@blamejs/exceptd-skills 0.13.101 → 0.13.102

package/data/atlas-ttps.json

@@ -549,7 +549,9 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-44467",
+      "CVE-2024-12366",
       "CVE-2024-21513",
+      "CVE-2024-5565",
       "CVE-2025-53773",
       "CVE-2025-55319",
       "CVE-2025-68664",
@@ -3277,7 +3279,11 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--073f16fc-c4c0-5351-8a22-9c77aaaab91f",
-    "is_subtechnique": true
+    "is_subtechnique": true,
+    "cve_refs": [
+      "CVE-2024-12366",
+      "CVE-2024-5565"
+    ]
   },
   "AML.T0051.001": {
     "id": "AML.T0051.001",

package/data/attack-techniques.json

@@ -281,6 +281,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-21513",
       "CVE-2024-21575",
@@ -289,6 +290,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2025-1094",
       "CVE-2025-11837",
       "CVE-2025-1550",
@@ -373,7 +375,9 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2023-44467",
+      "CVE-2024-12366",
       "CVE-2024-21513",
+      "CVE-2024-5565",
       "CVE-2025-49844",
       "MAL-2026-3083"
     ],

package/data/cve-catalog.json

@@ -15698,6 +15698,221 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Weaviate OSS backup restore does not constrain entry paths (CWE-22 ZipSlip), letting a write-capable attacker create/overwrite arbitrary host files; fixed per branch (1.30.20 / 1.31.19 / 1.32.16 / 1.33.4)."
   },
+  "CVE-2024-5565": {
+    "name": "Vanna.AI Prompt Injection to Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "JFrog (CNA) CVSS v3.1 base 8.1 (HIGH); the GitHub advisory (GHSA-7735-w2jp-gvg6) rates it 9.2 (CRITICAL); NVD has not published its own assessed score. Prompt injection through the text-to-SQL ask method - with visualization enabled, the default - makes the LLM emit attacker-chosen Python that Vanna runs to build the Plotly figure, giving remote code execution (CWE-94 / CWE-77).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "JFrog published a working proof-of-concept (prompt-injection payload through ask yielding host code execution).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-7735-w2jp-gvg6). The abused surface is an LLM natural-language-to-code/SQL data-analysis agent that executes model-generated code by design.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw IS an AI-pipeline flaw - prompt injection drives the agent's own code-generation-and-execution path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory/research disclosure with a public proof-of-concept; no confirmed in-the-wild exploitation reported as of curation. No fixed release is published, so exposed deployments remain vulnerable.",
+    "affected": "Vanna (pip) 0.5.5 and earlier; no fixed release is published.",
+    "affected_versions": [
+      "Vanna (pip) <= 0.5.5"
+    ],
+    "vector": "Vanna is a text-to-SQL library: a natural-language question is turned into SQL and, with visualization enabled (the default), into Python that Vanna executes to render a Plotly figure. By injecting instructions into the question, an attacker overrides the intended visualization code and runs arbitrary Python on the host - prompt injection to remote code execution. Disclosed by JFrog.",
+    "complexity": "high",
+    "complexity_notes": "JFrog (CNA) AV:N / AC:H / PR:N - network-reachable and unauthenticated, but AC:H reflects that visualization must be enabled (default) and the injected question must reach the code path.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed release is published as of curation; mitigation is sandboxing the code-execution path and treating natural-language input as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed Vanna release is published. Mitigate by running Vanna in a sandboxed/least-privilege environment, disabling automatic visualization (the code-execution path) for untrusted questions, and treating every natural-language question as untrusted input that must never reach a Python exec/codegen path unsandboxed."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious-code protection does not cover an AI agent that generates and runs code from natural-language input as a code-execution channel.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the natural-language question (and analyzed data) before the agent turns it into executable code.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the agent's code-execution / visualization path is enabled by default rather than disabled or sandboxed.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address LLM-generated code being executed with host privileges.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate NL-to-code/SQL agents as an unauthenticated RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model an AI data-analysis agent's codegen path as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for sandboxing LLM-generated code or validating prompt-injectable input.",
+      "AU-ISM-1546": "Application-control / patch guidance does not single out LLM agents that execute generated code.",
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM data-analysis agent's generate-and-execute-code design as a privileged execution surface that must be sandboxed."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0051.000"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 40,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 40, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed release published so no patch credit (Hard Rule #3) - the high CVSS reflects unauthenticated RCE, while RWEP stays moderate because exploitation needs the agent exposed with codegen enabled and no public mass-exploitation is reported. poc_available=20 + blast_radius=20.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-5565",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-77"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Natural-language questions to Vanna's ask containing Python/Plotly directives or code-fence payloads rather than analytical questions.",
+        "Vanna executing generated Python that performs file, network, or process operations unrelated to figure rendering.",
+        "Code/process execution spawned from the Vanna visualization path.",
+        "Vanna (pip) <= 0.5.5 reachable with visualization enabled - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-7735-w2jp-gvg6), the disclosing research (https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/), and NVD CVE-2024-5565 (CWE-94/CWE-77)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-5565",
+      "https://github.com/advisories/GHSA-7735-w2jp-gvg6",
+      "https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-5565",
+        "url": "https://github.com/advisories/GHSA-7735-w2jp-gvg6",
+        "severity": "critical",
+        "published_date": "2024-06-27"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-5565",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5565",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-7735-w2jp-gvg6, CWE-94/CWE-77) + the disclosing research (https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/) + JFrog (CNA) CVSS v3.1 8.1 (NVD has not published its own score). LLM natural-language-to-code/SQL agent flaw; shares the codegen-execution-isolation control NEW-CTRL-102.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Vanna.AI text-to-SQL ask runs LLM-generated Python for Plotly visualization, so prompt injection in the question yields RCE (CWE-94/CWE-77); no fixed release - sandbox the codegen path."
