@blamejs/exceptd-skills 0.13.109 → 0.13.112

package/data/atlas-ttps.json

@@ -160,6 +160,7 @@
       "CVE-2025-8747",
       "CVE-2026-22778",
       "CVE-2026-30615",
+      "CVE-2026-31229",
       "CVE-2026-39987",
       "CVE-2026-45321",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -1296,6 +1297,7 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-8747",
+      "CVE-2026-31229",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
     ],
     "description_full": "An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.",
@@ -1745,6 +1747,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -1758,6 +1761,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30202",
@@ -1771,6 +1775,7 @@
       "CVE-2026-24214",
       "CVE-2026-24215",
       "CVE-2026-26190",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-45829"
@@ -2873,6 +2878,7 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-8747",
+      "CVE-2026-31229",
       "CVE-2026-45829"
     ]
   },

package/data/attack-techniques.json

@@ -331,6 +331,8 @@
       "CVE-2026-30623",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-32202",
       "CVE-2026-33017",
       "CVE-2026-34159",
@@ -388,6 +390,7 @@
       "CVE-2024-5565",
       "CVE-2025-3248",
       "CVE-2025-49844",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "MAL-2026-3083"
     ],
@@ -412,10 +415,12 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2021-26829",
+      "CVE-2023-6571",
       "CVE-2024-11182",
       "CVE-2024-27132",
       "CVE-2024-27443",
       "CVE-2024-42009",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-27915",
       "CVE-2025-48700",
@@ -1162,6 +1167,7 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-8747",
+      "CVE-2026-31229",
       "CVE-2026-45321",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
@@ -2543,6 +2549,7 @@
     "name": "Drive-by Compromise",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-6571",
       "CVE-2024-27132",
       "CVE-2025-10585",
       "CVE-2025-14174",
@@ -2661,6 +2668,8 @@
     "name": "Steal Web Session Cookie",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-6571",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-34291"
     ],
@@ -4217,7 +4226,10 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2024-9526"
+    ]
   },
   "T1187": {
     "id": "T1187",
@@ -4359,7 +4371,8 @@
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
-      "CVE-2025-8747"
+      "CVE-2025-8747",
+      "CVE-2026-31229"
     ]
   },
   "T1205": {

package/data/cve-catalog.json

@@ -17297,6 +17297,407 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Label Studio exposes information enabling account impersonation and escalation to Django superadmin (chained with the ORM leak CVE-2023-47117); CWE-200, fixed in 1.8.2."
   },
+  "CVE-2026-31229": {
+    "name": "Adversarial Robustness Toolbox torch.load Model Deserialization RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 9.8 (CRITICAL); NVD has not yet published its own assessment. ART's Kubeflow model-loading component calls torch.load() WITHOUT weights_only=True, so loading a maliciously crafted model file runs arbitrary code through unsafe object-deserialization (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory; load a crafted PyTorch model through ART's Kubeflow component to run code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory / CISA-ADP. The abused surface is the Adversarial Robustness Toolbox (ART), the Trusted-AI / LF AI library used to defend ML models against adversarial attacks - a defensive-ML tool with an offensive flaw.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsafe model deserialization in a defensive-ML library.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure (May 2026) with a documented attack; no confirmed in-the-wild exploitation reported as of curation. No patched version is published (the advisory records 'Patched versions: Unknown'), so exposed usage remains vulnerable.",
+    "affected": "Adversarial Robustness Toolbox (ART) through 1.20.1.",
+    "affected_versions": [
+      "adversarial-robustness-toolbox <= 1.20.1"
+    ],
+    "vector": "The Adversarial Robustness Toolbox (ART) - the Trusted-AI library used to defend ML models against adversarial attacks - loads models in its Kubeflow component via torch.load() without the security-restrictive weights_only=True parameter. A maliciously crafted model file therefore runs arbitrary code on load through unsafe object-deserialization (CWE-502) - the same torch.load weights_only gap as CVE-2025-32434, here in the defensive-ML library itself.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N / UI:N - loading a crafted model runs code.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patched ART version is published as of curation (the GitHub advisory records 'Patched versions: Unknown'). Mitigation is loading models only from trusted sources, sandboxing model loading, and using weights_only=True / safe formats (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ART release is published. Load models only from trusted sources, verify provenance, sandbox model loading, and prefer safe-load (weights_only=True) / safetensors; treat every model file as executable code."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw remediation cannot resolve this by patching yet (no fix published); the control is model-artifact provenance + sandboxing.",
+      "NIST-800-53-SI-10": "No input validation distinguishes a benign model from a deserialization payload before ART loads it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: ART deserializes model files through an unsafe loader by default.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address loading untrusted model artifacts as host code in an ML security library.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not treat the defensive-ML library (ART) as a channel that delivers executable model artifacts.",
+      "DORA-Art-9": "ICT protection measures do not model code execution via an ML security library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for model-artifact provenance / sandboxed loading in ML libraries.",
+      "AU-ISM-1546": "Patch-application control does not address a flaw with no published patch.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the adversarial-robustness library's model-loading path as a privileged code-execution surface."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 46,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 46, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no patched version published so no patch credit (Hard Rule #3). poc_available=20 + blast_radius=26. The defensive-ML library ART itself carries a code-execution flaw - model-as-code.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-31229",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ART loading a PyTorch model whose payload contains a deserialization gadget rather than plain weights.",
