@blamejs/exceptd-skills 0.13.101 → 0.13.103

package/data/cve-catalog.json

@@ -9253,104 +9253,6 @@
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
     "_kev_short_description": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory."
   },
-  "CVE-2026-33017": {
-    "name": "Langflow Code Injection Vulnerability",
-    "type": "RCE",
-    "cvss_score": 9.8,
-    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-    "cvss_note": "Operator estimate inferred from KEV vulnerabilityName + shortDescription classification (no per-CVE NVD lookup at bulk-import time). Refine via `exceptd refresh --advisory <CVE-ID> --apply` for NVD/GHSA/OSV enrichment.",
-    "cisa_kev": true,
-    "cisa_kev_date": "2026-03-25",
-    "cisa_kev_due_date": "2026-04-08",
-    "poc_available": true,
-    "poc_description": "KEV-listed actively-exploited vulnerability. CISA listing 2026-05 catalog version. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..",
-    "ai_discovered": false,
-    "ai_discovery_source": "unknown",
-    "ai_discovery_notes": "Bulk-imported KEV entry — AI-discovery provenance not surfaced in the KEV record. Refine via NVD/GHSA enrichment if researcher attribution names an AI tool.",
-    "ai_assisted_weaponization": false,
-    "ai_assisted_notes": "Bulk-imported KEV entry — weaponization-channel attribution not in KEV.",
-    "active_exploitation": "confirmed",
-    "active_exploitation_notes": "KEV listing is CISA's confirmed-exploitation attestation. The dateAdded is the formal KEV listing date; the actual in-wild observation may predate it by weeks.",
-    "affected": "Langflow Langflow — see vendor advisory linked in verification_sources for affected version ranges.",
-    "affected_versions": [
-      "Langflow Langflow — versions per vendor advisory"
-    ],
-    "vector": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.",
-    "complexity": "moderate",
-    "complexity_notes": "Bulk-imported — exploitation complexity not extracted from KEV record. Treat as moderate-by-default; refine when researcher writeup published.",
-    "patch_available": true,
-    "patch_required_reboot": true,
-    "live_patch_available": false,
-    "live_patch_tools": [],
-    "live_patch_notes": "No live-patch tool registered for this entry at bulk-import time. Vendor patch typically requires service restart or system reboot per the KEV requiredAction.",
-    "vendor_update_paths": [
-      "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
-    ],
-    "framework_control_gaps": {
-      "NIST-800-53-SI-2": "30-day flaw-remediation SLA inadequate for CISA-KEV-listed actively-exploited CVE. CISA due date is the operationally-meaningful clock — typically 14-21 days for new KEV listings.",
-      "ISO-27001-2022-A.8.8": "Vulnerability management standard does not differentiate between routinely-disclosed CVEs and actively-exploited KEV-listed CVEs. KEV listing collapses 'patch-cycle response' to 'incident-speed response'.",
-      "NIST-800-53-AC-6": "Least-privilege presumes a working authentication / authorization boundary. The KEV-listed exploit demonstrates the boundary is breakable from a baseline context."
-    },
-    "atlas_refs": [],
-    "attack_refs": [
-      "T1190"
-    ],
-    "rwep_score": 77,
-    "rwep_factors": {
-      "cisa_kev": 25,
-      "poc_available": 20,
-      "ai_factor": 0,
-      "active_exploitation": 20,
-      "blast_radius": 22,
-      "patch_available": -15,
-      "live_patch_available": 0,
-      "reboot_required": 5
-    },
-    "rwep_notes": "P1 — KEV-listed confirmed exploitation. blast_radius=22 (standard vendor-product scope). Bulk-imported via v0.13.17 KEV intake — score reflects KEV+PoC+active_exploitation contributions; refine factors when per-CVE research publishes.",
-    "epss_score": null,
-    "epss_date": "2026-05-18",
-    "epss_note": "EPSS not refreshed at bulk-import. Pull via FIRST EPSS API per-CVE in a future refresh.",
-    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-33017",
-    "cwe_refs": [
-      "CWE-94",
-      "CWE-95",
-      "CWE-306"
-    ],
-    "source_verified": "2026-05-18",
-    "verification_sources": [
-      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
-      "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx",
-      "https://nvd.nist.gov/vuln/detail/CVE-2026-33017"
-    ],
-    "vendor_advisories": [
-      {
-        "vendor": "CISA KEV",
-        "advisory_id": "CVE-2026-33017",
-        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
-        "severity": "high",
-        "published_date": "2026-03-25"
-      },
-      {
-        "vendor": "Langflow",
-        "advisory_id": null,
-        "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx",
-        "severity": "high",
-        "published_date": "2026-03-25"
-      },
-      {
-        "vendor": "Langflow",
-        "advisory_id": null,
-        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
-        "severity": "high",
-        "published_date": "2026-03-25"
-      }
-    ],
-    "last_updated": "2026-05-18",
-    "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-25; due date 2026-04-08. Notes reference: https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx ; https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication."
