@blamejs/exceptd-skills 0.13.100 → 0.13.102

package/data/framework-control-gaps.json

@@ -45,6 +45,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -56,6 +57,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
@@ -72,6 +74,7 @@
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -88,7 +91,8 @@
       "CVE-2026-30624",
       "CVE-2026-30625",
       "CVE-2026-34159",
-      "CVE-2026-40933"
+      "CVE-2026-40933",
+      "CVE-2026-45829"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -157,7 +161,9 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2023-44467",
+      "CVE-2024-12366",
       "CVE-2024-21513",
+      "CVE-2024-5565",
       "CVE-2026-25592"
     ],
     "atlas_refs": [
@@ -1257,6 +1263,8 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2023-43472",
+      "CVE-2024-12366",
+      "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-6965",
@@ -1569,6 +1577,7 @@
       "CVE-2025-6558",
       "CVE-2025-66376",
       "CVE-2025-66644",
+      "CVE-2025-67818",
       "CVE-2025-68461",
       "CVE-2025-68613",
       "CVE-2025-68645",
@@ -1643,6 +1652,7 @@
       "CVE-2026-41940",
       "CVE-2026-42945",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -1872,6 +1882,7 @@
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -1896,6 +1907,7 @@
       "CVE-2026-41091",
       "CVE-2026-45321",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-9082",
@@ -2082,7 +2094,9 @@
     "opened_date": "2026-04-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
+      "CVE-2024-12366",
       "CVE-2024-3154",
+      "CVE-2024-5565",
       "CVE-2025-49844",
       "CVE-2025-53773",
       "CVE-2026-30615"
@@ -2308,12 +2322,14 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-21513",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-1550",
@@ -2324,6 +2340,7 @@
       "CVE-2025-33236",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-67818",
       "CVE-2025-6965",
       "CVE-2025-8747",
       "CVE-2026-0766",
@@ -2332,6 +2349,7 @@
       "CVE-2026-24215",
       "CVE-2026-39884",
       "CVE-2026-42208",
+      "CVE-2026-45829",
       "CVE-2026-9082"
     ],
     "atlas_refs": [
@@ -2649,6 +2667,7 @@
       "CVE-2025-6558",
       "CVE-2025-66376",
       "CVE-2025-66644",
+      "CVE-2025-67818",
       "CVE-2025-68461",
       "CVE-2025-68613",
       "CVE-2025-68645",
@@ -2730,6 +2749,7 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -2766,6 +2786,8 @@
     "opened_date": "2026-02-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
+      "CVE-2024-12366",
+      "CVE-2024-5565",
       "CVE-2025-11837",
       "CVE-2026-22778",
       "CVE-2026-32202",
@@ -4948,6 +4970,8 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2023-3519",
+      "CVE-2024-12366",
+      "CVE-2024-5565",
       "CVE-2026-0300",
       "CVE-2026-42945"
     ],
@@ -4995,6 +5019,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5008,6 +5033,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
@@ -5024,6 +5050,7 @@
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2025-8747",
       "CVE-2026-0300",
       "CVE-2026-0766",
@@ -5049,6 +5076,7 @@
       "CVE-2026-42897",
       "CVE-2026-42945",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-9082"
@@ -5544,6 +5572,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5556,6 +5585,7 @@
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5570,6 +5600,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-67818",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -5588,6 +5619,7 @@
       "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-9082",
@@ -5634,6 +5666,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5647,6 +5680,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
@@ -5663,6 +5697,7 @@
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -5684,6 +5719,7 @@
       "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-45498",
+      "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-9082"
@@ -5966,10 +6002,12 @@
       "CVE-2024-4889",
       "CVE-2024-6587",
       "CVE-2025-64513",
+      "CVE-2025-67818",
       "CVE-2026-20182",
       "CVE-2026-24206",
       "CVE-2026-24207",
-      "CVE-2026-26190"
+      "CVE-2026-26190",
+      "CVE-2026-45829"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -4211,6 +4211,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-45829": {
+    "name": "ChromaDB FastAPI Pre-Auth Remote Code Execution (ChromaToast)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ChromaDB's Python FastAPI server processes a caller-supplied embedding-function config (model repo with trust_remote_code=true) on the collections endpoint before authenticating, giving unauthenticated RCE (CWE-94).",
+      "privileges_required": "none (CVSS v4.0 PR:N) - unauthenticated, before any auth check",
+      "complexity": "low",
+      "ai_factor": "The abused surface is a widely used vector database - the RAG persistence layer that stores embeddings and source data behind LLM applications. The lesson: vector databases are sensitive, RCE-bearing data stores; they must authenticate before acting on caller config and never load remote model code on untrusted input."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the vector database (RAG persistence layer) as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation / auth is not applied before the vector DB processes attacker-controlled collection/embedding config."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the vector database as a sensitive RAG store whose request path must authenticate before code execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Vector databases are deployed as convenience RAG infrastructure on trusted-network assumptions; their request and backup paths are not hardened.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-101",
+        "name": "VECTOR-DB-AUTHENTICATION-ENFORCEMENT",
+        "description": "A vector database must authenticate callers BEFORE processing any caller-supplied configuration (collection/embedding-function config, model repositories), must not load remote model code (trust_remote_code) on untrusted input, and must never be exposed to untrusted networks. For ChromaDB, restrict the FastAPI port, use the Rust 'chroma run' / official Docker deployment, and disable trust_remote_code. The distinguishing test: send an unauthenticated collection-create request with a malicious embedding-function model repo to a staging instance and confirm it is refused before any code loads.",
+        "evidence": "https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-5565": {
+    "name": "Vanna.AI Prompt Injection to Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Vanna's text-to-SQL ask method turns a natural-language question into Python and runs it to render a Plotly visualization (default-on), so prompt injection in the question overrides the visualization code and executes arbitrary Python on the host.",
+      "privileges_required": "none (unauthenticated; AC:H - visualization enabled + injected question)",
+      "complexity": "high",
+      "ai_factor": "The flaw is intrinsic to the AI pipeline: the agent's purpose is to turn natural language into executed code, so prompt injection is the exploit primitive. The lesson - LLM-generated code is attacker-controllable code and must be sandboxed, never run with host privileges."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not treat an LLM agent's generate-and-run-code path as a code-execution channel."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced - the code-execution / visualization path is on by default rather than sandboxed or disabled for untrusted input."
