@blamejs/exceptd-skills 0.13.102 → 0.13.103

package/data/atlas-ttps.json

@@ -1745,6 +1745,7 @@
       "CVE-2024-6587",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-64496",
       "CVE-2025-64513",
       "CVE-2025-67818",
@@ -1753,6 +1754,7 @@
       "CVE-2026-24214",
       "CVE-2026-24215",
       "CVE-2026-26190",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-45829"
     ]

package/data/attack-techniques.json

@@ -299,6 +299,7 @@
       "CVE-2025-30165",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -325,6 +326,7 @@
       "CVE-2026-30624",
       "CVE-2026-30625",
       "CVE-2026-32202",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-39884",
       "CVE-2026-39987",
@@ -378,7 +380,9 @@
       "CVE-2024-12366",
       "CVE-2024-21513",
       "CVE-2024-5565",
+      "CVE-2025-3248",
       "CVE-2025-49844",
+      "CVE-2026-33017",
       "MAL-2026-3083"
     ],
     "description_full": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020) Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.",
@@ -926,6 +930,7 @@
       "CVE-2025-32433",
       "CVE-2025-32444",
       "CVE-2025-32463",
+      "CVE-2025-3248",
       "CVE-2025-32706",
       "CVE-2025-32756",
       "CVE-2025-33053",

package/data/cve-catalog.json

@@ -9253,104 +9253,6 @@
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
     "_kev_short_description": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory."
   },
-  "CVE-2026-33017": {
-    "name": "Langflow Code Injection Vulnerability",
-    "type": "RCE",
-    "cvss_score": 9.8,
-    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-    "cvss_note": "Operator estimate inferred from KEV vulnerabilityName + shortDescription classification (no per-CVE NVD lookup at bulk-import time). Refine via `exceptd refresh --advisory <CVE-ID> --apply` for NVD/GHSA/OSV enrichment.",
-    "cisa_kev": true,
-    "cisa_kev_date": "2026-03-25",
-    "cisa_kev_due_date": "2026-04-08",
-    "poc_available": true,
-    "poc_description": "KEV-listed actively-exploited vulnerability. CISA listing 2026-05 catalog version. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..",
-    "ai_discovered": false,
-    "ai_discovery_source": "unknown",
-    "ai_discovery_notes": "Bulk-imported KEV entry — AI-discovery provenance not surfaced in the KEV record. Refine via NVD/GHSA enrichment if researcher attribution names an AI tool.",
-    "ai_assisted_weaponization": false,
-    "ai_assisted_notes": "Bulk-imported KEV entry — weaponization-channel attribution not in KEV.",
-    "active_exploitation": "confirmed",
-    "active_exploitation_notes": "KEV listing is CISA's confirmed-exploitation attestation. The dateAdded is the formal KEV listing date; the actual in-wild observation may predate it by weeks.",
-    "affected": "Langflow Langflow — see vendor advisory linked in verification_sources for affected version ranges.",
-    "affected_versions": [
-      "Langflow Langflow — versions per vendor advisory"
-    ],
-    "vector": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.",
-    "complexity": "moderate",
-    "complexity_notes": "Bulk-imported — exploitation complexity not extracted from KEV record. Treat as moderate-by-default; refine when researcher writeup published.",
-    "patch_available": true,
-    "patch_required_reboot": true,
-    "live_patch_available": false,
-    "live_patch_tools": [],
-    "live_patch_notes": "No live-patch tool registered for this entry at bulk-import time. Vendor patch typically requires service restart or system reboot per the KEV requiredAction.",
-    "vendor_update_paths": [
-      "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
-    ],
-    "framework_control_gaps": {
-      "NIST-800-53-SI-2": "30-day flaw-remediation SLA inadequate for CISA-KEV-listed actively-exploited CVE. CISA due date is the operationally-meaningful clock — typically 14-21 days for new KEV listings.",
-      "ISO-27001-2022-A.8.8": "Vulnerability management standard does not differentiate between routinely-disclosed CVEs and actively-exploited KEV-listed CVEs. KEV listing collapses 'patch-cycle response' to 'incident-speed response'.",
-      "NIST-800-53-AC-6": "Least-privilege presumes a working authentication / authorization boundary. The KEV-listed exploit demonstrates the boundary is breakable from a baseline context."
