@blamejs/exceptd-skills 0.13.106 → 0.13.107

package/data/atlas-ttps.json

@@ -152,6 +152,8 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -1288,6 +1290,8 @@
       "CVE-2024-11394",
       "CVE-2024-21513",
       "CVE-2024-24590",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -2859,6 +2863,8 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-24590",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",

package/data/attack-techniques.json

@@ -290,6 +290,8 @@
       "CVE-2024-24590",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
@@ -1149,6 +1151,8 @@
       "CVE-2024-11394",
       "CVE-2024-24590",
       "CVE-2024-3094",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -4339,6 +4343,8 @@
       "CVE-2024-11394",
       "CVE-2024-24590",
       "CVE-2024-24591",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",

package/data/cve-catalog.json

@@ -16672,6 +16672,218 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "BentoML's serde.py deserializes attacker-supplied serialized objects from requests without validation, giving unauthenticated RCE (CWE-502); fixed in 1.4.3 - the deserialization-RCE class recurred after the 1.2.5 fix."
   },
+  "CVE-2024-37052": {
+    "name": "MLflow scikit-learn Model Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "HiddenLayer (CNA) CVSS v3.1 base 8.8 (HIGH); NVD has not published its own assessed score. A maliciously crafted scikit-learn model stored in MLflow runs arbitrary code when a user loads/interacts with it, because the model object is reconstructed through unsafe deserialization (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "HiddenLayer published the analysis: a scikit-learn model stored in MLflow runs code when a user loads/runs it.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by HiddenLayer (https://github.com/advisories/GHSA-76cg-cfhx-373f). The abused surface is MLflow, a widely used MLOps / model-registry platform - one of the Protect AI / HiddenLayer model-flavor deserialization findings.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is that an MLflow scikit-learn model is executable code reconstructed through unsafe deserialization when loaded.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a documented attack chain; no confirmed in-the-wild exploitation reported as of curation. No patched MLflow version is published (loading an untrusted model is inherently unsafe), so exposure persists when untrusted models/recipes are loaded.",
+    "affected": "MLflow 1.1.0 through 2.14.1.",
+    "affected_versions": [
+      "MLflow >= 1.1.0, <= 2.14.1"
+    ],
+    "vector": "MLflow stores and loads ML models and Recipes by flavor. A scikit-learn model is reconstructed through an unsafe deserialization path, so loading or running it executes embedded attacker code on the user's system (CWE-502). The model artifact IS executable code. Disclosed by HiddenLayer as part of the MLflow model-flavor deserialization set.",
+    "complexity": "low",
+    "complexity_notes": "HiddenLayer (CNA) AV:N / AC:L / PR:N / UI:R - network-delivered via an uploaded model/recipe, but requires the victim to load/run it (UI:R).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patched MLflow version is published (the GitHub advisory records 'Patched versions: None'); loading an untrusted model artifact is inherently code execution. Mitigation is provenance verification + sandboxing (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed MLflow version is published. Only load models and Recipes from trusted sources, verify artifact provenance, run model loading in a sandboxed/least-privilege environment, and prefer safe serialization formats; treat every MLflow model artifact as executable code."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw remediation cannot resolve this by patching - loading an untrusted model is inherently code execution; the control must be artifact provenance + sandboxing.",
+      "NIST-800-53-SI-10": "No input validation distinguishes a benign model artifact from one carrying a deserialization payload before MLflow loads it.",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat MLflow model artifacts / Recipes as untrusted third-party executable content.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address loading an untrusted model artifact as host code.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not reach the MLflow model registry as a channel that delivers executable model artifacts.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted model-artifact loading as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for verifying model-artifact provenance before loading.",
+      "AU-ISM-1546": "Patch-application control does not address a flaw with no patch - the model format is inherently executable.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLflow model artifact / Recipe as untrusted executable code requiring provenance verification and sandboxed loading."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no patched version exists so no patch credit (Hard Rule #3) - this is a model-artifact-as-code flaw that no patch can close, only provenance + sandboxing. The UI:R requirement (victim must load the model) keeps blast moderate. poc_available=20 + blast_radius=22.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-37052",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "MLflow scikit-learn model artifacts whose stored payload contains a deserialization gadget rather than a plain model.",
+        "The MLflow process or client spawning shell, network, or file-system child processes when a model/recipe is loaded or run.",
+        "MLflow 1.1.0-2.14.1 loading scikit-learn models from an untrusted registry/run - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the HiddenLayer disclosure / GitHub advisory (https://github.com/advisories/GHSA-76cg-cfhx-373f) and NVD CVE-2024-37052 (CWE-502)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-37052",
+      "https://github.com/advisories/GHSA-76cg-cfhx-373f"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-37052",
+        "url": "https://github.com/advisories/GHSA-76cg-cfhx-373f",
+        "severity": "high",
+        "published_date": "2024-06-04"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-37052",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37052",
+        "severity": "high",
