@blamejs/exceptd-skills 0.13.110 → 0.13.113

package/data/framework-control-gaps.json

@@ -45,6 +45,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -69,6 +70,7 @@
       "CVE-2024-50050",
       "CVE-2024-5565",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -82,8 +84,10 @@
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-56520",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
@@ -1248,7 +1252,8 @@
       "CVE-2024-0132",
       "CVE-2024-21626",
       "CVE-2025-23266",
-      "CVE-2025-25297"
+      "CVE-2025-25297",
+      "CVE-2025-56520"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1282,6 +1287,7 @@
     "evidence_cves": [
       "CVE-2023-43472",
       "CVE-2023-6016",
+      "CVE-2023-6571",
       "CVE-2024-12366",
       "CVE-2024-24590",
       "CVE-2024-24591",
@@ -1289,10 +1295,12 @@
       "CVE-2024-37052",
       "CVE-2024-37060",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-27520",
       "CVE-2025-3248",
+      "CVE-2025-3466",
       "CVE-2025-6965",
       "CVE-2026-30623",
       "CVE-2026-31229",
@@ -2131,6 +2139,7 @@
       "CVE-2024-5565",
       "CVE-2025-27520",
       "CVE-2025-3248",
+      "CVE-2025-3466",
       "CVE-2025-49844",
       "CVE-2025-53773",
       "CVE-2026-30615",
@@ -2291,6 +2300,7 @@
       "CVE-2025-30202",
       "CVE-2025-32444",
       "CVE-2025-53767",
+      "CVE-2025-56520",
       "CVE-2026-34159",
       "CVE-2026-42897"
     ],
@@ -2361,6 +2371,7 @@
     "evidence_cves": [
       "CVE-2022-36551",
       "CVE-2023-44467",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -2378,6 +2389,7 @@
       "CVE-2024-39722",
       "CVE-2024-50050",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-1550",
@@ -2388,6 +2400,8 @@
       "CVE-2025-30165",
       "CVE-2025-32434",
       "CVE-2025-33236",
+      "CVE-2025-3466",
+      "CVE-2025-56520",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-67818",
@@ -2842,12 +2856,15 @@
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
       "CVE-2023-6016",
+      "CVE-2023-6571",
       "CVE-2024-12366",
       "CVE-2024-2912",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-11837",
       "CVE-2025-27520",
       "CVE-2025-3248",
+      "CVE-2025-3466",
       "CVE-2026-22778",
       "CVE-2026-32202",
       "CVE-2026-33017",
@@ -5036,10 +5053,13 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2023-3519",
+      "CVE-2023-6571",
       "CVE-2024-12366",
       "CVE-2024-2912",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-27520",
+      "CVE-2025-3466",
       "CVE-2026-0300",
       "CVE-2026-42945"
     ],
@@ -5087,6 +5107,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5113,6 +5134,7 @@
       "CVE-2024-50050",
       "CVE-2024-5565",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5126,8 +5148,10 @@
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-56520",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
@@ -5204,6 +5228,8 @@
       "CVE-2024-1709",
       "CVE-2025-25297",
       "CVE-2025-3248",
+      "CVE-2025-3466",
+      "CVE-2025-56520",
       "CVE-2026-33017",
       "CVE-2026-39987",
       "CVE-2026-7482"
@@ -5668,6 +5694,7 @@
       "CVE-2023-51449",
       "CVE-2023-6016",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5692,6 +5719,7 @@
       "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2024-5565",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5705,8 +5733,10 @@
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-56520",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-67818",
@@ -5778,6 +5808,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2023-6571",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5804,6 +5835,7 @@
       "CVE-2024-50050",
       "CVE-2024-5565",
       "CVE-2024-6587",
+      "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5817,8 +5849,10 @@
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-56520",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
@@ -6263,6 +6297,7 @@
       "CVE-2022-36551",
       "CVE-2024-21762",
       "CVE-2025-25297",
+      "CVE-2025-56520",
       "CVE-2026-20182"
     ],
     "atlas_refs": [],

