@blamejs/exceptd-skills 0.13.115 → 0.13.117

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.030,
+      "current_rate": 0.029,
       "current_floor_enforced_by_test": 0.029,
       "ladder_to_target": [
         0.029,
@@ -39121,5 +39121,220 @@
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
     "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally."
+  },
+  "CVE-2024-12450": {
+    "name": "RAGFlow web_crawl Full-Read SSRF + Arbitrary File Read",
+    "type": "Server-Side Request Forgery",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL). The huntr CNA (security@huntr.dev) scored only the SSRF read at v3.0 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N); NVD re-scored 9.8 for the full chain: RAGFlow's `web_crawl` (document_app.py) does not filter the URL, so it is a full-read SSRF AND lacks a file:// scheme restriction (arbitrary server file read) AND runs an outdated headless Chromium with the sandbox disabled (V8 exploitation can escalate to remote code execution). The PR differs between sources (NVD PR:N / huntr PR:L); both agree AV:N/AC:L.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the huntr bounty report (https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a): the web_crawl URL parameter is pointed at an internal address / file:// path and the content is returned via the generated PDF.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr (CNA security@huntr.dev) and enriched by NVD. The abused surface is RAGFlow (infiniflow/ragflow), a widely deployed open-source Retrieval-Augmented-Generation engine.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch (SSRF) plus an unsandboxed headless browser in a RAG ingestion path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "huntr/NVD advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "RAGFlow (infiniflow/ragflow) before 0.14.0 (reported against 0.12.0).",
+    "affected_versions": [
+      "RAGFlow < 0.14.0"
+    ],
+    "vector": "RAGFlow's web_crawl function in document_app.py does not filter the supplied URL, so an attacker performs a full-read SSRF against internal network addresses, reads arbitrary local files via the file:// scheme, and reaches an outdated headless Chromium run with the sandbox disabled - exposing it to known V8 exploits that can escalate to remote code execution (CWE-918 SSRF / CWE-77).",
+    "complexity": "low",
+    "complexity_notes": "AV:N / AC:L across both NVD and huntr. NVD scores it PR:N (the crawl is reachable without privileges); huntr scored PR:L (a low-privileged user triggers the crawl). Either way no user interaction.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 0.14.0 or later (fix commit 3faae0b2c2f8a26233ee1442ba04874b3406f6e9); redeploy the container, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade RAGFlow to 0.14.0 or later. Validate and allowlist every URL the web_crawl / ingestion path fetches: reject private, link-local, and cloud-metadata (169.254.169.254) addresses, reject file:// and non-HTTP schemes, and run the headless browser sandboxed."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the RAG engine's server-side crawl as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "No input validation is applied to the user-supplied crawl URL before the server fetches it (CWE-918 / CWE-77).",
+      "ISO-27001-2022-A.8.21": "Security of network services does not constrain the destinations the RAG crawler may reach.",
+      "NIS2-Art21-network-security": "Article 21 network-security measures do not model an AI ingestion crawler as an SSRF pivot into the internal network.",
+      "DORA-Art-9": "ICT protection measures do not model a RAG engine's server-side fetch as an ICT-risk egress.",
+      "UK-CAF-B4": "System security objective has no objective for destination validation on AI-pipeline server-side fetches.",
+      "AU-ISM-1546": "Patch-application control does not single out RAG / AI-pipeline platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an AI data-pipeline's server-side fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1213",
+      "T1552"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate-high (RWEP 31, \"patch promptly\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 0.14.0 (Hard Rule #3): poc_available=20 + blast_radius=26 (full-read SSRF + arbitrary file read + potential RCE via an unsandboxed headless browser in a widely deployed RAG engine), minus patch_available 15.",
+    "epss_score": 0.00984,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00984 (77th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-12450",
