@blamejs/exceptd-skills 0.13.109 → 0.13.110

package/data/atlas-ttps.json

@@ -160,6 +160,7 @@
       "CVE-2025-8747",
       "CVE-2026-22778",
       "CVE-2026-30615",
+      "CVE-2026-31229",
       "CVE-2026-39987",
       "CVE-2026-45321",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -1296,6 +1297,7 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-8747",
+      "CVE-2026-31229",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
     ],
     "description_full": "An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.",
@@ -1771,6 +1773,7 @@
       "CVE-2026-24214",
       "CVE-2026-24215",
       "CVE-2026-26190",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-45829"
@@ -2873,6 +2876,7 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-8747",
+      "CVE-2026-31229",
       "CVE-2026-45829"
     ]
   },

package/data/attack-techniques.json

@@ -331,6 +331,8 @@
       "CVE-2026-30623",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-32202",
       "CVE-2026-33017",
       "CVE-2026-34159",
@@ -388,6 +390,7 @@
       "CVE-2024-5565",
       "CVE-2025-3248",
       "CVE-2025-49844",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "MAL-2026-3083"
     ],
@@ -1162,6 +1165,7 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-8747",
+      "CVE-2026-31229",
       "CVE-2026-45321",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
@@ -4359,7 +4363,8 @@
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
-      "CVE-2025-8747"
+      "CVE-2025-8747",
+      "CVE-2026-31229"
     ]
   },
   "T1205": {

