@blamejs/exceptd-skills 0.13.100 → 0.13.102

package/data/atlas-ttps.json

@@ -549,7 +549,9 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-44467",
+      "CVE-2024-12366",
       "CVE-2024-21513",
+      "CVE-2024-5565",
       "CVE-2025-53773",
       "CVE-2025-55319",
       "CVE-2025-68664",
@@ -1745,12 +1747,14 @@
       "CVE-2025-32444",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2026-0766",
       "CVE-2026-24213",
       "CVE-2026-24214",
       "CVE-2026-24215",
       "CVE-2026-26190",
-      "CVE-2026-34159"
+      "CVE-2026-34159",
+      "CVE-2026-45829"
     ]
   },
   "AML.T0050": {
@@ -2845,7 +2849,8 @@
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
-      "CVE-2025-8747"
+      "CVE-2025-8747",
+      "CVE-2026-45829"
     ]
   },
   "AML.T0011.001": {
@@ -3274,7 +3279,11 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--073f16fc-c4c0-5351-8a22-9c77aaaab91f",
-    "is_subtechnique": true
+    "is_subtechnique": true,
+    "cve_refs": [
+      "CVE-2024-12366",
+      "CVE-2024-5565"
+    ]
   },
   "AML.T0051.001": {
     "id": "AML.T0051.001",

package/data/attack-techniques.json

@@ -281,6 +281,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-21513",
       "CVE-2024-21575",
@@ -289,6 +290,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2025-1094",
       "CVE-2025-11837",
       "CVE-2025-1550",
@@ -327,6 +329,7 @@
       "CVE-2026-39884",
       "CVE-2026-39987",
       "CVE-2026-40933",
+      "CVE-2026-45829",
       "CVE-2026-6973"
     ],
     "description_full": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
@@ -372,7 +375,9 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2023-44467",
+      "CVE-2024-12366",
       "CVE-2024-21513",
+      "CVE-2024-5565",
       "CVE-2025-49844",
       "MAL-2026-3083"
     ],
@@ -986,6 +991,7 @@
       "CVE-2025-6554",
       "CVE-2025-6558",
       "CVE-2025-66644",
+      "CVE-2025-67818",
       "CVE-2025-68613",
       "CVE-2025-68645",
       "CVE-2025-6965",
@@ -1049,6 +1055,7 @@
       "CVE-2026-42208",
       "CVE-2026-42897",
       "CVE-2026-42945",
+      "CVE-2026-45829",
       "CVE-2026-6973",
       "CVE-2026-7482",
       "CVE-2026-9082",

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.032,
+      "current_rate": 0.031,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -15487,6 +15487,432 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "PyTorch's torch.load executes code from a crafted checkpoint even with weights_only=True on <= 2.5.1 (CWE-502), defeating the recommended safe-load guidance; fixed in 2.6.0."
   },
+  "CVE-2026-45829": {
+    "name": "ChromaDB FastAPI Pre-Auth Remote Code Execution (ChromaToast)",
+    "type": "RCE",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
+    "cvss_note": "CNA CVSS v4.0 base 10.0 (CRITICAL); NVD has not published its own CVSS 3.x assessment (awaiting enrichment). The FastAPI collections endpoint processes a caller-supplied embedding-function config (a model repo with trust_remote_code=true) before authentication, yielding unauthenticated code execution (CWE-94).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (SecurityWeek / ChromaDB advisory): an unauthenticated request to the collections endpoint loads a malicious model repo and executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via SecurityWeek / ChromaDB advisory. The abused surface is a widely used vector database (RAG persistence layer).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; pre-auth code injection on the vector DB.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Public reporting urges urgent action on exposed instances; no confirmed in-the-wild exploitation as of curation. No fixed Python release published, so exposure persists.",
+    "affected": "ChromaDB (Python FastAPI server) 1.0.0 and later; the Rust 'chroma run' deployment and official Docker images are not affected.",
+    "affected_versions": [
+      "ChromaDB (Python FastAPI) >= 1.0.0"
+    ],
+    "vector": "ChromaDB's Python FastAPI server processes collection-creation logic - including a caller-supplied embedding-function configuration that can specify a model repository with trust_remote_code=true - before verifying the caller's identity, on /api/v2/tenants/{tenant}/databases/{db}/collections. An unauthenticated attacker therefore triggers remote code execution (CWE-94) by getting the server to load a malicious model repo. Disclosed as ChromaToast.",
+    "complexity": "low",
+    "complexity_notes": "AV:N / AC:L / PR:N - unauthenticated, network-reachable FastAPI server.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed release published as of curation; mitigate via network isolation and the non-FastAPI deployment (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ChromaDB Python release is published as of curation. Mitigate by restricting network access to the FastAPI port (do not expose to untrusted networks), using the Rust 'chroma run' deployment or official Docker images, and disabling trust_remote_code model loading."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is not enforced before the vector DB processes attacker-controlled collection config.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the vector database (RAG persistence layer) as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the embedding-function model-repo config before the vector DB acts on it.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the vector database's collection/embedding endpoints as a code-execution / file-write surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the vector DB as a privileged RAG data store.",