-  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "type": "RCE",
@@ -15698,6 +15600,444 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Weaviate OSS backup restore does not constrain entry paths (CWE-22 ZipSlip), letting a write-capable attacker create/overwrite arbitrary host files; fixed per branch (1.30.20 / 1.31.19 / 1.32.16 / 1.33.4)."
   },
+  "CVE-2024-5565": {
+    "name": "Vanna.AI Prompt Injection to Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "JFrog (CNA) CVSS v3.1 base 8.1 (HIGH); the GitHub advisory (GHSA-7735-w2jp-gvg6) rates it 9.2 (CRITICAL); NVD has not published its own assessed score. Prompt injection through the text-to-SQL ask method - with visualization enabled, the default - makes the LLM emit attacker-chosen Python that Vanna runs to build the Plotly figure, giving remote code execution (CWE-94 / CWE-77).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "JFrog published a working proof-of-concept (prompt-injection payload through ask yielding host code execution).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-7735-w2jp-gvg6). The abused surface is an LLM natural-language-to-code/SQL data-analysis agent that executes model-generated code by design.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw IS an AI-pipeline flaw - prompt injection drives the agent's own code-generation-and-execution path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory/research disclosure with a public proof-of-concept; no confirmed in-the-wild exploitation reported as of curation. No fixed release is published, so exposed deployments remain vulnerable.",
+    "affected": "Vanna (pip) 0.5.5 and earlier; no fixed release is published.",
+    "affected_versions": [
+      "Vanna (pip) <= 0.5.5"
+    ],
+    "vector": "Vanna is a text-to-SQL library: a natural-language question is turned into SQL and, with visualization enabled (the default), into Python that Vanna executes to render a Plotly figure. By injecting instructions into the question, an attacker overrides the intended visualization code and runs arbitrary Python on the host - prompt injection to remote code execution. Disclosed by JFrog.",
+    "complexity": "high",
+    "complexity_notes": "JFrog (CNA) AV:N / AC:H / PR:N - network-reachable and unauthenticated, but AC:H reflects that visualization must be enabled (default) and the injected question must reach the code path.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed release is published as of curation; mitigation is sandboxing the code-execution path and treating natural-language input as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed Vanna release is published. Mitigate by running Vanna in a sandboxed/least-privilege environment, disabling automatic visualization (the code-execution path) for untrusted questions, and treating every natural-language question as untrusted input that must never reach a Python exec/codegen path unsandboxed."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious-code protection does not cover an AI agent that generates and runs code from natural-language input as a code-execution channel.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the natural-language question (and analyzed data) before the agent turns it into executable code.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the agent's code-execution / visualization path is enabled by default rather than disabled or sandboxed.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address LLM-generated code being executed with host privileges.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate NL-to-code/SQL agents as an unauthenticated RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model an AI data-analysis agent's codegen path as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for sandboxing LLM-generated code or validating prompt-injectable input.",
+      "AU-ISM-1546": "Application-control / patch guidance does not single out LLM agents that execute generated code.",
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM data-analysis agent's generate-and-execute-code design as a privileged execution surface that must be sandboxed."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0051.000"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 40,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 40, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed release published so no patch credit (Hard Rule #3) - the high CVSS reflects unauthenticated RCE, while RWEP stays moderate because exploitation needs the agent exposed with codegen enabled and no public mass-exploitation is reported. poc_available=20 + blast_radius=20.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-5565",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-77"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Natural-language questions to Vanna's ask containing Python/Plotly directives or code-fence payloads rather than analytical questions.",
+        "Vanna executing generated Python that performs file, network, or process operations unrelated to figure rendering.",
+        "Code/process execution spawned from the Vanna visualization path.",
+        "Vanna (pip) <= 0.5.5 reachable with visualization enabled - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-7735-w2jp-gvg6), the disclosing research (https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/), and NVD CVE-2024-5565 (CWE-94/CWE-77)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-5565",
+      "https://github.com/advisories/GHSA-7735-w2jp-gvg6",
+      "https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-5565",
+        "url": "https://github.com/advisories/GHSA-7735-w2jp-gvg6",
+        "severity": "critical",
+        "published_date": "2024-06-27"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-5565",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5565",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-7735-w2jp-gvg6, CWE-94/CWE-77) + the disclosing research (https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/) + JFrog (CNA) CVSS v3.1 8.1 (NVD has not published its own score). LLM natural-language-to-code/SQL agent flaw; shares the codegen-execution-isolation control NEW-CTRL-102.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Vanna.AI text-to-SQL ask runs LLM-generated Python for Plotly visualization, so prompt injection in the question yields RCE (CWE-94/CWE-77); no fixed release - sandbox the codegen path."
