@blamejs/exceptd-skills 0.13.110 → 0.13.112

package/data/atlas-ttps.json

@@ -1747,6 +1747,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -1760,6 +1761,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30202",

package/data/attack-techniques.json

@@ -415,10 +415,12 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2021-26829",
+      "CVE-2023-6571",
       "CVE-2024-11182",
       "CVE-2024-27132",
       "CVE-2024-27443",
       "CVE-2024-42009",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-27915",
       "CVE-2025-48700",
@@ -2547,6 +2549,7 @@
     "name": "Drive-by Compromise",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-6571",
       "CVE-2024-27132",
       "CVE-2025-10585",
       "CVE-2025-14174",
@@ -2665,6 +2668,8 @@
     "name": "Steal Web Session Cookie",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-6571",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-34291"
     ],
@@ -4221,7 +4226,10 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2024-9526"
+    ]
   },
   "T1187": {
     "id": "T1187",

package/data/cve-catalog.json

@@ -17492,6 +17492,212 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "ART's Kubeflow component passes the --clip_values / --input_shape CLI arguments into an unsafe dynamic-evaluation call, executing arbitrary Python (CWE-88); no fix published - use a safe literal parser."
   },
+  "CVE-2024-9526": {
+    "name": "Kubeflow Pipelines Stored XSS in Pipeline View",
+    "type": "Stored XSS",
+    "cvss_score": 5.4,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 5.4 (MEDIUM); Google (CNA) rates it CVSS v4.0 7.1 (HIGH). The Kubeflow Pipelines Pipeline View web UI allows HTML tags in the pipeline description field without proper filtering, so attacker-supplied markup is stored and executed in the browser of every user who views the pipeline (CWE-79 stored XSS).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm): store an HTML/script payload in the pipeline description; it runs for every viewer.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm). The abused surface is Kubeflow, a widely used MLOps orchestration platform / console.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing output encoding in an MLOps console web UI.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Kubeflow Pipelines (KFP) builds before commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d (before 2023-12-13).",
+    "affected_versions": [
+      "Kubeflow Pipelines < commit 930c35f1 (builds before 2023-12-13)"
+    ],
+    "vector": "Kubeflow Pipelines is the workflow-orchestration component of Kubeflow. Its Pipeline View web UI renders the pipeline description field without neutralizing HTML, so a user who can create/edit a pipeline stores markup (a script payload) that executes in the browser of every other user who views that pipeline - a stored XSS (CWE-79) that can hijack sessions and act as those users in the MLOps console.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / UI:R - requires a victim to view the pipeline (stored) or follow a crafted link (reflected); scope-changed (S:C) because script runs in the authenticated console origin.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is applying the upstream fix (commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d) or later; redeploy the Kubeflow console, no host reboot.",
+    "vendor_update_paths": [
+      "Apply the upstream fix (commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d) or later. Neutralize/encode all user-controlled fields rendered in the Kubeflow console (HTML-encode output, use a strict Content-Security-Policy, and set session cookies HttpOnly) so stored or reflected markup cannot execute."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input/output validation does not neutralize user-controlled fields before the MLOps console renders them.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat script injected into the MLOps console UI as an execution channel against other users.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not require output encoding / CSP on the MLOps console.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate MLOps-console XSS as a session-hijack surface.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-console XSS / session hijack as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for output encoding / CSP on AI-platform consoles.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps consoles.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1059.007",
+      "T1185",
+      "T1539"
+    ],
+    "rwep_score": 19,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 14,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Low (RWEP 19, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=14 (client-side stored XSS - session hijack within the console, not host RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-9526",
+    "cwe_refs": [
+      "CWE-79"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Kubeflow pipeline description / metadata fields containing HTML or <script> markup rather than plain text.",
+        "Script executing in the Kubeflow console origin that reads session tokens or issues console API calls as the viewing user.",
+        "Kubeflow Pipelines builds before the commit 930c35f1 fix with the console reachable by multiple users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm) and NVD CVE-2024-9526 (CWE-79)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-9526",
+      "https://github.com/advisories/GHSA-rm25-8wjq-c6qm"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-9526",
