@blamejs/exceptd-skills 0.13.105 → 0.13.107

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (14) hide show
  1. package/CHANGELOG.md +8 -0
  2. package/data/_indexes/_meta.json +9 -9
  3. package/data/_indexes/activity-feed.json +2 -2
  4. package/data/_indexes/catalog-summaries.json +2 -2
  5. package/data/_indexes/chains.json +1712 -0
  6. package/data/atlas-ttps.json +8 -0
  7. package/data/attack-techniques.json +10 -0
  8. package/data/cve-catalog.json +420 -0
  9. package/data/cwe-catalog.json +4 -0
  10. package/data/framework-control-gaps.json +38 -0
  11. package/data/zeroday-lessons.json +200 -0
  12. package/manifest.json +44 -44
  13. package/package.json +2 -2
  14. package/sbom.cdx.json +25 -25
package/data/_indexes/chains.json CHANGED
@@ -41608,6 +41608,1620 @@
41608
41608
  ]
41609
41609
  }
41610
41610
  },
41611
+ "CVE-2024-2912": {
41612
+ "name": "BentoML Insecure Deserialization Unauthenticated Remote Code Execution",
41613
+ "rwep": 33,
41614
+ "cvss": 10,
41615
+ "cisa_kev": false,
41616
+ "epss_score": null,
41617
+ "referencing_skills": [
41618
+ "ai-attack-surface",
41619
+ "mcp-agent-trust",
41620
+ "compliance-theater",
41621
+ "rag-pipeline-security",
41622
+ "ai-c2-detection",
41623
+ "threat-modeling-methodology",
41624
+ "webapp-security",
41625
+ "api-security",
41626
+ "cloud-security",
41627
+ "container-runtime-security",
41628
+ "email-security-anti-phishing"
41629
+ ],
41630
+ "chain": {
41631
+ "cwes": [
41632
+ {
41633
+ "id": "CWE-1039",
41634
+ "name": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
41635
+ "category": "AI/ML"
41636
+ },
41637
+ {
41638
+ "id": "CWE-1188",
41639
+ "name": "Initialization of a Resource with an Insecure Default",
41640
+ "category": "Configuration"
41641
+ },
41642
+ {
41643
+ "id": "CWE-1395",
41644
+ "name": "Dependency on Vulnerable Third-Party Component",
41645
+ "category": "Supply Chain"
41646
+ },
41647
+ {
41648
+ "id": "CWE-1426",
41649
+ "name": "Improper Validation of Generative AI Output",
41650
+ "category": "AI/ML"
41651
+ },
41652
+ {
41653
+ "id": "CWE-200",
41654
+ "name": "Exposure of Sensitive Information to an Unauthorized Actor",
41655
+ "category": "Information Exposure"
41656
+ },
41657
+ {
41658
+ "id": "CWE-22",
41659
+ "name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
41660
+ "category": "Path/Resource"
41661
+ },
41662
+ {
41663
+ "id": "CWE-269",
41664
+ "name": "Improper Privilege Management",
41665
+ "category": "Authorization"
41666
+ },
41667
+ {
41668
+ "id": "CWE-287",
41669
+ "name": "Improper Authentication",
41670
+ "category": "Authentication"
41671
+ },
41672
+ {
41673
+ "id": "CWE-345",
41674
+ "name": "Insufficient Verification of Data Authenticity",
41675
+ "category": "Authenticity / Supply Chain"
41676
+ },
41677
+ {
41678
+ "id": "CWE-352",
41679
+ "name": "Cross-Site Request Forgery (CSRF)",
41680
+ "category": "Session"
41681
+ },
41682
+ {
41683
+ "id": "CWE-434",
41684
+ "name": "Unrestricted Upload of File with Dangerous Type",
41685
+ "category": "File Handling"
41686
+ },
41687
+ {
41688
+ "id": "CWE-494",
41689
+ "name": "Download of Code Without Integrity Check",
41690
+ "category": "Supply Chain"
41691
+ },
41692
+ {
41693
+ "id": "CWE-502",
41694
+ "name": "Deserialization of Untrusted Data",
41695
+ "category": "Serialization"
41696
+ },
41697
+ {
41698
+ "id": "CWE-732",
41699
+ "name": "Incorrect Permission Assignment for Critical Resource",
41700
+ "category": "Authorization"
41701
+ },
41702
+ {
41703
+ "id": "CWE-77",
41704
+ "name": "Improper Neutralization of Special Elements used in a Command (Command Injection)",
41705
+ "category": "Injection"
41706
+ },
41707
+ {
41708
+ "id": "CWE-78",
41709
+ "name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
41710
+ "category": "Injection"
41711
+ },
41712
+ {
41713
+ "id": "CWE-787",
41714
+ "name": "Out-of-bounds Write",
41715
+ "category": "Memory Safety"
41716
+ },
41717
+ {
41718
+ "id": "CWE-79",
41719
+ "name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
41720
+ "category": "Injection"
41721
+ },
41722
+ {
41723
+ "id": "CWE-798",
41724
+ "name": "Use of Hard-coded Credentials",
41725
+ "category": "Credentials"
41726
+ },
41727
+ {
41728
+ "id": "CWE-862",
41729
+ "name": "Missing Authorization",
41730
+ "category": "Authorization"
41731
+ },
41732
+ {
41733
+ "id": "CWE-863",
41734
+ "name": "Incorrect Authorization",
41735
+ "category": "Authorization"
41736
+ },
41737
+ {
41738
+ "id": "CWE-89",
41739
+ "name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
41740
+ "category": "Injection"
41741
+ },
41742
+ {
41743
+ "id": "CWE-918",
41744
+ "name": "Server-Side Request Forgery (SSRF)",
41745
+ "category": "Network"
41746
+ },
41747
+ {
41748
+ "id": "CWE-94",
41749
+ "name": "Improper Control of Generation of Code (Code Injection)",
41750
+ "category": "Injection"
41751
+ }
41752
+ ],
41753
+ "atlas": [
41754
+ {
41755
+ "id": "AML.T0010",
41756
+ "name": "ML Supply Chain Compromise",
41757
+ "tactic": "Initial Access"
41758
+ },
41759
+ {
41760
+ "id": "AML.T0016",
41761
+ "name": "Obtain Capabilities: Develop Capabilities",
41762
+ "tactic": "Resource Development"
41763
+ },
41764
+ {
41765
+ "id": "AML.T0017",
41766
+ "name": "Discover ML Model Ontology",
41767
+ "tactic": "Discovery"
41768
+ },
41769
+ {
41770
+ "id": "AML.T0018",
41771
+ "name": "Backdoor ML Model",
41772
+ "tactic": "Persistence"
41773
+ },
41774
+ {
41775
+ "id": "AML.T0020",
41776
+ "name": "Poison Training Data",
41777
+ "tactic": "ML Attack Staging"
41778
+ },
41779
+ {
41780
+ "id": "AML.T0043",
41781
+ "name": "Craft Adversarial Data",
41782
+ "tactic": "ML Attack Staging"
41783
+ },
41784
+ {
41785
+ "id": "AML.T0051",
41786
+ "name": "LLM Prompt Injection",
41787
+ "tactic": "Execution"
41788
+ },
41789
+ {
41790
+ "id": "AML.T0054",
41791
+ "name": "LLM Jailbreak",
41792
+ "tactic": "Defense Evasion"
41793
+ },
41794
+ {
41795
+ "id": "AML.T0096",
41796
+ "name": "AI API as Covert C2 Channel",
41797
+ "tactic": "Command and Control"
41798
+ }
41799
+ ],
41800
+ "d3fend": [
41801
+ {
41802
+ "id": "D3-CA",
41803
+ "name": "Certificate Analysis",
41804
+ "tactic": "Detect"
41805
+ },
41806
+ {
41807
+ "id": "D3-CBAN",
41808
+ "name": "Certificate-based Authentication",
41809
+ "tactic": "Harden"
41810
+ },
41811
+ {
41812
+ "id": "D3-CSPP",
41813
+ "name": "Client-server Payload Profiling",
41814
+ "tactic": "Detect"
41815
+ },
41816
+ {
41817
+ "id": "D3-DA",
41818
+ "name": "Domain Analysis",
41819
+ "tactic": "Detect"
41820
+ },
41821
+ {
41822
+ "id": "D3-EAL",
41823
+ "name": "Executable Allowlisting",
41824
+ "tactic": "Harden"
41825
+ },
41826
+ {
41827
+ "id": "D3-EHB",
41828
+ "name": "Executable Hashbased Allowlist",
41829
+ "tactic": "Harden"
41830
+ },
41831
+ {
41832
+ "id": "D3-IOPR",
41833
+ "name": "Input/Output Profiling Resource",
41834
+ "tactic": "Detect"
41835
+ },
41836
+ {
41837
+ "id": "D3-MFA",
41838
+ "name": "Multi-factor Authentication",
41839
+ "tactic": "Harden"
41840
+ },
41841
+ {
41842
+ "id": "D3-NI",
41843
+ "name": "Network Isolation",
41844
+ "tactic": "Isolate"
41845
+ },
41846
+ {
41847
+ "id": "D3-NTA",
41848
+ "name": "Network Traffic Analysis",
41849
+ "tactic": "Detect"
41850
+ },
41851
+ {
41852
+ "id": "D3-NTPM",
41853
+ "name": "Network Traffic Policy Mapping",
41854
+ "tactic": "Model"
41855
+ }
41856
+ ],
41857
+ "framework_gaps": [
41858
+ {
41859
+ "id": "ALL-AI-PIPELINE-INTEGRITY",
41860
+ "framework": "ALL",
41861
+ "control_name": "AI Pipeline Integrity"
41862
+ },
41863
+ {
41864
+ "id": "ALL-MCP-TOOL-TRUST",
41865
+ "framework": "ALL",
41866
+ "control_name": "MCP/Agent Tool Trust Boundaries"
