@blamejs/exceptd-skills 0.13.109 → 0.13.112

package/data/framework-control-gaps.json

@@ -45,6 +45,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -69,6 +70,7 @@
       "CVE-2024-50050",
       "CVE-2024-5565",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -103,6 +105,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-40933",
@@ -1280,6 +1284,7 @@
     "evidence_cves": [
       "CVE-2023-43472",
       "CVE-2023-6016",
+      "CVE-2023-6571",
       "CVE-2024-12366",
       "CVE-2024-24590",
       "CVE-2024-24591",
@@ -1287,12 +1292,15 @@
       "CVE-2024-37052",
       "CVE-2024-37060",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-27520",
       "CVE-2025-3248",
       "CVE-2025-6965",
       "CVE-2026-30623",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017"
     ],
     "atlas_refs": [
@@ -2130,6 +2138,8 @@
       "CVE-2025-49844",
       "CVE-2025-53773",
       "CVE-2026-30615",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017"
     ],
     "atlas_refs": [
@@ -2355,6 +2365,7 @@
     "evidence_cves": [
       "CVE-2022-36551",
       "CVE-2023-44467",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -2372,6 +2383,7 @@
       "CVE-2024-39722",
       "CVE-2024-50050",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-1550",
@@ -2391,6 +2403,8 @@
       "CVE-2026-24213",
       "CVE-2026-24214",
       "CVE-2026-24215",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-39884",
       "CVE-2026-42208",
       "CVE-2026-45829",
@@ -2772,6 +2786,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-32201",
@@ -2832,9 +2848,11 @@
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
       "CVE-2023-6016",
+      "CVE-2023-6571",
       "CVE-2024-12366",
       "CVE-2024-2912",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-11837",
       "CVE-2025-27520",
       "CVE-2025-3248",
@@ -5026,9 +5044,11 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2023-3519",
+      "CVE-2023-6571",
       "CVE-2024-12366",
       "CVE-2024-2912",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-27520",
       "CVE-2026-0300",
       "CVE-2026-42945"
@@ -5077,6 +5097,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5103,6 +5124,7 @@
       "CVE-2024-50050",
       "CVE-2024-5565",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5140,6 +5162,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
@@ -5656,6 +5680,7 @@
       "CVE-2023-51449",
       "CVE-2023-6016",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5680,6 +5705,7 @@
       "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5711,6 +5737,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
@@ -5764,6 +5792,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5790,6 +5819,7 @@
       "CVE-2024-50050",
       "CVE-2024-5565",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5825,6 +5855,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
@@ -5905,6 +5937,8 @@
       "CVE-2024-3154",
       "CVE-2024-37052",
       "CVE-2024-37060",
+      "CVE-2026-31229",
+      "CVE-2026-31230",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",