-    },
-    "atlas_refs": [],
-    "attack_refs": [
-      "T1190"
-    ],
-    "rwep_score": 77,
-    "rwep_factors": {
-      "cisa_kev": 25,
-      "poc_available": 20,
-      "ai_factor": 0,
-      "active_exploitation": 20,
-      "blast_radius": 22,
-      "patch_available": -15,
-      "live_patch_available": 0,
-      "reboot_required": 5
-    },
-    "rwep_notes": "P1 — KEV-listed confirmed exploitation. blast_radius=22 (standard vendor-product scope). Bulk-imported via v0.13.17 KEV intake — score reflects KEV+PoC+active_exploitation contributions; refine factors when per-CVE research publishes.",
-    "epss_score": null,
-    "epss_date": "2026-05-18",
-    "epss_note": "EPSS not refreshed at bulk-import. Pull via FIRST EPSS API per-CVE in a future refresh.",
-    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-33017",
-    "cwe_refs": [
-      "CWE-94",
-      "CWE-95",
-      "CWE-306"
-    ],
-    "source_verified": "2026-05-18",
-    "verification_sources": [
-      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
-      "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx",
-      "https://nvd.nist.gov/vuln/detail/CVE-2026-33017"
-    ],
-    "vendor_advisories": [
-      {
-        "vendor": "CISA KEV",
-        "advisory_id": "CVE-2026-33017",
-        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
-        "severity": "high",
-        "published_date": "2026-03-25"
-      },
-      {
-        "vendor": "Langflow",
-        "advisory_id": null,
-        "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx",
-        "severity": "high",
-        "published_date": "2026-03-25"
-      },
-      {
-        "vendor": "Langflow",
-        "advisory_id": null,
-        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
-        "severity": "high",
-        "published_date": "2026-03-25"
-      }
-    ],
-    "last_updated": "2026-05-18",
-    "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-25; due date 2026-04-08. Notes reference: https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx ; https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication."
-  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "type": "RCE",
@@ -15913,6 +15815,229 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "PandasAI chat natural-language interface runs LLM-generated Python without separating malicious input, so prompt injection yields unauthenticated RCE / sandbox escape (CWE-94); no fixed release - enable the security agent + sandbox."
   },
+  "CVE-2025-3248": {
+    "name": "Langflow /api/v1/validate/code Unauthenticated Code Injection (CISA KEV)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "VulnCheck (CNA) CVSS v3.1 base 9.8 (CRITICAL). The /api/v1/validate/code endpoint compiles and runs attacker-supplied Python with no authentication, so a crafted HTTP request runs arbitrary code on the host (CWE-94 + CWE-306).",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-05-05",
+    "cisa_kev_due_date": "2025-05-26",
+    "poc_available": true,
+    "poc_description": "VulnCheck published a working proof-of-concept and analysis; exploitation is a single unauthenticated POST to /api/v1/validate/code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-rvqx-wpfh-mfx7). The abused surface is a widely used visual LLM app/agent builder (Langflow).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; an unauthenticated endpoint on an LLM app builder reaches a code-execution sink.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA added CVE-2025-3248 to the Known Exploited Vulnerabilities catalog on 2025-05-05 (due 2025-05-26) - confirmed active exploitation. Mass scanning and botnet activity against internet-exposed Langflow instances was reported following VulnCheck's public proof-of-concept; Sysdig documented an end-to-end compromise of an exposed Langflow instance within hours.",
+    "affected": "Langflow before 1.3.0.",
+    "affected_versions": [
+      "Langflow < 1.3.0"
+    ],
+    "vector": "Langflow is a popular visual builder for LLM agents and flows. Before 1.3.0 its /api/v1/validate/code endpoint accepts code in an HTTP request and runs it through a Python compile-and-run path to 'validate' it, but the endpoint requires no authentication - so any remote attacker who can reach the server runs arbitrary code (CWE-94 code injection + CWE-306 missing authentication). VulnCheck published the analysis and PoC; CISA KEV-listed it.",
+    "complexity": "low",