41867
+ },
41868
+ {
41869
+ "id": "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
41870
+ "framework": "ALL",
41871
+ "control_name": "Prompt Injection as Access Control Failure"
41872
+ },
41873
+ {
41874
+ "id": "CMMC-2.0-Level-2",
41875
+ "framework": "CMMC 2.0 (Cybersecurity Maturity Model Certification) Level 2",
41876
+ "control_name": "Level 2 — Advanced (110 NIST 800-171 Rev 2 controls)"
41877
+ },
41878
+ {
41879
+ "id": "FedRAMP-Rev5-Moderate",
41880
+ "framework": "FedRAMP Rev 5 Moderate",
41881
+ "control_name": "FedRAMP Moderate baseline (NIST 800-53 Rev 5 tailoring)"
41882
+ },
41883
+ {
41884
+ "id": "ISO-27001-2022-A.8.16",
41885
+ "framework": "ISO/IEC 27001:2022",
41886
+ "control_name": "Monitoring activities"
41887
+ },
41888
+ {
41889
+ "id": "ISO-27001-2022-A.8.28",
41890
+ "framework": "ISO/IEC 27001:2022",
41891
+ "control_name": "Secure coding"
41892
+ },
41893
+ {
41894
+ "id": "ISO-27001-2022-A.8.30",
41895
+ "framework": "ISO/IEC 27001:2022",
41896
+ "control_name": "Outsourced development"
41897
+ },
41898
+ {
41899
+ "id": "ISO-IEC-23894-2023-clause-7",
41900
+ "framework": "ISO/IEC 23894:2023 (AI Risk Management Guidance)",
41901
+ "control_name": "AI risk management process"
41902
+ },
41903
+ {
41904
+ "id": "ISO-IEC-42001-2023-clause-6.1.2",
41905
+ "framework": "ISO/IEC 42001:2023 (AI Management System)",
41906
+ "control_name": "AI risk assessment"
41907
+ },
41908
+ {
41909
+ "id": "NIST-800-218-SSDF",
41910
+ "framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
41911
+ "control_name": "Secure Software Development Framework"
41912
+ },
41913
+ {
41914
+ "id": "NIST-800-53-AC-2",
41915
+ "framework": "NIST SP 800-53 Rev 5",
41916
+ "control_name": "Account Management"
41917
+ },
41918
+ {
41919
+ "id": "NIST-800-53-CM-7",
41920
+ "framework": "NIST SP 800-53 Rev 5",
41921
+ "control_name": "Least Functionality"
41922
+ },
41923
+ {
41924
+ "id": "NIST-800-53-SA-12",
41925
+ "framework": "NIST SP 800-53 Rev 5",
41926
+ "control_name": "Supply Chain Protection"
41927
+ },
41928
+ {
41929
+ "id": "NIST-800-53-SC-7",
41930
+ "framework": "NIST SP 800-53 Rev 5",
41931
+ "control_name": "Boundary Protection"
41932
+ },
41933
+ {
41934
+ "id": "NIST-800-53-SI-12",
41935
+ "framework": "NIST SP 800-53 Rev 5",
41936
+ "control_name": "Information Management and Retention"
41937
+ },
41938
+ {
41939
+ "id": "NIST-800-53-SI-3",
41940
+ "framework": "NIST SP 800-53 Rev 5",
41941
+ "control_name": "Malicious Code Protection"
41942
+ },
41943
+ {
41944
+ "id": "NIST-AI-RMF-MEASURE-2.5",
41945
+ "framework": "NIST AI RMF 1.0",
41946
+ "control_name": "AI system to human interaction evaluation"
41947
+ },
41948
+ {
41949
+ "id": "OWASP-ASVS-v5.0-V14",
41950
+ "framework": "OWASP ASVS v5.0",
41951
+ "control_name": "Configuration verification"
41952
+ },
41953
+ {
41954
+ "id": "OWASP-LLM-Top-10-2025-LLM01",
41955
+ "framework": "OWASP Top 10 for LLM Applications 2025",
41956
+ "control_name": "Prompt Injection"
41957
+ },
41958
+ {
41959
+ "id": "OWASP-LLM-Top-10-2025-LLM02",
41960
+ "framework": "OWASP Top 10 for LLM Applications 2025",
41961
+ "control_name": "Sensitive Information Disclosure"
41962
+ },
41963
+ {
41964
+ "id": "OWASP-LLM-Top-10-2025-LLM06",
41965
+ "framework": "OWASP Top 10 for LLM Applications 2025",
41966
+ "control_name": "Excessive Agency"
41967
+ },
41968
+ {
41969
+ "id": "OWASP-LLM-Top-10-2025-LLM08",
41970
+ "framework": "OWASP Top 10 for LLM Applications 2025",
41971
+ "control_name": "Vector and Embedding Weaknesses"
41972
+ },
41973
+ {
41974
+ "id": "SLSA-v1.0-Build-L3",
41975
+ "framework": "SLSA v1.0 (Supply-chain Levels for Software Artifacts) — Build Track",
41976
+ "control_name": "Hardened build platform with non-falsifiable provenance"
41977
+ },
41978
+ {
41979
+ "id": "SOC2-CC6-logical-access",
41980
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
41981
+ "control_name": "Logical and Physical Access Controls"
41982
+ },
41983
+ {
41984
+ "id": "SOC2-CC7-anomaly-detection",
41985
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
41986
+ "control_name": "System Operations — Threat and Vulnerability Management"
41987
+ },
41988
+ {
41989
+ "id": "SOC2-CC9-vendor-management",
41990
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
41991
+ "control_name": "Risk Mitigation — Vendor and Business Partner Risk"
41992
+ },
41993
+ {
41994
+ "id": "SWIFT-CSCF-v2026-1.1",
41995
+ "framework": "SWIFT Customer Security Controls Framework v2026",
41996
+ "control_name": "SWIFT Environment Protection"
41997
+ }
41998
+ ],
41999
+ "attack_refs": [
42000
+ "T1059",
42001
+ "T1068",
42002
+ "T1071",
42003
+ "T1078",
42004
+ "T1102",
42005
+ "T1190",
42006
+ "T1195.001",
42007
+ "T1505",
42008
+ "T1530",
42009
+ "T1552",
42010
+ "T1565",
42011
+ "T1566",
42012
+ "T1566.001",
42013
+ "T1566.002",
42014
+ "T1566.003",
42015
+ "T1567",
42016
+ "T1568",
42017
+ "T1610",
42018
+ "T1611"
42019
+ ],
42020
+ "rfc_refs": [
42021
+ "RFC-6749",
42022
+ "RFC-7519",
42023
+ "RFC-8032",
42024
+ "RFC-8446",
42025
+ "RFC-8725",
42026
+ "RFC-9000",
42027
+ "RFC-9114",
42028
+ "RFC-9180",
42029
+ "RFC-9421",
42030
+ "RFC-9458",
42031
+ "RFC-9700"
42032
+ ]
42033
+ }
42034
+ },
42035
+ "CVE-2025-27520": {
42036
+ "name": "BentoML serde.py Insecure Deserialization Unauthenticated Remote Code Execution",
42037
+ "rwep": 33,
42038
+ "cvss": 9.8,
42039
+ "cisa_kev": false,
42040
+ "epss_score": null,
42041
+ "referencing_skills": [
42042
+ "ai-attack-surface",
42043
+ "mcp-agent-trust",
42044
+ "compliance-theater",
42045
+ "rag-pipeline-security",
42046
+ "ai-c2-detection",
42047
+ "threat-modeling-methodology",
42048
+ "webapp-security",
42049
+ "api-security",
42050
+ "cloud-security",
42051
+ "container-runtime-security",
42052
+ "email-security-anti-phishing"
42053
+ ],
42054
+ "chain": {
42055
+ "cwes": [
42056
+ {
42057
+ "id": "CWE-1039",
42058
+ "name": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
42059
+ "category": "AI/ML"
42060
+ },
42061
+ {
42062
+ "id": "CWE-1188",
42063
+ "name": "Initialization of a Resource with an Insecure Default",
42064
+ "category": "Configuration"
42065
+ },
42066
+ {
42067
+ "id": "CWE-1395",
42068
+ "name": "Dependency on Vulnerable Third-Party Component",
42069
+ "category": "Supply Chain"
42070
+ },
42071
+ {
42072
+ "id": "CWE-1426",
42073
+ "name": "Improper Validation of Generative AI Output",
42074
+ "category": "AI/ML"
42075
+ },
42076
+ {
42077
+ "id": "CWE-200",
42078
+ "name": "Exposure of Sensitive Information to an Unauthorized Actor",
42079
+ "category": "Information Exposure"
42080
+ },
42081
+ {
42082
+ "id": "CWE-22",
42083
+ "name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
42084
+ "category": "Path/Resource"
42085
+ },
42086
+ {
42087
+ "id": "CWE-269",
42088
+ "name": "Improper Privilege Management",
42089
+ "category": "Authorization"
42090
+ },
42091
+ {
42092
+ "id": "CWE-287",
42093
+ "name": "Improper Authentication",
42094
+ "category": "Authentication"
42095
+ },
42096
+ {
42097
+ "id": "CWE-345",
42098
+ "name": "Insufficient Verification of Data Authenticity",
42099
+ "category": "Authenticity / Supply Chain"
42100
+ },
42101
+ {
42102
+ "id": "CWE-352",
42103
+ "name": "Cross-Site Request Forgery (CSRF)",
42104
+ "category": "Session"
42105
+ },
42106
+ {
42107
+ "id": "CWE-434",
42108
+ "name": "Unrestricted Upload of File with Dangerous Type",
42109
+ "category": "File Handling"
42110
+ },
42111
+ {
42112
+ "id": "CWE-494",
42113
+ "name": "Download of Code Without Integrity Check",
42114
+ "category": "Supply Chain"
42115
+ },
42116
+ {
42117
+ "id": "CWE-502",
42118