+      "DORA-Art-9": "ICT protection measures do not model vector-DB takeover (RAG data / host files) as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for input validation / path containment on the vector database.",
+      "AU-ISM-1546": "Patch-application control does not single out vector databases.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the vector database as a sensitive RAG store whose request/backup paths must validate untrusted input before code execution or file write."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 44,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 44, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation; no fixed release published, so no patch credit. poc_available=20 + blast_radius=24.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-45829",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated POST requests to ChromaDB /api/v2/.../collections specifying an embedding-function config with a remote model repository and trust_remote_code=true.",
+        "ChromaDB FastAPI server fetching a remote model repo and executing its code during collection creation.",
+        "Code/process execution on the ChromaDB host triggered before any authenticated session.",
+        "ChromaDB Python FastAPI server >= 1.0.0 exposed to untrusted networks - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the SecurityWeek / ChromaDB advisory advisory (https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/) and NVD CVE-2026-45829 (CWE-94)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-45829",
+      "https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "SecurityWeek / ChromaDB advisory",
+        "advisory_id": "CVE-2026-45829",
+        "url": "https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/",
+        "severity": "critical",
+        "published_date": "2026-05-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-45829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45829",
+        "severity": "critical",
+        "published_date": "2026-05-18"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; CNA CVSS v4.0 10.0, no NVD 3.x score) + the SecurityWeek / ChromaDB advisory advisory. Vector-database flaw (RAG persistence layer); shares the vector-DB authentication control NEW-CTRL-101 with the Milvus entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ChromaDB's Python FastAPI server runs collection-creation logic (embedding-function config with trust_remote_code) before auth, giving unauthenticated RCE (CWE-94, ChromaToast); no fixed release published - mitigate via network isolation / Rust deployment."
+  },
+  "CVE-2025-67818": {
+    "name": "Weaviate Backup Restore ZipSlip Path Traversal",
+    "type": "RCE",
+    "cvss_score": 7.2,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 7.2 (HIGH, PR:H); NVD has not published its own assessed score, and the GitHub (CNA) advisory rates it HIGH (CVSS v4.0 8.7). An attacker with data-write access crafts backup entries with absolute paths or ../ traversal that escape the restore root on restore (CWE-22 ZipSlip), creating/overwriting arbitrary files.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (GitHub Security Advisory): a write-capable attacker crafts a backup with traversal paths that escape the restore root.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory. The abused surface is a widely used vector database (RAG persistence layer).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; path traversal on the vector DB's backup restore.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Weaviate OSS before the branch fixes 1.30.20, 1.31.19, 1.32.16, and 1.33.4 (the GHSA ships per-maintained-branch patches).",
+    "affected_versions": [
+      "Weaviate OSS < 1.30.20",
+        "Weaviate OSS >= 1.31.0-rc.0, < 1.31.19",
+        "Weaviate OSS >= 1.32.0-rc.0, < 1.32.16",
+        "Weaviate OSS >= 1.33.0-rc.0, < 1.33.4"
+    ],
+    "vector": "Weaviate OSS does not constrain backup entry paths during restore, so an attacker with insert/write access crafts entries with absolute or ../ traversal paths that escape the restore root (CWE-22 ZipSlip), creating or overwriting files in arbitrary locations on the Weaviate host.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:H - requires data-write access to craft the backup.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to the fixed release on your maintained branch (1.30.20 / 1.31.19 / 1.32.16 / 1.33.4); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Weaviate OSS to the fixed release on your maintained branch (1.30.20, 1.31.19, 1.32.16, or 1.33.4). Restrict who can insert data / trigger restores and run Weaviate as a least-privilege user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is relied upon but the backup-restore path is reachable by ordinary write-capable accounts.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the vector database (RAG persistence layer) as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input validation is not applied to backup entry paths before the vector DB acts on it.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the vector database's backup-restore path as a code-execution / file-write surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the vector DB as a privileged RAG data store.",
