@blamejs/exceptd-skills 0.13.103 → 0.13.104

package/data/atlas-ttps.json

@@ -148,6 +148,8 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-37032",
       "CVE-2025-1550",
       "CVE-2025-32434",
@@ -1283,6 +1285,7 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-21513",
+      "CVE-2024-24590",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -1736,6 +1739,7 @@
       "CVE-2024-1561",
       "CVE-2024-21575",
       "CVE-2024-21576",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -2848,6 +2852,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",

package/data/attack-techniques.json

@@ -286,6 +286,7 @@
       "CVE-2024-21513",
       "CVE-2024-21575",
       "CVE-2024-21576",
+      "CVE-2024-24590",
       "CVE-2024-37032",
       "CVE-2024-42479",
       "CVE-2024-4889",
@@ -1139,6 +1140,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
       "CVE-2024-3094",
       "CVE-2025-1550",
       "CVE-2025-32434",
@@ -3580,6 +3582,7 @@
       "CVE-2023-51449",
       "CVE-2023-6021",
       "CVE-2024-1561",
+      "CVE-2024-24591",
       "CVE-2024-39722",
       "CVE-2026-34926"
     ]
@@ -4325,6 +4328,8 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -14875,7 +14880,10 @@
     "stix_id": "attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2024-24591"
+    ]
   },
   "T1565.002": {
     "id": "T1565.002",