+ "name": "Deserialization of Untrusted Data",
42119
+ "category": "Serialization"
42120
+ },
42121
+ {
42122
+ "id": "CWE-732",
42123
+ "name": "Incorrect Permission Assignment for Critical Resource",
42124
+ "category": "Authorization"
42125
+ },
42126
+ {
42127
+ "id": "CWE-77",
42128
+ "name": "Improper Neutralization of Special Elements used in a Command (Command Injection)",
42129
+ "category": "Injection"
42130
+ },
42131
+ {
42132
+ "id": "CWE-78",
42133
+ "name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
42134
+ "category": "Injection"
42135
+ },
42136
+ {
42137
+ "id": "CWE-787",
42138
+ "name": "Out-of-bounds Write",
42139
+ "category": "Memory Safety"
42140
+ },
42141
+ {
42142
+ "id": "CWE-79",
42143
+ "name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
42144
+ "category": "Injection"
42145
+ },
42146
+ {
42147
+ "id": "CWE-798",
42148
+ "name": "Use of Hard-coded Credentials",
42149
+ "category": "Credentials"
42150
+ },
42151
+ {
42152
+ "id": "CWE-862",
42153
+ "name": "Missing Authorization",
42154
+ "category": "Authorization"
42155
+ },
42156
+ {
42157
+ "id": "CWE-863",
42158
+ "name": "Incorrect Authorization",
42159
+ "category": "Authorization"
42160
+ },
42161
+ {
42162
+ "id": "CWE-89",
42163
+ "name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
42164
+ "category": "Injection"
42165
+ },
42166
+ {
42167
+ "id": "CWE-918",
42168
+ "name": "Server-Side Request Forgery (SSRF)",
42169
+ "category": "Network"
42170
+ },
42171
+ {
42172
+ "id": "CWE-94",
42173
+ "name": "Improper Control of Generation of Code (Code Injection)",
42174
+ "category": "Injection"
42175
+ }
42176
+ ],
42177
+ "atlas": [
42178
+ {
42179
+ "id": "AML.T0010",
42180
+ "name": "ML Supply Chain Compromise",
42181
+ "tactic": "Initial Access"
42182
+ },
42183
+ {
42184
+ "id": "AML.T0016",
42185
+ "name": "Obtain Capabilities: Develop Capabilities",
42186
+ "tactic": "Resource Development"
42187
+ },
42188
+ {
42189
+ "id": "AML.T0017",
42190
+ "name": "Discover ML Model Ontology",
42191
+ "tactic": "Discovery"
42192
+ },
42193
+ {
42194
+ "id": "AML.T0018",
42195
+ "name": "Backdoor ML Model",
42196
+ "tactic": "Persistence"
42197
+ },
42198
+ {
42199
+ "id": "AML.T0020",
42200
+ "name": "Poison Training Data",
42201
+ "tactic": "ML Attack Staging"
42202
+ },
42203
+ {
42204
+ "id": "AML.T0043",
42205
+ "name": "Craft Adversarial Data",
42206
+ "tactic": "ML Attack Staging"
42207
+ },
42208
+ {
42209
+ "id": "AML.T0051",
42210
+ "name": "LLM Prompt Injection",
42211
+ "tactic": "Execution"
42212
+ },
42213
+ {
42214
+ "id": "AML.T0054",
42215
+ "name": "LLM Jailbreak",
42216
+ "tactic": "Defense Evasion"
42217
+ },
42218
+ {
42219
+ "id": "AML.T0096",
42220
+ "name": "AI API as Covert C2 Channel",
42221
+ "tactic": "Command and Control"
42222
+ }
42223
+ ],
42224
+ "d3fend": [
42225
+ {
42226
+ "id": "D3-CA",
42227
+ "name": "Certificate Analysis",
42228
+ "tactic": "Detect"
42229
+ },
42230
+ {
42231
+ "id": "D3-CBAN",
42232
+ "name": "Certificate-based Authentication",
42233
+ "tactic": "Harden"
42234
+ },
42235
+ {
42236
+ "id": "D3-CSPP",
42237
+ "name": "Client-server Payload Profiling",
42238
+ "tactic": "Detect"
42239
+ },
42240
+ {
42241
+ "id": "D3-DA",
42242
+ "name": "Domain Analysis",
42243
+ "tactic": "Detect"
42244
+ },
42245
+ {
42246
+ "id": "D3-EAL",
42247
+ "name": "Executable Allowlisting",
42248
+ "tactic": "Harden"
42249
+ },
42250
+ {
42251
+ "id": "D3-EHB",
42252
+ "name": "Executable Hashbased Allowlist",
42253
+ "tactic": "Harden"
42254
+ },
42255
+ {
42256
+ "id": "D3-IOPR",
42257
+ "name": "Input/Output Profiling Resource",
42258
+ "tactic": "Detect"
42259
+ },
42260
+ {
42261
+ "id": "D3-MFA",
42262
+ "name": "Multi-factor Authentication",
42263
+ "tactic": "Harden"
42264
+ },
42265
+ {
42266
+ "id": "D3-NI",
42267
+ "name": "Network Isolation",
42268
+ "tactic": "Isolate"
42269
+ },
42270
+ {
42271
+ "id": "D3-NTA",
42272
+ "name": "Network Traffic Analysis",
42273
+ "tactic": "Detect"
42274
+ },
42275
+ {
42276
+ "id": "D3-NTPM",
42277
+ "name": "Network Traffic Policy Mapping",
42278
+ "tactic": "Model"
42279
+ }
42280
+ ],
42281
+ "framework_gaps": [
42282
+ {
42283
+ "id": "ALL-AI-PIPELINE-INTEGRITY",
42284
+ "framework": "ALL",
42285
+ "control_name": "AI Pipeline Integrity"
42286
+ },
42287
+ {
42288
+ "id": "ALL-MCP-TOOL-TRUST",
42289
+ "framework": "ALL",
42290
+ "control_name": "MCP/Agent Tool Trust Boundaries"
42291
+ },
42292
+ {
42293
+ "id": "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
42294
+ "framework": "ALL",
42295
+ "control_name": "Prompt Injection as Access Control Failure"
42296
+ },
42297
+ {
42298
+ "id": "CMMC-2.0-Level-2",
42299
+ "framework": "CMMC 2.0 (Cybersecurity Maturity Model Certification) Level 2",
42300
+ "control_name": "Level 2 — Advanced (110 NIST 800-171 Rev 2 controls)"
42301
+ },
42302
+ {
42303
+ "id": "FedRAMP-Rev5-Moderate",
42304
+ "framework": "FedRAMP Rev 5 Moderate",
42305
+ "control_name": "FedRAMP Moderate baseline (NIST 800-53 Rev 5 tailoring)"
42306
+ },
42307
+ {
42308
+ "id": "ISO-27001-2022-A.8.16",
42309
+ "framework": "ISO/IEC 27001:2022",
42310
+ "control_name": "Monitoring activities"
42311
+ },
42312
+ {
42313
+ "id": "ISO-27001-2022-A.8.28",
42314
+ "framework": "ISO/IEC 27001:2022",
42315
+ "control_name": "Secure coding"
42316
+ },
42317
+ {
42318
+ "id": "ISO-27001-2022-A.8.30",
42319
+ "framework": "ISO/IEC 27001:2022",
42320
+ "control_name": "Outsourced development"
42321
+ },
42322
+ {
42323
+ "id": "ISO-IEC-23894-2023-clause-7",
42324
+ "framework": "ISO/IEC 23894:2023 (AI Risk Management Guidance)",
42325
+ "control_name": "AI risk management process"
42326
+ },
42327
+ {
42328
+ "id": "ISO-IEC-42001-2023-clause-6.1.2",
42329
+ "framework": "ISO/IEC 42001:2023 (AI Management System)",
42330
+ "control_name": "AI risk assessment"
42331
+ },
42332
+ {
42333
+ "id": "NIST-800-218-SSDF",
42334
+ "framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
42335
+ "control_name": "Secure Software Development Framework"
42336
+ },
42337
+ {
42338
+ "id": "NIST-800-53-AC-2",
42339
+ "framework": "NIST SP 800-53 Rev 5",
42340
+ "control_name": "Account Management"
42341
+ },
42342
+ {
42343
+ "id": "NIST-800-53-CM-7",
42344
+ "framework": "NIST SP 800-53 Rev 5",
42345
+ "control_name": "Least Functionality"
42346
+ },
42347
+ {
42348
+ "id": "NIST-800-53-SA-12",
42349
+ "framework": "NIST SP 800-53 Rev 5",
42350
+ "control_name": "Supply Chain Protection"
42351
+ },
42352
+ {
42353
+ "id": "NIST-800-53-SC-7",
42354
+ "framework": "NIST SP 800-53 Rev 5",
42355
+ "control_name": "Boundary Protection"
42356
+ },
42357
+ {
42358
+ "id": "NIST-800-53-SI-12",
42359
+ "framework": "NIST SP 800-53 Rev 5",
42360
+ "control_name": "Information Management and Retention"
42361
+ },
42362
+ {
42363
+ "id": "NIST-800-53-SI-3",
42364
+ "framework": "NIST SP 800-53 Rev 5",
42365
+ "control_name": "Malicious Code Protection"
42366
+ },
42367
+ {
42368
+ "id": "NIST-AI-RMF-MEASURE-2.5",
42369
+ "framework": "NIST AI RMF 1.0",
42370
+ "control_name": "AI system to human interaction evaluation"
42371
+ },
42372
+ {
42373
+ "id": "OWASP-ASVS-v5.0-V14",
42374
+ "framework": "OWASP ASVS v5.0",
42375
+ "control_name": "Configuration verification"
42376
+ },
42377
+ {
42378
+ "id": "OWASP-LLM-Top-10-2025-LLM01",
42379
+ "framework": "OWASP Top 10 for LLM Applications 2025",
42380
+ "control_name": "Prompt Injection"
42381
+ },
42382
+ {
42383
+ "id": "OWASP-LLM-Top-10-2025-LLM02",
42384
+ "framework": "OWASP Top 10 for LLM Applications 2025",
42385
+ "control_name": "Sensitive Information Disclosure"
42386
+ },
42387
+ {
42388
+ "id": "OWASP-LLM-Top-10-2025-LLM06",
