@blamejs/exceptd-skills 0.13.112 → 0.13.114

package/data/atlas-ttps.json

@@ -1748,6 +1748,7 @@
       "CVE-2023-6021",
       "CVE-2023-6038",
       "CVE-2023-6571",
+      "CVE-2024-12776",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -1762,11 +1763,14 @@
       "CVE-2024-4889",
       "CVE-2024-6587",
       "CVE-2024-9526",
+      "CVE-2025-1796",
       "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30202",
       "CVE-2025-32444",
       "CVE-2025-3248",
+      "CVE-2025-3466",
+      "CVE-2025-56520",
       "CVE-2025-64496",
       "CVE-2025-64513",
       "CVE-2025-67818",

package/data/attack-techniques.json

@@ -308,6 +308,7 @@
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-49596",
       "CVE-2025-53773",
       "CVE-2025-54136",
@@ -423,6 +424,7 @@
       "CVE-2024-9526",
       "CVE-2025-0133",
       "CVE-2025-27915",
+      "CVE-2025-3466",
       "CVE-2025-48700",
       "CVE-2025-66376",
       "CVE-2025-68461",
@@ -528,8 +530,10 @@
       "CVE-2023-27351",
       "CVE-2023-43791",
       "CVE-2023-50224",
+      "CVE-2024-12776",
       "CVE-2024-1709",
       "CVE-2024-54085",
+      "CVE-2025-1796",
       "CVE-2025-21085",
       "CVE-2025-2746",
       "CVE-2025-2747",
@@ -774,7 +778,8 @@
     "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials ...",
     "tactic": [
       "Credential Access"
-    ]
+    ],
+    "cve_refs": []
   },
   "T1110.001": {
     "name": "Brute Force: Password Guessing",
@@ -893,6 +898,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2024-12776",
       "CVE-2024-12987",
       "CVE-2024-13059",
       "CVE-2024-1561",
@@ -925,6 +931,7 @@
       "CVE-2025-14733",
       "CVE-2025-14847",
       "CVE-2025-15556",
+      "CVE-2025-1796",
       "CVE-2025-20281",
       "CVE-2025-20333",
       "CVE-2025-20337",
@@ -956,6 +963,7 @@
       "CVE-2025-33053",
       "CVE-2025-33073",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-35939",
       "CVE-2025-37164",
       "CVE-2025-3935",
@@ -994,6 +1002,7 @@
       "CVE-2025-54948",
       "CVE-2025-55177",
       "CVE-2025-55182",
+      "CVE-2025-56520",
       "CVE-2025-57819",
       "CVE-2025-58034",
       "CVE-2025-58360",
@@ -1265,7 +1274,8 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2023-43791",
-      "CVE-2025-14174"
+      "CVE-2025-14174",
+      "CVE-2025-1796"
     ],
     "description_full": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack) Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.",
     "platforms": [
@@ -1722,7 +1732,10 @@
     "stix_id": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84",
     "is_subtechnique": false,
     "last_verified": "2026-05-19",
-    "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts."