package/data/zeroday-lessons.json

@@ -4661,6 +4661,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-31229": {
+    "name": "Adversarial Robustness Toolbox torch.load Model Deserialization RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ART's Kubeflow model-loading component calls torch.load() without weights_only=True, so loading a maliciously crafted model file runs arbitrary code through unsafe object-deserialization (the same weights_only gap as CVE-2025-32434, here in the defensive-ML library).",
+      "privileges_required": "none-to-low (control the loaded model / the affected CLI argument value)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Adversarial Robustness Toolbox (ART) - the Trusted-AI library used to DEFEND ML models against adversarial attacks. The lesson: defensive-ML tooling is code-bearing infrastructure too; a model file it loads is executable code."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No fix is published; loading an untrusted model is inherently code execution - the control is provenance + sandboxing, not patching."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a benign model from a deserialization payload before ART loads it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the adversarial-robustness library's model-loading path as a privileged code-execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Defensive-ML libraries are trusted by assumption and run inside ML pipelines; their model-loading and CLI-parsing paths are not treated as code-execution surfaces, and no patch is published.",
+      "theater_pattern": "untrusted_model_artifact_as_code"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-9526": {
+    "name": "Kubeflow Pipelines Stored XSS in Pipeline View",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Kubeflow Pipelines renders the pipeline description field without neutralizing HTML, so attacker-stored markup executes in the browser of every user who views the pipeline.",
+      "privileges_required": "low (a user who can create/edit a pipeline; payload then fires for all viewers)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Kubeflow MLOps console - the control plane operators use to run ML pipelines. The lesson: an MLOps console is a multi-user trust boundary; unencoded user fields let one user's stored markup hijack every operator's authenticated session and act in the ML control plane as them."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "User-controlled fields are not neutralized/encoded before the MLOps console renders them."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Script injected into the console UI is not treated as an execution channel against other operators."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "MLOps consoles are deployed on trusted-team assumptions and render user-supplied pipeline metadata; output encoding and CSP are frequently missing, and audits rarely test console XSS.",
+      "theater_pattern": "mlops_console_xss"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-107",
+        "name": "AI-PLATFORM-WEB-UI-OUTPUT-ENCODING-XSS",
+        "description": "An AI/MLOps platform console (Kubeflow, pipeline dashboards, experiment UIs) must neutralize every user-controlled field it renders: HTML-encode output, never render stored description/metadata fields as raw HTML, set a strict Content-Security-Policy, and mark session cookies HttpOnly so injected script cannot read them. Treat the console as a multi-user trust boundary - one user's stored input is rendered in every other operator's authenticated session. The distinguishing test: store an HTML/script payload in a pipeline description (or craft a reflecting link) on a staging console and confirm it renders inert text, not executing script - a console that executes stored or reflected markup lets an attacker hijack operators' sessions and act in the MLOps control plane as them.",
+        "evidence": "https://github.com/advisories/GHSA-rm25-8wjq-c6qm",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-6571": {
+    "name": "Kubeflow Reflected XSS",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Kubeflow reflects attacker-controlled request input into a web page without neutralization, so a victim who follows a crafted link executes attacker script in their authenticated Kubeflow session.",
+      "privileges_required": "none (the victim follows a crafted link)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Kubeflow MLOps console - the control plane operators use to run ML pipelines. The lesson: an MLOps console is a multi-user trust boundary; unencoded user fields let one user's reflected markup hijack every operator's authenticated session and act in the ML control plane as them."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "User-controlled fields are not neutralized/encoded before the MLOps console renders them."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Script injected into the console UI is not treated as an execution channel against other operators."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "MLOps consoles are deployed on trusted-team assumptions and render user-supplied pipeline metadata; output encoding and CSP are frequently missing, and audits rarely test console XSS.",
+      "theater_pattern": "mlops_console_xss"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-107",
+        "name": "AI-PLATFORM-WEB-UI-OUTPUT-ENCODING-XSS",
+        "description": "An AI/MLOps platform console (Kubeflow, pipeline dashboards, experiment UIs) must neutralize every user-controlled field it renders: HTML-encode output, never render stored description/metadata fields as raw HTML, set a strict Content-Security-Policy, and mark session cookies HttpOnly so injected script cannot read them. Treat the console as a multi-user trust boundary - one user's stored input is rendered in every other operator's authenticated session. The distinguishing test: store an HTML/script payload in a pipeline description (or craft a reflecting link) on a staging console and confirm it renders inert text, not executing script - a console that executes stored or reflected markup lets an attacker hijack operators' sessions and act in the MLOps control plane as them.",
+        "evidence": "https://github.com/advisories/GHSA-7rvc-xw75-43jf",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-31230": {
+    "name": "Adversarial Robustness Toolbox CLI Argument Dynamic-Evaluation Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ART's Kubeflow component parses the --clip_values and --input_shape command-line arguments through an unsafe dynamic-evaluation call, so attacker-controlled argument values execute arbitrary Python (the same build-from-arguments root cause as the LlamaIndex CLI injection).",
+      "privileges_required": "none-to-low (control the loaded model / the affected CLI argument value)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Adversarial Robustness Toolbox (ART) - the Trusted-AI library used to DEFEND ML models against adversarial attacks. The lesson: defensive-ML tooling is code-bearing infrastructure too; its CLI must parse arguments with a safe literal parser, never a dynamic-evaluation call."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No fix is published; the control is parsing CLI arguments with a safe literal parser rather than a dynamic-evaluation call."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a safe CLI argument value from injected code before ART evaluates it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML library's CLI argument parsing as a privileged code-execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Defensive-ML libraries are trusted by assumption and run inside ML pipelines; their model-loading and CLI-parsing paths are not treated as code-execution surfaces, and no patch is published.",
+      "theater_pattern": "ai_framework_cli_eval"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-100",
+        "name": "AI-FRAMEWORK-CLI-SHELL-INPUT-NEUTRALIZATION",
+        "description": "AI-framework CLIs and tools that invoke external commands must never build a shell string from user-supplied arguments or config: use argv-array execution (no shell), or neutralize input with shlex/equivalent. Upgrade llama-index-cli past 0.12.20 to the shlex-escaped release, and in any wrapper/automation pass arguments as a list rather than a shell string. The distinguishing test: pass a --files value containing shell metacharacters to a staging CLI and confirm no subcommand executes.",
+        "evidence": "https://huntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2023-43791": {
     "name": "Label Studio Account Impersonation and Privilege Escalation",
     "lesson_date": "2026-05-25",