42389
+ "framework": "OWASP Top 10 for LLM Applications 2025",
42390
+ "control_name": "Excessive Agency"
42391
+ },
42392
+ {
42393
+ "id": "OWASP-LLM-Top-10-2025-LLM08",
42394
+ "framework": "OWASP Top 10 for LLM Applications 2025",
42395
+ "control_name": "Vector and Embedding Weaknesses"
42396
+ },
42397
+ {
42398
+ "id": "SLSA-v1.0-Build-L3",
42399
+ "framework": "SLSA v1.0 (Supply-chain Levels for Software Artifacts) — Build Track",
42400
+ "control_name": "Hardened build platform with non-falsifiable provenance"
42401
+ },
42402
+ {
42403
+ "id": "SOC2-CC6-logical-access",
42404
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
42405
+ "control_name": "Logical and Physical Access Controls"
42406
+ },
42407
+ {
42408
+ "id": "SOC2-CC7-anomaly-detection",
42409
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
42410
+ "control_name": "System Operations — Threat and Vulnerability Management"
42411
+ },
42412
+ {
42413
+ "id": "SOC2-CC9-vendor-management",
42414
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
42415
+ "control_name": "Risk Mitigation — Vendor and Business Partner Risk"
42416
+ },
42417
+ {
42418
+ "id": "SWIFT-CSCF-v2026-1.1",
42419
+ "framework": "SWIFT Customer Security Controls Framework v2026",
42420
+ "control_name": "SWIFT Environment Protection"
42421
+ }
42422
+ ],
42423
+ "attack_refs": [
42424
+ "T1059",
42425
+ "T1068",
42426
+ "T1071",
42427
+ "T1078",
42428
+ "T1102",
42429
+ "T1190",
42430
+ "T1195.001",
42431
+ "T1505",
42432
+ "T1530",
42433
+ "T1552",
42434
+ "T1565",
42435
+ "T1566",
42436
+ "T1566.001",
42437
+ "T1566.002",
42438
+ "T1566.003",
42439
+ "T1567",
42440
+ "T1568",
42441
+ "T1610",
42442
+ "T1611"
42443
+ ],
42444
+ "rfc_refs": [
42445
+ "RFC-6749",
42446
+ "RFC-7519",
42447
+ "RFC-8032",
42448
+ "RFC-8446",
42449
+ "RFC-8725",
42450
+ "RFC-9000",
42451
+ "RFC-9114",
42452
+ "RFC-9180",
42453
+ "RFC-9421",
42454
+ "RFC-9458",
42455
+ "RFC-9700"
42456
+ ]
42457
+ }
42458
+ },
42459
+ "CVE-2024-37052": {
42460
+ "name": "MLflow scikit-learn Model Deserialization Remote Code Execution",
42461
+ "rwep": 42,
42462
+ "cvss": 8.8,
42463
+ "cisa_kev": false,
42464
+ "epss_score": null,
42465
+ "referencing_skills": [
42466
+ "kernel-lpe-triage",
42467
+ "ai-attack-surface",
42468
+ "compliance-theater",
42469
+ "rag-pipeline-security",
42470
+ "threat-modeling-methodology",
42471
+ "webapp-security",
42472
+ "api-security",
42473
+ "container-runtime-security"
42474
+ ],
42475
+ "chain": {
42476
+ "cwes": [
42477
+ {
42478
+ "id": "CWE-1039",
42479
+ "name": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
42480
+ "category": "AI/ML"
42481
+ },
42482
+ {
42483
+ "id": "CWE-1188",
42484
+ "name": "Initialization of a Resource with an Insecure Default",
42485
+ "category": "Configuration"
42486
+ },
42487
+ {
42488
+ "id": "CWE-125",
42489
+ "name": "Out-of-bounds Read",
42490
+ "category": "Memory Safety"
42491
+ },
42492
+ {
42493
+ "id": "CWE-1395",
42494
+ "name": "Dependency on Vulnerable Third-Party Component",
42495
+ "category": "Supply Chain"
42496
+ },
42497
+ {
42498
+ "id": "CWE-1426",
42499
+ "name": "Improper Validation of Generative AI Output",
42500
+ "category": "AI/ML"
42501
+ },
42502
+ {
42503
+ "id": "CWE-200",
42504
+ "name": "Exposure of Sensitive Information to an Unauthorized Actor",
42505
+ "category": "Information Exposure"
42506
+ },
42507
+ {
42508
+ "id": "CWE-22",
42509
+ "name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
42510
+ "category": "Path/Resource"
42511
+ },
42512
+ {
42513
+ "id": "CWE-269",
42514
+ "name": "Improper Privilege Management",
42515
+ "category": "Authorization"
42516
+ },
42517
+ {
42518
+ "id": "CWE-287",
42519
+ "name": "Improper Authentication",
42520
+ "category": "Authentication"
42521
+ },
42522
+ {
42523
+ "id": "CWE-352",
42524
+ "name": "Cross-Site Request Forgery (CSRF)",
42525
+ "category": "Session"
42526
+ },
42527
+ {
42528
+ "id": "CWE-362",
42529
+ "name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
42530
+ "category": "Concurrency"
42531
+ },
42532
+ {
42533
+ "id": "CWE-416",
42534
+ "name": "Use After Free",
42535
+ "category": "Memory Safety"
42536
+ },
42537
+ {
42538
+ "id": "CWE-434",
42539
+ "name": "Unrestricted Upload of File with Dangerous Type",
42540
+ "category": "File Handling"
42541
+ },
42542
+ {
42543
+ "id": "CWE-502",
42544
+ "name": "Deserialization of Untrusted Data",
42545
+ "category": "Serialization"
42546
+ },
42547
+ {
42548
+ "id": "CWE-672",
42549
+ "name": "Operation on a Resource after Expiration or Release",
42550
+ "category": "Memory Safety"
42551
+ },
42552
+ {
42553
+ "id": "CWE-732",
42554
+ "name": "Incorrect Permission Assignment for Critical Resource",
42555
+ "category": "Authorization"
42556
+ },
42557
+ {
42558
+ "id": "CWE-77",
42559
+ "name": "Improper Neutralization of Special Elements used in a Command (Command Injection)",
42560
+ "category": "Injection"
42561
+ },
42562
+ {
42563
+ "id": "CWE-78",
42564
+ "name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
42565
+ "category": "Injection"
42566
+ },
42567
+ {
42568
+ "id": "CWE-787",
42569
+ "name": "Out-of-bounds Write",
42570
+ "category": "Memory Safety"
42571
+ },
42572
+ {
42573
+ "id": "CWE-79",
42574
+ "name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
42575
+ "category": "Injection"
42576
+ },
42577
+ {
42578
+ "id": "CWE-862",
42579
+ "name": "Missing Authorization",
42580
+ "category": "Authorization"
42581
+ },
42582
+ {
42583
+ "id": "CWE-863",
42584
+ "name": "Incorrect Authorization",
42585
+ "category": "Authorization"
42586
+ },
42587
+ {
42588
+ "id": "CWE-89",
42589
+ "name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
42590
+ "category": "Injection"
42591
+ },
42592
+ {
42593
+ "id": "CWE-918",
42594
+ "name": "Server-Side Request Forgery (SSRF)",
42595
+ "category": "Network"
42596
+ },
42597
+ {
42598
+ "id": "CWE-94",
42599
+ "name": "Improper Control of Generation of Code (Code Injection)",
42600
+ "category": "Injection"
42601
+ }
42602
+ ],
42603
+ "atlas": [
42604
+ {
42605
+ "id": "AML.T0010",
42606
+ "name": "ML Supply Chain Compromise",
42607
+ "tactic": "Initial Access"
42608
+ },
42609
+ {
42610
+ "id": "AML.T0016",
42611
+ "name": "Obtain Capabilities: Develop Capabilities",
42612
+ "tactic": "Resource Development"
42613
+ },
42614
+ {
42615
+ "id": "AML.T0017",
42616
+ "name": "Discover ML Model Ontology",
42617
+ "tactic": "Discovery"
42618
+ },
42619
+ {
42620
+ "id": "AML.T0018",
42621
+ "name": "Backdoor ML Model",
42622
+ "tactic": "Persistence"
42623
+ },
42624
+ {
42625
+ "id": "AML.T0020",
42626
+ "name": "Poison Training Data",
42627
+ "tactic": "ML Attack Staging"
42628
+ },
42629
+ {
42630
+ "id": "AML.T0043",
42631
+ "name": "Craft Adversarial Data",
42632
+ "tactic": "ML Attack Staging"
42633
+ },
42634
+ {
42635
+ "id": "AML.T0051",
42636
+ "name": "LLM Prompt Injection",
42637
+ "tactic": "Execution"
42638
+ },
42639
+ {
42640
+ "id": "AML.T0054",
42641
+ "name": "LLM Jailbreak",
42642
+ "tactic": "Defense Evasion"
42643
+ },
42644
+ {
42645
+ "id": "AML.T0096",
42646
+ "name": "AI API as Covert C2 Channel",
42647
+ "tactic": "Command and Control"
42648
+ }
42649
+ ],
42650
+ "d3fend": [
42651
+ {
42652
+ "id": "D3-ASLR",
42653
+ "name": "Address Space Layout Randomization",
42654
+ "tactic": "Harden"
42655
+ },
42656
+ {
42657
+ "id": "D3-CSPP",
42658
+ "name": "Client-server Payload Profiling",
42659
+ "tactic": "Detect"
42660
+ },
42661
+ {
42662
+ "id": "D3-EAL",
42663
+ "name": "Executable Allowlisting",
42664
+ "tactic": "Harden"
42665
+ },
42666
+ {
42667
+ "id": "D3-IOPR",
42668
+ "name": "Input/Output Profiling Resource",