+        "published_date": "2024-06-04"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the HiddenLayer / GitHub Security Advisory (https://github.com/advisories/GHSA-76cg-cfhx-373f, CWE-502) + HiddenLayer (CNA, CVSS v3.1 8.8); NVD has not published its own score. MLflow model-flavor deserialization (Protect AI / HiddenLayer set); reuses the untrusted-model-artifact-loading control NEW-CTRL-091 - a model artifact is executable code, the class shared with Keras / Hugging Face / NeMo / PyTorch / H2O.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "A malicious scikit-learn model in MLflow runs code when loaded (CWE-502 unsafe deserialization); no patched version - treat MLflow models as untrusted code."
+  },
+  "CVE-2024-37060": {
+    "name": "MLflow Recipe Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "HiddenLayer (CNA) CVSS v3.1 base 8.8 (HIGH); NVD has not published its own assessed score. A maliciously crafted MLflow Recipe runs arbitrary code when executed, because it is reconstructed through unsafe deserialization (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "HiddenLayer published the analysis: a malicious MLflow Recipe stored in MLflow runs code when a user loads/runs it.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by HiddenLayer (https://github.com/advisories/GHSA-cv6c-7963-wxcg). The abused surface is MLflow, a widely used MLOps / model-registry platform - one of the Protect AI / HiddenLayer model-flavor deserialization findings.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is that an MLflow Recipe is executable code reconstructed through unsafe deserialization when loaded.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a documented attack chain; no confirmed in-the-wild exploitation reported as of curation. No patched MLflow version is published (loading an untrusted model is inherently unsafe), so exposure persists when untrusted models/recipes are loaded.",
+    "affected": "MLflow 1.27.0 through 2.14.1.",
+    "affected_versions": [
+      "MLflow >= 1.27.0, <= 2.14.1"
+    ],
+    "vector": "MLflow stores and loads ML models and Recipes by flavor. A malicious MLflow Recipe is reconstructed through an unsafe deserialization path, so loading or running it executes embedded attacker code on the user's system (CWE-502). The model artifact IS executable code. Disclosed by HiddenLayer as part of the MLflow model-flavor deserialization set.",
+    "complexity": "low",
+    "complexity_notes": "HiddenLayer (CNA) AV:N / AC:L / PR:N / UI:R - network-delivered via an uploaded model/recipe, but requires the victim to load/run it (UI:R).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patched MLflow version is published (the GitHub advisory records 'Patched versions: None'); loading an untrusted model artifact is inherently code execution. Mitigation is provenance verification + sandboxing (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed MLflow version is published. Only load models and Recipes from trusted sources, verify artifact provenance, run model loading in a sandboxed/least-privilege environment, and prefer safe serialization formats; treat every MLflow model artifact as executable code."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw remediation cannot resolve this by patching - loading an untrusted model is inherently code execution; the control must be artifact provenance + sandboxing.",
+      "NIST-800-53-SI-10": "No input validation distinguishes a benign model artifact from one carrying a deserialization payload before MLflow loads it.",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat MLflow model artifacts / Recipes as untrusted third-party executable content.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address loading an untrusted model artifact as host code.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not reach the MLflow model registry as a channel that delivers executable model artifacts.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted model-artifact loading as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for verifying model-artifact provenance before loading.",
+      "AU-ISM-1546": "Patch-application control does not address a flaw with no patch - the model format is inherently executable.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLflow model artifact / Recipe as untrusted executable code requiring provenance verification and sandboxed loading."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no patched version exists so no patch credit (Hard Rule #3) - this is a model-artifact-as-code flaw that no patch can close, only provenance + sandboxing. The UI:R requirement (victim must load the model) keeps blast moderate. poc_available=20 + blast_radius=22.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-37060",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "MLflow Recipe artifacts whose stored payload contains a deserialization gadget rather than a plain model.",
+        "The MLflow process or client spawning shell, network, or file-system child processes when a model/recipe is loaded or run.",
+        "MLflow 1.27.0-2.14.1 running Recipes from an untrusted source - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the HiddenLayer disclosure / GitHub advisory (https://github.com/advisories/GHSA-cv6c-7963-wxcg) and NVD CVE-2024-37060 (CWE-502)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-37060",
+      "https://github.com/advisories/GHSA-cv6c-7963-wxcg"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-37060",
+        "url": "https://github.com/advisories/GHSA-cv6c-7963-wxcg",
+        "severity": "high",
+        "published_date": "2024-06-04"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-37060",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37060",
+        "severity": "high",
+        "published_date": "2024-06-04"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the HiddenLayer / GitHub Security Advisory (https://github.com/advisories/GHSA-cv6c-7963-wxcg, CWE-502) + HiddenLayer (CNA, CVSS v3.1 8.8); NVD has not published its own score. MLflow model-flavor deserialization (Protect AI / HiddenLayer set); reuses the untrusted-model-artifact-loading control NEW-CTRL-091 - a model artifact is executable code, the class shared with Keras / Hugging Face / NeMo / PyTorch / H2O.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "A malicious MLflow Recipe runs code when executed (CWE-502 unsafe deserialization); no patched version - treat MLflow artifacts as untrusted code."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -1338,6 +1338,8 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-24590",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",