package/data/cve-catalog.json

@@ -17297,6 +17297,201 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Label Studio exposes information enabling account impersonation and escalation to Django superadmin (chained with the ORM leak CVE-2023-47117); CWE-200, fixed in 1.8.2."
   },
+  "CVE-2026-31229": {
+    "name": "Adversarial Robustness Toolbox torch.load Model Deserialization RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 9.8 (CRITICAL); NVD has not yet published its own assessment. ART's Kubeflow model-loading component calls torch.load() WITHOUT weights_only=True, so loading a maliciously crafted model file runs arbitrary code through unsafe object-deserialization (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory; load a crafted PyTorch model through ART's Kubeflow component to run code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory / CISA-ADP. The abused surface is the Adversarial Robustness Toolbox (ART), the Trusted-AI / LF AI library used to defend ML models against adversarial attacks - a defensive-ML tool with an offensive flaw.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsafe model deserialization in a defensive-ML library.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure (May 2026) with a documented attack; no confirmed in-the-wild exploitation reported as of curation. No patched version is published (the advisory records 'Patched versions: Unknown'), so exposed usage remains vulnerable.",
+    "affected": "Adversarial Robustness Toolbox (ART) through 1.20.1.",
+    "affected_versions": [
+      "adversarial-robustness-toolbox <= 1.20.1"
+    ],
+    "vector": "The Adversarial Robustness Toolbox (ART) - the Trusted-AI library used to defend ML models against adversarial attacks - loads models in its Kubeflow component via torch.load() without the security-restrictive weights_only=True parameter. A maliciously crafted model file therefore runs arbitrary code on load through unsafe object-deserialization (CWE-502) - the same torch.load weights_only gap as CVE-2025-32434, here in the defensive-ML library itself.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N / UI:N - loading a crafted model runs code.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patched ART version is published as of curation (the GitHub advisory records 'Patched versions: Unknown'). Mitigation is loading models only from trusted sources, sandboxing model loading, and using weights_only=True / safe formats (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ART release is published. Load models only from trusted sources, verify provenance, sandbox model loading, and prefer safe-load (weights_only=True) / safetensors; treat every model file as executable code."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw remediation cannot resolve this by patching yet (no fix published); the control is model-artifact provenance + sandboxing.",
+      "NIST-800-53-SI-10": "No input validation distinguishes a benign model from a deserialization payload before ART loads it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: ART deserializes model files through an unsafe loader by default.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address loading untrusted model artifacts as host code in an ML security library.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not treat the defensive-ML library (ART) as a channel that delivers executable model artifacts.",
+      "DORA-Art-9": "ICT protection measures do not model code execution via an ML security library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for model-artifact provenance / sandboxed loading in ML libraries.",
+      "AU-ISM-1546": "Patch-application control does not address a flaw with no published patch.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the adversarial-robustness library's model-loading path as a privileged code-execution surface."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 46,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 46, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no patched version published so no patch credit (Hard Rule #3). poc_available=20 + blast_radius=26. The defensive-ML library ART itself carries a code-execution flaw - model-as-code.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-31229",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ART loading a PyTorch model whose payload contains a deserialization gadget rather than plain weights.",
+        "The ART process spawning shell, network, or file-system child processes during model loading.",
+        "ART <= 1.20.1 loading PyTorch models from an untrusted source via the Kubeflow component - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory / CISA-ADP record for CVE-2026-31229 (CWE-502) and NVD."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-31229",
+      "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-31229",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31229",
+        "severity": "critical",
+        "published_date": "2026-05-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD / CISA-ADP (CWE-502; CISA-ADP CVSS v3.1 9.8, NVD assessment pending) + the GitHub Security Advisory. Adversarial Robustness Toolbox (ART) flaw; reuses the untrusted-model-artifact-loading control NEW-CTRL-091 - a model file is executable code, the class shared with Keras / Hugging Face / NeMo / PyTorch / H2O / MLflow.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ART's Kubeflow model loader calls torch.load() without weights_only=True, so a malicious model file runs code on load (CWE-502); no fix published - treat models as untrusted code."
+  },
+  "CVE-2026-31230": {
+    "name": "Adversarial Robustness Toolbox CLI Argument Dynamic-Evaluation Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 9.8 (CRITICAL); NVD has not yet published its own assessment. ART's Kubeflow component parses the --clip_values and --input_shape command-line arguments through an unsafe dynamic-evaluation call, so attacker-controlled argument values execute arbitrary Python (CWE-88 argument-delimiter injection / code injection).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory; supply a crafted --clip_values / --input_shape value to ART's Kubeflow CLI to run code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory / CISA-ADP. The abused surface is the Adversarial Robustness Toolbox (ART), the Trusted-AI / LF AI library used to defend ML models against adversarial attacks - a defensive-ML tool with an offensive flaw.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsafe dynamic-evaluation of CLI arguments in a defensive-ML library.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure (May 2026) with a documented attack; no confirmed in-the-wild exploitation reported as of curation. No patched version is published (the advisory records 'Patched versions: Unknown'), so exposed usage remains vulnerable.",
+    "affected": "Adversarial Robustness Toolbox (ART) through 1.20.1.",
+    "affected_versions": [
+      "adversarial-robustness-toolbox <= 1.20.1"
+    ],
+    "vector": "ART's Kubeflow component parses the --clip_values and --input_shape command-line arguments by passing their string values into an unsafe dynamic-evaluation call rather than a safe literal parser. An attacker who controls those argument values executes arbitrary Python (CWE-88) - the same build-a-command-from-arguments root cause as the LlamaIndex CLI injection, here in the defensive-ML toolkit.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N / UI:N - controlling the CLI argument value runs code.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patched ART version is published as of curation (the GitHub advisory records 'Patched versions: Unknown'). Mitigation is never passing untrusted values to the affected CLI arguments and using a safe literal parser (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ART release is published. Do not pass untrusted values to ART's --clip_values / --input_shape arguments; the fix is to parse them with a safe literal parser (e.g. ast.literal_eval) rather than a dynamic-evaluation call."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw remediation cannot resolve this by patching yet (no fix published); the control is safe argument parsing.",
+      "NIST-800-53-SI-10": "No input validation distinguishes a safe CLI argument value from injected code before ART evaluates it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: ART evaluates CLI argument strings through a dynamic-evaluation call.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address dynamic evaluation of CLI argument strings in an ML security library.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not treat the defensive-ML library (ART) as a channel that executes attacker-influenced arguments.",
+      "DORA-Art-9": "ICT protection measures do not model code execution via an ML security library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for safe CLI argument parsing in ML libraries.",
+      "AU-ISM-1546": "Patch-application control does not address a flaw with no published patch.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the adversarial-robustness library's CLI argument parsing as a privileged code-execution surface."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no patched version published so no patch credit (Hard Rule #3). poc_available=20 + blast_radius=22. The defensive-ML library ART itself carries a code-execution flaw - unsafe CLI eval.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-31230",
+    "cwe_refs": [
+      "CWE-88"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ART invoked with --clip_values / --input_shape values containing Python expressions or code rather than numeric literals.",
+        "The ART process spawning shell, network, or file-system child processes during argument parsing.",
+        "ART <= 1.20.1 invoked with attacker-influenced --clip_values / --input_shape arguments - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory / CISA-ADP record for CVE-2026-31230 (CWE-88) and NVD."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-31230",
+      "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-31230",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31230",
+        "severity": "critical",
+        "published_date": "2026-05-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD / CISA-ADP (CWE-88; CISA-ADP CVSS v3.1 9.8, NVD assessment pending) + the GitHub Security Advisory. Adversarial Robustness Toolbox (ART) flaw; reuses the AI-framework CLI input-neutralization control NEW-CTRL-100 - an AI framework's CLI must parse argument values with a safe literal parser, not a dynamic-evaluation call, the class shared with the LlamaIndex CLI entry.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ART's Kubeflow component passes the --clip_values / --input_shape CLI arguments into an unsafe dynamic-evaluation call, executing arbitrary Python (CWE-88); no fix published - use a safe literal parser."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -299,6 +299,7 @@
       "CVE-2016-10033",
       "CVE-2026-24061",
       "CVE-2026-30623",
+      "CVE-2026-31230",
       "CVE-2026-39884"
     ],
     "framework_controls_partially_addressing": [
@@ -1363,7 +1364,8 @@
       "CVE-2025-68664",
       "CVE-2025-8747",
       "CVE-2026-20131",
-      "CVE-2026-20963"
+      "CVE-2026-20963",
+      "CVE-2026-31229"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",

