@blamejs/exceptd-skills 0.13.101 → 0.13.103

package/data/framework-control-gaps.json

@@ -45,6 +45,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -56,6 +57,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
@@ -65,6 +67,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -88,6 +91,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-40933",
       "CVE-2026-45829"
@@ -159,7 +163,9 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2023-44467",
+      "CVE-2024-12366",
       "CVE-2024-21513",
+      "CVE-2024-5565",
       "CVE-2026-25592"
     ],
     "atlas_refs": [
@@ -1259,10 +1265,14 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2023-43472",
+      "CVE-2024-12366",
+      "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
+      "CVE-2025-3248",
       "CVE-2025-6965",
-      "CVE-2026-30623"
+      "CVE-2026-30623",
+      "CVE-2026-33017"
     ],
     "atlas_refs": [
       "AML.T0051",
@@ -1631,7 +1641,6 @@
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-32201",
-      "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-34159",
       "CVE-2026-34197",
@@ -2088,10 +2097,14 @@
     "opened_date": "2026-04-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
+      "CVE-2024-12366",
       "CVE-2024-3154",
+      "CVE-2024-5565",
+      "CVE-2025-3248",
       "CVE-2025-49844",
       "CVE-2025-53773",
-      "CVE-2026-30615"
+      "CVE-2026-30615",
+      "CVE-2026-33017"
     ],
     "atlas_refs": [
       "AML.T0010"
@@ -2314,12 +2327,14 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-21513",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-1550",
@@ -2720,7 +2735,6 @@
       "CVE-2026-31635",
       "CVE-2026-32201",
       "CVE-2026-32202",
-      "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-33825",
       "CVE-2026-34159",
@@ -2776,9 +2790,13 @@
     "opened_date": "2026-02-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
+      "CVE-2024-12366",
+      "CVE-2024-5565",
       "CVE-2025-11837",
+      "CVE-2025-3248",
       "CVE-2026-22778",
       "CVE-2026-32202",
+      "CVE-2026-33017",
       "CVE-2026-33825"
     ],
     "atlas_refs": [
@@ -4958,6 +4976,8 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2023-3519",
+      "CVE-2024-12366",
+      "CVE-2024-5565",
       "CVE-2026-0300",
       "CVE-2026-42945"
     ],
@@ -5005,6 +5025,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5018,6 +5039,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
@@ -5027,6 +5049,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5053,6 +5076,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
@@ -5098,6 +5122,8 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2024-1709",
+      "CVE-2025-3248",
+      "CVE-2026-33017",
       "CVE-2026-39987",
       "CVE-2026-7482"
     ],
@@ -5347,7 +5373,6 @@
       "CVE-2026-24858",
       "CVE-2026-25108",
       "CVE-2026-32201",
-      "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-33825",
       "CVE-2026-34197",
@@ -5390,6 +5415,8 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2025-3248",
+      "CVE-2026-33017",
       "CVE-2026-6973"
     ],
     "atlas_refs": [],
@@ -5556,6 +5583,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5568,6 +5596,7 @@
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5576,6 +5605,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5596,6 +5626,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
@@ -5648,6 +5679,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5661,6 +5693,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-5565",
       "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
@@ -5670,6 +5703,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5694,6 +5728,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
@@ -5906,9 +5941,11 @@
     "evidence_cves": [
       "CVE-2020-10148",
       "CVE-2023-48022",
+      "CVE-2025-3248",
       "CVE-2025-55241",
       "CVE-2026-24206",
-      "CVE-2026-24207"
+      "CVE-2026-24207",
+      "CVE-2026-33017"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5981,12 +6018,14 @@
       "CVE-2024-1709",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-3248",
       "CVE-2025-64513",
       "CVE-2025-67818",
       "CVE-2026-20182",
       "CVE-2026-24206",
       "CVE-2026-24207",
       "CVE-2026-26190",
+      "CVE-2026-33017",
       "CVE-2026-45829"
     ],
     "atlas_refs": [],

package/data/zeroday-lessons.json

@@ -4261,6 +4261,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-5565": {
+    "name": "Vanna.AI Prompt Injection to Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Vanna's text-to-SQL ask method turns a natural-language question into Python and runs it to render a Plotly visualization (default-on), so prompt injection in the question overrides the visualization code and executes arbitrary Python on the host.",
+      "privileges_required": "none (unauthenticated; AC:H - visualization enabled + injected question)",
+      "complexity": "high",
+      "ai_factor": "The flaw is intrinsic to the AI pipeline: the agent's purpose is to turn natural language into executed code, so prompt injection is the exploit primitive. The lesson - LLM-generated code is attacker-controllable code and must be sandboxed, never run with host privileges."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not treat an LLM agent's generate-and-run-code path as a code-execution channel."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced - the code-execution / visualization path is on by default rather than sandboxed or disabled for untrusted input."