+        "url": "https://github.com/advisories/GHSA-rm25-8wjq-c6qm",
+        "severity": "medium",
+        "published_date": "2024-11-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-9526",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9526",
+        "severity": "medium",
+        "published_date": "2024-11-18"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm, CWE-79) + NVD (CVSS v3.1 5.4; Google CNA v4.0 7.1). Kubeflow MLOps-console flaw; introduces the AI-platform web-UI output-encoding (XSS) control NEW-CTRL-107.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Kubeflow Pipelines renders the pipeline description field without HTML neutralization, so stored markup runs in every viewer's browser (CWE-79 stored XSS); fixed upstream (commit 930c35f1)."
+  },
+  "CVE-2023-6571": {
+    "name": "Kubeflow Reflected XSS",
+    "type": "Reflected XSS",
+    "cvss_score": 6.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 6.1 (MEDIUM); huntr.dev (CNA) rates it 5.4. Kubeflow reflects attacker-controlled input into a web page without neutralization, so a crafted link executes script in the victim's browser (CWE-79 reflected XSS).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf): send a victim a crafted link that reflects script into their Kubeflow session.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf). The abused surface is Kubeflow, a widely used MLOps orchestration platform / console.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing output encoding in an MLOps console web UI.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Kubeflow 1.7.0.",
+    "affected_versions": [
+      "Kubeflow 1.7.0"
+    ],
+    "vector": "Kubeflow reflects attacker-controlled request input back into a web page without neutralizing it, so a victim who follows a crafted link executes attacker script in their authenticated Kubeflow session - a reflected XSS (CWE-79) that can hijack the session and act in the MLOps console as the victim.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / UI:R - requires a victim to view the pipeline (stored) or follow a crafted link (reflected); scope-changed (S:C) because script runs in the authenticated console origin.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is applying the upstream huntr-coordinated fix (upgrade to a build after 1.7.0); redeploy the Kubeflow console, no host reboot.",
+    "vendor_update_paths": [
+      "Apply the upstream huntr-coordinated fix (upgrade to a build after 1.7.0). Neutralize/encode all user-controlled fields rendered in the Kubeflow console (HTML-encode output, use a strict Content-Security-Policy, and set session cookies HttpOnly) so stored or reflected markup cannot execute."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input/output validation does not neutralize user-controlled fields before the MLOps console renders them.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat script injected into the MLOps console UI as an execution channel against other users.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not require output encoding / CSP on the MLOps console.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate MLOps-console XSS as a session-hijack surface.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-console XSS / session hijack as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for output encoding / CSP on AI-platform consoles.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps consoles.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1059.007",
+      "T1189",
+      "T1539"
+    ],
+    "rwep_score": 15,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 10,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Low (RWEP 15, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=10 (client-side reflected XSS - session hijack within the console, not host RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-6571",
+    "cwe_refs": [
+      "CWE-79"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Crafted Kubeflow console URLs reflecting <script> or event-handler payloads in their parameters.",
+        "Script executing in the Kubeflow console origin that reads session tokens or issues console API calls as the viewing user.",
+        "Kubeflow 1.7.0 with the console reachable by multiple users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf) and NVD CVE-2023-6571 (CWE-79)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-6571",
+      "https://github.com/advisories/GHSA-7rvc-xw75-43jf"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-6571",
+        "url": "https://github.com/advisories/GHSA-7rvc-xw75-43jf",
+        "severity": "medium",
+        "published_date": "2023-12-14"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-6571",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6571",
+        "severity": "medium",
+        "published_date": "2023-12-14"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf, CWE-79) + NVD (CVSS v3.1 6.1; huntr CNA 5.4). Kubeflow MLOps-console flaw; introduces the AI-platform web-UI output-encoding (XSS) control NEW-CTRL-107.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Kubeflow reflects attacker input into a page without neutralization, so a crafted link runs script in the victim's session (CWE-79 reflected XSS); fixed upstream (post-1.7.0)."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -259,10 +259,12 @@
     ],
     "evidence_cves": [
       "CVE-2021-26829",
+      "CVE-2023-6571",
       "CVE-2024-11182",
       "CVE-2024-27132",
       "CVE-2024-27443",
       "CVE-2024-42009",
+      "CVE-2024-9526",
       "CVE-2025-27915",
       "CVE-2025-48700",
       "CVE-2025-66376",

