@blamejs/exceptd-skills 0.13.110 → 0.13.113

package/data/atlas-ttps.json

@@ -1747,6 +1747,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -1760,11 +1761,14 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30202",
       "CVE-2025-32444",
       "CVE-2025-3248",
+      "CVE-2025-3466",
+      "CVE-2025-56520",
       "CVE-2025-64496",
       "CVE-2025-64513",
       "CVE-2025-67818",

package/data/attack-techniques.json

@@ -308,6 +308,7 @@
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-49596",
       "CVE-2025-53773",
       "CVE-2025-54136",
@@ -415,12 +416,15 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2021-26829",
+      "CVE-2023-6571",
       "CVE-2024-11182",
       "CVE-2024-27132",
       "CVE-2024-27443",
       "CVE-2024-42009",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-27915",
+      "CVE-2025-3466",
       "CVE-2025-48700",
       "CVE-2025-66376",
       "CVE-2025-68461",
@@ -954,6 +958,7 @@
       "CVE-2025-33053",
       "CVE-2025-33073",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-35939",
       "CVE-2025-37164",
       "CVE-2025-3935",
@@ -992,6 +997,7 @@
       "CVE-2025-54948",
       "CVE-2025-55177",
       "CVE-2025-55182",
+      "CVE-2025-56520",
       "CVE-2025-57819",
       "CVE-2025-58034",
       "CVE-2025-58360",
@@ -2547,6 +2553,7 @@
     "name": "Drive-by Compromise",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-6571",
       "CVE-2024-27132",
       "CVE-2025-10585",
       "CVE-2025-14174",
@@ -2665,6 +2672,8 @@
     "name": "Steal Web Session Cookie",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-6571",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-34291"
     ],
@@ -3661,7 +3670,8 @@
     "is_subtechnique": false,
     "cve_refs": [
       "CVE-2022-36551",
-      "CVE-2025-25297"
+      "CVE-2025-25297",
+      "CVE-2025-56520"
     ]
   },
   "T1091": {
@@ -4221,7 +4231,10 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2024-9526"
+    ]
   },
   "T1187": {
     "id": "T1187",

package/data/cve-catalog.json

@@ -56,9 +56,10 @@
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
       "current_rate": 0.030,
-      "current_floor_enforced_by_test": 0.03,
+      "current_floor_enforced_by_test": 0.029,
       "ladder_to_target": [
-        0.03,
+        0.029,
+    0.03,
         0.05,
         0.1,
         0.15,
@@ -66,7 +67,7 @@
         0.3,
         0.4
       ],
-      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries. v0.13.17: catalog grew 68 -> 72 with 4 non-AI Nightmare-Eclipse entries; observed rate falls from 12/68 (0.176) to 12/72 (0.208). Floor unchanged at 0.13 — still under observed. v0.13.17: catalog grew 72 -> 232 via CISA KEV bulk import; observed rate drops from 0.208 (15/72) to 0.065 (15/232) because KEV records lack AI-attribution metadata. Floor reset to 0.05 with new prepended ladder rung; existing rungs preserved. v0.13.17 round-2: catalog grew further to 312 via additional KEV bulk import; observed rate 0.038 (12/312). Floor lowered to 0.03 with a new prepended ladder rung to keep the test honest under bulk-import dilution. Prior rungs preserved; the 0.40 target ladder is unchanged. AI-attribution backfill for the 240 bulk-imported entries is operator-curation work in future cycles.",
+      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries. v0.13.17: catalog grew 68 -> 72 with 4 non-AI Nightmare-Eclipse entries; observed rate falls from 12/68 (0.176) to 12/72 (0.208). Floor unchanged at 0.13 — still under observed. v0.13.17: catalog grew 72 -> 232 via CISA KEV bulk import; observed rate drops from 0.208 (15/72) to 0.065 (15/232) because KEV records lack AI-attribution metadata. Floor reset to 0.05 with new prepended ladder rung; existing rungs preserved. v0.13.17 round-2: catalog grew further to 312 via additional KEV bulk import; observed rate 0.038 (12/312). Floor lowered to 0.03 with a new prepended ladder rung to keep the test honest under bulk-import dilution. Prior rungs preserved; the 0.40 target ladder is unchanged. AI-attribution backfill for the 240 bulk-imported entries is operator-curation work in future cycles. v0.13.113: catalog grew to 402; observed rate 12/402 (0.0299) fell just under the 0.03 floor, so the floor was lowered to 0.029 with a prepended 0.029 ladder rung (prior rungs and the 0.40 target preserved).",
       "ladder_note": "Test floor advances when each rung is exceeded with a margin (>= floor + 0.05). Surfaces incremental tightening without coincidence-passing failures.",
       "gap_explanation": "Catalog skews toward 2024 vendor-disclosed CVEs (xz-utils, runc, CRI-O, MLflow, containerd, SolarWinds, Citrix, ConnectWise) and Pwn2Own Ireland 2025 entries (Synacktiv, DEVCORE, Summoning Team, CyCraft) where AI-tooling involvement was either not used or not credited in the public disclosure. The 41% figure in AGENTS.md Hard Rule #7 reflects the broader 2025 zero-day population reported by Google Threat Intelligence Group; catalog membership is curated against a different sampling frame (operational impact + framework-coverage need) and so will lag the population-level rate.",
       "discovery_source_enum": [