+      "DORA-Art-9": "ICT protection measures do not model vector-DB takeover (RAG data / host files) as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for input validation / path containment on the vector database.",
+      "AU-ISM-1546": "Patch-application control does not single out vector databases.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the vector database as a sensitive RAG store whose request/backup paths must validate untrusted input before code execution or file write."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 25,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 25, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=20 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-67818",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Weaviate backup archives whose entries contain absolute paths or ../ traversal sequences.",
+        "Files written by Weaviate outside the restore root during a backup restore.",
+        "Restore operations triggered by accounts that should not have that capability.",
+        "Weaviate OSS < 1.33.4 with restore reachable by write-capable accounts - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-7v39-2hx7-7c43) and NVD CVE-2025-67818 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-67818",
+      "https://github.com/advisories/GHSA-7v39-2hx7-7c43"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-67818",
+        "url": "https://github.com/advisories/GHSA-7v39-2hx7-7c43",
+        "severity": "high",
+        "published_date": "2025-12-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-67818",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67818",
+        "severity": "high",
+        "published_date": "2025-12-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub (CNA) advisory (GHSA-7v39-2hx7-7c43, CWE-22) + CISA-ADP (CVSS v3.1 7.2; NVD has not published its own score). Vector-database flaw (RAG persistence layer); shares the AI-app path-traversal control NEW-CTRL-094.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Weaviate OSS backup restore does not constrain entry paths (CWE-22 ZipSlip), letting a write-capable attacker create/overwrite arbitrary host files; fixed per branch (1.30.20 / 1.31.19 / 1.32.16 / 1.33.4)."
+  },
+  "CVE-2024-5565": {
+    "name": "Vanna.AI Prompt Injection to Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "JFrog (CNA) CVSS v3.1 base 8.1 (HIGH); the GitHub advisory (GHSA-7735-w2jp-gvg6) rates it 9.2 (CRITICAL); NVD has not published its own assessed score. Prompt injection through the text-to-SQL ask method - with visualization enabled, the default - makes the LLM emit attacker-chosen Python that Vanna runs to build the Plotly figure, giving remote code execution (CWE-94 / CWE-77).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "JFrog published a working proof-of-concept (prompt-injection payload through ask yielding host code execution).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-7735-w2jp-gvg6). The abused surface is an LLM natural-language-to-code/SQL data-analysis agent that executes model-generated code by design.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw IS an AI-pipeline flaw - prompt injection drives the agent's own code-generation-and-execution path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory/research disclosure with a public proof-of-concept; no confirmed in-the-wild exploitation reported as of curation. No fixed release is published, so exposed deployments remain vulnerable.",
+    "affected": "Vanna (pip) 0.5.5 and earlier; no fixed release is published.",
+    "affected_versions": [
+      "Vanna (pip) <= 0.5.5"
+    ],
+    "vector": "Vanna is a text-to-SQL library: a natural-language question is turned into SQL and, with visualization enabled (the default), into Python that Vanna executes to render a Plotly figure. By injecting instructions into the question, an attacker overrides the intended visualization code and runs arbitrary Python on the host - prompt injection to remote code execution. Disclosed by JFrog.",
+    "complexity": "high",
+    "complexity_notes": "JFrog (CNA) AV:N / AC:H / PR:N - network-reachable and unauthenticated, but AC:H reflects that visualization must be enabled (default) and the injected question must reach the code path.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed release is published as of curation; mitigation is sandboxing the code-execution path and treating natural-language input as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed Vanna release is published. Mitigate by running Vanna in a sandboxed/least-privilege environment, disabling automatic visualization (the code-execution path) for untrusted questions, and treating every natural-language question as untrusted input that must never reach a Python exec/codegen path unsandboxed."