package/data/framework-control-gaps.json

@@ -103,6 +103,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-40933",
@@ -1293,6 +1295,8 @@
       "CVE-2025-3248",
       "CVE-2025-6965",
       "CVE-2026-30623",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017"
     ],
     "atlas_refs": [
@@ -2130,6 +2134,8 @@
       "CVE-2025-49844",
       "CVE-2025-53773",
       "CVE-2026-30615",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017"
     ],
     "atlas_refs": [
@@ -2391,6 +2397,8 @@
       "CVE-2026-24213",
       "CVE-2026-24214",
       "CVE-2026-24215",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-39884",
       "CVE-2026-42208",
       "CVE-2026-45829",
@@ -2772,6 +2780,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-32201",
@@ -5140,6 +5150,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
@@ -5711,6 +5723,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
@@ -5825,6 +5839,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
@@ -5905,6 +5921,8 @@
       "CVE-2024-3154",
       "CVE-2024-37052",
       "CVE-2024-37060",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",

package/data/zeroday-lessons.json

@@ -4661,6 +4661,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-31229": {
+    "name": "Adversarial Robustness Toolbox torch.load Model Deserialization RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ART's Kubeflow model-loading component calls torch.load() without weights_only=True, so loading a maliciously crafted model file runs arbitrary code through unsafe object-deserialization (the same weights_only gap as CVE-2025-32434, here in the defensive-ML library).",
+      "privileges_required": "none-to-low (control the loaded model / the affected CLI argument value)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Adversarial Robustness Toolbox (ART) - the Trusted-AI library used to DEFEND ML models against adversarial attacks. The lesson: defensive-ML tooling is code-bearing infrastructure too; a model file it loads is executable code."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No fix is published; loading an untrusted model is inherently code execution - the control is provenance + sandboxing, not patching."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a benign model from a deserialization payload before ART loads it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the adversarial-robustness library's model-loading path as a privileged code-execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Defensive-ML libraries are trusted by assumption and run inside ML pipelines; their model-loading and CLI-parsing paths are not treated as code-execution surfaces, and no patch is published.",
+      "theater_pattern": "untrusted_model_artifact_as_code"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-31230": {
+    "name": "Adversarial Robustness Toolbox CLI Argument Dynamic-Evaluation Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ART's Kubeflow component parses the --clip_values and --input_shape command-line arguments through an unsafe dynamic-evaluation call, so attacker-controlled argument values execute arbitrary Python (the same build-from-arguments root cause as the LlamaIndex CLI injection).",
+      "privileges_required": "none-to-low (control the loaded model / the affected CLI argument value)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Adversarial Robustness Toolbox (ART) - the Trusted-AI library used to DEFEND ML models against adversarial attacks. The lesson: defensive-ML tooling is code-bearing infrastructure too; its CLI must parse arguments with a safe literal parser, never a dynamic-evaluation call."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No fix is published; the control is parsing CLI arguments with a safe literal parser rather than a dynamic-evaluation call."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a safe CLI argument value from injected code before ART evaluates it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML library's CLI argument parsing as a privileged code-execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Defensive-ML libraries are trusted by assumption and run inside ML pipelines; their model-loading and CLI-parsing paths are not treated as code-execution surfaces, and no patch is published.",
+      "theater_pattern": "ai_framework_cli_eval"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-100",
+        "name": "AI-FRAMEWORK-CLI-SHELL-INPUT-NEUTRALIZATION",
+        "description": "AI-framework CLIs and tools that invoke external commands must never build a shell string from user-supplied arguments or config: use argv-array execution (no shell), or neutralize input with shlex/equivalent. Upgrade llama-index-cli past 0.12.20 to the shlex-escaped release, and in any wrapper/automation pass arguments as a list rather than a shell string. The distinguishing test: pass a --files value containing shell metacharacters to a staging CLI and confirm no subcommand executes.",
+        "evidence": "https://huntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2023-43791": {
     "name": "Label Studio Account Impersonation and Privilege Escalation",
     "lesson_date": "2026-05-25",