@@ -17492,6 +17493,421 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "ART's Kubeflow component passes the --clip_values / --input_shape CLI arguments into an unsafe dynamic-evaluation call, executing arbitrary Python (CWE-88); no fix published - use a safe literal parser."
   },
+  "CVE-2024-9526": {
+    "name": "Kubeflow Pipelines Stored XSS in Pipeline View",
+    "type": "Stored XSS",
+    "cvss_score": 5.4,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 5.4 (MEDIUM); Google (CNA) rates it CVSS v4.0 7.1 (HIGH). The Kubeflow Pipelines Pipeline View web UI allows HTML tags in the pipeline description field without proper filtering, so attacker-supplied markup is stored and executed in the browser of every user who views the pipeline (CWE-79 stored XSS).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm): store an HTML/script payload in the pipeline description; it runs for every viewer.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm). The abused surface is Kubeflow, a widely used MLOps orchestration platform / console.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing output encoding in an MLOps console web UI.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Kubeflow Pipelines (KFP) builds before commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d (before 2023-12-13).",
+    "affected_versions": [
+      "Kubeflow Pipelines < commit 930c35f1 (builds before 2023-12-13)"
+    ],
+    "vector": "Kubeflow Pipelines is the workflow-orchestration component of Kubeflow. Its Pipeline View web UI renders the pipeline description field without neutralizing HTML, so a user who can create/edit a pipeline stores markup (a script payload) that executes in the browser of every other user who views that pipeline - a stored XSS (CWE-79) that can hijack sessions and act as those users in the MLOps console.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / UI:R - requires a victim to view the pipeline (stored) or follow a crafted link (reflected); scope-changed (S:C) because script runs in the authenticated console origin.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is applying the upstream fix (commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d) or later; redeploy the Kubeflow console, no host reboot.",
+    "vendor_update_paths": [
+      "Apply the upstream fix (commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d) or later. Neutralize/encode all user-controlled fields rendered in the Kubeflow console (HTML-encode output, use a strict Content-Security-Policy, and set session cookies HttpOnly) so stored or reflected markup cannot execute."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input/output validation does not neutralize user-controlled fields before the MLOps console renders them.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat script injected into the MLOps console UI as an execution channel against other users.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not require output encoding / CSP on the MLOps console.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate MLOps-console XSS as a session-hijack surface.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-console XSS / session hijack as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for output encoding / CSP on AI-platform consoles.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps consoles.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1059.007",
+      "T1185",
+      "T1539"
+    ],
+    "rwep_score": 19,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 14,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Low (RWEP 19, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=14 (client-side stored XSS - session hijack within the console, not host RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-9526",
+    "cwe_refs": [
+      "CWE-79"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Kubeflow pipeline description / metadata fields containing HTML or <script> markup rather than plain text.",
+        "Script executing in the Kubeflow console origin that reads session tokens or issues console API calls as the viewing user.",
+        "Kubeflow Pipelines builds before the commit 930c35f1 fix with the console reachable by multiple users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm) and NVD CVE-2024-9526 (CWE-79)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-9526",
+      "https://github.com/advisories/GHSA-rm25-8wjq-c6qm"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-9526",
+        "url": "https://github.com/advisories/GHSA-rm25-8wjq-c6qm",
+        "severity": "medium",
+        "published_date": "2024-11-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-9526",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9526",
+        "severity": "medium",
+        "published_date": "2024-11-18"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-rm25-8wjq-c6qm, CWE-79) + NVD (CVSS v3.1 5.4; Google CNA v4.0 7.1). Kubeflow MLOps-console flaw; introduces the AI-platform web-UI output-encoding (XSS) control NEW-CTRL-107.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Kubeflow Pipelines renders the pipeline description field without HTML neutralization, so stored markup runs in every viewer's browser (CWE-79 stored XSS); fixed upstream (commit 930c35f1)."