42669
+ "tactic": "Detect"
42670
+ },
42671
+ {
42672
+ "id": "D3-NTA",
42673
+ "name": "Network Traffic Analysis",
42674
+ "tactic": "Detect"
42675
+ },
42676
+ {
42677
+ "id": "D3-PHRA",
42678
+ "name": "Process Hardware Resource Access",
42679
+ "tactic": "Isolate"
42680
+ },
42681
+ {
42682
+ "id": "D3-PSEP",
42683
+ "name": "Process Segment Execution Prevention",
42684
+ "tactic": "Harden"
42685
+ }
42686
+ ],
42687
+ "framework_gaps": [
42688
+ {
42689
+ "id": "ALL-AI-PIPELINE-INTEGRITY",
42690
+ "framework": "ALL",
42691
+ "control_name": "AI Pipeline Integrity"
42692
+ },
42693
+ {
42694
+ "id": "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
42695
+ "framework": "ALL",
42696
+ "control_name": "Prompt Injection as Access Control Failure"
42697
+ },
42698
+ {
42699
+ "id": "CIS-Controls-v8-Control7",
42700
+ "framework": "CIS Controls v8",
42701
+ "control_name": "Continuous Vulnerability Management"
42702
+ },
42703
+ {
42704
+ "id": "CMMC-2.0-Level-2",
42705
+ "framework": "CMMC 2.0 (Cybersecurity Maturity Model Certification) Level 2",
42706
+ "control_name": "Level 2 — Advanced (110 NIST 800-171 Rev 2 controls)"
42707
+ },
42708
+ {
42709
+ "id": "FedRAMP-Rev5-Moderate",
42710
+ "framework": "FedRAMP Rev 5 Moderate",
42711
+ "control_name": "FedRAMP Moderate baseline (NIST 800-53 Rev 5 tailoring)"
42712
+ },
42713
+ {
42714
+ "id": "ISO-27001-2022-A.8.28",
42715
+ "framework": "ISO/IEC 27001:2022",
42716
+ "control_name": "Secure coding"
42717
+ },
42718
+ {
42719
+ "id": "ISO-27001-2022-A.8.8",
42720
+ "framework": "ISO/IEC 27001:2022",
42721
+ "control_name": "Management of technical vulnerabilities"
42722
+ },
42723
+ {
42724
+ "id": "ISO-IEC-23894-2023-clause-7",
42725
+ "framework": "ISO/IEC 23894:2023 (AI Risk Management Guidance)",
42726
+ "control_name": "AI risk management process"
42727
+ },
42728
+ {
42729
+ "id": "ISO-IEC-42001-2023-clause-6.1.2",
42730
+ "framework": "ISO/IEC 42001:2023 (AI Management System)",
42731
+ "control_name": "AI risk assessment"
42732
+ },
42733
+ {
42734
+ "id": "NIS2-Art21-patch-management",
42735
+ "framework": "EU NIS2 Directive",
42736
+ "control_name": "Vulnerability handling and disclosure"
42737
+ },
42738
+ {
42739
+ "id": "NIST-800-218-SSDF",
42740
+ "framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
42741
+ "control_name": "Secure Software Development Framework"
42742
+ },
42743
+ {
42744
+ "id": "NIST-800-53-AC-2",
42745
+ "framework": "NIST SP 800-53 Rev 5",
42746
+ "control_name": "Account Management"
42747
+ },
42748
+ {
42749
+ "id": "NIST-800-53-CM-7",
42750
+ "framework": "NIST SP 800-53 Rev 5",
42751
+ "control_name": "Least Functionality"
42752
+ },
42753
+ {
42754
+ "id": "NIST-800-53-SC-8",
42755
+ "framework": "NIST SP 800-53 Rev 5",
42756
+ "control_name": "Transmission Confidentiality and Integrity"
42757
+ },
42758
+ {
42759
+ "id": "NIST-800-53-SI-12",
42760
+ "framework": "NIST SP 800-53 Rev 5",
42761
+ "control_name": "Information Management and Retention"
42762
+ },
42763
+ {
42764
+ "id": "NIST-800-53-SI-2",
42765
+ "framework": "NIST SP 800-53 Rev 5",
42766
+ "control_name": "Flaw Remediation"
42767
+ },
42768
+ {
42769
+ "id": "NIST-800-53-SI-3",
42770
+ "framework": "NIST SP 800-53 Rev 5",
42771
+ "control_name": "Malicious Code Protection"
42772
+ },
42773
+ {
42774
+ "id": "NIST-AI-RMF-MEASURE-2.5",
42775
+ "framework": "NIST AI RMF 1.0",
42776
+ "control_name": "AI system to human interaction evaluation"
42777
+ },
42778
+ {
42779
+ "id": "OWASP-ASVS-v5.0-V14",
42780
+ "framework": "OWASP ASVS v5.0",
42781
+ "control_name": "Configuration verification"
42782
+ },
42783
+ {
42784
+ "id": "OWASP-LLM-Top-10-2025-LLM01",
42785
+ "framework": "OWASP Top 10 for LLM Applications 2025",
42786
+ "control_name": "Prompt Injection"
42787
+ },
42788
+ {
42789
+ "id": "OWASP-LLM-Top-10-2025-LLM02",
42790
+ "framework": "OWASP Top 10 for LLM Applications 2025",
42791
+ "control_name": "Sensitive Information Disclosure"
42792
+ },
42793
+ {
42794
+ "id": "OWASP-LLM-Top-10-2025-LLM08",
42795
+ "framework": "OWASP Top 10 for LLM Applications 2025",
42796
+ "control_name": "Vector and Embedding Weaknesses"
42797
+ },
42798
+ {
42799
+ "id": "PCI-DSS-4.0-6.3.3",
42800
+ "framework": "PCI DSS 4.0",
42801
+ "control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
42802
+ },
42803
+ {
42804
+ "id": "SLSA-v1.0-Build-L3",
42805
+ "framework": "SLSA v1.0 (Supply-chain Levels for Software Artifacts) — Build Track",
42806
+ "control_name": "Hardened build platform with non-falsifiable provenance"
42807
+ },
42808
+ {
42809
+ "id": "SOC2-CC6-logical-access",
42810
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
42811
+ "control_name": "Logical and Physical Access Controls"
42812
+ }
42813
+ ],
42814
+ "attack_refs": [
42815
+ "T1059",
42816
+ "T1068",
42817
+ "T1078",
42818
+ "T1190",
42819
+ "T1505",
42820
+ "T1548.001",
42821
+ "T1565",
42822
+ "T1566",
42823
+ "T1567",
42824
+ "T1610",
42825
+ "T1611"
42826
+ ],
42827
+ "rfc_refs": [
42828
+ "RFC-4301",
42829
+ "RFC-4303",
42830
+ "RFC-6749",
42831
+ "RFC-7296",
42832
+ "RFC-7519",
42833
+ "RFC-8032",
42834
+ "RFC-8446",
42835
+ "RFC-8725",
42836
+ "RFC-9114",
42837
+ "RFC-9421",
42838
+ "RFC-9700"
42839
+ ]
42840
+ }
42841
+ },
42842
+ "CVE-2024-37060": {
42843
+ "name": "MLflow Recipe Deserialization Remote Code Execution",
42844
+ "rwep": 42,
42845
+ "cvss": 8.8,
42846
+ "cisa_kev": false,
42847
+ "epss_score": null,
42848
+ "referencing_skills": [
42849
+ "kernel-lpe-triage",
42850
+ "ai-attack-surface",
42851
+ "compliance-theater",
42852
+ "rag-pipeline-security",
42853
+ "threat-modeling-methodology",
42854
+ "webapp-security",
42855
+ "api-security",
42856
+ "container-runtime-security"
42857
+ ],
42858
+ "chain": {
42859
+ "cwes": [
42860
+ {
42861
+ "id": "CWE-1039",
42862
+ "name": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
42863
+ "category": "AI/ML"
42864
+ },
42865
+ {
42866
+ "id": "CWE-1188",
42867
+ "name": "Initialization of a Resource with an Insecure Default",
42868
+ "category": "Configuration"
42869
+ },
42870
+ {
42871
+ "id": "CWE-125",
42872
+ "name": "Out-of-bounds Read",
42873
+ "category": "Memory Safety"
42874
+ },
42875
+ {
42876
+ "id": "CWE-1395",
42877
+ "name": "Dependency on Vulnerable Third-Party Component",
42878
+ "category": "Supply Chain"
42879
+ },
42880
+ {
42881
+ "id": "CWE-1426",
42882
+ "name": "Improper Validation of Generative AI Output",
42883
+ "category": "AI/ML"
42884
+ },
42885
+ {
42886
+ "id": "CWE-200",
42887
+ "name": "Exposure of Sensitive Information to an Unauthorized Actor",
42888
+ "category": "Information Exposure"
42889
+ },
42890
+ {
42891
+ "id": "CWE-22",
42892
+ "name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
42893
+ "category": "Path/Resource"
42894
+ },
42895
+ {
42896
+ "id": "CWE-269",
42897
+ "name": "Improper Privilege Management",
42898
+ "category": "Authorization"
42899
+ },
42900
+ {
42901
+ "id": "CWE-287",
42902
+ "name": "Improper Authentication",
42903
+ "category": "Authentication"
42904
+ },
42905
+ {
42906
+ "id": "CWE-352",
42907
+ "name": "Cross-Site Request Forgery (CSRF)",
42908
+ "category": "Session"
42909
+ },
42910
+ {
42911
+ "id": "CWE-362",
42912
+ "name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
42913
+ "category": "Concurrency"
42914
+ },
42915
+ {
42916
+ "id": "CWE-416",
42917
+ "name": "Use After Free",
42918
+ "category": "Memory Safety"
42919
+ },
42920
+ {
42921
+ "id": "CWE-434",
42922
+ "name": "Unrestricted Upload of File with Dangerous Type",
42923
+ "category": "File Handling"
42924
+ },
42925
+ {
42926
+ "id": "CWE-502",
42927