+    "cwe_refs": [
+      "CWE-918",
+      "CWE-77"
+    ],
+    "iocs": {
+      "behavioral": [
+        "RAGFlow web_crawl requests whose URL parameter targets internal/link-local addresses or 169.254.169.254 (cloud metadata).",
+        "RAGFlow web_crawl requests using the file:// scheme to read local server files.",
+        "RAGFlow < 0.14.0 reachable on the network with the document-crawl feature enabled - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr bounty (https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a) and NVD CVE-2024-12450 (CWE-918 / CWE-77)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-12450",
+      "https://github.com/advisories/GHSA-775f-24cq-qg6p",
+      "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "huntr",
+        "advisory_id": "CVE-2024-12450",
+        "url": "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a",
+        "severity": "medium",
+        "published_date": "2025-03-20"
+      },
+      {
+        "vendor": "GitHub Advisory Database",
+        "advisory_id": "GHSA-775f-24cq-qg6p",
+        "url": "https://github.com/advisories/GHSA-775f-24cq-qg6p",
+        "severity": "critical",
+        "published_date": "2025-03-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-12450",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12450",
+        "severity": "critical",
+        "published_date": "2025-03-20"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2024-12450 (CVSS v3.1 9.8, CWE-918) + the huntr bounty (CNA, v3.0 6.5). RAGFlow RAG-engine ingestion SSRF + arbitrary file read; reuses the AI-data-pipeline import SSRF control NEW-CTRL-105 (shared with the Dify RemoteFileUploadApi and Label Studio data-pipeline SSRF).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "RAGFlow web_crawl does not filter the supplied URL, yielding full-read SSRF, file:// arbitrary file read, and potential RCE via an unsandboxed headless Chromium (CWE-918 / CWE-77); fixed in 0.14.0."
+  },
+  "CVE-2025-69286": {
+    "name": "RAGFlow Predictable API-Key / Share-Token Account Takeover",
+    "type": "Account Takeover",
+    "cvss_score": 8.9,
+    "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
+    "cvss_note": "GitHub (CNA, security-advisories@github.com) CVSS v4.0 base 8.9; NVD CVSS v3.1 base 9.8 (CRITICAL). RAGFlow generates the API key and the beta (assistant/agent share) token with the same URLSafeTimedSerializer keyed by the tenant_id (a predictable secret) over a timestamp-based UUIDv1, so the two tokens are mutually derivable: an attacker who obtains a shared assistant/agent URL derives the personal API key and takes full control of the owner's account (CWE-340 generation of predictable identifiers).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "The disclosing advisory (https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7) details deriving the API key from a shared beta token: both are produced by generate_confirmation_token using tenant_id as the serializer secret and get_uuid() (UUIDv1) as data, enumerable within a small timestamp window.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (GHSA-9j5g-g4xm-57w7) and enriched by NVD. The abused surface is RAGFlow (infiniflow/ragflow), a widely deployed open-source Retrieval-Augmented-Generation engine.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is predictable token generation (insecure key derivation) in a RAG platform's API-key / share-token issuance.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "GitHub advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "RAGFlow (infiniflow/ragflow) before 0.22.0.",
+    "affected_versions": [
+      "RAGFlow < 0.22.0"
+    ],
+    "vector": "RAGFlow's API key and beta (assistant/agent share) token are both generated by generate_confirmation_token, which builds a URLSafeTimedSerializer initialized with the tenant_id as the secret_key and uses get_uuid() (a timestamp-based UUIDv1) as the input data with tenant_id as the salt. Because the inputs are predictable and the two tokens are generated nearly simultaneously, they are mutually derivable - an attacker who obtains a shared assistant/agent URL derives the account's personal API key and gains full control (CWE-340).",
+    "complexity": "low",
+    "complexity_notes": "GitHub v4.0 AV:N/AC:L/AT:N/PR:N/UI:N. The practical precondition is obtaining a shared assistant/agent URL (commonly distributed); from it the API key is derivable.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 0.22.0 or later (fix commit a3bb4aadcc3494fb27f2a9933b4c46df8eb532e6); redeploy the container, no host reboot. Rotate any API keys / share tokens issued by a vulnerable version.",