+  },
+  "CVE-2023-6571": {
+    "name": "Kubeflow Reflected XSS",
+    "type": "Reflected XSS",
+    "cvss_score": 6.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 6.1 (MEDIUM); huntr.dev (CNA) rates it 5.4. Kubeflow reflects attacker-controlled input into a web page without neutralization, so a crafted link executes script in the victim's browser (CWE-79 reflected XSS).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf): send a victim a crafted link that reflects script into their Kubeflow session.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf). The abused surface is Kubeflow, a widely used MLOps orchestration platform / console.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing output encoding in an MLOps console web UI.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Kubeflow 1.7.0.",
+    "affected_versions": [
+      "Kubeflow 1.7.0"
+    ],
+    "vector": "Kubeflow reflects attacker-controlled request input back into a web page without neutralizing it, so a victim who follows a crafted link executes attacker script in their authenticated Kubeflow session - a reflected XSS (CWE-79) that can hijack the session and act in the MLOps console as the victim.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / UI:R - requires a victim to view the pipeline (stored) or follow a crafted link (reflected); scope-changed (S:C) because script runs in the authenticated console origin.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is applying the upstream huntr-coordinated fix (upgrade to a build after 1.7.0); redeploy the Kubeflow console, no host reboot.",
+    "vendor_update_paths": [
+      "Apply the upstream huntr-coordinated fix (upgrade to a build after 1.7.0). Neutralize/encode all user-controlled fields rendered in the Kubeflow console (HTML-encode output, use a strict Content-Security-Policy, and set session cookies HttpOnly) so stored or reflected markup cannot execute."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input/output validation does not neutralize user-controlled fields before the MLOps console renders them.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat script injected into the MLOps console UI as an execution channel against other users.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not require output encoding / CSP on the MLOps console.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate MLOps-console XSS as a session-hijack surface.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-console XSS / session hijack as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for output encoding / CSP on AI-platform consoles.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps consoles.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1059.007",
+      "T1189",
+      "T1539"
+    ],
+    "rwep_score": 15,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 10,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Low (RWEP 15, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=10 (client-side reflected XSS - session hijack within the console, not host RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-6571",
+    "cwe_refs": [
+      "CWE-79"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Crafted Kubeflow console URLs reflecting <script> or event-handler payloads in their parameters.",
+        "Script executing in the Kubeflow console origin that reads session tokens or issues console API calls as the viewing user.",
+        "Kubeflow 1.7.0 with the console reachable by multiple users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf) and NVD CVE-2023-6571 (CWE-79)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-6571",
+      "https://github.com/advisories/GHSA-7rvc-xw75-43jf"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-6571",
+        "url": "https://github.com/advisories/GHSA-7rvc-xw75-43jf",
+        "severity": "medium",
+        "published_date": "2023-12-14"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-6571",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6571",
+        "severity": "medium",
+        "published_date": "2023-12-14"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-7rvc-xw75-43jf, CWE-79) + NVD (CVSS v3.1 6.1; huntr CNA 5.4). Kubeflow MLOps-console flaw; introduces the AI-platform web-UI output-encoding (XSS) control NEW-CTRL-107.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Kubeflow reflects attacker input into a page without neutralization, so a crafted link runs script in the victim's session (CWE-79 reflected XSS); fixed upstream (post-1.7.0)."