+    "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.",
+    "cve_refs": [
+      "CVE-2024-12776"
+    ]
   },
   "T1557": {
     "name": "Adversary-in-the-Middle",
@@ -3666,7 +3679,8 @@
     "is_subtechnique": false,
     "cve_refs": [
       "CVE-2022-36551",
-      "CVE-2025-25297"
+      "CVE-2025-25297",
+      "CVE-2025-56520"
     ]
   },
   "T1091": {

package/data/cve-catalog.json

@@ -56,9 +56,10 @@
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
       "current_rate": 0.030,
-      "current_floor_enforced_by_test": 0.03,
+      "current_floor_enforced_by_test": 0.029,
       "ladder_to_target": [
-        0.03,
+        0.029,
+    0.03,
         0.05,
         0.1,
         0.15,
@@ -66,7 +67,7 @@
         0.3,
         0.4
       ],
-      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries. v0.13.17: catalog grew 68 -> 72 with 4 non-AI Nightmare-Eclipse entries; observed rate falls from 12/68 (0.176) to 12/72 (0.208). Floor unchanged at 0.13 — still under observed. v0.13.17: catalog grew 72 -> 232 via CISA KEV bulk import; observed rate drops from 0.208 (15/72) to 0.065 (15/232) because KEV records lack AI-attribution metadata. Floor reset to 0.05 with new prepended ladder rung; existing rungs preserved. v0.13.17 round-2: catalog grew further to 312 via additional KEV bulk import; observed rate 0.038 (12/312). Floor lowered to 0.03 with a new prepended ladder rung to keep the test honest under bulk-import dilution. Prior rungs preserved; the 0.40 target ladder is unchanged. AI-attribution backfill for the 240 bulk-imported entries is operator-curation work in future cycles.",
+      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries. v0.13.17: catalog grew 68 -> 72 with 4 non-AI Nightmare-Eclipse entries; observed rate falls from 12/68 (0.176) to 12/72 (0.208). Floor unchanged at 0.13 — still under observed. v0.13.17: catalog grew 72 -> 232 via CISA KEV bulk import; observed rate drops from 0.208 (15/72) to 0.065 (15/232) because KEV records lack AI-attribution metadata. Floor reset to 0.05 with new prepended ladder rung; existing rungs preserved. v0.13.17 round-2: catalog grew further to 312 via additional KEV bulk import; observed rate 0.038 (12/312). Floor lowered to 0.03 with a new prepended ladder rung to keep the test honest under bulk-import dilution. Prior rungs preserved; the 0.40 target ladder is unchanged. AI-attribution backfill for the 240 bulk-imported entries is operator-curation work in future cycles. v0.13.113: catalog grew to 402; observed rate 12/402 (0.0299) fell just under the 0.03 floor, so the floor was lowered to 0.029 with a prepended 0.029 ladder rung (prior rungs and the 0.40 target preserved).",
       "ladder_note": "Test floor advances when each rung is exceeded with a margin (>= floor + 0.05). Surfaces incremental tightening without coincidence-passing failures.",
       "gap_explanation": "Catalog skews toward 2024 vendor-disclosed CVEs (xz-utils, runc, CRI-O, MLflow, containerd, SolarWinds, Citrix, ConnectWise) and Pwn2Own Ireland 2025 entries (Synacktiv, DEVCORE, Summoning Team, CyCraft) where AI-tooling involvement was either not used or not credited in the public disclosure. The 41% figure in AGENTS.md Hard Rule #7 reflects the broader 2025 zero-day population reported by Google Threat Intelligence Group; catalog membership is curated against a different sampling frame (operational impact + framework-coverage need) and so will lag the population-level rate.",
       "discovery_source_enum": [
@@ -17698,6 +17699,423 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Kubeflow reflects attacker input into a page without neutralization, so a crafted link runs script in the victim's session (CWE-79 reflected XSS); fixed upstream (post-1.7.0)."
