@blamejs/exceptd-skills 0.13.108 → 0.13.110

package/data/atlas-ttps.json

@@ -160,6 +160,7 @@
       "CVE-2025-8747",
       "CVE-2026-22778",
       "CVE-2026-30615",
+      "CVE-2026-31229",
       "CVE-2026-39987",
       "CVE-2026-45321",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -1296,6 +1297,7 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-8747",
+      "CVE-2026-31229",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
     ],
     "description_full": "An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.",
@@ -1738,6 +1740,8 @@
     "cve_refs": [
       "CVE-2022-36551",
       "CVE-2023-43654",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6019",
@@ -1769,6 +1773,7 @@
       "CVE-2026-24214",
       "CVE-2026-24215",
       "CVE-2026-26190",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-45829"
@@ -2871,6 +2876,7 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-8747",
+      "CVE-2026-31229",
       "CVE-2026-45829"
     ]
   },

package/data/attack-techniques.json

@@ -331,6 +331,8 @@
       "CVE-2026-30623",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-32202",
       "CVE-2026-33017",
       "CVE-2026-34159",
@@ -388,6 +390,7 @@
       "CVE-2024-5565",
       "CVE-2025-3248",
       "CVE-2025-49844",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "MAL-2026-3083"
     ],
@@ -521,6 +524,7 @@
       "CVE-2020-24363",
       "CVE-2021-32030",
       "CVE-2023-27351",
+      "CVE-2023-43791",
       "CVE-2023-50224",
       "CVE-2024-1709",
       "CVE-2024-54085",
@@ -878,6 +882,8 @@
       "CVE-2023-3519",
       "CVE-2023-39780",
       "CVE-2023-43654",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-52163",
@@ -1159,6 +1165,7 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-8747",
+      "CVE-2026-31229",
       "CVE-2026-45321",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
@@ -1255,6 +1262,7 @@
     "name": "Exploitation for Credential Access",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-43791",
       "CVE-2025-14174"
     ],
     "description_full": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack) Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.",
@@ -1543,6 +1551,7 @@
     "name": "Unsecured Credentials",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-47117",
       "CVE-2025-68664",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER"
@@ -4354,7 +4363,8 @@
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
-      "CVE-2025-8747"
+      "CVE-2025-8747",
+      "CVE-2026-31229"
     ]
   },
   "T1205": {

package/data/cve-catalog.json

@@ -17090,6 +17090,408 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Label Studio's Data Import fetches user-supplied URLs without restriction (self-registration on by default), letting a remote attacker read files / reach internal services via the server (CWE-918 SSRF); fixed in 1.6.0."
   },
+  "CVE-2023-47117": {
+    "name": "Label Studio ORM Filter Manipulation Sensitive-Field Disclosure",
+    "type": "Information Disclosure",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "GitHub (CNA) CVSS v3.1 base 7.5 (HIGH, confidentiality-only); NVD has not published its own assessed score. Label Studio lets users set task filters that are passed into a Django ORM query without restriction, so an attacker manipulates the filter to read sensitive fields (including password hashes and tokens) from all user accounts (CWE-200 information exposure).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-6hjj-gq77-j4qw); manipulate the task filter to read password hashes/tokens from all accounts.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-6hjj-gq77-j4qw). The abused surface is Label Studio, a widely used data-labeling / annotation platform in ML pipelines.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is broken object-level authorization / sensitive-field exposure in an ML data-platform API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Label Studio before 1.9.2post0.",
+    "affected_versions": [
+      "Label Studio < 1.9.2post0"
+    ],
+    "vector": "Label Studio's task-filter feature passes user-controlled filter expressions into a Django ORM query without restricting which fields can be referenced. An attacker crafts a filter that selects sensitive columns (password hashes, auth tokens) across all user accounts and reads them back - a sensitive-field exposure via ORM manipulation (CWE-200) that supplies the material to forge sessions and impersonate users.",
+    "complexity": "low",
+    "complexity_notes": "GitHub CNA AV:N / AC:L / PR:N - unauthenticated field disclosure.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.9.2post0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Label Studio to 1.9.2post0 or later. Enforce object-level authorization and serializer field allowlists on the API (never let user-controlled filters or responses expose secrets, tokens, or other users' fields), and rotate any exposed session-signing secrets / credentials."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not constrain which records/fields a user can read - a user-controlled ORM filter reads other accounts' sensitive fields.",
+      "NIST-800-53-SC-28": "Protection of information at rest is insufficient: sensitive fields (password hashes, tokens) are readable through the API and directly usable once leaked.",
+      "ISO-27001-2022-A.5.15": "Access control does not enforce object-level authorization on the ML data-platform API.",
+      "NIS2-Art21-identity-management": "Identity/access measures do not prevent API-level sensitive-field exposure from enabling account impersonation.",
+      "DORA-Art-9": "ICT protection measures do not model API sensitive-field exposure / account takeover of an ML platform as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for object-level authorization on AI data-platform APIs.",
+      "UK-CAF-B4": "System Security objective has no objective for serializer field allowlisting / ORM-filter restriction in ML platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out ML data-labeling platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML data-platform API's object-level authorization and sensitive-field exposure as integrity controls whose failure yields account takeover."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1552"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 23, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=18, minus patch_available 15. This is the first half of a Label Studio privilege-escalation chain - the ORM sensitive-field leak (CVE-2023-47117) supplies the material the impersonation flaw (CVE-2023-43791) replays.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-47117",
+    "cwe_refs": [