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious-code protection does not cover an AI agent that generates and runs code from natural-language input as a code-execution channel.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the natural-language question (and analyzed data) before the agent turns it into executable code.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the agent's code-execution / visualization path is enabled by default rather than disabled or sandboxed.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address LLM-generated code being executed with host privileges.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate NL-to-code/SQL agents as an unauthenticated RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model an AI data-analysis agent's codegen path as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for sandboxing LLM-generated code or validating prompt-injectable input.",
+      "AU-ISM-1546": "Application-control / patch guidance does not single out LLM agents that execute generated code.",
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM data-analysis agent's generate-and-execute-code design as a privileged execution surface that must be sandboxed."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0051.000"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 40,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 40, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed release published so no patch credit (Hard Rule #3) - the high CVSS reflects unauthenticated RCE, while RWEP stays moderate because exploitation needs the agent exposed with codegen enabled and no public mass-exploitation is reported. poc_available=20 + blast_radius=20.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-5565",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-77"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Natural-language questions to Vanna's ask containing Python/Plotly directives or code-fence payloads rather than analytical questions.",
+        "Vanna executing generated Python that performs file, network, or process operations unrelated to figure rendering.",
+        "Code/process execution spawned from the Vanna visualization path.",
+        "Vanna (pip) <= 0.5.5 reachable with visualization enabled - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-7735-w2jp-gvg6), the disclosing research (https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/), and NVD CVE-2024-5565 (CWE-94/CWE-77)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-5565",
+      "https://github.com/advisories/GHSA-7735-w2jp-gvg6",
+      "https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-5565",
+        "url": "https://github.com/advisories/GHSA-7735-w2jp-gvg6",
+        "severity": "critical",
+        "published_date": "2024-06-27"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-5565",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5565",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-7735-w2jp-gvg6, CWE-94/CWE-77) + the disclosing research (https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/) + JFrog (CNA) CVSS v3.1 8.1 (NVD has not published its own score). LLM natural-language-to-code/SQL agent flaw; shares the codegen-execution-isolation control NEW-CTRL-102.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Vanna.AI text-to-SQL ask runs LLM-generated Python for Plotly visualization, so prompt injection in the question yields RCE (CWE-94/CWE-77); no fixed release - sandbox the codegen path."
+  },
+  "CVE-2024-12366": {
+    "name": "PandasAI Prompt Injection to Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 9.8 (CRITICAL); the GitHub advisory (GHSA-vv2h-2w3q-3fx7) also rates it Critical; NVD has not published its own assessed score. PandasAI's interactive prompt (chat) fails to distinguish legitimate from malicious input, so prompt injection drives the natural-language interface into executing arbitrary Python - remote code execution (CWE-94), no authentication or user interaction required.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Proof-of-concept documented via the CERT/CC note (VU#148244) and the disclosing advisory.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-vv2h-2w3q-3fx7). The abused surface is an LLM natural-language-to-code/SQL data-analysis agent that executes model-generated code by design.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw IS an AI-pipeline flaw - prompt injection drives the agent's own code-generation-and-execution path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory/research disclosure with a public proof-of-concept; no confirmed in-the-wild exploitation reported as of curation. No fixed release is published, so exposed deployments remain vulnerable.",
+    "affected": "PandasAI (pip) 2.4.2 and earlier; no fixed release is published (the v3 advanced-security-agent is a mitigation, not a backport).",
+    "affected_versions": [
+      "PandasAI (pip) <= 2.4.2"
+    ],