+      },
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "NL-to-code/SQL agents are adopted for analyst productivity and run model-generated code by design; their codegen path is rarely sandboxed and the natural-language input is not treated as untrusted.",
+      "theater_pattern": "ai_agent_codegen_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-102",
+        "name": "AI-NL-TO-CODE-AGENT-EXECUTION-ISOLATION",
+        "description": "An LLM data-analysis agent that generates and executes code or SQL from natural language (text-to-SQL, text-to-Python, charting agents) must treat BOTH the natural-language question and any analyzed data as untrusted, prompt-injectable input, and must never run model-generated code with host or network privileges. Disable code-execution/visualization paths by default for untrusted input, run generated code only in a hardened sandbox (no filesystem/network/process access beyond the dataset), enforce least functionality, and validate or constrain the generated artifact before execution. The distinguishing test: send an analytical question containing an injected instruction to emit non-analytical code (e.g. a shell/file/network call) on a staging agent and confirm the agent refuses to execute it - paper 'AI security' policies that do not sandbox the generate-and-run path still permit RCE.",
+        "evidence": "https://jfrog.com/blog/prompt-injection-attack-code-execution-in-vanna-ai-cve-2024-5565/",
+        "gap_closes": [
+          "NIST-800-53-SI-3",
+          "NIST-800-53-CM-7",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-3248": {
+    "name": "Langflow /api/v1/validate/code Unauthenticated Code Injection (CISA KEV)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Langflow before 1.3.0 runs attacker-supplied Python submitted to the unauthenticated /api/v1/validate/code endpoint, so a single crafted request gives remote code execution; CISA KEV-listed (actively exploited).",
+      "privileges_required": "none (unauthenticated, single request)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is a widely deployed visual LLM app/agent builder. The lesson: an LLM app builder's flow endpoints are code-execution surfaces, so every one must authenticate and sandbox - and the fix must cover the whole class of endpoints, not the single route that was reported (the Langflow pattern recurred on a new endpoint after the first KEV-listed fix)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement is absent on a code-execution endpoint - the validate-code path is reachable without authentication."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not treat the LLM app builder's validate-code endpoint as an attacker-reachable execution channel."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a visual LLM app builder's code endpoints as privileged execution surfaces that must authenticate and sandbox."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 88,
+      "basis": "LLM app builders are stood up for rapid prototyping on trusted-network assumptions and exposed without authentication; their flow endpoints are not treated as code-execution surfaces.",
+      "theater_pattern": "ai_app_builder_unauth_exec"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-103",
+        "name": "AI-APP-BUILDER-EXECUTION-ENDPOINT-AUTH-AND-SANDBOX",
+        "description": "A visual LLM app/agent builder (Langflow, Flowise, and similar) must authenticate every endpoint that can reach a code-execution path - validate-code, flow-build, flow-run, public-flow endpoints - and must never run flow-supplied or request-supplied code through a compile-and-run / dynamic-evaluation path with host privileges. Place the builder behind authenticated access control, never expose it to untrusted networks, and sandbox any code the platform executes on a user's behalf (no filesystem/network/process access beyond the flow's intent). The distinguishing test: send an unauthenticated request to each flow validate/build/run endpoint on a staging instance with a payload that attempts a non-flow action (a shell or network call) and confirm it is refused before any code runs - paper 'AI platform' policies that leave a public endpoint wired to a code-execution sink still permit unauthenticated RCE.",
+        "evidence": "https://www.vulncheck.com/blog/langflow-rce",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-33017": {
+    "name": "Langflow Public Flow-Build Endpoint Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "After the CVE-2025-3248 fix, Langflow's public flow execution surface remained exploitable: the unauthenticated /api/v1/build_public_tmp/{flow_id}/flow endpoint runs flow-supplied Python through an unsandboxed dynamic-execution sink, giving remote code execution again; fixed in 1.9.0.",
+      "privileges_required": "none (unauthenticated public endpoint)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is a widely deployed visual LLM app/agent builder. The lesson: an LLM app builder's flow endpoints are code-execution surfaces, so every one must authenticate and sandbox - and the fix must cover the whole class of endpoints, not the single route that was reported (the Langflow pattern recurred on a new endpoint after the first KEV-listed fix)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "A second public flow endpoint reaches a code-execution sink without authentication - the access-control gap recurred on a new route after the first fix."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced: a public endpoint runs flow-supplied code through a dynamic-execution sink without sandboxing."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires enumerating EVERY flow validate/build/run endpoint of an LLM app builder as an execution surface - so the same class recurred on a new endpoint."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 86,