+      "CWE-200"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Label Studio task-filter requests referencing sensitive columns (password hashes, tokens) or other users' fields.",
+        "API responses returning sensitive fields from accounts other than the requester's.",
+        "Label Studio < 1.9.2post0 with the task-filter API reachable - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-6hjj-gq77-j4qw) and NVD CVE-2023-47117 (CWE-200)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-47117",
+      "https://github.com/advisories/GHSA-6hjj-gq77-j4qw"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-47117",
+        "url": "https://github.com/advisories/GHSA-6hjj-gq77-j4qw",
+        "severity": "high",
+        "published_date": "2023-11-14"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-47117",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47117",
+        "severity": "high",
+        "published_date": "2023-11-14"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-6hjj-gq77-j4qw, CWE-200) + NVD (CVSS v3.1 7.5). Label Studio privilege-escalation chain (47117 ORM leak -> 43791 impersonation); introduces the AI-app API object-authorization / field-exposure control NEW-CTRL-106.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Label Studio's task-filter feature passes user input into a Django ORM query unrestricted, leaking sensitive fields (password hashes, tokens) from all accounts (CWE-200); fixed in 1.9.2post0."
+  },
+  "CVE-2023-43791": {
+    "name": "Label Studio Account Impersonation and Privilege Escalation",
+    "type": "Privilege Escalation",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 8.8 (HIGH, PR:L); the GitHub (CNA) advisory rates it 9.8 (CRITICAL, PR:N). Label Studio exposes information that lets an attacker impersonate any account and escalate from a low-privilege user to a Django super administrator - chained with the ORM sensitive-field leak (CVE-2023-47117), the exposed secrets/tokens are used to forge authenticated sessions (CWE-200).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-f475-x83m-rx5m); chain the ORM leak to forge a session and impersonate / escalate to superadmin.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-f475-x83m-rx5m). The abused surface is Label Studio, a widely used data-labeling / annotation platform in ML pipelines.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is broken object-level authorization / sensitive-field exposure in an ML data-platform API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Label Studio before 1.8.2.",
+    "affected_versions": [
+      "Label Studio < 1.8.2"
+    ],
+    "vector": "Label Studio exposes sensitive information that, chained with the ORM sensitive-field leak (CVE-2023-47117), lets an attacker impersonate any account and escalate from a low-privilege user to a Django super administrator. The leaked secrets/tokens are used to forge authenticated sessions and take over accounts (CWE-200 leading to broken object-level authorization).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L (GitHub CNA marks PR:N) - a low-privilege account suffices, and the chain reaches Django superadmin.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.8.2 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Label Studio to 1.8.2 or later. Enforce object-level authorization and serializer field allowlists on the API (never let user-controlled filters or responses expose secrets, tokens, or other users' fields), and rotate any exposed session-signing secrets / credentials."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not constrain which records/fields a user can read - leaked material is replayed to impersonate any account.",
+      "NIST-800-53-SC-28": "Protection of information at rest is insufficient: sensitive fields (password hashes, tokens) are readable through the API and directly usable once leaked.",
+      "ISO-27001-2022-A.5.15": "Access control does not enforce object-level authorization on the ML data-platform API.",
+      "NIS2-Art21-identity-management": "Identity/access measures do not prevent API-level sensitive-field exposure from enabling account impersonation.",
+      "DORA-Art-9": "ICT protection measures do not model API sensitive-field exposure / account takeover of an ML platform as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for object-level authorization on AI data-platform APIs.",
+      "UK-CAF-B4": "System Security objective has no objective for serializer field allowlisting / ORM-filter restriction in ML platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out ML data-labeling platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML data-platform API's object-level authorization and sensitive-field exposure as integrity controls whose failure yields account takeover."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078",
+      "T1212"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=24, minus patch_available 15. This is the second half of a Label Studio privilege-escalation chain - the ORM sensitive-field leak (CVE-2023-47117) supplies the material the impersonation flaw (CVE-2023-43791) replays.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-43791",
+    "cwe_refs": [
+      "CWE-200"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Authenticated sessions in Label Studio minted/used for accounts the requester should not control, or sudden escalation to Django superadmin.",
+        "Use of leaked password hashes / tokens to forge or replay Label Studio sessions.",
+        "Label Studio < 1.8.2 reachable by a low-privilege user - the exposed precondition for the privesc chain."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-f475-x83m-rx5m) and NVD CVE-2023-43791 (CWE-200)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-43791",
+      "https://github.com/advisories/GHSA-f475-x83m-rx5m"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-43791",
+        "url": "https://github.com/advisories/GHSA-f475-x83m-rx5m",
+        "severity": "critical",
+        "published_date": "2023-11-09"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-43791",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43791",
+        "severity": "high",
+        "published_date": "2023-11-09"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-f475-x83m-rx5m, CWE-200) + NVD (CVSS v3.1 8.8; GitHub CNA 9.8). Label Studio privilege-escalation chain (47117 ORM leak -> 43791 impersonation); introduces the AI-app API object-authorization / field-exposure control NEW-CTRL-106.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Label Studio exposes information enabling account impersonation and escalation to Django superadmin (chained with the ORM leak CVE-2023-47117); CWE-200, fixed in 1.8.2."