+        "The ART process spawning shell, network, or file-system child processes during model loading.",
+        "ART <= 1.20.1 loading PyTorch models from an untrusted source via the Kubeflow component - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory / CISA-ADP record for CVE-2026-31229 (CWE-502) and NVD."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-31229",
+      "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-31229",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31229",
+        "severity": "critical",
+        "published_date": "2026-05-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD / CISA-ADP (CWE-502; CISA-ADP CVSS v3.1 9.8, NVD assessment pending) + the GitHub Security Advisory. Adversarial Robustness Toolbox (ART) flaw; reuses the untrusted-model-artifact-loading control NEW-CTRL-091 - a model file is executable code, the class shared with Keras / Hugging Face / NeMo / PyTorch / H2O / MLflow.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ART's Kubeflow model loader calls torch.load() without weights_only=True, so a malicious model file runs code on load (CWE-502); no fix published - treat models as untrusted code."
+  },
+  "CVE-2026-31230": {
+    "name": "Adversarial Robustness Toolbox CLI Argument Dynamic-Evaluation Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 9.8 (CRITICAL); NVD has not yet published its own assessment. ART's Kubeflow component parses the --clip_values and --input_shape command-line arguments through an unsafe dynamic-evaluation call, so attacker-controlled argument values execute arbitrary Python (CWE-88 argument-delimiter injection / code injection).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory; supply a crafted --clip_values / --input_shape value to ART's Kubeflow CLI to run code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory / CISA-ADP. The abused surface is the Adversarial Robustness Toolbox (ART), the Trusted-AI / LF AI library used to defend ML models against adversarial attacks - a defensive-ML tool with an offensive flaw.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsafe dynamic-evaluation of CLI arguments in a defensive-ML library.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure (May 2026) with a documented attack; no confirmed in-the-wild exploitation reported as of curation. No patched version is published (the advisory records 'Patched versions: Unknown'), so exposed usage remains vulnerable.",
+    "affected": "Adversarial Robustness Toolbox (ART) through 1.20.1.",
+    "affected_versions": [
+      "adversarial-robustness-toolbox <= 1.20.1"
+    ],
+    "vector": "ART's Kubeflow component parses the --clip_values and --input_shape command-line arguments by passing their string values into an unsafe dynamic-evaluation call rather than a safe literal parser. An attacker who controls those argument values executes arbitrary Python (CWE-88) - the same build-a-command-from-arguments root cause as the LlamaIndex CLI injection, here in the defensive-ML toolkit.",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N / UI:N - controlling the CLI argument value runs code.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patched ART version is published as of curation (the GitHub advisory records 'Patched versions: Unknown'). Mitigation is never passing untrusted values to the affected CLI arguments and using a safe literal parser (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ART release is published. Do not pass untrusted values to ART's --clip_values / --input_shape arguments; the fix is to parse them with a safe literal parser (e.g. ast.literal_eval) rather than a dynamic-evaluation call."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw remediation cannot resolve this by patching yet (no fix published); the control is safe argument parsing.",
+      "NIST-800-53-SI-10": "No input validation distinguishes a safe CLI argument value from injected code before ART evaluates it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: ART evaluates CLI argument strings through a dynamic-evaluation call.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address dynamic evaluation of CLI argument strings in an ML security library.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not treat the defensive-ML library (ART) as a channel that executes attacker-influenced arguments.",
+      "DORA-Art-9": "ICT protection measures do not model code execution via an ML security library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for safe CLI argument parsing in ML libraries.",
+      "AU-ISM-1546": "Patch-application control does not address a flaw with no published patch.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the adversarial-robustness library's CLI argument parsing as a privileged code-execution surface."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no patched version published so no patch credit (Hard Rule #3). poc_available=20 + blast_radius=22. The defensive-ML library ART itself carries a code-execution flaw - unsafe CLI eval.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-31230",
+    "cwe_refs": [
+      "CWE-88"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ART invoked with --clip_values / --input_shape values containing Python expressions or code rather than numeric literals.",
+        "The ART process spawning shell, network, or file-system child processes during argument parsing.",
+        "ART <= 1.20.1 invoked with attacker-influenced --clip_values / --input_shape arguments - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory / CISA-ADP record for CVE-2026-31230 (CWE-88) and NVD."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-31230",
+      "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-31230",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31230",
+        "severity": "critical",
+        "published_date": "2026-05-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD / CISA-ADP (CWE-88; CISA-ADP CVSS v3.1 9.8, NVD assessment pending) + the GitHub Security Advisory. Adversarial Robustness Toolbox (ART) flaw; reuses the AI-framework CLI input-neutralization control NEW-CTRL-100 - an AI framework's CLI must parse argument values with a safe literal parser, not a dynamic-evaluation call, the class shared with the LlamaIndex CLI entry.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ART's Kubeflow component passes the --clip_values / --input_shape CLI arguments into an unsafe dynamic-evaluation call, executing arbitrary Python (CWE-88); no fix published - use a safe literal parser."