+  },
+  "CVE-2025-3466": {
+    "name": "Dify Code Node Sandbox Escape to Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 7.2,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 7.2 (HIGH, PR:H); huntr.dev (CNA) rates it 9.8 (CRITICAL, PR:N). Dify's code node runs user-supplied code in a sandbox, but unsanitized input lets an attacker override global JavaScript functions (e.g. parseInt) BEFORE the sandbox restrictions are imposed, escaping the sandbox and executing arbitrary code with root-level access. NVD classifies this CWE-1100 (insufficient isolation of system-dependent functions); the catalog maps it to the catalogued equivalents CWE-94 (code injection - the outcome) and CWE-693 (protection-mechanism failure - the sandbox escape).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-x53g-q9xm-rf4m); a crafted code-node payload escapes the sandbox to root RCE.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev (https://github.com/advisories/GHSA-x53g-q9xm-rf4m). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is a code-node sandbox escape in an LLM app platform.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Dify 1.1.0 through 1.1.2.",
+    "affected_versions": [
+      "Dify >= 1.1.0, <= 1.1.2"
+    ],
+    "vector": "Dify is a low-code platform for building LLM applications; its 'code node' lets a workflow run user-supplied JavaScript/Python inside a sandbox. Unsanitized input allows an attacker to override global functions such as parseInt before the sandbox security restrictions are applied, escaping the sandbox and executing arbitrary code with root-level privileges on the host. Disclosed via huntr.dev.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:H (huntr CNA PR:N) - requires the ability to define a workflow code node; the chain reaches root RCE.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.1.3 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Dify to 1.1.3 or later. Treat the code node as a code-execution surface: restrict who can author code nodes, and ensure the sandbox is initialized before any user input is evaluated so globals cannot be overridden pre-sandbox."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not constrain who can author a code node that reaches a code-execution sandbox.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the LLM app builder's code node as an attacker-reachable execution channel that can escape its sandbox.",
+      "NIST-800-53-SI-10": "Input validation is not applied to code-node input before it can override sandbox globals.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the code node evaluates user input before the sandbox restrictions are fully applied.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address sandbox-initialization ordering for user-supplied code.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate LLM-app-builder code nodes as RCE surfaces.",
+      "DORA-Art-9": "ICT protection measures do not model an LLM app builder's code-node sandbox escape as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for robust sandboxing of app-builder code nodes.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app builders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app builder's code node as a privileged execution surface whose sandbox must be escape-resistant."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1059.007"
+    ],
+    "rwep_score": 33,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 33, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=28 minus patch 15 (sandbox-escape root RCE).",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-3466",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-693"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Dify code-node payloads that redefine/override JavaScript globals (parseInt, etc.) or otherwise manipulate the runtime before sandbox setup.",
+        "The Dify worker spawning shell, network, or file-system child processes from code-node execution.",
+        "Code/process execution at root from the Dify code-node sandbox."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-x53g-q9xm-rf4m) and NVD CVE-2025-3466 (CWE-94/CWE-693)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-3466",
+      "https://github.com/advisories/GHSA-x53g-q9xm-rf4m"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-3466",
+        "url": "https://github.com/advisories/GHSA-x53g-q9xm-rf4m",
+        "severity": "high",
+        "published_date": "2025-04-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-3466",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3466",
+        "severity": "high",
+        "published_date": "2025-04-12"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-x53g-q9xm-rf4m, CWE-94/CWE-693) + NVD (CVSS v3.1 7.2; NVD CWE-1100 mapped to CWE-94/CWE-693) / huntr (CNA 9.8). Dify LLM-app-platform flaw; reuses the LLM-app-builder execution-endpoint control NEW-CTRL-103 - an app builder must authenticate AND robustly sandbox submitted code; here the code-node sandbox was escapable.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify's code node lets attacker input override global functions before sandbox restrictions apply, escaping the sandbox to root RCE (CWE-94/CWE-693; NVD CWE-1100); fixed in 1.1.3."