+  },
+  "CVE-2024-12366": {
+    "name": "PandasAI Prompt Injection to Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 9.8 (CRITICAL); the GitHub advisory (GHSA-vv2h-2w3q-3fx7) also rates it Critical; NVD has not published its own assessed score. PandasAI's interactive prompt (chat) fails to distinguish legitimate from malicious input, so prompt injection drives the natural-language interface into executing arbitrary Python - remote code execution (CWE-94), no authentication or user interaction required.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Proof-of-concept documented via the CERT/CC note (VU#148244) and the disclosing advisory.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-vv2h-2w3q-3fx7). The abused surface is an LLM natural-language-to-code/SQL data-analysis agent that executes model-generated code by design.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw IS an AI-pipeline flaw - prompt injection drives the agent's own code-generation-and-execution path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory/research disclosure with a public proof-of-concept; no confirmed in-the-wild exploitation reported as of curation. No fixed release is published, so exposed deployments remain vulnerable.",
+    "affected": "PandasAI (pip) 2.4.2 and earlier; no fixed release is published (the v3 advanced-security-agent is a mitigation, not a backport).",
+    "affected_versions": [
+      "PandasAI (pip) <= 2.4.2"
+    ],
+    "vector": "PandasAI lets users query DataFrames in natural language; the chat interface turns the question into Python that PandasAI runs. Because it does not distinguish legitimate analytical input from injected instructions, an attacker uses prompt injection to make it generate and execute arbitrary Python, escaping the intended sandbox and achieving remote code execution. Tracked by CERT/CC as VU#148244.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N / UI:N - unauthenticated, no user interaction; the natural-language interface itself is the exec path.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed release is published as of curation; mitigation is sandboxing the code-execution path and treating natural-language input as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed PandasAI release is published; the v3 advanced security agent (docs.pandas-ai.com/advanced-security-agent) is a mitigation layer. Run PandasAI in a hardened sandbox with no host/network privileges, enable the security agent, and treat both the question and any analyzed data as untrusted input that must not reach an unsandboxed Python exec path."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious-code protection does not cover an AI agent that generates and runs code from natural-language input as a code-execution channel.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the natural-language question (and analyzed data) before the agent turns it into executable code.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the agent's code-execution / visualization path is enabled by default rather than disabled or sandboxed.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address LLM-generated code being executed with host privileges.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate NL-to-code/SQL agents as an unauthenticated RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model an AI data-analysis agent's codegen path as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for sandboxing LLM-generated code or validating prompt-injectable input.",
+      "AU-ISM-1546": "Application-control / patch guidance does not single out LLM agents that execute generated code.",
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM data-analysis agent's generate-and-execute-code design as a privileged execution surface that must be sandboxed."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0051.000"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 46,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 46, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed release published so no patch credit (Hard Rule #3) - the high CVSS reflects unauthenticated RCE, while RWEP stays moderate because exploitation needs the agent exposed with codegen enabled and no public mass-exploitation is reported. poc_available=20 + blast_radius=26.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-12366",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Natural-language chat inputs to PandasAI carrying Python directives, imports, or code-fence payloads instead of analytical questions.",
+        "PandasAI executing generated Python that touches the filesystem, network, or spawns processes beyond DataFrame operations.",
+        "Sandbox-escape or unexpected process execution originating from the PandasAI codegen path.",
+        "PandasAI (pip) <= 2.4.2 reachable without the security agent / sandbox - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vv2h-2w3q-3fx7), the disclosing research (https://www.kb.cert.org/vuls/id/148244), and NVD CVE-2024-12366 (CWE-94)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-12366",
+      "https://github.com/advisories/GHSA-vv2h-2w3q-3fx7",
+      "https://www.kb.cert.org/vuls/id/148244"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-12366",
+        "url": "https://github.com/advisories/GHSA-vv2h-2w3q-3fx7",
+        "severity": "critical",
+        "published_date": "2025-02-11"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-12366",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12366",
+        "severity": "high",
+        "published_date": "2025-02-11"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vv2h-2w3q-3fx7, CWE-94) + the disclosing research (https://www.kb.cert.org/vuls/id/148244) + CISA-ADP CVSS v3.1 9.8 (NVD has not published its own score). LLM natural-language-to-code/SQL agent flaw; shares the codegen-execution-isolation control NEW-CTRL-102.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "PandasAI chat natural-language interface runs LLM-generated Python without separating malicious input, so prompt injection yields unauthenticated RCE / sandbox escape (CWE-94); no fixed release - enable the security agent + sandbox."