package/data/cve-catalog.json

@@ -16038,6 +16038,221 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Langflow's unauthenticated public flow-build endpoint runs flow-supplied Python through an unsandboxed dynamic-execution sink (CWE-94/CWE-95/CWE-306), giving unauthenticated RCE; CISA KEV (added 2026-03-25, actively exploited), fixed in 1.9.0."
   },
+  "CVE-2024-24590": {
+    "name": "ClearML Client SDK Artifact Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 8.8 (HIGH); HiddenLayer (CNA) rates it 8.0 (HIGH, PR:L). The ClearML client SDK deserializes a stored artifact through an unsafe Python object-deserialization path when a user retrieves it, so a maliciously uploaded artifact runs arbitrary code on the retrieving user's system (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "HiddenLayer published the analysis and attack chain (a malicious artifact runs code when a victim retrieves it).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by HiddenLayer (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/). The abused surface is a widely used MLOps / experiment-tracking platform (ClearML) - the AI supply-chain layer between data scientists.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is in how an MLOps platform handles uploaded experiment artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a documented attack chain; no confirmed in-the-wild exploitation reported as of curation. No fixed SDK version is published in the advisory, so users on the affected range remain exposed when retrieving untrusted artifacts.",
+    "affected": "ClearML client SDK 0.17.0 through 1.14.2.",
+    "affected_versions": [
+      "ClearML (pip) >= 0.17.0, <= 1.14.2"
+    ],
+    "vector": "ClearML is an MLOps / experiment-tracking platform. Its client SDK stores experiment artifacts and reconstructs them on retrieval using an unsafe Python object-deserialization routine. An attacker who can upload an artifact to a project a victim will open embeds a malicious serialized object; when the victim's SDK retrieves and interacts with that artifact, the object's deserialization runs attacker code on the victim's machine (CWE-502). Disclosed by HiddenLayer.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R - network-delivered via an uploaded artifact, but requires the victim to retrieve/interact with it (UI:R). HiddenLayer's CNA vector marks PR:L (an account that can upload to the shared project).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed SDK version is listed in the advisory as of curation; mitigation is retrieving artifacts/datasets only from trusted projects and treating retrieved content as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ClearML SDK version is listed in the GitHub advisory or NVD as of curation (HiddenLayer states the issues were resolved with the vendor within the disclosure window, but no specific fixed version is published). Only retrieve artifacts/datasets from trusted ClearML projects, run the SDK with least privilege, and treat every retrieved artifact as untrusted until the deployed SDK version is confirmed to refuse unsafe deserialization."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation is not applied to an uploaded experiment artifact/dataset before the MLOps SDK deserializes it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the SDK auto-deserializes artifacts through an unsafe routine on retrieval.",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat MLOps experiment artifacts/datasets as untrusted third-party content delivered between collaborators.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address unsafe deserialization of stored artifacts in an MLOps SDK.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not reach the MLOps platform as a channel that delivers executable artifacts between data scientists.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-artifact retrieval as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating MLOps artifacts/datasets before deserialization or extraction.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps client SDKs.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps / experiment-tracking platform's uploaded artifacts and datasets as an untrusted code/file-delivery surface."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed SDK version published so no patch credit (Hard Rule #3); the UI:R requirement (victim must retrieve the malicious artifact) keeps blast moderate. poc_available=20 + blast_radius=22.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-24590",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ClearML artifacts whose stored payload is a serialized object rather than the expected data type (a deserialization-gadget payload).",
+        "The ClearML client SDK spawning shell, network, or file-system child processes immediately after an artifact is retrieved or previewed.",
+        "Uploads to shared ClearML projects from accounts/users that should not be contributing artifacts.",
+        "ClearML (pip) 0.17.0-1.14.2 retrieving artifacts/datasets from projects that accept untrusted uploads - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/), the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-cpcw-9h9m-wqw9), and NVD CVE-2024-24590 (CWE-502)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-24590",
+      "https://github.com/advisories/GHSA-cpcw-9h9m-wqw9",
+      "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-24590",
+        "url": "https://github.com/advisories/GHSA-cpcw-9h9m-wqw9",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-24590",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24590",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/) + the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-cpcw-9h9m-wqw9, CWE-502) + NVD (CVSS v3.1 8.8) / HiddenLayer (CNA 8.0). MLOps / experiment-tracking platform flaw (ClearML); introduces the MLOps-artifact trust-boundary control NEW-CTRL-104.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ClearML client SDK reconstructs stored artifacts through unsafe Python object-deserialization on retrieval, so a malicious artifact runs code on the retrieving user (CWE-502); no fixed SDK version is listed in the advisory - treat retrieved artifacts as untrusted."
+  },
+  "CVE-2024-24591": {
+    "name": "ClearML Client SDK Dataset Path Traversal Arbitrary File Write",
+    "type": "Arbitrary File Write",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 8.8 (HIGH); HiddenLayer (CNA) rates it 8.0 (HIGH, PR:L). The ClearML client SDK does not constrain dataset entry paths, so a maliciously uploaded dataset writes files to an arbitrary local or remote location on the retrieving user's system (CWE-22 path traversal).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "HiddenLayer published the analysis and attack chain (a malicious dataset writes to arbitrary paths on retrieval).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by HiddenLayer (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/). The abused surface is a widely used MLOps / experiment-tracking platform (ClearML) - the AI supply-chain layer between data scientists.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is in how an MLOps platform handles uploaded experiment artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a documented attack chain; no confirmed in-the-wild exploitation reported as of curation. No fixed SDK version is published in the advisory, so users on the affected range remain exposed when retrieving untrusted artifacts.",
+    "affected": "ClearML client SDK 1.4.0 through 1.14.1.",
+    "affected_versions": [
+      "ClearML (pip) >= 1.4.0, <= 1.14.1"
+    ],
+    "vector": "When the ClearML client SDK retrieves a dataset, it writes the dataset's entries to disk without constraining their paths. A maliciously uploaded dataset whose entries use absolute or ../ traversal paths therefore writes files to arbitrary locations on the retrieving user's system (CWE-22) - which, by overwriting startup or configuration files, can escalate to code execution. Disclosed by HiddenLayer.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R - network-delivered via an uploaded artifact, but requires the victim to retrieve/interact with it (UI:R). HiddenLayer's CNA vector marks PR:L (an account that can upload to the shared project).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed SDK version is listed in the advisory as of curation; mitigation is retrieving artifacts/datasets only from trusted projects and treating retrieved content as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ClearML SDK version is listed in the GitHub advisory or NVD as of curation. Only retrieve datasets from trusted ClearML projects, run the SDK as a least-privilege user, and treat dataset extraction paths as untrusted (reject absolute / ../ traversal entries) until the deployed SDK version is confirmed to contain extraction."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation is not applied to an uploaded experiment artifact/dataset before the MLOps SDK extracts it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the SDK writes dataset entries without path containment on retrieval.",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat MLOps experiment artifacts/datasets as untrusted third-party content delivered between collaborators.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address uncontained extraction of dataset entries in an MLOps SDK.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not reach the MLOps platform as a channel that delivers executable artifacts between data scientists.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-artifact retrieval as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating MLOps artifacts/datasets before deserialization or extraction.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps client SDKs.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps / experiment-tracking platform's uploaded artifacts and datasets as an untrusted code/file-delivery surface."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1083",
+      "T1565.001"
+    ],
+    "rwep_score": 38,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 38, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed SDK version published so no patch credit (Hard Rule #3); the UI:R requirement (victim must retrieve the malicious artifact) keeps blast moderate. poc_available=20 + blast_radius=18.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-24591",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ClearML datasets whose entries contain absolute paths or ../ traversal sequences.",
+        "Files written by the ClearML client SDK outside the intended dataset cache/extraction directory during a dataset get.",
+        "Unexpected modification of startup, configuration, or credential files following a ClearML dataset retrieval.",
+        "ClearML (pip) 1.4.0-1.14.1 retrieving artifacts/datasets from projects that accept untrusted uploads - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/), the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-m95h-p4gg-wfw3), and NVD CVE-2024-24591 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-24591",
+      "https://github.com/advisories/GHSA-m95h-p4gg-wfw3",
+      "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-24591",
+        "url": "https://github.com/advisories/GHSA-m95h-p4gg-wfw3",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-24591",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24591",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/) + the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-m95h-p4gg-wfw3, CWE-22) + NVD (CVSS v3.1 8.8) / HiddenLayer (CNA 8.0). MLOps / experiment-tracking platform flaw (ClearML); introduces the MLOps-artifact trust-boundary control NEW-CTRL-104.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ClearML client SDK writes dataset entries without path containment, so a malicious dataset writes files to arbitrary paths on the retrieving user (CWE-22 path traversal); no fixed SDK version is listed in the advisory - retrieve datasets only from trusted projects."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -101,6 +101,7 @@
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-1708",
+      "CVE-2024-24591",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-57728",
@@ -1335,6 +1336,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
       "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",