package/data/zeroday-lessons.json

@@ -4711,6 +4711,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-9526": {
+    "name": "Kubeflow Pipelines Stored XSS in Pipeline View",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Kubeflow Pipelines renders the pipeline description field without neutralizing HTML, so attacker-stored markup executes in the browser of every user who views the pipeline.",
+      "privileges_required": "low (a user who can create/edit a pipeline; payload then fires for all viewers)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Kubeflow MLOps console - the control plane operators use to run ML pipelines. The lesson: an MLOps console is a multi-user trust boundary; unencoded user fields let one user's stored markup hijack every operator's authenticated session and act in the ML control plane as them."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "User-controlled fields are not neutralized/encoded before the MLOps console renders them."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Script injected into the console UI is not treated as an execution channel against other operators."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "MLOps consoles are deployed on trusted-team assumptions and render user-supplied pipeline metadata; output encoding and CSP are frequently missing, and audits rarely test console XSS.",
+      "theater_pattern": "mlops_console_xss"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-107",
+        "name": "AI-PLATFORM-WEB-UI-OUTPUT-ENCODING-XSS",
+        "description": "An AI/MLOps platform console (Kubeflow, pipeline dashboards, experiment UIs) must neutralize every user-controlled field it renders: HTML-encode output, never render stored description/metadata fields as raw HTML, set a strict Content-Security-Policy, and mark session cookies HttpOnly so injected script cannot read them. Treat the console as a multi-user trust boundary - one user's stored input is rendered in every other operator's authenticated session. The distinguishing test: store an HTML/script payload in a pipeline description (or craft a reflecting link) on a staging console and confirm it renders inert text, not executing script - a console that executes stored or reflected markup lets an attacker hijack operators' sessions and act in the MLOps control plane as them.",
+        "evidence": "https://github.com/advisories/GHSA-rm25-8wjq-c6qm",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-3466": {
+    "name": "Dify Code Node Sandbox Escape to Remote Code Execution",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "Dify's code node runs user-supplied code in a sandbox, but unsanitized input lets an attacker override global functions (e.g. parseInt) before the sandbox restrictions are imposed, escaping the sandbox and executing arbitrary code with root-level access.",
+      "privileges_required": "low (author a workflow code node; the chain reaches root)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Dify, a low-code LLM application-development platform. The lesson: an app builder's code node is a code-execution surface whose sandbox must be initialized before any user input is evaluated and must resist escape."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not constrain who can author a code node reaching a code-execution sandbox."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not treat the LLM app builder's code node as an escapable execution sandbox."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM app builder's code node as a privileged execution surface whose sandbox must be escape-resistant."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Low-code LLM platforms expose code nodes for flexibility; sandbox-initialization ordering and authorship restrictions are rarely audited.",
+      "theater_pattern": "ai_app_builder_unauth_exec"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-103",
+        "name": "AI-APP-BUILDER-EXECUTION-ENDPOINT-AUTH-AND-SANDBOX",
+        "description": "A visual LLM app/agent builder (Langflow, Flowise, and similar) must authenticate every endpoint that can reach a code-execution path - validate-code, flow-build, flow-run, public-flow endpoints - and must never run flow-supplied or request-supplied code through a compile-and-run / dynamic-evaluation path with host privileges. Place the builder behind authenticated access control, never expose it to untrusted networks, and sandbox any code the platform executes on a user's behalf (no filesystem/network/process access beyond the flow's intent). The distinguishing test: send an unauthenticated request to each flow validate/build/run endpoint on a staging instance with a payload that attempts a non-flow action (a shell or network call) and confirm it is refused before any code runs - paper 'AI platform' policies that leave a public endpoint wired to a code-execution sink still permit unauthenticated RCE.",
+        "evidence": "https://www.vulncheck.com/blog/langflow-rce",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-56520": {
+    "name": "Dify Remote File Upload Server-Side Request Forgery",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "Dify's RemoteFileUploadApi fetches a user-supplied URL server-side without validating the destination, so an unauthenticated attacker reaches internal services or cloud metadata via the Dify server.",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Dify, a low-code LLM application-development platform. The lesson: an LLM platform's server-side fetches must validate and allowlist destinations or become an SSRF pivot."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the LLM platform's server-side remote-file fetch as an egress that can reach internal services."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the user-supplied URL before the server fetches it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM platform's remote-file fetch as an egress that must validate and allowlist destinations."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "LLM platforms fetch from user-supplied URLs (remote file upload) on trusted-network assumptions; the fetch destination is not validated.",
+      "theater_pattern": "ai_data_pipeline_ssrf_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-105",
+        "name": "AI-DATA-PIPELINE-IMPORT-SSRF-PROTECTION",
+        "description": "An AI data-pipeline platform that fetches from caller-supplied URLs or endpoints (data import, cloud-storage endpoint configuration, webhook/annotation sources) must validate and allowlist the destination before issuing the request: reject private, link-local, and cloud-metadata addresses (169.254.169.254), reject file:// and non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding. Restrict who can configure server-side fetches and disable self-registration if not required. The distinguishing test: configure the import/storage URL to an internal or cloud-metadata address on a staging instance and confirm the server refuses the fetch - a platform that issues the request and returns the response is exploitable for SSRF / internal pivot, regardless of authentication posture.",
+        "evidence": "https://github.com/advisories/GHSA-m238-fmcw-wh58",
+        "gap_closes": [
+          "NIST-800-53-SC-7",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-6571": {
+    "name": "Kubeflow Reflected XSS",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Kubeflow reflects attacker-controlled request input into a web page without neutralization, so a victim who follows a crafted link executes attacker script in their authenticated Kubeflow session.",
+      "privileges_required": "none (the victim follows a crafted link)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the Kubeflow MLOps console - the control plane operators use to run ML pipelines. The lesson: an MLOps console is a multi-user trust boundary; unencoded user fields let one user's reflected markup hijack every operator's authenticated session and act in the ML control plane as them."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "User-controlled fields are not neutralized/encoded before the MLOps console renders them."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Script injected into the console UI is not treated as an execution channel against other operators."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps console's rendering of user-controlled fields as an integrity control whose failure hijacks operators' sessions."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "MLOps consoles are deployed on trusted-team assumptions and render user-supplied pipeline metadata; output encoding and CSP are frequently missing, and audits rarely test console XSS.",
+      "theater_pattern": "mlops_console_xss"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-107",
+        "name": "AI-PLATFORM-WEB-UI-OUTPUT-ENCODING-XSS",
+        "description": "An AI/MLOps platform console (Kubeflow, pipeline dashboards, experiment UIs) must neutralize every user-controlled field it renders: HTML-encode output, never render stored description/metadata fields as raw HTML, set a strict Content-Security-Policy, and mark session cookies HttpOnly so injected script cannot read them. Treat the console as a multi-user trust boundary - one user's stored input is rendered in every other operator's authenticated session. The distinguishing test: store an HTML/script payload in a pipeline description (or craft a reflecting link) on a staging console and confirm it renders inert text, not executing script - a console that executes stored or reflected markup lets an attacker hijack operators' sessions and act in the MLOps control plane as them.",
+        "evidence": "https://github.com/advisories/GHSA-7rvc-xw75-43jf",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2026-31230": {
     "name": "Adversarial Robustness Toolbox CLI Argument Dynamic-Evaluation Code Execution",
     "lesson_date": "2026-05-25",