+  },
+  "CVE-2026-31229": {
+    "name": "Adversarial Robustness Toolbox torch.load Model Deserialization RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 9.8 (CRITICAL); NVD has not yet published its own assessment. ART's Kubeflow model-loading component calls torch.load() WITHOUT weights_only=True, so loading a maliciously crafted model file runs arbitrary code through unsafe object-deserialization (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory; load a crafted PyTorch model through ART's Kubeflow component to run code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory / CISA-ADP. The abused surface is the Adversarial Robustness Toolbox (ART), the Trusted-AI / LF AI library used to defend ML models against adversarial attacks - a defensive-ML tool with an offensive flaw.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsafe model deserialization in a defensive-ML library.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure (May 2026) with a documented attack; no confirmed in-the-wild exploitation reported as of curation. No patched version is published (the advisory records 'Patched versions: Unknown'), so exposed usage remains vulnerable.",
+    "affected": "Adversarial Robustness Toolbox (ART) through 1.20.1.",
+    "affected_versions": [
+      "adversarial-robustness-toolbox <= 1.20.1"
+    ],
+    "vector": "The Adversarial Robustness Toolbox (ART) - the Trusted-AI library used to defend ML models against adversarial attacks - loads models in its Kubeflow component via torch.load() without the security-restrictive weights_only=True parameter. A maliciously crafted model file therefore runs arbitrary code on load through unsafe object-deserialization (CWE-502) - the same torch.load weights_only gap as CVE-2025-32434, here in the defensive-ML library itself.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N / UI:N - loading a crafted model runs code.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patched ART version is published as of curation (the GitHub advisory records 'Patched versions: Unknown'). Mitigation is loading models only from trusted sources, sandboxing model loading, and using weights_only=True / safe formats (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ART release is published. Load models only from trusted sources, verify provenance, sandbox model loading, and prefer safe-load (weights_only=True) / safetensors; treat every model file as executable code."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw remediation cannot resolve this by patching yet (no fix published); the control is model-artifact provenance + sandboxing.",
+      "NIST-800-53-SI-10": "No input validation distinguishes a benign model from a deserialization payload before ART loads it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: ART deserializes model files through an unsafe loader by default.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address loading untrusted model artifacts as host code in an ML security library.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not treat the defensive-ML library (ART) as a channel that delivers executable model artifacts.",
+      "DORA-Art-9": "ICT protection measures do not model code execution via an ML security library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for model-artifact provenance / sandboxed loading in ML libraries.",
+      "AU-ISM-1546": "Patch-application control does not address a flaw with no published patch.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the adversarial-robustness library's model-loading path as a privileged code-execution surface."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 46,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 46, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no patched version published so no patch credit (Hard Rule #3). poc_available=20 + blast_radius=26. The defensive-ML library ART itself carries a code-execution flaw - model-as-code.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-31229",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ART loading a PyTorch model whose payload contains a deserialization gadget rather than plain weights.",
+        "The ART process spawning shell, network, or file-system child processes during model loading.",
+        "ART <= 1.20.1 loading PyTorch models from an untrusted source via the Kubeflow component - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory / CISA-ADP record for CVE-2026-31229 (CWE-502) and NVD."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-31229",
+      "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-31229",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31229",
+        "severity": "critical",
+        "published_date": "2026-05-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD / CISA-ADP (CWE-502; CISA-ADP CVSS v3.1 9.8, NVD assessment pending) + the GitHub Security Advisory. Adversarial Robustness Toolbox (ART) flaw; reuses the untrusted-model-artifact-loading control NEW-CTRL-091 - a model file is executable code, the class shared with Keras / Hugging Face / NeMo / PyTorch / H2O / MLflow.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ART's Kubeflow model loader calls torch.load() without weights_only=True, so a malicious model file runs code on load (CWE-502); no fix published - treat models as untrusted code."