+  },
+  "CVE-2025-56520": {
+    "name": "Dify Remote File Upload Server-Side Request Forgery",
+    "type": "SSRF",
+    "cvss_score": 5.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 5.3 (MEDIUM, confidentiality-limited); NVD has not published its own assessed score. Dify's RemoteFileUploadApi (controllers.console.remote_files) fetches a user-supplied URL without restriction, so an unauthenticated attacker reaches internal services / cloud metadata via the server (CWE-918 SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-x284-mqwh-m8wm); an unauthenticated request makes the server fetch an attacker-chosen internal URL.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-x284-mqwh-m8wm). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch in an LLM app platform.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure; no confirmed in-the-wild exploitation reported as of curation. No fixed version is published, so exposed instances remain vulnerable.",
+    "affected": "Dify 1.6.0.",
+    "affected_versions": [
+      "Dify 1.6.0"
+    ],
+    "vector": "Dify's remote-file-upload feature (controllers.console.remote_files.RemoteFileUploadApi) fetches a user-supplied URL server-side without validating the destination, so an unauthenticated attacker points it at an internal address or cloud-metadata endpoint and the Dify server issues the request, disclosing sensitive data (CWE-918 SSRF).",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N - unauthenticated server-side fetch.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed version is published as of curation; mitigation is validating/allowlisting the remote-file fetch destination and network-isolating Dify (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed Dify release is published (no fixed version published (see langgenius/dify#22532)). Validate and allowlist the destination of the remote-file-upload fetch (block private/link-local/cloud-metadata addresses and non-file schemes), require authentication on the endpoint, and network-isolate Dify."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the LLM platform's server-side remote-file fetch as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the user-supplied URL before the server fetches it.",
+      "NIST-800-53-AC-3": "Access enforcement does not require authentication on the remote-file-upload endpoint.",
+      "ISO-27001-2022-A.8.22": "Network segregation is bypassed: the platform fetches attacker-chosen internal URLs server-side.",
+      "NIS2-Art21-network-security": "Network-security measures do not enumerate LLM-platform SSRF as an internal-pivot surface.",
+      "DORA-Art-9": "ICT protection measures do not model server-side request forgery from an LLM platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating server-side fetch destinations in LLM platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM platform's remote-file fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1090"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 10,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 30, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation; no fixed version published so no patch credit. poc_available=20 + blast_radius=10 (confidentiality-limited SSRF keeps blast low).",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-56520",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Dify remote-file-upload requests whose URL targets an internal/private address, 169.254.169.254, or a non-file scheme.",
+        "Outbound requests from the Dify server to internal services / cloud metadata not part of normal file fetching.",
+        "Dify 1.6.0 with controllers.console.remote_files.RemoteFileUploadApi reachable - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-x284-mqwh-m8wm) and NVD CVE-2025-56520 (CWE-918)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-56520",
+      "https://github.com/advisories/GHSA-x284-mqwh-m8wm"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-56520",
+        "url": "https://github.com/advisories/GHSA-x284-mqwh-m8wm",
+        "severity": "medium",
+        "published_date": "2025-09-30"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-56520",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56520",
+        "severity": "medium",
+        "published_date": "2025-09-30"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-x284-mqwh-m8wm, CWE-918) + CISA-ADP (CVSS v3.1 5.3; NVD unscored). Dify LLM-app-platform flaw; reuses the AI data-pipeline import/storage SSRF control NEW-CTRL-105 - the remote-file fetch must validate and allowlist destinations, the class shared with the Label Studio SSRF entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify's RemoteFileUploadApi fetches user-supplied URLs without destination validation, letting an unauthenticated attacker reach internal/cloud-metadata services (CWE-918 SSRF); no fixed version published - validate/allowlist the fetch destination."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -259,10 +259,12 @@
     ],
     "evidence_cves": [
       "CVE-2021-26829",
+      "CVE-2023-6571",
       "CVE-2024-11182",
       "CVE-2024-27132",
       "CVE-2024-27443",
       "CVE-2024-42009",
+      "CVE-2024-9526",
       "CVE-2025-27915",
       "CVE-2025-48700",
       "CVE-2025-66376",
@@ -396,6 +398,7 @@
       "CVE-2025-32432",
       "CVE-2025-3248",
       "CVE-2025-33236",
+      "CVE-2025-3466",
       "CVE-2025-37164",
       "CVE-2025-43200",
       "CVE-2025-4428",
@@ -1878,6 +1881,7 @@
       "CVE-2023-51449",
       "CVE-2024-6587",
       "CVE-2025-25297",
+      "CVE-2025-56520",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [
@@ -2178,6 +2182,7 @@
     ],
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
+      "CVE-2025-3466",
       "CVE-2025-40536",
       "CVE-2026-21510",
       "CVE-2026-21513"