+    "vendor_update_paths": [
+      "Upgrade RAGFlow to 0.22.0 or later, then rotate all API keys and share/beta tokens issued by the vulnerable version. Generate API keys and share tokens from a CSPRNG (os.urandom / secrets) with an unpredictable per-install server secret - never key the serializer with the tenant_id, never use a timestamp-based UUIDv1 as token material, and never let one token be derivable from another."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Identification and authentication is defeated - an attacker derives a valid API key and acts as the account owner.",
+      "NIST-800-53-AC-3": "Access enforcement is bypassed once the derived API key grants full account control.",
+      "ISO-27001-2022-A.8.24": "Use of cryptography is inadequate - tokens are produced by a predictable serializer instead of a CSPRNG, so issued tokens are not unpredictable.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not prevent predictable-token account takeover in AI apps.",
+      "DORA-Art-9": "ICT protection measures do not model predictable token generation in an AI app as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for token-generation entropy on AI app-platform APIs.",
+      "AU-ISM-1546": "Patch-application control does not single out RAG / AI-pipeline platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an AI app platform's API-key / share-token generation (CSPRNG + unpredictable secret) as an authentication-integrity control."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078",
+      "T1212"
+    ],
+    "rwep_score": 28,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 23,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 28, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 0.22.0 (Hard Rule #3): poc_available=20 + blast_radius=23 (account takeover including admin in a widely deployed RAG engine, gated on obtaining a shared assistant/agent URL), minus patch_available 15.",
+    "epss_score": 0.00125,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00125 (31st percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-69286",
+    "cwe_refs": [
+      "CWE-340"
+    ],
+    "iocs": {
+      "behavioral": [
+        "RAGFlow API requests authenticating with API keys that were not issued through the normal create-key flow (derived keys).",
+        "Access to an assistant/agent owner's resources originating from a holder of only the shared assistant/agent URL.",
+        "RAGFlow < 0.22.0 with shared assistant/agent links distributed outside the owner's trust boundary - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7) and NVD CVE-2025-69286 (CWE-340)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-69286",
+      "https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "GHSA-9j5g-g4xm-57w7",
+        "url": "https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7",
+        "severity": "critical",
+        "published_date": "2025-12-31"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-69286",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69286",
+        "severity": "critical",
+        "published_date": "2025-12-31"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-69286 (CVSS v3.1 9.8, CWE-340) + the GitHub Security Advisory GHSA-9j5g-g4xm-57w7 (CNA, CVSS v4.0 8.9). RAGFlow RAG-engine predictable-token account takeover; introduces the AI-app API-token generation-integrity control NEW-CTRL-109.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "RAGFlow generates API keys and share tokens with a predictable serializer keyed by tenant_id over a UUIDv1, so the tokens are mutually derivable and a shared link yields account takeover (CWE-340); fixed in 0.22.0."
   }
 }

package/data/cwe-catalog.json

@@ -164,7 +164,8 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
-      "MAL-2026-3083"
+      "MAL-2026-3083",
+      "CVE-2024-12450"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -1885,7 +1886,8 @@
       "CVE-2024-6587",
       "CVE-2025-25297",
       "CVE-2025-56520",
-      "CVE-2025-61884"
+      "CVE-2025-61884",
+      "CVE-2024-12450"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SC-7",
@@ -4386,5 +4388,36 @@
     ],
     "last_verified": "2026-05-19",
     "notes": "Added v0.13.19 to back the runc /proc/self/fd container-escape (CVE-2024-21626) cwe_refs entry."