+  },
+  "CVE-2025-3248": {
+    "name": "Langflow /api/v1/validate/code Unauthenticated Code Injection (CISA KEV)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "VulnCheck (CNA) CVSS v3.1 base 9.8 (CRITICAL). The /api/v1/validate/code endpoint compiles and runs attacker-supplied Python with no authentication, so a crafted HTTP request runs arbitrary code on the host (CWE-94 + CWE-306).",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-05-05",
+    "cisa_kev_due_date": "2025-05-26",
+    "poc_available": true,
+    "poc_description": "VulnCheck published a working proof-of-concept and analysis; exploitation is a single unauthenticated POST to /api/v1/validate/code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-rvqx-wpfh-mfx7). The abused surface is a widely used visual LLM app/agent builder (Langflow).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; an unauthenticated endpoint on an LLM app builder reaches a code-execution sink.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA added CVE-2025-3248 to the Known Exploited Vulnerabilities catalog on 2025-05-05 (due 2025-05-26) - confirmed active exploitation. Mass scanning and botnet activity against internet-exposed Langflow instances was reported following VulnCheck's public proof-of-concept; Sysdig documented an end-to-end compromise of an exposed Langflow instance within hours.",
+    "affected": "Langflow before 1.3.0.",
+    "affected_versions": [
+      "Langflow < 1.3.0"
+    ],
+    "vector": "Langflow is a popular visual builder for LLM agents and flows. Before 1.3.0 its /api/v1/validate/code endpoint accepts code in an HTTP request and runs it through a Python compile-and-run path to 'validate' it, but the endpoint requires no authentication - so any remote attacker who can reach the server runs arbitrary code (CWE-94 code injection + CWE-306 missing authentication). VulnCheck published the analysis and PoC; CISA KEV-listed it.",
+    "complexity": "low",
+    "complexity_notes": "AV:N / AC:L / PR:N / UI:N - network-reachable, unauthenticated, no user interaction; a single crafted request to the validate-code endpoint runs code.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.3.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Langflow to the latest release (1.3.0 closed this route; 1.9.0+ closes the sibling flow-build route in CVE-2026-33017). Do not expose Langflow to untrusted networks, place it behind authenticated reverse-proxy access control, and treat every flow validate/build/run endpoint as a code-execution surface."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement is missing on a code-execution endpoint - the flow validate/build path is reachable without authentication (CWE-306).",
+      "NIST-800-53-IA-2": "The LLM app builder does not authenticate callers before reaching a code-execution endpoint.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the app builder's code validate/build endpoint as an attacker-reachable execution channel.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: a public endpoint runs flow-supplied / submitted code through a compile-and-run path without sandboxing.",
+      "ISO-27001-2022-A.5.15": "Access control does not gate the LLM app builder's code-execution endpoints.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address running externally supplied code through a dynamic-execution sink on a public endpoint.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not reach the LLM app builder's unauthenticated execution endpoints.",
+      "DORA-Art-9": "ICT protection measures do not model an LLM app builder's public code endpoint as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating and sandboxing LLM app-builder execution endpoints.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app builders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a visual LLM app/agent builder's flow validate/build endpoints as privileged execution surfaces that must authenticate and sandbox submitted code."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 78,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Critical (RWEP 78, \"patch within 24 hours\" band per lib/scoring.js timeline). CISA KEV-listed (added 2025-05-05) and actively exploited: cisa_kev=25 + active_exploitation(confirmed)=20 + poc_available=20 + blast_radius=28, minus patch_available 15. The patch credit does not pull it out of the P1 band because real-world exploitation is confirmed. This is the first of two Langflow flow-execution endpoints KEV-listed for the same unauthenticated code-injection class - its sibling CVE-2026-33017 (the public flow-build endpoint, KEV 2026-03-25) also scores P1, which is the lesson: the first fix closed one route but not the class.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-3248",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-306"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated POST requests to /api/v1/validate/code carrying Python payloads (decorators, imports, or default-argument tricks that run at compile time).",