+    "complexity_notes": "AV:N / AC:L / PR:N / UI:N - network-reachable, unauthenticated, no user interaction; a single crafted request to the validate-code endpoint runs code.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.3.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Langflow to the latest release (1.3.0 closed this route; 1.9.0+ closes the sibling flow-build route in CVE-2026-33017). Do not expose Langflow to untrusted networks, place it behind authenticated reverse-proxy access control, and treat every flow validate/build/run endpoint as a code-execution surface."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement is missing on a code-execution endpoint - the flow validate/build path is reachable without authentication (CWE-306).",
+      "NIST-800-53-IA-2": "The LLM app builder does not authenticate callers before reaching a code-execution endpoint.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the app builder's code validate/build endpoint as an attacker-reachable execution channel.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: a public endpoint runs flow-supplied / submitted code through a compile-and-run path without sandboxing.",
+      "ISO-27001-2022-A.5.15": "Access control does not gate the LLM app builder's code-execution endpoints.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address running externally supplied code through a dynamic-execution sink on a public endpoint.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not reach the LLM app builder's unauthenticated execution endpoints.",
+      "DORA-Art-9": "ICT protection measures do not model an LLM app builder's public code endpoint as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating and sandboxing LLM app-builder execution endpoints.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app builders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a visual LLM app/agent builder's flow validate/build endpoints as privileged execution surfaces that must authenticate and sandbox submitted code."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 78,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Critical (RWEP 78, \"patch within 24 hours\" band per lib/scoring.js timeline). CISA KEV-listed (added 2025-05-05) and actively exploited: cisa_kev=25 + active_exploitation(confirmed)=20 + poc_available=20 + blast_radius=28, minus patch_available 15. The patch credit does not pull it out of the P1 band because real-world exploitation is confirmed. This is the first of two Langflow flow-execution endpoints KEV-listed for the same unauthenticated code-injection class - its sibling CVE-2026-33017 (the public flow-build endpoint, KEV 2026-03-25) also scores P1, which is the lesson: the first fix closed one route but not the class.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-3248",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-306"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated POST requests to /api/v1/validate/code carrying Python payloads (decorators, imports, or default-argument tricks that run at compile time).",
+        "Langflow process spawning shell, network, or file-system child processes from the code-validation path.",
+        "Internet-exposed Langflow ( /api/v1/validate/code reachable without auth) being scanned or hit by known PoC payloads."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-rvqx-wpfh-mfx7), VulnCheck's research (https://www.vulncheck.com/blog/langflow-rce), the CISA KEV listing, and CWE-94/CWE-306."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-3248",
+      "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7",
+      "https://www.vulncheck.com/blog/langflow-rce",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-3248",
+        "url": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7",
+        "severity": "critical",
+        "published_date": "2025-06-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-3248",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3248",
+        "severity": "critical",
+        "published_date": "2025-06-17"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-rvqx-wpfh-mfx7, CWE-94/CWE-306) + NVD + VulnCheck (CNA, CVSS v3.1 9.8) + the CISA KEV listing (added 2025-05-05). Visual LLM app/agent-builder flaw (Langflow); shares the app-builder execution-endpoint control NEW-CTRL-103.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Langflow's /api/v1/validate/code endpoint runs attacker-supplied Python with no authentication (CWE-94/CWE-306), giving unauthenticated RCE; CISA KEV (added 2025-05-05, actively exploited), fixed in 1.3.0."