+  },
+  "CVE-2024-12366": {
+    "name": "PandasAI Prompt Injection to Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 9.8 (CRITICAL); the GitHub advisory (GHSA-vv2h-2w3q-3fx7) also rates it Critical; NVD has not published its own assessed score. PandasAI's interactive prompt (chat) fails to distinguish legitimate from malicious input, so prompt injection drives the natural-language interface into executing arbitrary Python - remote code execution (CWE-94), no authentication or user interaction required.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Proof-of-concept documented via the CERT/CC note (VU#148244) and the disclosing advisory.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-vv2h-2w3q-3fx7). The abused surface is an LLM natural-language-to-code/SQL data-analysis agent that executes model-generated code by design.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw IS an AI-pipeline flaw - prompt injection drives the agent's own code-generation-and-execution path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory/research disclosure with a public proof-of-concept; no confirmed in-the-wild exploitation reported as of curation. No fixed release is published, so exposed deployments remain vulnerable.",
+    "affected": "PandasAI (pip) 2.4.2 and earlier; no fixed release is published (the v3 advanced-security-agent is a mitigation, not a backport).",
+    "affected_versions": [
+      "PandasAI (pip) <= 2.4.2"
+    ],
+    "vector": "PandasAI lets users query DataFrames in natural language; the chat interface turns the question into Python that PandasAI runs. Because it does not distinguish legitimate analytical input from injected instructions, an attacker uses prompt injection to make it generate and execute arbitrary Python, escaping the intended sandbox and achieving remote code execution. Tracked by CERT/CC as VU#148244.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N / UI:N - unauthenticated, no user interaction; the natural-language interface itself is the exec path.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed release is published as of curation; mitigation is sandboxing the code-execution path and treating natural-language input as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed PandasAI release is published; the v3 advanced security agent (docs.pandas-ai.com/advanced-security-agent) is a mitigation layer. Run PandasAI in a hardened sandbox with no host/network privileges, enable the security agent, and treat both the question and any analyzed data as untrusted input that must not reach an unsandboxed Python exec path."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious-code protection does not cover an AI agent that generates and runs code from natural-language input as a code-execution channel.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the natural-language question (and analyzed data) before the agent turns it into executable code.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the agent's code-execution / visualization path is enabled by default rather than disabled or sandboxed.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address LLM-generated code being executed with host privileges.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate NL-to-code/SQL agents as an unauthenticated RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model an AI data-analysis agent's codegen path as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for sandboxing LLM-generated code or validating prompt-injectable input.",
+      "AU-ISM-1546": "Application-control / patch guidance does not single out LLM agents that execute generated code.",
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM data-analysis agent's generate-and-execute-code design as a privileged execution surface that must be sandboxed."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0051.000"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 46,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 46, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed release published so no patch credit (Hard Rule #3) - the high CVSS reflects unauthenticated RCE, while RWEP stays moderate because exploitation needs the agent exposed with codegen enabled and no public mass-exploitation is reported. poc_available=20 + blast_radius=26.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-12366",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Natural-language chat inputs to PandasAI carrying Python directives, imports, or code-fence payloads instead of analytical questions.",
+        "PandasAI executing generated Python that touches the filesystem, network, or spawns processes beyond DataFrame operations.",
+        "Sandbox-escape or unexpected process execution originating from the PandasAI codegen path.",
+        "PandasAI (pip) <= 2.4.2 reachable without the security agent / sandbox - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vv2h-2w3q-3fx7), the disclosing research (https://www.kb.cert.org/vuls/id/148244), and NVD CVE-2024-12366 (CWE-94)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-12366",
+      "https://github.com/advisories/GHSA-vv2h-2w3q-3fx7",
+      "https://www.kb.cert.org/vuls/id/148244"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-12366",
+        "url": "https://github.com/advisories/GHSA-vv2h-2w3q-3fx7",
+        "severity": "critical",
+        "published_date": "2025-02-11"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-12366",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12366",
+        "severity": "high",
+        "published_date": "2025-02-11"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vv2h-2w3q-3fx7, CWE-94) + the disclosing research (https://www.kb.cert.org/vuls/id/148244) + CISA-ADP CVSS v3.1 9.8 (NVD has not published its own score). LLM natural-language-to-code/SQL agent flaw; shares the codegen-execution-isolation control NEW-CTRL-102.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "PandasAI chat natural-language interface runs LLM-generated Python without separating malicious input, so prompt injection yields unauthenticated RCE / sandbox escape (CWE-94); no fixed release - enable the security agent + sandbox."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -149,6 +149,7 @@
       "CVE-2016-10033",
       "CVE-2020-25079",
       "CVE-2023-33538",
+      "CVE-2024-5565",
       "CVE-2025-10035",
       "CVE-2025-29635",
       "CVE-2025-4008",
@@ -380,10 +381,12 @@
       "CVE-2020-25078",
       "CVE-2022-48503",
       "CVE-2023-44467",
+      "CVE-2024-12366",
       "CVE-2024-21513",
       "CVE-2024-21576",
       "CVE-2024-27132",
       "CVE-2024-4889",
+      "CVE-2024-5565",
       "CVE-2024-56145",
       "CVE-2025-11837",
       "CVE-2025-1550",