+ "name": "Deserialization of Untrusted Data",
42928
+ "category": "Serialization"
42929
+ },
42930
+ {
42931
+ "id": "CWE-672",
42932
+ "name": "Operation on a Resource after Expiration or Release",
42933
+ "category": "Memory Safety"
42934
+ },
42935
+ {
42936
+ "id": "CWE-732",
42937
+ "name": "Incorrect Permission Assignment for Critical Resource",
42938
+ "category": "Authorization"
42939
+ },
42940
+ {
42941
+ "id": "CWE-77",
42942
+ "name": "Improper Neutralization of Special Elements used in a Command (Command Injection)",
42943
+ "category": "Injection"
42944
+ },
42945
+ {
42946
+ "id": "CWE-78",
42947
+ "name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
42948
+ "category": "Injection"
42949
+ },
42950
+ {
42951
+ "id": "CWE-787",
42952
+ "name": "Out-of-bounds Write",
42953
+ "category": "Memory Safety"
42954
+ },
42955
+ {
42956
+ "id": "CWE-79",
42957
+ "name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
42958
+ "category": "Injection"
42959
+ },
42960
+ {
42961
+ "id": "CWE-862",
42962
+ "name": "Missing Authorization",
42963
+ "category": "Authorization"
42964
+ },
42965
+ {
42966
+ "id": "CWE-863",
42967
+ "name": "Incorrect Authorization",
42968
+ "category": "Authorization"
42969
+ },
42970
+ {
42971
+ "id": "CWE-89",
42972
+ "name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
42973
+ "category": "Injection"
42974
+ },
42975
+ {
42976
+ "id": "CWE-918",
42977
+ "name": "Server-Side Request Forgery (SSRF)",
42978
+ "category": "Network"
42979
+ },
42980
+ {
42981
+ "id": "CWE-94",
42982
+ "name": "Improper Control of Generation of Code (Code Injection)",
42983
+ "category": "Injection"
42984
+ }
42985
+ ],
42986
+ "atlas": [
42987
+ {
42988
+ "id": "AML.T0010",
42989
+ "name": "ML Supply Chain Compromise",
42990
+ "tactic": "Initial Access"
42991
+ },
42992
+ {
42993
+ "id": "AML.T0016",
42994
+ "name": "Obtain Capabilities: Develop Capabilities",
42995
+ "tactic": "Resource Development"
42996
+ },
42997
+ {
42998
+ "id": "AML.T0017",
42999
+ "name": "Discover ML Model Ontology",
43000
+ "tactic": "Discovery"
43001
+ },
43002
+ {
43003
+ "id": "AML.T0018",
43004
+ "name": "Backdoor ML Model",
43005
+ "tactic": "Persistence"
43006
+ },
43007
+ {
43008
+ "id": "AML.T0020",
43009
+ "name": "Poison Training Data",
43010
+ "tactic": "ML Attack Staging"
43011
+ },
43012
+ {
43013
+ "id": "AML.T0043",
43014
+ "name": "Craft Adversarial Data",
43015
+ "tactic": "ML Attack Staging"
43016
+ },
43017
+ {
43018
+ "id": "AML.T0051",
43019
+ "name": "LLM Prompt Injection",
43020
+ "tactic": "Execution"
43021
+ },
43022
+ {
43023
+ "id": "AML.T0054",
43024
+ "name": "LLM Jailbreak",
43025
+ "tactic": "Defense Evasion"
43026
+ },
43027
+ {
43028
+ "id": "AML.T0096",
43029
+ "name": "AI API as Covert C2 Channel",
43030
+ "tactic": "Command and Control"
43031
+ }
43032
+ ],
43033
+ "d3fend": [
43034
+ {
43035
+ "id": "D3-ASLR",
43036
+ "name": "Address Space Layout Randomization",
43037
+ "tactic": "Harden"
43038
+ },
43039
+ {
43040
+ "id": "D3-CSPP",
43041
+ "name": "Client-server Payload Profiling",
43042
+ "tactic": "Detect"
43043
+ },
43044
+ {
43045
+ "id": "D3-EAL",
43046
+ "name": "Executable Allowlisting",
43047
+ "tactic": "Harden"
43048
+ },
43049
+ {
43050
+ "id": "D3-IOPR",
43051
+ "name": "Input/Output Profiling Resource",
43052
+ "tactic": "Detect"
43053
+ },
43054
+ {
43055
+ "id": "D3-NTA",
43056
+ "name": "Network Traffic Analysis",
43057
+ "tactic": "Detect"
43058
+ },
43059
+ {
43060
+ "id": "D3-PHRA",
43061
+ "name": "Process Hardware Resource Access",
43062
+ "tactic": "Isolate"
43063
+ },
43064
+ {
43065
+ "id": "D3-PSEP",
43066
+ "name": "Process Segment Execution Prevention",
43067
+ "tactic": "Harden"
43068
+ }
43069
+ ],
43070
+ "framework_gaps": [
43071
+ {
43072
+ "id": "ALL-AI-PIPELINE-INTEGRITY",
43073
+ "framework": "ALL",
43074
+ "control_name": "AI Pipeline Integrity"
43075
+ },
43076
+ {
43077
+ "id": "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
43078
+ "framework": "ALL",
43079
+ "control_name": "Prompt Injection as Access Control Failure"
43080
+ },
43081
+ {
43082
+ "id": "CIS-Controls-v8-Control7",
43083
+ "framework": "CIS Controls v8",
43084
+ "control_name": "Continuous Vulnerability Management"
43085
+ },
43086
+ {
43087
+ "id": "CMMC-2.0-Level-2",
43088
+ "framework": "CMMC 2.0 (Cybersecurity Maturity Model Certification) Level 2",
43089
+ "control_name": "Level 2 — Advanced (110 NIST 800-171 Rev 2 controls)"
43090
+ },
43091
+ {
43092
+ "id": "FedRAMP-Rev5-Moderate",
43093
+ "framework": "FedRAMP Rev 5 Moderate",
43094
+ "control_name": "FedRAMP Moderate baseline (NIST 800-53 Rev 5 tailoring)"
43095
+ },
43096
+ {
43097
+ "id": "ISO-27001-2022-A.8.28",
43098
+ "framework": "ISO/IEC 27001:2022",
43099
+ "control_name": "Secure coding"
43100
+ },
43101
+ {
43102
+ "id": "ISO-27001-2022-A.8.8",
43103
+ "framework": "ISO/IEC 27001:2022",
43104
+ "control_name": "Management of technical vulnerabilities"
43105
+ },
43106
+ {
43107
+ "id": "ISO-IEC-23894-2023-clause-7",
43108
+ "framework": "ISO/IEC 23894:2023 (AI Risk Management Guidance)",
43109
+ "control_name": "AI risk management process"
43110
+ },
43111
+ {
43112
+ "id": "ISO-IEC-42001-2023-clause-6.1.2",
43113
+ "framework": "ISO/IEC 42001:2023 (AI Management System)",
43114
+ "control_name": "AI risk assessment"
43115
+ },
43116
+ {
43117
+ "id": "NIS2-Art21-patch-management",
43118
+ "framework": "EU NIS2 Directive",
43119
+ "control_name": "Vulnerability handling and disclosure"
43120
+ },
43121
+ {
43122
+ "id": "NIST-800-218-SSDF",
43123
+ "framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
43124
+ "control_name": "Secure Software Development Framework"
43125
+ },
43126
+ {
43127
+ "id": "NIST-800-53-AC-2",
43128
+ "framework": "NIST SP 800-53 Rev 5",
43129
+ "control_name": "Account Management"
43130
+ },
43131
+ {
43132
+ "id": "NIST-800-53-CM-7",
43133
+ "framework": "NIST SP 800-53 Rev 5",
43134
+ "control_name": "Least Functionality"
43135
+ },
43136
+ {
43137
+ "id": "NIST-800-53-SC-8",
43138
+ "framework": "NIST SP 800-53 Rev 5",
43139
+ "control_name": "Transmission Confidentiality and Integrity"
43140
+ },
43141
+ {
43142
+ "id": "NIST-800-53-SI-12",
43143
+ "framework": "NIST SP 800-53 Rev 5",
43144
+ "control_name": "Information Management and Retention"
43145
+ },
43146
+ {
43147
+ "id": "NIST-800-53-SI-2",
43148
+ "framework": "NIST SP 800-53 Rev 5",
43149
+ "control_name": "Flaw Remediation"
43150
+ },
43151
+ {
43152
+ "id": "NIST-800-53-SI-3",
43153
+ "framework": "NIST SP 800-53 Rev 5",
43154
+ "control_name": "Malicious Code Protection"
43155
+ },
43156
+ {
43157
+ "id": "NIST-AI-RMF-MEASURE-2.5",
43158
+ "framework": "NIST AI RMF 1.0",
43159
+ "control_name": "AI system to human interaction evaluation"
43160
+ },
43161
+ {
43162
+ "id": "OWASP-ASVS-v5.0-V14",
43163
+ "framework": "OWASP ASVS v5.0",
43164
+ "control_name": "Configuration verification"
43165
+ },
43166
+ {
43167
+ "id": "OWASP-LLM-Top-10-2025-LLM01",
43168
+ "framework": "OWASP Top 10 for LLM Applications 2025",
43169
+ "control_name": "Prompt Injection"
43170
+ },
43171
+ {
43172
+ "id": "OWASP-LLM-Top-10-2025-LLM02",
43173
+ "framework": "OWASP Top 10 for LLM Applications 2025",
43174
+ "control_name": "Sensitive Information Disclosure"
43175
+ },
43176
+ {
43177
+ "id": "OWASP-LLM-Top-10-2025-LLM08",
43178
+ "framework": "OWASP Top 10 for LLM Applications 2025",
43179
+ "control_name": "Vector and Embedding Weaknesses"
43180
+ },
43181
+ {
43182
+ "id": "PCI-DSS-4.0-6.3.3",
43183
+ "framework": "PCI DSS 4.0",
43184
+ "control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
43185
+ },
43186
+ {
43187