+  },
+  "CVE-2026-31230": {
+    "name": "Adversarial Robustness Toolbox CLI Argument Dynamic-Evaluation Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 9.8 (CRITICAL); NVD has not yet published its own assessment. ART's Kubeflow component parses the --clip_values and --input_shape command-line arguments through an unsafe dynamic-evaluation call, so attacker-controlled argument values execute arbitrary Python (CWE-88 argument-delimiter injection / code injection).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory; supply a crafted --clip_values / --input_shape value to ART's Kubeflow CLI to run code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory / CISA-ADP. The abused surface is the Adversarial Robustness Toolbox (ART), the Trusted-AI / LF AI library used to defend ML models against adversarial attacks - a defensive-ML tool with an offensive flaw.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsafe dynamic-evaluation of CLI arguments in a defensive-ML library.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure (May 2026) with a documented attack; no confirmed in-the-wild exploitation reported as of curation. No patched version is published (the advisory records 'Patched versions: Unknown'), so exposed usage remains vulnerable.",
+    "affected": "Adversarial Robustness Toolbox (ART) through 1.20.1.",
+    "affected_versions": [
+      "adversarial-robustness-toolbox <= 1.20.1"
+    ],
+    "vector": "ART's Kubeflow component parses the --clip_values and --input_shape command-line arguments by passing their string values into an unsafe dynamic-evaluation call rather than a safe literal parser. An attacker who controls those argument values executes arbitrary Python (CWE-88) - the same build-a-command-from-arguments root cause as the LlamaIndex CLI injection, here in the defensive-ML toolkit.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N / UI:N - controlling the CLI argument value runs code.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patched ART version is published as of curation (the GitHub advisory records 'Patched versions: Unknown'). Mitigation is never passing untrusted values to the affected CLI arguments and using a safe literal parser (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ART release is published. Do not pass untrusted values to ART's --clip_values / --input_shape arguments; the fix is to parse them with a safe literal parser (e.g. ast.literal_eval) rather than a dynamic-evaluation call."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw remediation cannot resolve this by patching yet (no fix published); the control is safe argument parsing.",
+      "NIST-800-53-SI-10": "No input validation distinguishes a safe CLI argument value from injected code before ART evaluates it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: ART evaluates CLI argument strings through a dynamic-evaluation call.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address dynamic evaluation of CLI argument strings in an ML security library.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not treat the defensive-ML library (ART) as a channel that executes attacker-influenced arguments.",
+      "DORA-Art-9": "ICT protection measures do not model code execution via an ML security library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for safe CLI argument parsing in ML libraries.",
+      "AU-ISM-1546": "Patch-application control does not address a flaw with no published patch.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the adversarial-robustness library's CLI argument parsing as a privileged code-execution surface."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no patched version published so no patch credit (Hard Rule #3). poc_available=20 + blast_radius=22. The defensive-ML library ART itself carries a code-execution flaw - unsafe CLI eval.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-31230",
+    "cwe_refs": [
+      "CWE-88"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ART invoked with --clip_values / --input_shape values containing Python expressions or code rather than numeric literals.",
+        "The ART process spawning shell, network, or file-system child processes during argument parsing.",
+        "ART <= 1.20.1 invoked with attacker-influenced --clip_values / --input_shape arguments - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory / CISA-ADP record for CVE-2026-31230 (CWE-88) and NVD."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-31230",
+      "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-31230",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31230",
+        "severity": "critical",
+        "published_date": "2026-05-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD / CISA-ADP (CWE-88; CISA-ADP CVSS v3.1 9.8, NVD assessment pending) + the GitHub Security Advisory. Adversarial Robustness Toolbox (ART) flaw; reuses the AI-framework CLI input-neutralization control NEW-CTRL-100 - an AI framework's CLI must parse argument values with a safe literal parser, not a dynamic-evaluation call, the class shared with the LlamaIndex CLI entry.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ART's Kubeflow component passes the --clip_values / --input_shape CLI arguments into an unsafe dynamic-evaluation call, executing arbitrary Python (CWE-88); no fix published - use a safe literal parser."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -299,6 +299,7 @@
       "CVE-2016-10033",
       "CVE-2026-24061",
       "CVE-2026-30623",
+      "CVE-2026-31230",
       "CVE-2026-39884"
     ],
     "framework_controls_partially_addressing": [
@@ -521,6 +522,8 @@
       "webapp-security"
     ],
     "evidence_cves": [
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2024-40635",
       "CVE-2025-31125",
       "CVE-2026-20133",
@@ -1361,7 +1364,8 @@
       "CVE-2025-68664",
       "CVE-2025-8747",
       "CVE-2026-20131",
-      "CVE-2026-20963"
+      "CVE-2026-20963",
+      "CVE-2026-31229"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",