package/data/framework-control-gaps.json

@@ -45,6 +45,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -56,6 +57,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
@@ -159,7 +161,9 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2023-44467",
+      "CVE-2024-12366",
       "CVE-2024-21513",
+      "CVE-2024-5565",
       "CVE-2026-25592"
     ],
     "atlas_refs": [
@@ -1259,6 +1263,8 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2023-43472",
+      "CVE-2024-12366",
+      "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-6965",
@@ -2088,7 +2094,9 @@
     "opened_date": "2026-04-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
+      "CVE-2024-12366",
       "CVE-2024-3154",
+      "CVE-2024-5565",
       "CVE-2025-49844",
       "CVE-2025-53773",
       "CVE-2026-30615"
@@ -2314,12 +2322,14 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-21513",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-1550",
@@ -2776,6 +2786,8 @@
     "opened_date": "2026-02-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
+      "CVE-2024-12366",
+      "CVE-2024-5565",
       "CVE-2025-11837",
       "CVE-2026-22778",
       "CVE-2026-32202",
@@ -4958,6 +4970,8 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2023-3519",
+      "CVE-2024-12366",
+      "CVE-2024-5565",
       "CVE-2026-0300",
       "CVE-2026-42945"
     ],
@@ -5005,6 +5019,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5018,6 +5033,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
@@ -5556,6 +5572,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5568,6 +5585,7 @@
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5648,6 +5666,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5661,6 +5680,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",