+    "vector": "PandasAI lets users query DataFrames in natural language; the chat interface turns the question into Python that PandasAI runs. Because it does not distinguish legitimate analytical input from injected instructions, an attacker uses prompt injection to make it generate and execute arbitrary Python, escaping the intended sandbox and achieving remote code execution. Tracked by CERT/CC as VU#148244.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N / UI:N - unauthenticated, no user interaction; the natural-language interface itself is the exec path.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed release is published as of curation; mitigation is sandboxing the code-execution path and treating natural-language input as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed PandasAI release is published; the v3 advanced security agent (docs.pandas-ai.com/advanced-security-agent) is a mitigation layer. Run PandasAI in a hardened sandbox with no host/network privileges, enable the security agent, and treat both the question and any analyzed data as untrusted input that must not reach an unsandboxed Python exec path."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious-code protection does not cover an AI agent that generates and runs code from natural-language input as a code-execution channel.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the natural-language question (and analyzed data) before the agent turns it into executable code.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the agent's code-execution / visualization path is enabled by default rather than disabled or sandboxed.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address LLM-generated code being executed with host privileges.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate NL-to-code/SQL agents as an unauthenticated RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model an AI data-analysis agent's codegen path as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for sandboxing LLM-generated code or validating prompt-injectable input.",
+      "AU-ISM-1546": "Application-control / patch guidance does not single out LLM agents that execute generated code.",
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM data-analysis agent's generate-and-execute-code design as a privileged execution surface that must be sandboxed."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0051.000"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 46,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 46, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed release published so no patch credit (Hard Rule #3) - the high CVSS reflects unauthenticated RCE, while RWEP stays moderate because exploitation needs the agent exposed with codegen enabled and no public mass-exploitation is reported. poc_available=20 + blast_radius=26.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-12366",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Natural-language chat inputs to PandasAI carrying Python directives, imports, or code-fence payloads instead of analytical questions.",
+        "PandasAI executing generated Python that touches the filesystem, network, or spawns processes beyond DataFrame operations.",
+        "Sandbox-escape or unexpected process execution originating from the PandasAI codegen path.",
+        "PandasAI (pip) <= 2.4.2 reachable without the security agent / sandbox - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vv2h-2w3q-3fx7), the disclosing research (https://www.kb.cert.org/vuls/id/148244), and NVD CVE-2024-12366 (CWE-94)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-12366",
+      "https://github.com/advisories/GHSA-vv2h-2w3q-3fx7",
+      "https://www.kb.cert.org/vuls/id/148244"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-12366",
+        "url": "https://github.com/advisories/GHSA-vv2h-2w3q-3fx7",
+        "severity": "critical",
+        "published_date": "2025-02-11"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-12366",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12366",
+        "severity": "high",
+        "published_date": "2025-02-11"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vv2h-2w3q-3fx7, CWE-94) + the disclosing research (https://www.kb.cert.org/vuls/id/148244) + CISA-ADP CVSS v3.1 9.8 (NVD has not published its own score). LLM natural-language-to-code/SQL agent flaw; shares the codegen-execution-isolation control NEW-CTRL-102.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "PandasAI chat natural-language interface runs LLM-generated Python without separating malicious input, so prompt injection yields unauthenticated RCE / sandbox escape (CWE-94); no fixed release - enable the security agent + sandbox."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -109,6 +109,7 @@
       "CVE-2025-27920",
       "CVE-2025-4632",
       "CVE-2025-6218",
+      "CVE-2025-67818",
       "CVE-2025-8110",
       "CVE-2026-25592",
       "CVE-2026-34926"
@@ -148,6 +149,7 @@
       "CVE-2016-10033",
       "CVE-2020-25079",
       "CVE-2023-33538",
+      "CVE-2024-5565",
       "CVE-2025-10035",
       "CVE-2025-29635",
       "CVE-2025-4008",
@@ -379,10 +381,12 @@
       "CVE-2020-25078",
       "CVE-2022-48503",
       "CVE-2023-44467",
+      "CVE-2024-12366",
       "CVE-2024-21513",
       "CVE-2024-21576",
       "CVE-2024-27132",
       "CVE-2024-4889",
+      "CVE-2024-5565",
       "CVE-2024-56145",
       "CVE-2025-11837",
       "CVE-2025-1550",
@@ -408,6 +412,7 @@
       "CVE-2026-30615",
       "CVE-2026-33017",
       "CVE-2026-34197",
+      "CVE-2026-45829",
       "CVE-2026-6973",
       "MAL-2026-3083"
     ],