+  },
+  "CWE-340": {
+    "id": "CWE-340",
+    "name": "Generation of Predictable Numbers or Identifiers",
+    "abstraction": "Class",
+    "category": "Cryptography",
+    "description": "The product uses a scheme that generates numbers or identifiers that are more predictable than required (e.g. timestamp-based UUIDv1, a serializer keyed by a guessable secret, sequential ids), so an attacker can predict or derive the value. Child of CWE-330; siblings include CWE-330, -341, -342.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000",
+      "CWE-310"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-59",
+      "CAPEC-112"
+    ],
+    "skills_referencing": [],
+    "evidence_cves": [
+      "CVE-2025-69286"
+    ],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-IA-5",
+      "NIST-800-53-SC-13"
+    ],
+    "real_requirement": "Generate security-relevant identifiers and tokens (API keys, share/reset tokens, session ids) from an OS CSPRNG with an unpredictable per-install secret; never key a serializer with a tenant/customer id, never use timestamp-based UUIDv1 as token material, and never let one token be derivable from another.",
+    "lag_notes": "Framework controls require 'unpredictable' authenticators in the abstract; codebase-level enforcement that token-generation never uses a predictable secret or timestamp source is absent.",
+    "last_verified": "2026-05-26",
+    "playbooks_referencing": [
+      "identity-sso-compromise"
+    ]
   }
 }

package/data/framework-control-gaps.json

@@ -116,7 +116,9 @@
       "CVE-2026-40933",
       "CVE-2026-41947",
       "CVE-2026-41950",
-      "CVE-2026-45829"
+      "CVE-2026-45829",
+      "CVE-2024-12450",
+      "CVE-2025-69286"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -2308,7 +2310,8 @@
       "CVE-2025-53767",
       "CVE-2025-56520",
       "CVE-2026-34159",
-      "CVE-2026-42897"
+      "CVE-2026-42897",
+      "CVE-2024-12450"
     ],
     "atlas_refs": [
       "AML.T0096",
@@ -2422,7 +2425,8 @@
       "CVE-2026-39884",
       "CVE-2026-42208",
       "CVE-2026-45829",
-      "CVE-2026-9082"
+      "CVE-2026-9082",
+      "CVE-2024-12450"
     ],
     "atlas_refs": [
       "AML.T0053"
@@ -3890,7 +3894,8 @@
       "CVE-2026-24207",
       "CVE-2026-26190",
       "CVE-2026-41947",
-      "CVE-2026-41950"
+      "CVE-2026-41950",
+      "CVE-2025-69286"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -5201,7 +5206,9 @@
       "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
-      "CVE-2026-9082"
+      "CVE-2026-9082",
+      "CVE-2024-12450",
+      "CVE-2025-69286"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5250,7 +5257,8 @@
       "CVE-2026-39987",
       "CVE-2026-41947",
       "CVE-2026-41950",
-      "CVE-2026-7482"
+      "CVE-2026-7482",
+      "CVE-2025-69286"
     ],
     "atlas_refs": [
       "AML.T0051"
@@ -5552,7 +5560,8 @@
       "CVE-2026-33017",
       "CVE-2026-41947",
       "CVE-2026-41950",
-      "CVE-2026-6973"
+      "CVE-2026-6973",
+      "CVE-2025-69286"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5789,7 +5798,8 @@
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-9082",
-      "MAL-2026-SHAI-HULUD-OSS"
+      "MAL-2026-SHAI-HULUD-OSS",
+      "CVE-2024-12450"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5912,7 +5922,9 @@
       "CVE-2026-45829",
       "CVE-2026-46300",
       "CVE-2026-46333",
-      "CVE-2026-9082"
+      "CVE-2026-9082",
+      "CVE-2024-12450",
+      "CVE-2025-69286"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6220,7 +6232,8 @@
       "CVE-2026-24207",
       "CVE-2026-26190",
       "CVE-2026-33017",
-      "CVE-2026-45829"
+      "CVE-2026-45829",
+      "CVE-2025-69286"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6332,7 +6345,8 @@
       "CVE-2024-21762",
       "CVE-2025-25297",
       "CVE-2025-56520",
-      "CVE-2026-20182"
+      "CVE-2026-20182",
+      "CVE-2024-12450"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6760,7 +6774,8 @@
     "opened_at": "2026-05-18",
     "evidence_cves": [
       "CVE-2025-14847",
-      "CVE-2025-22226"
+      "CVE-2025-22226",
+      "CVE-2025-69286"
     ],
     "theater_test": {
       "claim": "We are compliant with A.8.24 (Use of cryptography) because we follow the documented requirement: Annex A.8.24 — defining and implementing rules for the effective use of cryptography, including key management. Anchored on the assumption that correctly-applied transport and at-rest encryption prese",
@@ -7136,7 +7151,8 @@
     "opened_at": "2026-05-18",
     "evidence_cves": [
       "CVE-2025-22224",
-      "CVE-2025-22225"
+      "CVE-2025-22225",
+      "CVE-2024-12450"
     ],
     "theater_test": {
       "claim": "We are compliant with A.8.21 (Security of network services) because we follow the documented requirement: Annex A.8.21 — identifying, implementing, and monitoring security mechanisms, service levels, and management requirements for network services. Anchored on segmentation, secure protocols, and service-",

package/data/zeroday-lessons.json

@@ -17036,5 +17036,105 @@
     "ai_assist_factor": "none",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+  },
+  "CVE-2024-12450": {