+        "Langflow process spawning shell, network, or file-system child processes from the code-validation path.",
+        "Internet-exposed Langflow ( /api/v1/validate/code reachable without auth) being scanned or hit by known PoC payloads."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-rvqx-wpfh-mfx7), VulnCheck's research (https://www.vulncheck.com/blog/langflow-rce), the CISA KEV listing, and CWE-94/CWE-306."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-3248",
+      "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7",
+      "https://www.vulncheck.com/blog/langflow-rce",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-3248",
+        "url": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7",
+        "severity": "critical",
+        "published_date": "2025-06-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-3248",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3248",
+        "severity": "critical",
+        "published_date": "2025-06-17"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-rvqx-wpfh-mfx7, CWE-94/CWE-306) + NVD + VulnCheck (CNA, CVSS v3.1 9.8) + the CISA KEV listing (added 2025-05-05). Visual LLM app/agent-builder flaw (Langflow); shares the app-builder execution-endpoint control NEW-CTRL-103.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Langflow's /api/v1/validate/code endpoint runs attacker-supplied Python with no authentication (CWE-94/CWE-306), giving unauthenticated RCE; CISA KEV (added 2025-05-05, actively exploited), fixed in 1.3.0."
+  },
+  "CVE-2026-33017": {
+    "name": "Langflow Public Flow-Build Endpoint Unauthenticated Remote Code Execution (CISA KEV)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 9.8 (CRITICAL); the GitHub (CNA) advisory rates it CVSS v4.0 9.3 (CRITICAL). The unauthenticated POST /api/v1/build_public_tmp/{flow_id}/flow endpoint accepts attacker-controlled flow data containing Python that runs through an unsandboxed dynamic-execution sink (CWE-94 / CWE-95 / CWE-306).",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-03-25",
+    "cisa_kev_due_date": "2026-04-08",
+    "poc_available": true,
+    "poc_description": "The advisory ships a full proof-of-concept: obtain a public flow id via AUTO_LOGIN, then POST attacker-controlled flow data with embedded Python to /api/v1/build_public_tmp/{flow_id}/flow; the advisory documents a confirmed end-to-end RCE.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-vwmf-pq79-vjvx). The abused surface is a widely used visual LLM app/agent builder (Langflow).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; an unauthenticated endpoint on an LLM app builder reaches a code-execution sink.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities catalog on 2026-03-25 (due 2026-04-08) - confirmed active exploitation. This is the SECOND Langflow flow-execution endpoint to be KEV-listed: the CVE-2025-3248 fix (1.3.0) closed /api/v1/validate/code, but the public flow-build route remained an unauthenticated code-execution path and was itself exploited in the wild. A full proof-of-concept ships in the advisory.",
+    "affected": "Langflow through 1.8.2.",
+    "affected_versions": [
+      "Langflow <= 1.8.2"
+    ],
+    "vector": "After the CVE-2025-3248 fix, Langflow's public flow execution surface remained exploitable through a different route: the unauthenticated POST /api/v1/build_public_tmp/{flow_id}/flow endpoint accepts attacker-controlled flow definitions whose embedded Python runs through an unsandboxed dynamic-execution sink. A remote unauthenticated attacker reaches code execution again - the same code-injection class recurring on a new endpoint, and CISA KEV-listed a second time. Fixed in 1.9.0.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N - the public flow-build endpoint is reachable unauthenticated and runs flow-supplied code.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.9.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Langflow to 1.9.0 or later. Do not expose Langflow to untrusted networks; every public flow-build/validate/run endpoint must authenticate and must not run flow-supplied code unsandboxed - the 1.3.0 fix for CVE-2025-3248 did not cover this route."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement is missing on a code-execution endpoint - the flow validate/build path is reachable without authentication (CWE-306).",