+ "id": "SLSA-v1.0-Build-L3",
43188
+ "framework": "SLSA v1.0 (Supply-chain Levels for Software Artifacts) — Build Track",
43189
+ "control_name": "Hardened build platform with non-falsifiable provenance"
43190
+ },
43191
+ {
43192
+ "id": "SOC2-CC6-logical-access",
43193
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
43194
+ "control_name": "Logical and Physical Access Controls"
43195
+ }
43196
+ ],
43197
+ "attack_refs": [
43198
+ "T1059",
43199
+ "T1068",
43200
+ "T1078",
43201
+ "T1190",
43202
+ "T1505",
43203
+ "T1548.001",
43204
+ "T1565",
43205
+ "T1566",
43206
+ "T1567",
43207
+ "T1610",
43208
+ "T1611"
43209
+ ],
43210
+ "rfc_refs": [
43211
+ "RFC-4301",
43212
+ "RFC-4303",
43213
+ "RFC-6749",
43214
+ "RFC-7296",
43215
+ "RFC-7519",
43216
+ "RFC-8032",
43217
+ "RFC-8446",
43218
+ "RFC-8725",
43219
+ "RFC-9114",
43220
+ "RFC-9421",
43221
+ "RFC-9700"
43222
+ ]
43223
+ }
43224
+ },
41611
43225
  "CVE-2026-41091": {
41612
43226
  "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
41613
43227
  "rwep": 45,
@@ -68006,9 +69620,12 @@
68006
69620
  "CVE-2024-24590",
68007
69621
  "CVE-2024-24591",
68008
69622
  "CVE-2024-27132",
69623
+ "CVE-2024-2912",
68009
69624
  "CVE-2024-3094",
68010
69625
  "CVE-2024-3154",
68011
69626
  "CVE-2024-37032",
69627
+ "CVE-2024-37052",
69628
+ "CVE-2024-37060",
68012
69629
  "CVE-2024-39722",
68013
69630
  "CVE-2024-42478",
68014
69631
  "CVE-2024-42479",
@@ -68024,6 +69641,7 @@
68024
69641
  "CVE-2025-1753",
68025
69642
  "CVE-2025-23254",
68026
69643
  "CVE-2025-23266",
69644
+ "CVE-2025-27520",
68027
69645
  "CVE-2025-30165",
68028
69646
  "CVE-2025-30202",
68029
69647
  "CVE-2025-32434",
@@ -68258,11 +69876,15 @@
68258
69876
  "CVE-2024-12366",
68259
69877
  "CVE-2024-24590",
68260
69878
  "CVE-2024-24591",
69879
+ "CVE-2024-2912",
68261
69880
  "CVE-2024-3094",
68262
69881
  "CVE-2024-3154",
69882
+ "CVE-2024-37052",
69883
+ "CVE-2024-37060",
68263
69884
  "CVE-2024-5565",
68264
69885
  "CVE-2025-0133",
68265
69886
  "CVE-2025-1094",
69887
+ "CVE-2025-27520",
68266
69888
  "CVE-2025-3248",
68267
69889
  "CVE-2025-49844",
68268
69890
  "CVE-2025-53773",
@@ -68428,7 +70050,10 @@
68428
70050
  "CVE-2024-24590",
68429
70051
  "CVE-2024-24591",
68430
70052
  "CVE-2024-27132",
70053
+ "CVE-2024-2912",
68431
70054
  "CVE-2024-37032",
70055
+ "CVE-2024-37052",
70056
+ "CVE-2024-37060",
68432
70057
  "CVE-2024-39722",
68433
70058
  "CVE-2024-42478",
68434
70059
  "CVE-2024-42479",
@@ -68444,6 +70069,7 @@
68444
70069
  "CVE-2025-1753",
68445
70070
  "CVE-2025-23254",
68446
70071
  "CVE-2025-23266",
70072
+ "CVE-2025-27520",
68447
70073
  "CVE-2025-30165",
68448
70074
  "CVE-2025-30202",
68449
70075
  "CVE-2025-32434",
@@ -68634,7 +70260,10 @@
68634
70260
  "CVE-2024-24590",
68635
70261
  "CVE-2024-24591",
68636
70262
  "CVE-2024-27132",
70263
+ "CVE-2024-2912",
68637
70264
  "CVE-2024-37032",
70265
+ "CVE-2024-37052",
70266
+ "CVE-2024-37060",
68638
70267
  "CVE-2024-39722",
68639
70268
  "CVE-2024-42478",
68640
70269
  "CVE-2024-42479",
@@ -68650,6 +70279,7 @@
68650
70279
  "CVE-2025-1753",
68651
70280
  "CVE-2025-23254",
68652
70281
  "CVE-2025-23266",
70282
+ "CVE-2025-27520",
68653
70283
  "CVE-2025-30165",
68654
70284
  "CVE-2025-30202",
68655
70285
  "CVE-2025-32434",
@@ -68854,7 +70484,10 @@
68854
70484
  "CVE-2024-24590",
68855
70485
  "CVE-2024-24591",
68856
70486
  "CVE-2024-27132",
70487
+ "CVE-2024-2912",
68857
70488
  "CVE-2024-37032",
70489
+ "CVE-2024-37052",
70490
+ "CVE-2024-37060",
68858
70491
  "CVE-2024-39722",
68859
70492
  "CVE-2024-42478",
68860
70493
  "CVE-2024-42479",
@@ -68870,6 +70503,7 @@
68870
70503
  "CVE-2025-1753",
68871
70504
  "CVE-2025-23254",
68872
70505
  "CVE-2025-23266",
70506
+ "CVE-2025-27520",
68873
70507
  "CVE-2025-30165",
68874
70508
  "CVE-2025-30202",
68875
70509
  "CVE-2025-32434",
@@ -69179,9 +70813,12 @@
69179
70813
  "CVE-2024-24590",
69180
70814
  "CVE-2024-24591",
69181
70815
  "CVE-2024-27132",
70816
+ "CVE-2024-2912",
69182
70817
  "CVE-2024-3094",
69183
70818
  "CVE-2024-3154",
69184
70819
  "CVE-2024-37032",
70820
+ "CVE-2024-37052",
70821
+ "CVE-2024-37060",
69185
70822
  "CVE-2024-39722",
69186
70823
  "CVE-2024-42478",
69187
70824
  "CVE-2024-42479",
@@ -69196,6 +70833,7 @@
69196
70833
  "CVE-2025-1753",
69197
70834
  "CVE-2025-23254",
69198
70835
  "CVE-2025-23266",
70836
+ "CVE-2025-27520",
69199
70837
  "CVE-2025-30165",
69200
70838
  "CVE-2025-30202",
69201
70839
  "CVE-2025-32434",
@@ -69463,6 +71101,8 @@
69463
71101
  "CVE-2024-27199",
69464
71102
  "CVE-2024-27443",
69465
71103
  "CVE-2024-37032",
71104
+ "CVE-2024-37052",
71105
+ "CVE-2024-37060",
69466
71106
  "CVE-2024-37079",
69467
71107
  "CVE-2024-39722",
69468
71108
  "CVE-2024-42009",
@@ -69940,8 +71580,11 @@
69940
71580
  "CVE-2024-21576",
69941
71581
  "CVE-2024-24590",
69942
71582
  "CVE-2024-24591",
71583
+ "CVE-2024-2912",
69943
71584
  "CVE-2024-3094",
69944
71585
  "CVE-2024-3154",
71586
+ "CVE-2024-37052",
71587
+ "CVE-2024-37060",
69945
71588
  "CVE-2024-40635",
69946
71589
  "CVE-2024-42478",
69947
71590
  "CVE-2024-42479",
@@ -69951,6 +71594,7 @@
69951
71594
  "CVE-2025-14847",
69952
71595
  "CVE-2025-22226",
69953
71596
  "CVE-2025-23266",
71597
+ "CVE-2025-27520",
69954
71598
  "CVE-2025-30202",
69955
71599
  "CVE-2025-32444",
69956
71600
  "CVE-2025-3248",
@@ -70327,9 +71971,12 @@
70327
71971
  "CVE-2024-24590",
70328
71972
  "CVE-2024-24591",
70329
71973
  "CVE-2024-27132",
71974
+ "CVE-2024-2912",
70330
71975
  "CVE-2024-3094",
70331
71976
  "CVE-2024-3154",
70332
71977
  "CVE-2024-37032",
71978
+ "CVE-2024-37052",
71979
+ "CVE-2024-37060",
70333
71980
  "CVE-2024-39722",
70334
71981
  "CVE-2024-42478",
70335
71982
  "CVE-2024-42479",
@@ -70345,6 +71992,7 @@
70345
71992
  "CVE-2025-1753",
70346
71993
  "CVE-2025-23254",
70347
71994
  "CVE-2025-23266",
71995
+ "CVE-2025-27520",
70348
71996
  "CVE-2025-30165",
70349
71997
  "CVE-2025-30202",
70350
71998
  "CVE-2025-32434",
@@ -70972,9 +72620,12 @@
70972
72620
  "CVE-2024-24590",
70973
72621
  "CVE-2024-24591",
70974
72622
  "CVE-2024-27132",
72623
+ "CVE-2024-2912",
70975
72624
  "CVE-2024-3094",
70976
72625
  "CVE-2024-3154",
70977
72626
  "CVE-2024-37032",
72627
+ "CVE-2024-37052",
72628
+ "CVE-2024-37060",
70978
72629
  "CVE-2024-39722",
70979
72630
  "CVE-2024-42478",
70980
72631
  "CVE-2024-42479",
@@ -70990,6 +72641,7 @@
70990
72641
  "CVE-2025-1753",
70991
72642
  "CVE-2025-23254",
70992
72643
  "CVE-2025-23266",
72644
+ "CVE-2025-27520",
70993
72645
  "CVE-2025-30165",
70994
72646
  "CVE-2025-30202",
70995
72647
  "CVE-2025-32434",
@@ -71709,9 +73361,11 @@
71709
73361
  "CVE-2024-12366",
71710
73362
  "CVE-2024-24590",
71711
73363
  "CVE-2024-24591",
73364
+ "CVE-2024-2912",
71712
73365
  "CVE-2024-3094",
71713
73366
  "CVE-2024-3154",
71714
73367
  "CVE-2024-5565",
73368
+ "CVE-2025-27520",
71715
73369
  "CVE-2025-3248",
71716
73370
  "CVE-2025-49844",
71717
73371
  "CVE-2025-53773",
@@ -71964,9 +73618,12 @@
71964
73618
  "CVE-2024-24590",
71965
73619
  "CVE-2024-24591",
71966
73620
  "CVE-2024-27132",
73621
+ "CVE-2024-2912",
71967
73622
  "CVE-2024-3094",
71968
73623
  "CVE-2024-3154",
71969
73624
  "CVE-2024-37032",
73625
+ "CVE-2024-37052",
73626
+ "CVE-2024-37060",
71970
73627
  "CVE-2024-39722",
71971
73628
  "CVE-2024-42478",
71972
73629
  "CVE-2024-42479",
@@ -71982,6 +73639,7 @@
71982
73639
  "CVE-2025-1753",
71983
73640
  "CVE-2025-23254",
71984
73641
  "CVE-2025-23266",
73642
+ "CVE-2025-27520",
71985
73643
  "CVE-2025-30165",
71986
73644
  "CVE-2025-30202",
71987
73645
  "CVE-2025-32434",
@@ -72255,6 +73913,8 @@
72255
73913
  "CVE-2024-27199",
72256
73914
  "CVE-2024-27443",
72257
73915