+      "basis": "LLM app builders are stood up for rapid prototyping on trusted-network assumptions and exposed without authentication; their flow endpoints are not treated as code-execution surfaces.",
+      "theater_pattern": "ai_app_builder_unauth_exec"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-103",
+        "name": "AI-APP-BUILDER-EXECUTION-ENDPOINT-AUTH-AND-SANDBOX",
+        "description": "A visual LLM app/agent builder (Langflow, Flowise, and similar) must authenticate every endpoint that can reach a code-execution path - validate-code, flow-build, flow-run, public-flow endpoints - and must never run flow-supplied or request-supplied code through a compile-and-run / dynamic-evaluation path with host privileges. Place the builder behind authenticated access control, never expose it to untrusted networks, and sandbox any code the platform executes on a user's behalf (no filesystem/network/process access beyond the flow's intent). The distinguishing test: send an unauthenticated request to each flow validate/build/run endpoint on a staging instance with a payload that attempts a non-flow action (a shell or network call) and confirm it is refused before any code runs - paper 'AI platform' policies that leave a public endpoint wired to a code-execution sink still permit unauthenticated RCE.",
+        "evidence": "https://github.com/advisories/GHSA-vwmf-pq79-vjvx",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-12366": {
+    "name": "PandasAI Prompt Injection to Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "PandasAI's chat interface turns a natural-language question into Python and runs it against DataFrames; it does not separate analytical input from injected instructions, so prompt injection generates and executes arbitrary Python, escaping the intended sandbox (RCE).",
+      "privileges_required": "none (unauthenticated, no user interaction)",
+      "complexity": "low",
+      "ai_factor": "The flaw is intrinsic to the AI pipeline: the agent's purpose is to turn natural language into executed code, so prompt injection is the exploit primitive. The lesson - LLM-generated code is attacker-controllable code and must be sandboxed, never run with host privileges."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not treat an LLM agent's generate-and-run-code path as a code-execution channel."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced - the code-execution / visualization path is on by default rather than sandboxed or disabled for untrusted input."
+      },
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires that prompt-injectable natural-language input be denied a path to code execution in NL-to-code/SQL agents."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "NL-to-code/SQL agents are adopted for analyst productivity and run model-generated code by design; their codegen path is rarely sandboxed and the natural-language input is not treated as untrusted.",
+      "theater_pattern": "ai_agent_codegen_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-102",
+        "name": "AI-NL-TO-CODE-AGENT-EXECUTION-ISOLATION",
+        "description": "An LLM data-analysis agent that generates and executes code or SQL from natural language (text-to-SQL, text-to-Python, charting agents) must treat BOTH the natural-language question and any analyzed data as untrusted, prompt-injectable input, and must never run model-generated code with host or network privileges. Disable code-execution/visualization paths by default for untrusted input, run generated code only in a hardened sandbox (no filesystem/network/process access beyond the dataset), enforce least functionality, and validate or constrain the generated artifact before execution. The distinguishing test: send an analytical question containing an injected instruction to emit non-analytical code (e.g. a shell/file/network call) on a staging agent and confirm the agent refuses to execute it - paper 'AI security' policies that do not sandbox the generate-and-run path still permit RCE.",
+        "evidence": "https://www.kb.cert.org/vuls/id/148244",
+        "gap_closes": [
+          "NIST-800-53-SI-3",
+          "NIST-800-53-CM-7",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-67818": {
     "name": "Weaviate Backup Restore ZipSlip Path Traversal",
     "lesson_date": "2026-05-25",
@@ -6501,38 +6701,6 @@
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
-  "CVE-2026-33017": {
-    "name": "Langflow Code Injection Vulnerability",
-    "lesson_date": "2026-05-18",
-    "attack_vector": {
-      "description": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
-    },
-    "framework_coverage": {
-      "NIST-800-53-SI-2": {
-        "covered": true,
-        "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
-      },
-      "ISO-27001-2022-A.8.8": {
-        "covered": true,
-        "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
-      }
-    },
-    "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
-    },
-    "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
-  },
   "CVE-2026-25592": {
     "name": "Microsoft Semantic Kernel SessionsPythonPlugin Path Traversal — Prompt-Injection to Host RCE",
     "lesson_date": "2026-05-25",