package/data/framework-control-gaps.json

@@ -50,6 +50,8 @@
       "CVE-2024-1561",
       "CVE-2024-21575",
       "CVE-2024-21576",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -1266,6 +1268,8 @@
     "evidence_cves": [
       "CVE-2023-43472",
       "CVE-2024-12366",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
@@ -2098,6 +2102,8 @@
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
       "CVE-2024-12366",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-3154",
       "CVE-2024-5565",
       "CVE-2025-3248",
@@ -2330,6 +2336,8 @@
       "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-21513",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -2830,6 +2838,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-3094",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
@@ -5032,6 +5042,8 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5590,6 +5602,8 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5686,6 +5700,8 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5803,6 +5819,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-3154",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",

package/data/zeroday-lessons.json

@@ -4361,6 +4361,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-24590": {
+    "name": "ClearML Client SDK Artifact Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ClearML's client SDK reconstructs stored experiment artifacts through an unsafe object-deserialization routine on retrieval, so a maliciously uploaded artifact runs arbitrary code on the retrieving user's system.",
+      "privileges_required": "low-to-none (upload access to a shared project; victim must retrieve the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the MLOps / experiment-tracking layer that moves artifacts and datasets between data scientists. The lesson: an MLOps platform is a supply-chain channel - uploaded artifacts are untrusted code/file payloads and must never be auto-deserialized or extracted without containment."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to an uploaded artifact before the MLOps SDK deserializes it."
+      },
+      "NIST-800-53-SR-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply-chain controls do not treat MLOps experiment artifacts as untrusted third-party content moving between collaborators."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps platform's uploaded artifacts as an untrusted code-delivery surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "MLOps platforms are deployed for collaboration on trusted-team assumptions; their artifact/dataset retrieval paths are not treated as untrusted-content boundaries.",
+      "theater_pattern": "mlops_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-104",
+        "name": "MLOPS-EXPERIMENT-ARTIFACT-TRUST-BOUNDARY",
+        "description": "An MLOps / experiment-tracking platform (ClearML, and the class: Weights & Biases, MLflow artifact stores, model registries) must treat every uploaded artifact and dataset as untrusted third-party content, because these platforms move artifacts between collaborators automatically. On retrieval the client SDK must NOT reconstruct artifacts through an unsafe object-deserialization routine (use a safe loader / explicit schema, or sandbox the deserialization), and must constrain dataset extraction to a contained directory (reject absolute and ../ traversal entries). Run the SDK least-privilege and only pull from trusted projects. The distinguishing test: upload an artifact carrying a deserialization-gadget payload and a dataset with a ../ entry to a staging project, retrieve them from a separate client, and confirm neither runs code nor writes outside the cache directory - a 'secured MLOps' posture that still auto-deserializes or extracts uploaded content without containment is exposed.",
+        "evidence": "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-CM-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-24591": {
+    "name": "ClearML Client SDK Dataset Path Traversal Arbitrary File Write",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ClearML's client SDK writes dataset entries without path containment on retrieval, so a maliciously uploaded dataset with absolute / ../ entries writes files to arbitrary locations on the retrieving user's system (escalating to code execution by overwriting startup/config files).",
+      "privileges_required": "low-to-none (upload access to a shared project; victim must retrieve the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the MLOps / experiment-tracking layer that moves artifacts and datasets between data scientists. The lesson: an MLOps platform is a supply-chain channel - uploaded artifacts are untrusted code/file payloads and must never be auto-deserialized or extracted without containment."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No path validation is applied to dataset entries before the MLOps SDK extracts them."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced: dataset extraction writes entries without containing them to the cache directory."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps platform's uploaded datasets as an untrusted file-write surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "MLOps platforms are deployed for collaboration on trusted-team assumptions; their artifact/dataset retrieval paths are not treated as untrusted-content boundaries.",
+      "theater_pattern": "mlops_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-104",
+        "name": "MLOPS-EXPERIMENT-ARTIFACT-TRUST-BOUNDARY",
+        "description": "An MLOps / experiment-tracking platform (ClearML, and the class: Weights & Biases, MLflow artifact stores, model registries) must treat every uploaded artifact and dataset as untrusted third-party content, because these platforms move artifacts between collaborators automatically. On retrieval the client SDK must NOT reconstruct artifacts through an unsafe object-deserialization routine (use a safe loader / explicit schema, or sandbox the deserialization), and must constrain dataset extraction to a contained directory (reject absolute and ../ traversal entries). Run the SDK least-privilege and only pull from trusted projects. The distinguishing test: upload an artifact carrying a deserialization-gadget payload and a dataset with a ../ entry to a staging project, retrieve them from a separate client, and confirm neither runs code nor writes outside the cache directory - a 'secured MLOps' posture that still auto-deserializes or extracts uploaded content without containment is exposed.",
+        "evidence": "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-CM-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2026-33017": {
     "name": "Langflow Public Flow-Build Endpoint Unauthenticated Remote Code Execution",
     "lesson_date": "2026-05-25",