   },
+  "CVE-2025-3466": {
+    "name": "Dify Code Node Sandbox Escape to Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 7.2,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 7.2 (HIGH, PR:H); huntr.dev (CNA) rates it 9.8 (CRITICAL, PR:N). Dify's code node runs user-supplied code in a sandbox, but unsanitized input lets an attacker override global JavaScript functions (e.g. parseInt) BEFORE the sandbox restrictions are imposed, escaping the sandbox and executing arbitrary code with root-level access. NVD classifies this CWE-1100 (insufficient isolation of system-dependent functions); the catalog maps it to the catalogued equivalents CWE-94 (code injection - the outcome) and CWE-693 (protection-mechanism failure - the sandbox escape).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-x53g-q9xm-rf4m); a crafted code-node payload escapes the sandbox to root RCE.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev (https://github.com/advisories/GHSA-x53g-q9xm-rf4m). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is a code-node sandbox escape in an LLM app platform.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Dify 1.1.0 through 1.1.2.",
+    "affected_versions": [
+      "Dify >= 1.1.0, <= 1.1.2"
+    ],
+    "vector": "Dify is a low-code platform for building LLM applications; its 'code node' lets a workflow run user-supplied JavaScript/Python inside a sandbox. Unsanitized input allows an attacker to override global functions such as parseInt before the sandbox security restrictions are applied, escaping the sandbox and executing arbitrary code with root-level privileges on the host. Disclosed via huntr.dev.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:H (huntr CNA PR:N) - requires the ability to define a workflow code node; the chain reaches root RCE.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.1.3 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Dify to 1.1.3 or later. Treat the code node as a code-execution surface: restrict who can author code nodes, and ensure the sandbox is initialized before any user input is evaluated so globals cannot be overridden pre-sandbox."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not constrain who can author a code node that reaches a code-execution sandbox.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the LLM app builder's code node as an attacker-reachable execution channel that can escape its sandbox.",
+      "NIST-800-53-SI-10": "Input validation is not applied to code-node input before it can override sandbox globals.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the code node evaluates user input before the sandbox restrictions are fully applied.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address sandbox-initialization ordering for user-supplied code.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate LLM-app-builder code nodes as RCE surfaces.",
+      "DORA-Art-9": "ICT protection measures do not model an LLM app builder's code-node sandbox escape as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for robust sandboxing of app-builder code nodes.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app builders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app builder's code node as a privileged execution surface whose sandbox must be escape-resistant."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1059.007"
+    ],
+    "rwep_score": 33,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 33, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=28 minus patch 15 (sandbox-escape root RCE).",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-3466",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-693"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Dify code-node payloads that redefine/override JavaScript globals (parseInt, etc.) or otherwise manipulate the runtime before sandbox setup.",
+        "The Dify worker spawning shell, network, or file-system child processes from code-node execution.",
+        "Code/process execution at root from the Dify code-node sandbox."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-x53g-q9xm-rf4m) and NVD CVE-2025-3466 (CWE-94/CWE-693)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-3466",
+      "https://github.com/advisories/GHSA-x53g-q9xm-rf4m"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-3466",
+        "url": "https://github.com/advisories/GHSA-x53g-q9xm-rf4m",
+        "severity": "high",
+        "published_date": "2025-04-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-3466",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3466",
+        "severity": "high",
+        "published_date": "2025-04-12"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / GitHub Security Advisory (https://github.com/advisories/GHSA-x53g-q9xm-rf4m, CWE-94/CWE-693) + NVD (CVSS v3.1 7.2; NVD CWE-1100 mapped to CWE-94/CWE-693) / huntr (CNA 9.8). Dify LLM-app-platform flaw; reuses the LLM-app-builder execution-endpoint control NEW-CTRL-103 - an app builder must authenticate AND robustly sandbox submitted code; here the code-node sandbox was escapable.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify's code node lets attacker input override global functions before sandbox restrictions apply, escaping the sandbox to root RCE (CWE-94/CWE-693; NVD CWE-1100); fixed in 1.1.3."
+  },
+  "CVE-2025-56520": {
+    "name": "Dify Remote File Upload Server-Side Request Forgery",
+    "type": "SSRF",