+  },
+  "CVE-2026-33017": {
+    "name": "Langflow Public Flow-Build Endpoint Unauthenticated Remote Code Execution (CISA KEV)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 9.8 (CRITICAL); the GitHub (CNA) advisory rates it CVSS v4.0 9.3 (CRITICAL). The unauthenticated POST /api/v1/build_public_tmp/{flow_id}/flow endpoint accepts attacker-controlled flow data containing Python that runs through an unsandboxed dynamic-execution sink (CWE-94 / CWE-95 / CWE-306).",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-03-25",
+    "cisa_kev_due_date": "2026-04-08",
+    "poc_available": true,
+    "poc_description": "The advisory ships a full proof-of-concept: obtain a public flow id via AUTO_LOGIN, then POST attacker-controlled flow data with embedded Python to /api/v1/build_public_tmp/{flow_id}/flow; the advisory documents a confirmed end-to-end RCE.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-vwmf-pq79-vjvx). The abused surface is a widely used visual LLM app/agent builder (Langflow).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; an unauthenticated endpoint on an LLM app builder reaches a code-execution sink.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities catalog on 2026-03-25 (due 2026-04-08) - confirmed active exploitation. This is the SECOND Langflow flow-execution endpoint to be KEV-listed: the CVE-2025-3248 fix (1.3.0) closed /api/v1/validate/code, but the public flow-build route remained an unauthenticated code-execution path and was itself exploited in the wild. A full proof-of-concept ships in the advisory.",
+    "affected": "Langflow through 1.8.2.",
+    "affected_versions": [
+      "Langflow <= 1.8.2"
+    ],
+    "vector": "After the CVE-2025-3248 fix, Langflow's public flow execution surface remained exploitable through a different route: the unauthenticated POST /api/v1/build_public_tmp/{flow_id}/flow endpoint accepts attacker-controlled flow definitions whose embedded Python runs through an unsandboxed dynamic-execution sink. A remote unauthenticated attacker reaches code execution again - the same code-injection class recurring on a new endpoint, and CISA KEV-listed a second time. Fixed in 1.9.0.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N - the public flow-build endpoint is reachable unauthenticated and runs flow-supplied code.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.9.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Langflow to 1.9.0 or later. Do not expose Langflow to untrusted networks; every public flow-build/validate/run endpoint must authenticate and must not run flow-supplied code unsandboxed - the 1.3.0 fix for CVE-2025-3248 did not cover this route."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement is missing on a code-execution endpoint - the flow validate/build path is reachable without authentication (CWE-306).",
+      "NIST-800-53-IA-2": "The LLM app builder does not authenticate callers before reaching a code-execution endpoint.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the app builder's code validate/build endpoint as an attacker-reachable execution channel.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: a public endpoint runs flow-supplied / submitted code through a compile-and-run path without sandboxing.",
+      "ISO-27001-2022-A.5.15": "Access control does not gate the LLM app builder's code-execution endpoints.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address running externally supplied code through a dynamic-execution sink on a public endpoint.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not reach the LLM app builder's unauthenticated execution endpoints.",
+      "DORA-Art-9": "ICT protection measures do not model an LLM app builder's public code endpoint as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating and sandboxing LLM app-builder execution endpoints.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app builders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a visual LLM app/agent builder's flow validate/build endpoints as privileged execution surfaces that must authenticate and sandbox submitted code."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 78,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Critical (RWEP 78, \"patch within 24 hours\" band per lib/scoring.js timeline). CISA KEV-listed (added 2026-03-25) and actively exploited: cisa_kev=25 + active_exploitation(confirmed)=20 + poc_available=20 + blast_radius=28, minus patch_available 15. The patch credit does not pull it out of the P1 band because real-world exploitation is confirmed. This is the second of two Langflow flow-execution endpoints KEV-listed for the same unauthenticated code-injection class - its sibling CVE-2025-3248 (the /api/v1/validate/code endpoint, KEV 2025-05-05) also scores P1, which is the lesson: the first fix closed one route but not the class.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-33017",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-95",