+      },
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "NL-to-code/SQL agents are adopted for analyst productivity and run model-generated code by design; their codegen path is rarely sandboxed and the natural-language input is not treated as untrusted.",
+      "theater_pattern": "ai_agent_codegen_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-102",
+        "name": "AI-NL-TO-CODE-AGENT-EXECUTION-ISOLATION",
+        "description": "An LLM data-analysis agent that generates and executes code or SQL from natural language (text-to-SQL, text-to-Python, charting agents) must treat BOTH the natural-language question and any analyzed data as untrusted, prompt-injectable input, and must never run model-generated code with host or network privileges. Disable code-execution/visualization paths by default for untrusted input, run generated code only in a hardened sandbox (no filesystem/network/process access beyond the dataset), enforce least functionality, and validate or constrain the generated artifact before execution. The distinguishing test: send an analytical question containing an injected instruction to emit non-analytical code (e.g. a shell/file/network call) on a staging agent and confirm the agent refuses to execute it - paper 'AI security' policies that do not sandbox the generate-and-run path still permit RCE.",
+        "evidence": "https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/",
+        "gap_closes": [
+          "NIST-800-53-SI-3",
+          "NIST-800-53-CM-7",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-12366": {
+    "name": "PandasAI Prompt Injection to Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "PandasAI's chat interface turns a natural-language question into Python and runs it against DataFrames; it does not separate analytical input from injected instructions, so prompt injection generates and executes arbitrary Python, escaping the intended sandbox (RCE).",
+      "privileges_required": "none (unauthenticated, no user interaction)",
+      "complexity": "low",
+      "ai_factor": "The flaw is intrinsic to the AI pipeline: the agent's purpose is to turn natural language into executed code, so prompt injection is the exploit primitive. The lesson - LLM-generated code is attacker-controllable code and must be sandboxed, never run with host privileges."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not treat an LLM agent's generate-and-run-code path as a code-execution channel."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced - the code-execution / visualization path is on by default rather than sandboxed or disabled for untrusted input."
+      },
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "NL-to-code/SQL agents are adopted for analyst productivity and run model-generated code by design; their codegen path is rarely sandboxed and the natural-language input is not treated as untrusted.",
+      "theater_pattern": "ai_agent_codegen_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-102",
+        "name": "AI-NL-TO-CODE-AGENT-EXECUTION-ISOLATION",
+        "description": "An LLM data-analysis agent that generates and executes code or SQL from natural language (text-to-SQL, text-to-Python, charting agents) must treat BOTH the natural-language question and any analyzed data as untrusted, prompt-injectable input, and must never run model-generated code with host or network privileges. Disable code-execution/visualization paths by default for untrusted input, run generated code only in a hardened sandbox (no filesystem/network/process access beyond the dataset), enforce least functionality, and validate or constrain the generated artifact before execution. The distinguishing test: send an analytical question containing an injected instruction to emit non-analytical code (e.g. a shell/file/network call) on a staging agent and confirm the agent refuses to execute it - paper 'AI security' policies that do not sandbox the generate-and-run path still permit RCE.",
+        "evidence": "https://www.kb.cert.org/vuls/id/148244",
+        "gap_closes": [
+          "NIST-800-53-SI-3",
+          "NIST-800-53-CM-7",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-67818": {
+    "name": "Weaviate Backup Restore ZipSlip Path Traversal",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Weaviate OSS does not constrain backup entry paths on restore, so a write-capable attacker uses absolute / ../ paths to escape the restore root (CWE-22 ZipSlip) and create or overwrite arbitrary host files.",
+      "privileges_required": "data-write access (NVD PR:H)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is a widely used vector database - the RAG persistence layer that stores embeddings and source data behind LLM applications. The lesson: vector databases are sensitive, RCE-bearing data stores; their file/archive-handling paths must be containment-checked."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the vector database (RAG persistence layer) as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Path validation is not applied to backup entry paths on restore."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the vector database as a sensitive RAG store whose backup/file paths must be containment-checked."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 64,
+      "basis": "Vector databases are deployed as convenience RAG infrastructure on trusted-network assumptions; their request and backup paths are not hardened.",
+      "theater_pattern": "ai_demo_framework_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "An AI application's file/path-bearing inputs - including archive (backup) entry paths on extraction - must be canonicalized and constrained to the intended directory before any write (reject absolute paths and ../ traversal / ZipSlip). Upgrade Weaviate OSS to the fixed release on your maintained branch (1.30.20 / 1.31.19 / 1.32.16 / 1.33.4), restrict who can insert data or trigger restores, and run least-privilege. This is the same path-traversal class as the Ollama / AnythingLLM entries. The distinguishing test: restore a backup containing a ../ entry on a staging instance and confirm it is rejected, not written outside the restore root.",
+        "evidence": "https://github.com/advisories/GHSA-7v39-2hx7-7c43",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2026-26190": {
     "name": "Milvus Port 9091 Missing Authentication / Weak Default Token",
     "lesson_date": "2026-05-25",