+    "cvss_score": 5.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 5.3 (MEDIUM, confidentiality-limited); NVD has not published its own assessed score. Dify's RemoteFileUploadApi (controllers.console.remote_files) fetches a user-supplied URL without restriction, so an unauthenticated attacker reaches internal services / cloud metadata via the server (CWE-918 SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-x284-mqwh-m8wm); an unauthenticated request makes the server fetch an attacker-chosen internal URL.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-x284-mqwh-m8wm). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch in an LLM app platform.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure; no confirmed in-the-wild exploitation reported as of curation. No fixed version is published, so exposed instances remain vulnerable.",
+    "affected": "Dify 1.6.0.",
+    "affected_versions": [
+      "Dify 1.6.0"
+    ],
+    "vector": "Dify's remote-file-upload feature (controllers.console.remote_files.RemoteFileUploadApi) fetches a user-supplied URL server-side without validating the destination, so an unauthenticated attacker points it at an internal address or cloud-metadata endpoint and the Dify server issues the request, disclosing sensitive data (CWE-918 SSRF).",
+    "complexity": "low",
+    "complexity_notes": "CISA-ADP AV:N / AC:L / PR:N - unauthenticated server-side fetch.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed version is published as of curation; mitigation is validating/allowlisting the remote-file fetch destination and network-isolating Dify (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed Dify release is published (no fixed version published (see langgenius/dify#22532)). Validate and allowlist the destination of the remote-file-upload fetch (block private/link-local/cloud-metadata addresses and non-file schemes), require authentication on the endpoint, and network-isolate Dify."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the LLM platform's server-side remote-file fetch as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the user-supplied URL before the server fetches it.",
+      "NIST-800-53-AC-3": "Access enforcement does not require authentication on the remote-file-upload endpoint.",
+      "ISO-27001-2022-A.8.22": "Network segregation is bypassed: the platform fetches attacker-chosen internal URLs server-side.",
+      "NIS2-Art21-network-security": "Network-security measures do not enumerate LLM-platform SSRF as an internal-pivot surface.",
+      "DORA-Art-9": "ICT protection measures do not model server-side request forgery from an LLM platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating server-side fetch destinations in LLM platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM platform's remote-file fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1090"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 10,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 30, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation; no fixed version published so no patch credit. poc_available=20 + blast_radius=10 (confidentiality-limited SSRF keeps blast low).",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-56520",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Dify remote-file-upload requests whose URL targets an internal/private address, 169.254.169.254, or a non-file scheme.",
+        "Outbound requests from the Dify server to internal services / cloud metadata not part of normal file fetching.",
+        "Dify 1.6.0 with controllers.console.remote_files.RemoteFileUploadApi reachable - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-x284-mqwh-m8wm) and NVD CVE-2025-56520 (CWE-918)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-56520",
+      "https://github.com/advisories/GHSA-x284-mqwh-m8wm"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-56520",
+        "url": "https://github.com/advisories/GHSA-x284-mqwh-m8wm",
+        "severity": "medium",
+        "published_date": "2025-09-30"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-56520",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56520",
+        "severity": "medium",
+        "published_date": "2025-09-30"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-x284-mqwh-m8wm, CWE-918) + CISA-ADP (CVSS v3.1 5.3; NVD unscored). Dify LLM-app-platform flaw; reuses the AI data-pipeline import/storage SSRF control NEW-CTRL-105 - the remote-file fetch must validate and allowlist destinations, the class shared with the Label Studio SSRF entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify's RemoteFileUploadApi fetches user-supplied URLs without destination validation, letting an unauthenticated attacker reach internal/cloud-metadata services (CWE-918 SSRF); no fixed version published - validate/allowlist the fetch destination."
+  },
+  "CVE-2025-1796": {
+    "name": "Dify Weak-PRNG Password Reset Account Takeover",
+    "type": "Account Takeover",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 8.8 (HIGH); huntr.dev (CNA) rates it 7.5 (HIGH, AC:H). Dify generates password-reset codes with a weak pseudo-random number generator (random.randint instead of a cryptographically secure source), so an attacker predicts the reset code and takes over any account, including administrators (CWE-338 weak PRNG + CWE-640 weak password-recovery mechanism).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing huntr.dev advisory (https://github.com/advisories/GHSA-cvg9-334x-w586): predict the weak-PRNG reset code and complete a password reset for any account.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev (https://github.com/advisories/GHSA-cvg9-334x-w586). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is a weak password-recovery mechanism in an LLM app platform.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure; no confirmed in-the-wild exploitation reported as of curation. No fixed version is published, so exposed instances remain vulnerable.",