package/data/zeroday-lessons.json

@@ -4261,6 +4261,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-5565": {
+    "name": "Vanna.AI Prompt Injection to Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Vanna's text-to-SQL ask method turns a natural-language question into Python and runs it to render a Plotly visualization (default-on), so prompt injection in the question overrides the visualization code and executes arbitrary Python on the host.",
+      "privileges_required": "none (unauthenticated; AC:H - visualization enabled + injected question)",
+      "complexity": "high",
+      "ai_factor": "The flaw is intrinsic to the AI pipeline: the agent's purpose is to turn natural language into executed code, so prompt injection is the exploit primitive. The lesson - LLM-generated code is attacker-controllable code and must be sandboxed, never run with host privileges."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not treat an LLM agent's generate-and-run-code path as a code-execution channel."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced - the code-execution / visualization path is on by default rather than sandboxed or disabled for untrusted input."
+      },
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "NL-to-code/SQL agents are adopted for analyst productivity and run model-generated code by design; their codegen path is rarely sandboxed and the natural-language input is not treated as untrusted.",
+      "theater_pattern": "ai_agent_codegen_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-102",
+        "name": "AI-NL-TO-CODE-AGENT-EXECUTION-ISOLATION",
+        "description": "An LLM data-analysis agent that generates and executes code or SQL from natural language (text-to-SQL, text-to-Python, charting agents) must treat BOTH the natural-language question and any analyzed data as untrusted, prompt-injectable input, and must never run model-generated code with host or network privileges. Disable code-execution/visualization paths by default for untrusted input, run generated code only in a hardened sandbox (no filesystem/network/process access beyond the dataset), enforce least functionality, and validate or constrain the generated artifact before execution. The distinguishing test: send an analytical question containing an injected instruction to emit non-analytical code (e.g. a shell/file/network call) on a staging agent and confirm the agent refuses to execute it - paper 'AI security' policies that do not sandbox the generate-and-run path still permit RCE.",
+        "evidence": "https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/",
+        "gap_closes": [
+          "NIST-800-53-SI-3",
+          "NIST-800-53-CM-7",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-12366": {
+    "name": "PandasAI Prompt Injection to Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "PandasAI's chat interface turns a natural-language question into Python and runs it against DataFrames; it does not separate analytical input from injected instructions, so prompt injection generates and executes arbitrary Python, escaping the intended sandbox (RCE).",
+      "privileges_required": "none (unauthenticated, no user interaction)",
+      "complexity": "low",
+      "ai_factor": "The flaw is intrinsic to the AI pipeline: the agent's purpose is to turn natural language into executed code, so prompt injection is the exploit primitive. The lesson - LLM-generated code is attacker-controllable code and must be sandboxed, never run with host privileges."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not treat an LLM agent's generate-and-run-code path as a code-execution channel."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced - the code-execution / visualization path is on by default rather than sandboxed or disabled for untrusted input."
+      },
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "NL-to-code/SQL agents are adopted for analyst productivity and run model-generated code by design; their codegen path is rarely sandboxed and the natural-language input is not treated as untrusted.",
+      "theater_pattern": "ai_agent_codegen_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-102",
+        "name": "AI-NL-TO-CODE-AGENT-EXECUTION-ISOLATION",
+        "description": "An LLM data-analysis agent that generates and executes code or SQL from natural language (text-to-SQL, text-to-Python, charting agents) must treat BOTH the natural-language question and any analyzed data as untrusted, prompt-injectable input, and must never run model-generated code with host or network privileges. Disable code-execution/visualization paths by default for untrusted input, run generated code only in a hardened sandbox (no filesystem/network/process access beyond the dataset), enforce least functionality, and validate or constrain the generated artifact before execution. The distinguishing test: send an analytical question containing an injected instruction to emit non-analytical code (e.g. a shell/file/network call) on a staging agent and confirm the agent refuses to execute it - paper 'AI security' policies that do not sandbox the generate-and-run path still permit RCE.",
+        "evidence": "https://www.kb.cert.org/vuls/id/148244",
+        "gap_closes": [
+          "NIST-800-53-SI-3",
+          "NIST-800-53-CM-7",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-67818": {
     "name": "Weaviate Backup Restore ZipSlip Path Traversal",
     "lesson_date": "2026-05-25",