+  },
+  "CVE-2024-9526": {
+    "name": "Kubeflow Pipelines Stored XSS in Pipeline View",
+    "type": "Stored XSS",
+    "cvss_score": 5.4,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 5.4 (MEDIUM); Google (CNA) rates it CVSS v4.0 7.1 (HIGH). The Kubeflow Pipelines Pipeline View web UI allows HTML tags in the pipeline description field without proper filtering, so attacker-supplied markup is stored and executed in the browser of every user who views the pipeline (CWE-79 stored XSS).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm): store an HTML/script payload in the pipeline description; it runs for every viewer.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm). The abused surface is Kubeflow, a widely used MLOps orchestration platform / console.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing output encoding in an MLOps console web UI.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Kubeflow Pipelines (KFP) builds before commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d (before 2023-12-13).",
+    "affected_versions": [
+      "Kubeflow Pipelines < commit 930c35f1 (builds before 2023-12-13)"
+    ],
+    "vector": "Kubeflow Pipelines is the workflow-orchestration component of Kubeflow. Its Pipeline View web UI renders the pipeline description field without neutralizing HTML, so a user who can create/edit a pipeline stores markup (a script payload) that executes in the browser of every other user who views that pipeline - a stored XSS (CWE-79) that can hijack sessions and act as those users in the MLOps console.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / UI:R - requires a victim to view the pipeline (stored) or follow a crafted link (reflected); scope-changed (S:C) because script runs in the authenticated console origin.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is applying the upstream fix (commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d) or later; redeploy the Kubeflow console, no host reboot.",
+    "vendor_update_paths": [
+      "Apply the upstream fix (commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d) or later. Neutralize/encode all user-controlled fields rendered in the Kubeflow console (HTML-encode output, use a strict Content-Security-Policy, and set session cookies HttpOnly) so stored or reflected markup cannot execute."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input/output validation does not neutralize user-controlled fields before the MLOps console renders them.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat script injected into the MLOps console UI as an execution channel against other users.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not require output encoding / CSP on the MLOps console.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate MLOps-console XSS as a session-hijack surface.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-console XSS / session hijack as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for output encoding / CSP on AI-platform consoles.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps consoles.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1059.007",
+      "T1185",
+      "T1539"
+    ],
+    "rwep_score": 19,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 14,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Low (RWEP 19, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=14 (client-side stored XSS - session hijack within the console, not host RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-9526",
+    "cwe_refs": [
+      "CWE-79"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Kubeflow pipeline description / metadata fields containing HTML or <script> markup rather than plain text.",
+        "Script executing in the Kubeflow console origin that reads session tokens or issues console API calls as the viewing user.",
+        "Kubeflow Pipelines builds before the commit 930c35f1 fix with the console reachable by multiple users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm) and NVD CVE-2024-9526 (CWE-79)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-9526",
+      "https://github.com/advisories/GHSA-rm25-8wjq-c6qm"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-9526",
+        "url": "https://github.com/advisories/GHSA-rm25-8wjq-c6qm",
+        "severity": "medium",
+        "published_date": "2024-11-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-9526",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9526",
+        "severity": "medium",
+        "published_date": "2024-11-18"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm, CWE-79) + NVD (CVSS v3.1 5.4; Google CNA v4.0 7.1). Kubeflow MLOps-console flaw; introduces the AI-platform web-UI output-encoding (XSS) control NEW-CTRL-107.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Kubeflow Pipelines renders the pipeline description field without HTML neutralization, so stored markup runs in every viewer's browser (CWE-79 stored XSS); fixed upstream (commit 930c35f1)."