+    "name": "RAGFlow web_crawl Full-Read SSRF + Arbitrary File Read",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "RAGFlow's web_crawl function does not filter the supplied URL, so an attacker performs a full-read SSRF against internal addresses, reads local files via file://, and reaches an unsandboxed headless Chromium that can escalate to RCE.",
+      "privileges_required": "none to low (NVD PR:N; huntr PR:L)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is RAGFlow, an open-source Retrieval-Augmented-Generation engine. The lesson: a RAG engine's ingestion crawler is a server-side fetch that must validate and allowlist destinations and run any headless browser sandboxed, or it becomes an SSRF / file-read / RCE pivot."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the RAG engine's crawl as an egress that can reach internal services."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the user-supplied crawl URL before the server fetches it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a RAG engine's server-side fetch as an egress that must validate and allowlist destinations."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 79,
+      "basis": "RAG engines crawl user-supplied URLs for ingestion on trusted-network assumptions; the fetch destination and scheme are not validated and the headless browser is not sandboxed.",
+      "theater_pattern": "ai_data_pipeline_ssrf_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-105",
+        "name": "AI-DATA-PIPELINE-IMPORT-SSRF-PROTECTION",
+        "description": "An AI data-pipeline platform that fetches from caller-supplied URLs or endpoints (data import, cloud-storage endpoint configuration, webhook/annotation sources, ingestion crawlers) must validate and allowlist the destination before issuing the request: reject private, link-local, and cloud-metadata addresses (169.254.169.254), reject file:// and non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding. Run any headless browser sandboxed. Restrict who can configure server-side fetches. The distinguishing test: configure the import/crawl URL to an internal or cloud-metadata address (or a file:// path) on a staging instance and confirm the server refuses the fetch - a platform that issues the request and returns the response is exploitable for SSRF / file read / internal pivot, regardless of authentication posture.",
+        "evidence": "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a",
+        "gap_closes": [
+          "NIST-800-53-SC-7",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-69286": {
+    "name": "RAGFlow Predictable API-Key / Share-Token Account Takeover",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "RAGFlow generates its API key and share/beta token with the same URLSafeTimedSerializer keyed by the tenant_id over a timestamp-based UUIDv1, so the tokens are mutually derivable - a shared assistant/agent URL yields the owner's API key and full account control.",
+      "privileges_required": "none (an attacker who obtains a shared assistant/agent URL)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is RAGFlow, an open-source Retrieval-Augmented-Generation engine. The lesson: an AI app's API keys and share tokens are authentication material that must be generated from a CSPRNG with an unpredictable per-install secret - never derivable from a tenant id, a timestamp, or another token."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-5": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authenticator management does not require API keys / share tokens to be unpredictable and non-derivable."
+      },
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement is bypassed once a derivable API key grants full account control."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an AI app platform's token generation (CSPRNG + unpredictable secret) as an authentication-integrity control."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "AI app platforms issue API keys and share tokens with bespoke serializers seeded by tenant ids and timestamp-based UUIDs; token-generation entropy is rarely audited.",
+      "theater_pattern": "ai_app_predictable_token_generation"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-109",
+        "name": "AI-APP-API-TOKEN-GENERATION-INTEGRITY",
+        "description": "An AI application's API keys, share/beta tokens, and session identifiers must be generated from a cryptographically secure RNG (os.urandom / secrets) with an unpredictable per-install server secret. Never key a token serializer with a tenant/customer id, never use a timestamp-based UUIDv1 (or any guessable counter) as token material, and never let one issued token be derivable from another. Make tokens long, single-use where applicable, and revocable. The distinguishing test: on a staging instance, mint two tokens (or two accounts' tokens) and confirm that one cannot be derived from the other, from the tenant id, or from the generation timestamp - an AI app whose API-key / share-token derivation is predictable permits account takeover from a shared link alone.",
+        "evidence": "https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7",
+        "gap_closes": [
+          "NIST-800-53-IA-5",
+          "NIST-800-53-AC-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
   }
 }