package/data/framework-control-gaps.json

@@ -45,6 +45,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -69,6 +70,7 @@
       "CVE-2024-50050",
       "CVE-2024-5565",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -1282,6 +1284,7 @@
     "evidence_cves": [
       "CVE-2023-43472",
       "CVE-2023-6016",
+      "CVE-2023-6571",
       "CVE-2024-12366",
       "CVE-2024-24590",
       "CVE-2024-24591",
@@ -1289,6 +1292,7 @@
       "CVE-2024-37052",
       "CVE-2024-37060",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-27520",
@@ -2361,6 +2365,7 @@
     "evidence_cves": [
       "CVE-2022-36551",
       "CVE-2023-44467",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -2378,6 +2383,7 @@
       "CVE-2024-39722",
       "CVE-2024-50050",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-1550",
@@ -2842,9 +2848,11 @@
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
       "CVE-2023-6016",
+      "CVE-2023-6571",
       "CVE-2024-12366",
       "CVE-2024-2912",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-11837",
       "CVE-2025-27520",
       "CVE-2025-3248",
@@ -5036,9 +5044,11 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2023-3519",
+      "CVE-2023-6571",
       "CVE-2024-12366",
       "CVE-2024-2912",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-27520",
       "CVE-2026-0300",
       "CVE-2026-42945"
@@ -5087,6 +5097,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5113,6 +5124,7 @@
       "CVE-2024-50050",
       "CVE-2024-5565",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5668,6 +5680,7 @@
       "CVE-2023-51449",
       "CVE-2023-6016",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5692,6 +5705,7 @@
       "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5778,6 +5792,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5804,6 +5819,7 @@
       "CVE-2024-50050",
       "CVE-2024-5565",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",

package/data/zeroday-lessons.json

@@ -4711,6 +4711,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-9526": {
+    "name": "Kubeflow Pipelines Stored XSS in Pipeline View",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Kubeflow Pipelines renders the pipeline description field without neutralizing HTML, so attacker-stored markup executes in the browser of every user who views the pipeline.",
+      "privileges_required": "low (a user who can create/edit a pipeline; payload then fires for all viewers)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Kubeflow MLOps console - the control plane operators use to run ML pipelines. The lesson: an MLOps console is a multi-user trust boundary; unencoded user fields let one user's stored markup hijack every operator's authenticated session and act in the ML control plane as them."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "User-controlled fields are not neutralized/encoded before the MLOps console renders them."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Script injected into the console UI is not treated as an execution channel against other operators."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "MLOps consoles are deployed on trusted-team assumptions and render user-supplied pipeline metadata; output encoding and CSP are frequently missing, and audits rarely test console XSS.",
+      "theater_pattern": "mlops_console_xss"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-107",
+        "name": "AI-PLATFORM-WEB-UI-OUTPUT-ENCODING-XSS",
+        "description": "An AI/MLOps platform console (Kubeflow, pipeline dashboards, experiment UIs) must neutralize every user-controlled field it renders: HTML-encode output, never render stored description/metadata fields as raw HTML, set a strict Content-Security-Policy, and mark session cookies HttpOnly so injected script cannot read them. Treat the console as a multi-user trust boundary - one user's stored input is rendered in every other operator's authenticated session. The distinguishing test: store an HTML/script payload in a pipeline description (or craft a reflecting link) on a staging console and confirm it renders inert text, not executing script - a console that executes stored or reflected markup lets an attacker hijack operators' sessions and act in the MLOps control plane as them.",
+        "evidence": "https://github.com/advisories/GHSA-rm25-8wjq-c6qm",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-6571": {
+    "name": "Kubeflow Reflected XSS",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Kubeflow reflects attacker-controlled request input into a web page without neutralization, so a victim who follows a crafted link executes attacker script in their authenticated Kubeflow session.",
+      "privileges_required": "none (the victim follows a crafted link)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Kubeflow MLOps console - the control plane operators use to run ML pipelines. The lesson: an MLOps console is a multi-user trust boundary; unencoded user fields let one user's reflected markup hijack every operator's authenticated session and act in the ML control plane as them."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "User-controlled fields are not neutralized/encoded before the MLOps console renders them."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Script injected into the console UI is not treated as an execution channel against other operators."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "MLOps consoles are deployed on trusted-team assumptions and render user-supplied pipeline metadata; output encoding and CSP are frequently missing, and audits rarely test console XSS.",
+      "theater_pattern": "mlops_console_xss"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-107",
+        "name": "AI-PLATFORM-WEB-UI-OUTPUT-ENCODING-XSS",
+        "description": "An AI/MLOps platform console (Kubeflow, pipeline dashboards, experiment UIs) must neutralize every user-controlled field it renders: HTML-encode output, never render stored description/metadata fields as raw HTML, set a strict Content-Security-Policy, and mark session cookies HttpOnly so injected script cannot read them. Treat the console as a multi-user trust boundary - one user's stored input is rendered in every other operator's authenticated session. The distinguishing test: store an HTML/script payload in a pipeline description (or craft a reflecting link) on a staging console and confirm it renders inert text, not executing script - a console that executes stored or reflected markup lets an attacker hijack operators' sessions and act in the MLOps control plane as them.",
+        "evidence": "https://github.com/advisories/GHSA-7rvc-xw75-43jf",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2026-31230": {
     "name": "Adversarial Robustness Toolbox CLI Argument Dynamic-Evaluation Code Execution",
     "lesson_date": "2026-05-25",