+    "affected": "Dify 0.10.1.",
+    "affected_versions": [
+      "Dify 0.10.1"
+    ],
+    "vector": "Dify's password-reset flow generates the reset code with a weak pseudo-random number generator (random.randint) rather than a cryptographically secure RNG. An attacker predicts the reset code for any account - including administrator accounts - and completes a password reset to take it over (CWE-338 / CWE-640). Disclosed via huntr.dev.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L - a low-privilege account suffices to trigger and predict the reset code; the takeover reaches admin.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed version is published as of curation; mitigation is replacing the reset-token generation with a CSPRNG and verifying the reset token server-side (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed Dify release is published. Generate password-reset tokens with a cryptographically secure RNG (e.g. secrets / os.urandom), make them long and single-use with short expiry, and rate-limit reset attempts so a code cannot be predicted or brute-forced."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Identification/authentication is undermined: the LLM app's password-recovery flow lets an attacker authenticate as any user, including admin.",
+      "NIST-800-53-AC-3": "Access enforcement is bypassed: a predictable reset code grants control of any account.",
+      "ISO-27001-2022-A.5.15": "Access control does not constrain the password-recovery path in the LLM app platform.",
+      "NIS2-Art21-identity-management": "Article 21 identity/access measures do not cover weak password-recovery in AI apps.",
+      "DORA-Art-9": "ICT protection measures do not model AI-app account takeover via password recovery as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for secure password-recovery in AI app platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app platform's password-recovery flow as an authentication-integrity control whose failure yields full (admin) account takeover."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1212",
+      "T1078"
+    ],
+    "rwep_score": 44,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 44, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed version published so no patch credit (Hard Rule #3). poc_available=20 + blast_radius=24 (full account/admin takeover). The weakness is in the password-recovery mechanism - predictable reset code.",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-1796",
+    "cwe_refs": [
+      "CWE-338",
+      "CWE-640"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Repeated Dify password-reset requests followed by reset attempts cycling through predictable code values.",
+        "Dify account passwords (including admin) changed without the legitimate owner initiating a reset.",
+        "Dify 0.10.1 with the password-reset flow reachable - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev advisory (https://github.com/advisories/GHSA-cvg9-334x-w586) and NVD CVE-2025-1796 (CWE-338/CWE-640)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-1796",
+      "https://github.com/advisories/GHSA-cvg9-334x-w586"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-1796",
+        "url": "https://github.com/advisories/GHSA-cvg9-334x-w586",
+        "severity": "high",
+        "published_date": "2025-03-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-1796",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1796",
+        "severity": "high",
+        "published_date": "2025-03-20"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the huntr.dev advisory (https://github.com/advisories/GHSA-cvg9-334x-w586, CWE-338/CWE-640) + NVD (CVSS v3.1 8.8) / huntr (CNA 7.5). Dify LLM-app-platform password-recovery flaw; introduces the AI-app password-recovery-integrity control NEW-CTRL-108.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify generates password-reset codes with a weak PRNG (random.randint), so an attacker predicts the code and takes over any account incl. admin (CWE-338/CWE-640); no fixed version published - use a CSPRNG for reset tokens."
+  },
+  "CVE-2024-12776": {
+    "name": "Dify Unverified Password-Reset Endpoint Account Takeover",
+    "type": "Account Takeover",
+    "cvss_score": 8.1,
+    "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "huntr.dev (CNA) CVSS v3.0 base 8.1 (HIGH); NVD has not published its own assessed score. Dify's /forgot-password/resets endpoint does not verify the password-reset code before allowing the reset, so an attacker resets the password of any user - including administrators - and takes over the account (CWE-287 improper authentication; NVD classifies it CWE-305 authentication bypass by primary weakness; both map to the catalogued CWE-640 weak password-recovery mechanism).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing huntr.dev advisory (https://github.com/advisories/GHSA-g394-qpx6-x7rr): call /forgot-password/resets without a valid reset code to reset any user's password.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev (https://github.com/advisories/GHSA-g394-qpx6-x7rr). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is a weak password-recovery mechanism in an LLM app platform.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure; no confirmed in-the-wild exploitation reported as of curation. No fixed version is published, so exposed instances remain vulnerable.",