+  },
+  "CVE-2023-6571": {
+    "name": "Kubeflow Reflected XSS",
+    "type": "Reflected XSS",
+    "cvss_score": 6.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 6.1 (MEDIUM); huntr.dev (CNA) rates it 5.4. Kubeflow reflects attacker-controlled input into a web page without neutralization, so a crafted link executes script in the victim's browser (CWE-79 reflected XSS).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf): send a victim a crafted link that reflects script into their Kubeflow session.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf). The abused surface is Kubeflow, a widely used MLOps orchestration platform / console.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing output encoding in an MLOps console web UI.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Kubeflow 1.7.0.",
+    "affected_versions": [
+      "Kubeflow 1.7.0"
+    ],
+    "vector": "Kubeflow reflects attacker-controlled request input back into a web page without neutralizing it, so a victim who follows a crafted link executes attacker script in their authenticated Kubeflow session - a reflected XSS (CWE-79) that can hijack the session and act in the MLOps console as the victim.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / UI:R - requires a victim to view the pipeline (stored) or follow a crafted link (reflected); scope-changed (S:C) because script runs in the authenticated console origin.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is applying the upstream huntr-coordinated fix (upgrade to a build after 1.7.0); redeploy the Kubeflow console, no host reboot.",
+    "vendor_update_paths": [
+      "Apply the upstream huntr-coordinated fix (upgrade to a build after 1.7.0). Neutralize/encode all user-controlled fields rendered in the Kubeflow console (HTML-encode output, use a strict Content-Security-Policy, and set session cookies HttpOnly) so stored or reflected markup cannot execute."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input/output validation does not neutralize user-controlled fields before the MLOps console renders them.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat script injected into the MLOps console UI as an execution channel against other users.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not require output encoding / CSP on the MLOps console.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate MLOps-console XSS as a session-hijack surface.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-console XSS / session hijack as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for output encoding / CSP on AI-platform consoles.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps consoles.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1059.007",
+      "T1189",
+      "T1539"
+    ],
+    "rwep_score": 15,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 10,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Low (RWEP 15, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=10 (client-side reflected XSS - session hijack within the console, not host RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-6571",
+    "cwe_refs": [
+      "CWE-79"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Crafted Kubeflow console URLs reflecting <script> or event-handler payloads in their parameters.",
+        "Script executing in the Kubeflow console origin that reads session tokens or issues console API calls as the viewing user.",
+        "Kubeflow 1.7.0 with the console reachable by multiple users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf) and NVD CVE-2023-6571 (CWE-79)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-6571",
+      "https://github.com/advisories/GHSA-7rvc-xw75-43jf"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-6571",
+        "url": "https://github.com/advisories/GHSA-7rvc-xw75-43jf",
+        "severity": "medium",
+        "published_date": "2023-12-14"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-6571",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6571",
+        "severity": "medium",
+        "published_date": "2023-12-14"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf, CWE-79) + NVD (CVSS v3.1 6.1; huntr CNA 5.4). Kubeflow MLOps-console flaw; introduces the AI-platform web-UI output-encoding (XSS) control NEW-CTRL-107.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Kubeflow reflects attacker input into a page without neutralization, so a crafted link runs script in the victim's session (CWE-79 reflected XSS); fixed upstream (post-1.7.0)."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -259,10 +259,12 @@
     ],
     "evidence_cves": [
       "CVE-2021-26829",
+      "CVE-2023-6571",
       "CVE-2024-11182",
       "CVE-2024-27132",
       "CVE-2024-27443",
       "CVE-2024-42009",
+      "CVE-2024-9526",
       "CVE-2025-27915",
       "CVE-2025-48700",
       "CVE-2025-66376",
@@ -299,6 +301,7 @@
       "CVE-2016-10033",
       "CVE-2026-24061",
       "CVE-2026-30623",
+      "CVE-2026-31230",
       "CVE-2026-39884"
     ],
     "framework_controls_partially_addressing": [
@@ -1363,7 +1366,8 @@
       "CVE-2025-68664",
       "CVE-2025-8747",
       "CVE-2026-20131",
-      "CVE-2026-20963"
+      "CVE-2026-20963",
+      "CVE-2026-31229"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",