+      "NIST-800-53-IA-2": "The LLM app builder does not authenticate callers before reaching a code-execution endpoint.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the app builder's code validate/build endpoint as an attacker-reachable execution channel.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: a public endpoint runs flow-supplied / submitted code through a compile-and-run path without sandboxing.",
+      "ISO-27001-2022-A.5.15": "Access control does not gate the LLM app builder's code-execution endpoints.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address running externally supplied code through a dynamic-execution sink on a public endpoint.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not reach the LLM app builder's unauthenticated execution endpoints.",
+      "DORA-Art-9": "ICT protection measures do not model an LLM app builder's public code endpoint as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating and sandboxing LLM app-builder execution endpoints.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app builders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a visual LLM app/agent builder's flow validate/build endpoints as privileged execution surfaces that must authenticate and sandbox submitted code."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 78,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Critical (RWEP 78, \"patch within 24 hours\" band per lib/scoring.js timeline). CISA KEV-listed (added 2026-03-25) and actively exploited: cisa_kev=25 + active_exploitation(confirmed)=20 + poc_available=20 + blast_radius=28, minus patch_available 15. The patch credit does not pull it out of the P1 band because real-world exploitation is confirmed. This is the second of two Langflow flow-execution endpoints KEV-listed for the same unauthenticated code-injection class - its sibling CVE-2025-3248 (the /api/v1/validate/code endpoint, KEV 2025-05-05) also scores P1, which is the lesson: the first fix closed one route but not the class.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-33017",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-95",
+      "CWE-306"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated POST requests to /api/v1/build_public_tmp/{flow_id}/flow carrying flow definitions with embedded Python / dynamic-evaluation payloads.",
+        "Langflow running flow-supplied Python that performs file, network, or process operations.",
+        "Langflow <= 1.8.2 with the public flow-build endpoint reachable without authentication - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vwmf-pq79-vjvx), NVD CVE-2026-33017 (https://nvd.nist.gov/vuln/detail/CVE-2026-33017), the CISA KEV listing, and CWE-94/CWE-95/CWE-306."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
+      "https://github.com/advisories/GHSA-vwmf-pq79-vjvx",
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-33017",
+        "url": "https://github.com/advisories/GHSA-vwmf-pq79-vjvx",
+        "severity": "critical",
+        "published_date": "2026-03-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-33017",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
+        "severity": "critical",
+        "published_date": "2026-03-17"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vwmf-pq79-vjvx, CWE-94/CWE-95/CWE-306) + NVD (CVSS v3.1 9.8; GitHub CNA CVSS v4.0 9.3) + the CISA KEV listing (added 2026-03-25). Visual LLM app/agent-builder flaw (Langflow); shares the app-builder execution-endpoint control NEW-CTRL-103.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Langflow's unauthenticated public flow-build endpoint runs flow-supplied Python through an unsandboxed dynamic-execution sink (CWE-94/CWE-95/CWE-306), giving unauthenticated RCE; CISA KEV (added 2026-03-25, actively exploited), fixed in 1.9.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -149,6 +149,7 @@
       "CVE-2016-10033",
       "CVE-2020-25079",
       "CVE-2023-33538",
+      "CVE-2024-5565",
       "CVE-2025-10035",
       "CVE-2025-29635",
       "CVE-2025-4008",
@@ -380,14 +381,17 @@
       "CVE-2020-25078",
       "CVE-2022-48503",
       "CVE-2023-44467",
+      "CVE-2024-12366",
       "CVE-2024-21513",
       "CVE-2024-21576",
       "CVE-2024-27132",
       "CVE-2024-4889",
+      "CVE-2024-5565",
       "CVE-2024-56145",
       "CVE-2025-11837",
       "CVE-2025-1550",
       "CVE-2025-32432",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-37164",
       "CVE-2025-43200",
@@ -747,6 +751,7 @@
     "evidence_cves": [
       "CVE-2020-24363",
       "CVE-2025-32433",
+      "CVE-2025-3248",
       "CVE-2025-4008",
       "CVE-2025-49596",
       "CVE-2025-61757",