  "CVE-2024-37032",
73916
+ "CVE-2024-37052",
73917
+ "CVE-2024-37060",
72258
73918
  "CVE-2024-37079",
72259
73919
  "CVE-2024-39722",
72260
73920
  "CVE-2024-42009",
@@ -72713,6 +74373,8 @@
72713
74373
  "CVE-2024-27199",
72714
74374
  "CVE-2024-27443",
72715
74375
  "CVE-2024-37032",
74376
+ "CVE-2024-37052",
74377
+ "CVE-2024-37060",
72716
74378
  "CVE-2024-37079",
72717
74379
  "CVE-2024-39722",
72718
74380
  "CVE-2024-42009",
@@ -73198,9 +74860,12 @@
73198
74860
  "CVE-2024-24590",
73199
74861
  "CVE-2024-24591",
73200
74862
  "CVE-2024-27132",
74863
+ "CVE-2024-2912",
73201
74864
  "CVE-2024-3094",
73202
74865
  "CVE-2024-3154",
73203
74866
  "CVE-2024-37032",
74867
+ "CVE-2024-37052",
74868
+ "CVE-2024-37060",
73204
74869
  "CVE-2024-39722",
73205
74870
  "CVE-2024-42478",
73206
74871
  "CVE-2024-42479",
@@ -73216,6 +74881,7 @@
73216
74881
  "CVE-2025-1753",
73217
74882
  "CVE-2025-23254",
73218
74883
  "CVE-2025-23266",
74884
+ "CVE-2025-27520",
73219
74885
  "CVE-2025-30165",
73220
74886
  "CVE-2025-30202",
73221
74887
  "CVE-2025-32434",
@@ -73462,9 +75128,11 @@
73462
75128
  "CVE-2024-12366",
73463
75129
  "CVE-2024-24590",
73464
75130
  "CVE-2024-24591",
75131
+ "CVE-2024-2912",
73465
75132
  "CVE-2024-3094",
73466
75133
  "CVE-2024-3154",
73467
75134
  "CVE-2024-5565",
75135
+ "CVE-2025-27520",
73468
75136
  "CVE-2025-3248",
73469
75137
  "CVE-2025-49844",
73470
75138
  "CVE-2025-53773",
@@ -73661,10 +75329,14 @@
73661
75329
  "CVE-2024-12366",
73662
75330
  "CVE-2024-24590",
73663
75331
  "CVE-2024-24591",
75332
+ "CVE-2024-2912",
73664
75333
  "CVE-2024-3094",
75334
+ "CVE-2024-37052",
75335
+ "CVE-2024-37060",
73665
75336
  "CVE-2024-5565",
73666
75337
  "CVE-2025-0133",
73667
75338
  "CVE-2025-1094",
75339
+ "CVE-2025-27520",
73668
75340
  "CVE-2025-3248",
73669
75341
  "CVE-2025-6965",
73670
75342
  "CVE-2026-30615",
@@ -74055,6 +75727,8 @@
74055
75727
  "CVE-2024-27199",
74056
75728
  "CVE-2024-27443",
74057
75729
  "CVE-2024-37032",
75730
+ "CVE-2024-37052",
75731
+ "CVE-2024-37060",
74058
75732
  "CVE-2024-37079",
74059
75733
  "CVE-2024-39722",
74060
75734
  "CVE-2024-42009",
@@ -74604,9 +76278,12 @@
74604
76278
  "CVE-2024-24590",
74605
76279
  "CVE-2024-24591",
74606
76280
  "CVE-2024-27132",
76281
+ "CVE-2024-2912",
74607
76282
  "CVE-2024-3094",
74608
76283
  "CVE-2024-3154",
74609
76284
  "CVE-2024-37032",
76285
+ "CVE-2024-37052",
76286
+ "CVE-2024-37060",
74610
76287
  "CVE-2024-39722",
74611
76288
  "CVE-2024-42478",
74612
76289
  "CVE-2024-42479",
@@ -74622,6 +76299,7 @@
74622
76299
  "CVE-2025-1753",
74623
76300
  "CVE-2025-23254",
74624
76301
  "CVE-2025-23266",
76302
+ "CVE-2025-27520",
74625
76303
  "CVE-2025-30165",
74626
76304
  "CVE-2025-30202",
74627
76305
  "CVE-2025-32434",
@@ -74976,9 +76654,12 @@
74976
76654
  "CVE-2024-27132",
74977
76655
  "CVE-2024-27199",
74978
76656
  "CVE-2024-27443",
76657
+ "CVE-2024-2912",
74979
76658
  "CVE-2024-3094",
74980
76659
  "CVE-2024-3154",
74981
76660
  "CVE-2024-37032",
76661
+ "CVE-2024-37052",
76662
+ "CVE-2024-37060",
74982
76663
  "CVE-2024-37079",
74983
76664
  "CVE-2024-39722",
74984
76665
  "CVE-2024-42009",
@@ -75034,6 +76715,7 @@
75034
76715
  "CVE-2025-2746",
75035
76716
  "CVE-2025-2747",
75036
76717
  "CVE-2025-2749",
76718
+ "CVE-2025-27520",
75037
76719
  "CVE-2025-2775",
75038
76720
  "CVE-2025-2776",
75039
76721
  "CVE-2025-27915",
@@ -75548,6 +77230,7 @@
75548
77230
  "CVE-2024-24590",
75549
77231
  "CVE-2024-24591",
75550
77232
  "CVE-2024-27132",
77233
+ "CVE-2024-2912",
75551
77234
  "CVE-2024-3094",
75552
77235
  "CVE-2024-3154",
75553
77236
  "CVE-2024-37032",
@@ -75565,6 +77248,7 @@
75565
77248
  "CVE-2025-1753",
75566
77249
  "CVE-2025-23254",
75567
77250
  "CVE-2025-23266",
77251
+ "CVE-2025-27520",
75568
77252
  "CVE-2025-30165",
75569
77253
  "CVE-2025-30202",
75570
77254
  "CVE-2025-32434",
@@ -75915,11 +77599,15 @@
75915
77599
  "CVE-2024-12366",
75916
77600
  "CVE-2024-24590",
75917
77601
  "CVE-2024-24591",
77602
+ "CVE-2024-2912",
75918
77603
  "CVE-2024-3094",
75919
77604
  "CVE-2024-3154",
77605
+ "CVE-2024-37052",
77606
+ "CVE-2024-37060",
75920
77607
  "CVE-2024-5565",
75921
77608
  "CVE-2025-0133",
75922
77609
  "CVE-2025-1094",
77610
+ "CVE-2025-27520",
75923
77611
  "CVE-2025-3248",
75924
77612
  "CVE-2025-49844",
75925
77613
  "CVE-2025-53773",
@@ -76206,10 +77894,14 @@
76206
77894
  "CVE-2024-12366",
76207
77895
  "CVE-2024-24590",
76208
77896
  "CVE-2024-24591",
77897
+ "CVE-2024-2912",
76209
77898
  "CVE-2024-3094",
77899
+ "CVE-2024-37052",
77900
+ "CVE-2024-37060",
76210
77901
  "CVE-2024-5565",
76211
77902
  "CVE-2025-0133",
76212
77903
  "CVE-2025-1094",
77904
+ "CVE-2025-27520",
76213
77905
  "CVE-2025-3248",
76214
77906
  "CVE-2025-53773",
76215
77907
  "CVE-2025-6965",
@@ -76542,9 +78234,12 @@
76542
78234
  "CVE-2024-24590",
76543
78235
  "CVE-2024-24591",
76544
78236
  "CVE-2024-27132",
78237
+ "CVE-2024-2912",
76545
78238
  "CVE-2024-3094",
76546
78239
  "CVE-2024-3154",
76547
78240
  "CVE-2024-37032",
78241
+ "CVE-2024-37052",
78242
+ "CVE-2024-37060",
76548
78243
  "CVE-2024-39722",
76549
78244
  "CVE-2024-42478",
76550
78245
  "CVE-2024-42479",
@@ -76560,6 +78255,7 @@
76560
78255
  "CVE-2025-1753",
76561
78256
  "CVE-2025-23254",
76562
78257
  "CVE-2025-23266",
78258
+ "CVE-2025-27520",
76563
78259
  "CVE-2025-30165",
76564
78260
  "CVE-2025-30202",
76565
78261
  "CVE-2025-32434",
@@ -76894,7 +78590,10 @@
76894
78590
  "CVE-2024-24590",
76895
78591
  "CVE-2024-24591",
76896
78592
  "CVE-2024-27132",
78593
+ "CVE-2024-2912",
76897
78594
  "CVE-2024-37032",
78595
+ "CVE-2024-37052",
78596
+ "CVE-2024-37060",
76898
78597
  "CVE-2024-39722",
76899
78598
  "CVE-2024-42478",
76900
78599
  "CVE-2024-42479",
@@ -76909,6 +78608,7 @@
76909
78608
  "CVE-2025-1753",
76910
78609
  "CVE-2025-23254",
76911
78610
  "CVE-2025-23266",
78611
+ "CVE-2025-27520",
76912
78612
  "CVE-2025-30165",
76913
78613
  "CVE-2025-30202",
76914
78614
  "CVE-2025-32434",
@@ -77107,11 +78807,15 @@
77107
78807
  "CVE-2024-12366",
77108
78808
  "CVE-2024-24590",
77109
78809
  "CVE-2024-24591",
78810
+ "CVE-2024-2912",
77110
78811
  "CVE-2024-3094",
77111
78812
  "CVE-2024-3154",
78813
+ "CVE-2024-37052",
78814
+ "CVE-2024-37060",
77112
78815
  "CVE-2024-5565",
77113
78816
  "CVE-2025-0133",
77114
78817
  "CVE-2025-1094",
78818
+ "CVE-2025-27520",
77115
78819
  "CVE-2025-3248",
77116
78820
  "CVE-2025-49844",
77117
78821
  "CVE-2025-53773",
@@ -77843,9 +79547,12 @@
77843
79547
  "CVE-2024-24590",
77844
79548
  "CVE-2024-24591",
77845
79549
  "CVE-2024-27132",
79550
+ "CVE-2024-2912",
77846
79551
  "CVE-2024-3094",
77847
79552
  "CVE-2024-3154",
77848
79553
  "CVE-2024-37032",
79554
+ "CVE-2024-37052",
79555
+ "CVE-2024-37060",
77849
79556
  "CVE-2024-39722",
77850
79557
  "CVE-2024-42478",
77851
79558
  "CVE-2024-42479",
@@ -77861,6 +79568,7 @@
77861
79568
  "CVE-2025-1753",
77862
79569
  "CVE-2025-23254",
77863
79570
  "CVE-2025-23266",
79571
+ "CVE-2025-27520",
77864
79572
  "CVE-2025-30165",
77865
79573
  "CVE-2025-30202",
77866
79574
  "CVE-2025-32434",
@@ -78181,8 +79889,11 @@
78181
79889
  "CVE-2024-24590",
78182
79890
  "CVE-2024-24591",
78183
79891
  "CVE-2024-27132",
79892
+ "CVE-2024-2912",
78184
79893
  "CVE-2024-3094",
78185
79894
  "CVE-2024-37032",
79895
+ "CVE-2024-37052",
79896
+ "CVE-2024-37060",
78186
79897
  "CVE-2024-39722",
78187
79898
  "CVE-2024-40635",
78188
79899
  "CVE-2024-42478",
@@ -78200,6 +79911,7 @@
78200
79911
  "CVE-2025-22226",
78201
79912
  "CVE-2025-23254",
78202
79913
  "CVE-2025-23266",
79914
+ "CVE-2025-27520",
78203
79915
  "CVE-2025-30165",
78204
79916
  "CVE-2025-30202",
78205
79917
  "CVE-2025-32434",