+      "CWE-306"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated POST requests to /api/v1/build_public_tmp/{flow_id}/flow carrying flow definitions with embedded Python / dynamic-evaluation payloads.",
+        "Langflow running flow-supplied Python that performs file, network, or process operations.",
+        "Langflow <= 1.8.2 with the public flow-build endpoint reachable without authentication - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vwmf-pq79-vjvx), NVD CVE-2026-33017 (https://nvd.nist.gov/vuln/detail/CVE-2026-33017), the CISA KEV listing, and CWE-94/CWE-95/CWE-306."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
+      "https://github.com/advisories/GHSA-vwmf-pq79-vjvx",
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-33017",
+        "url": "https://github.com/advisories/GHSA-vwmf-pq79-vjvx",
+        "severity": "critical",
+        "published_date": "2026-03-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-33017",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
+        "severity": "critical",
+        "published_date": "2026-03-17"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vwmf-pq79-vjvx, CWE-94/CWE-95/CWE-306) + NVD (CVSS v3.1 9.8; GitHub CNA CVSS v4.0 9.3) + the CISA KEV listing (added 2026-03-25). Visual LLM app/agent-builder flaw (Langflow); shares the app-builder execution-endpoint control NEW-CTRL-103.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Langflow's unauthenticated public flow-build endpoint runs flow-supplied Python through an unsandboxed dynamic-execution sink (CWE-94/CWE-95/CWE-306), giving unauthenticated RCE; CISA KEV (added 2026-03-25, actively exploited), fixed in 1.9.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -391,6 +391,7 @@
       "CVE-2025-11837",
       "CVE-2025-1550",
       "CVE-2025-32432",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-37164",
       "CVE-2025-43200",
@@ -750,6 +751,7 @@
     "evidence_cves": [
       "CVE-2020-24363",
       "CVE-2025-32433",
+      "CVE-2025-3248",
       "CVE-2025-4008",
       "CVE-2025-49596",
       "CVE-2025-61757",

package/data/framework-control-gaps.json

@@ -67,6 +67,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -90,6 +91,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-40933",
       "CVE-2026-45829"
@@ -1267,8 +1269,10 @@
       "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
+      "CVE-2025-3248",
       "CVE-2025-6965",
-      "CVE-2026-30623"
+      "CVE-2026-30623",
+      "CVE-2026-33017"
     ],
     "atlas_refs": [
       "AML.T0051",
@@ -1637,7 +1641,6 @@
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-32201",
-      "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-34159",
       "CVE-2026-34197",
@@ -2097,9 +2100,11 @@
       "CVE-2024-12366",
       "CVE-2024-3154",
       "CVE-2024-5565",
+      "CVE-2025-3248",
       "CVE-2025-49844",
       "CVE-2025-53773",
-      "CVE-2026-30615"
+      "CVE-2026-30615",
+      "CVE-2026-33017"
     ],
     "atlas_refs": [
       "AML.T0010"
@@ -2730,7 +2735,6 @@
       "CVE-2026-31635",
       "CVE-2026-32201",
       "CVE-2026-32202",
-      "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-33825",
       "CVE-2026-34159",
@@ -2789,8 +2793,10 @@
       "CVE-2024-12366",
       "CVE-2024-5565",
       "CVE-2025-11837",
+      "CVE-2025-3248",
       "CVE-2026-22778",
       "CVE-2026-32202",
+      "CVE-2026-33017",
       "CVE-2026-33825"
     ],
     "atlas_refs": [
@@ -5043,6 +5049,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5069,6 +5076,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
@@ -5114,6 +5122,8 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2024-1709",
+      "CVE-2025-3248",
+      "CVE-2026-33017",
       "CVE-2026-39987",
       "CVE-2026-7482"
     ],
@@ -5363,7 +5373,6 @@
       "CVE-2026-24858",
       "CVE-2026-25108",
       "CVE-2026-32201",
-      "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-33825",
       "CVE-2026-34197",
@@ -5406,6 +5415,8 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2025-3248",
+      "CVE-2026-33017",
       "CVE-2026-6973"
     ],
     "atlas_refs": [],
@@ -5594,6 +5605,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5614,6 +5626,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
@@ -5690,6 +5703,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5714,6 +5728,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
@@ -5926,9 +5941,11 @@
     "evidence_cves": [
       "CVE-2020-10148",
       "CVE-2023-48022",
+      "CVE-2025-3248",
       "CVE-2025-55241",
       "CVE-2026-24206",
-      "CVE-2026-24207"
+      "CVE-2026-24207",
+      "CVE-2026-33017"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6001,12 +6018,14 @@
       "CVE-2024-1709",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-3248",
       "CVE-2025-64513",
       "CVE-2025-67818",
       "CVE-2026-20182",
       "CVE-2026-24206",
       "CVE-2026-24207",
       "CVE-2026-26190",
+      "CVE-2026-33017",
       "CVE-2026-45829"
     ],
     "atlas_refs": [],