+    "affected": "Dify 0.10.1.",
+    "affected_versions": [
+      "Dify 0.10.1"
+    ],
+    "vector": "Dify's /forgot-password/resets endpoint does not verify the password-reset code before performing the reset, so an attacker resets the password of any user - including administrators - without possessing a valid reset code, taking over the account (CWE-287 / CWE-640). Disclosed via huntr.dev.",
+    "complexity": "high",
+    "complexity_notes": "huntr CNA AV:N / AC:H / PR:N - unauthenticated, but the reset flow requires some setup (AC:H); the takeover reaches admin.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed version is published as of curation; mitigation is replacing the reset-token generation with a CSPRNG and verifying the reset token server-side (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed Dify release is published. Verify the password-reset code server-side before accepting a new password at /forgot-password/resets, bind the code to the requesting user and a short expiry, and invalidate it after use."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Identification/authentication is undermined: the LLM app's password-recovery flow lets an attacker authenticate as any user, including admin.",
+      "NIST-800-53-AC-3": "Access enforcement is bypassed: an unverified reset endpoint grants control of any account.",
+      "ISO-27001-2022-A.5.15": "Access control does not constrain the password-recovery path in the LLM app platform.",
+      "NIS2-Art21-identity-management": "Article 21 identity/access measures do not cover weak password-recovery in AI apps.",
+      "DORA-Art-9": "ICT protection measures do not model AI-app account takeover via password recovery as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for secure password-recovery in AI app platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app platform's password-recovery flow as an authentication-integrity control whose failure yields full (admin) account takeover."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078",
+      "T1556"
+    ],
+    "rwep_score": 44,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 44, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed version published so no patch credit (Hard Rule #3). poc_available=20 + blast_radius=24 (full account/admin takeover). The weakness is in the password-recovery mechanism - unverified reset endpoint.",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-12776",
+    "cwe_refs": [
+      "CWE-287",
+      "CWE-640"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Dify /forgot-password/resets calls that succeed without a preceding valid reset-code issuance/verification.",
+        "Dify account passwords (including admin) changed without the legitimate owner initiating a reset.",
+        "Dify 0.10.1 with the password-reset flow reachable - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev advisory (https://github.com/advisories/GHSA-g394-qpx6-x7rr) and NVD CVE-2024-12776 (CWE-287/CWE-640; NVD CWE-305)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-12776",
+      "https://github.com/advisories/GHSA-g394-qpx6-x7rr"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-12776",
+        "url": "https://github.com/advisories/GHSA-g394-qpx6-x7rr",
+        "severity": "high",
+        "published_date": "2024-12-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-12776",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12776",
+        "severity": "high",
+        "published_date": "2024-12-17"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the huntr.dev advisory (https://github.com/advisories/GHSA-g394-qpx6-x7rr, CWE-287/CWE-640; NVD assigns CWE-305, mapped to catalogued CWE-640) + huntr (CNA, CVSS v3.0 8.1; NVD unscored). Dify LLM-app-platform password-recovery flaw; introduces the AI-app password-recovery-integrity control NEW-CTRL-108.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify's /forgot-password/resets endpoint does not verify the reset code, letting an attacker reset any user's password incl. admin (CWE-287/CWE-640; NVD CWE-305); no fixed version published - verify the reset token server-side."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -398,6 +398,7 @@
       "CVE-2025-32432",
       "CVE-2025-3248",
       "CVE-2025-33236",
+      "CVE-2025-3466",
       "CVE-2025-37164",
       "CVE-2025-43200",
       "CVE-2025-4428",
@@ -716,6 +717,7 @@
       "CVE-2020-10148",
       "CVE-2021-32030",
       "CVE-2023-27351",
+      "CVE-2024-12776",
       "CVE-2024-1709",
       "CVE-2025-32975",
       "CVE-2025-3935",
@@ -1024,7 +1026,9 @@
       "CAPEC-485"
     ],
     "skills_referencing": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-1796"
+    ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SC-13"
     ],
@@ -1880,6 +1884,7 @@
       "CVE-2023-51449",
       "CVE-2024-6587",
       "CVE-2025-25297",
+      "CVE-2025-56520",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [
@@ -2180,6 +2185,7 @@
     ],
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
+      "CVE-2025-3466",
       "CVE-2025-40536",
       "CVE-2026-21510",
       "CVE-2026-21513"
@@ -3510,7 +3516,10 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2024-12776",
+      "CVE-2025-1796"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,