file/path-bearing inputs - including archive (backup) entry paths on extraction - must be canonicalized and constrained to the intended directory before any write (reject absolute paths and ../ traversal / ZipSlip). Upgrade Weaviate OSS to the fixed release on your maintained branch (1.30.20 / 1.31.19 / 1.32.16 / 1.33.4), restrict who can insert data or trigger restores, and run least-privilege. This is the same path-traversal class as the Ollama / AnythingLLM entries. The distinguishing test: restore a backup containing a ../ entry on a staging instance and confirm it is rejected, not written outside the restore root.",
+        "evidence": "https://github.com/advisories/GHSA-7v39-2hx7-7c43",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2026-26190": {
     "name": "Milvus Port 9091 Missing Authentication / Weak Default Token",
     "lesson_date": "2026-05-25",