package/data/framework-control-gaps.json

@@ -57,6 +57,8 @@
       "CVE-2024-27132",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -1276,6 +1278,8 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-2912",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
@@ -2352,6 +2356,8 @@
       "CVE-2024-27132",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-50050",
       "CVE-2024-5565",
@@ -2534,6 +2540,8 @@
       "CVE-2024-27199",
       "CVE-2024-27443",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-37079",
       "CVE-2024-39722",
       "CVE-2024-42009",
@@ -2857,6 +2865,8 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-3094",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [
@@ -5067,6 +5077,8 @@
       "CVE-2024-27132",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -5634,6 +5646,8 @@
       "CVE-2024-27132",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -5736,6 +5750,8 @@
       "CVE-2024-27132",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -5855,6 +5871,8 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-3154",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",

package/data/zeroday-lessons.json

@@ -4511,6 +4511,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-37052": {
+    "name": "MLflow scikit-learn Model Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "A maliciously crafted scikit-learn model stored in MLflow (1.1.0-2.14.1) runs arbitrary code when a user loads or interacts with it, because the model object is reconstructed through unsafe deserialization.",
+      "privileges_required": "low-to-none (upload to a registry the victim uses; victim must load/run the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is MLflow, an MLOps / model-registry platform. The lesson: an MLflow model artifact or Recipe is executable code - loading an untrusted one is code execution, so there is no patch, only provenance verification and sandboxed loading. One of the Protect AI / HiddenLayer model-flavor deserialization findings."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation cannot patch this - loading an untrusted model is inherently code execution; the control is artifact provenance + sandboxing."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a benign model artifact from a deserialization payload before MLflow loads it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLflow model artifact / Recipe as untrusted executable code requiring provenance verification and sandboxed loading."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "MLflow model registries are shared across teams on trusted-collaborator assumptions; model artifacts are loaded without provenance verification or sandboxing, and no patch exists because the format is inherently executable.",
+      "theater_pattern": "untrusted_model_artifact_as_code"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-37060": {
+    "name": "MLflow Recipe Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "A maliciously crafted MLflow Recipe (1.27.0-2.14.1) runs arbitrary code when executed, because it is reconstructed through unsafe deserialization.",
+      "privileges_required": "low-to-none (upload to a registry the victim uses; victim must load/run the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is MLflow, an MLOps / model-registry platform. The lesson: an MLflow model artifact or Recipe is executable code - loading an untrusted one is code execution, so there is no patch, only provenance verification and sandboxed loading. One of the Protect AI / HiddenLayer model-flavor deserialization findings."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation cannot patch this - loading an untrusted model is inherently code execution; the control is artifact provenance + sandboxing."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a benign model artifact from a deserialization payload before MLflow loads it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLflow model artifact / Recipe as untrusted executable code requiring provenance verification and sandboxed loading."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "MLflow model registries are shared across teams on trusted-collaborator assumptions; model artifacts are loaded without provenance verification or sandboxing, and no patch exists because the format is inherently executable.",
+      "theater_pattern": "untrusted_model_artifact_as_code"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-27520": {
     "name": "BentoML serde.py Insecure Deserialization Unauthenticated Remote Code Execution",
     "lesson_date": "2026-05-25",