@blamejs/exceptd-skills 0.13.118 → 0.13.119

package/data/attack-techniques.json

@@ -1100,7 +1100,9 @@
       "CVE-2026-9082",
       "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP",
       "CVE-2024-12450",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "description_full": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
     "platforms": [
@@ -1323,7 +1325,8 @@
     ],
     "cve_refs": [
       "CVE-2026-41950",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22218"
     ]
   },
   "T1485": {
@@ -1582,7 +1585,8 @@
       "CVE-2025-68664",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22219"
     ],
     "description_full": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)",
     "platforms": [

package/data/cve-catalog.json

@@ -39336,5 +39336,210 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "RAGFlow generates API keys and share tokens with a predictable serializer keyed by tenant_id over a UUIDv1, so the tokens are mutually derivable and a shared link yields account takeover (CWE-340); fixed in 0.22.0."
+  },
+  "CVE-2026-22218": {
+    "name": "Chainlit /project/element Arbitrary File Read",
+    "type": "Path Traversal",
+    "cvss_score": 7.1,
+    "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
+    "cvss_note": "VulnCheck (CNA) CVSS v4.0 base 7.1 (HIGH); NVD CVSS v3.1 base 6.5. Chainlit's /project/element update flow accepts a custom Element with a user-controlled path value and copies the file at that path into the requesting user's session without validating it stays within the document store (CWE-22 path traversal), so an authenticated client reads arbitrary files on the server host.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-r399-636x-v7f6 cluster): an authenticated client submits a custom Element whose path field points outside the document store and reads the file's contents from its session.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via VulnCheck (CNA) and enriched by NVD. The abused surface is Chainlit, a widely used open-source framework for building conversational-AI / LLM apps.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing path validation on a caller-supplied file path in an LLM app framework's element-update API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "VulnCheck/NVD advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "Chainlit before 2.9.4.",
+    "affected_versions": [
+      "Chainlit < 2.9.4"
+    ],
+    "vector": "Chainlit's /project/element update flow accepts a custom Element with a user-controlled `path` value and copies the file at that path into the requesting user's session without confirming the path stays within the document store, so an authenticated client supplies a traversal path and reads arbitrary files on the server host (CWE-22).",
+    "complexity": "low",
+    "complexity_notes": "VulnCheck v4.0 AV:N / AC:L / PR:L - an authenticated client supplies a crafted element path.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 2.9.4 or later (released 2025-12-24); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Chainlit to 2.9.4 or later. Canonicalize and validate every caller-supplied file path (including encoding transforms) against an allowlisted base directory before reading, and do not expose the app to untrusted users."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "No input validation is applied to the caller-supplied element path before the server reads it (CWE-22).",
+      "NIST-800-53-AC-3": "Access enforcement does not confine the read to the document store - an authenticated user reads arbitrary host files.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not require canonicalization + allowlisting of file paths in the LLM app framework's element API.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model an LLM app framework's file-bearing API as a path-traversal surface.",
+      "DORA-Art-9": "ICT protection measures do not model arbitrary file read in an AI app as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for path canonicalization on AI app-framework file APIs.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app framework's path-bearing input as an integrity boundary requiring canonicalization."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1213"
+    ],
+    "rwep_score": 19,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 14,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 19, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 2.9.4 (Hard Rule #3): poc_available=20 + blast_radius=14 (authenticated arbitrary file read in a widely used LLM app framework - host secrets/config readable), minus patch_available 15.",
+    "epss_score": 0.00044,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00044 (14th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-22218",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Chainlit /project/element requests whose element path references files outside the document store (../ traversal or absolute host paths).",
+        "Chainlit sessions receiving file contents (e.g. /etc/passwd, app config, secrets) not uploaded by the requesting user.",
+        "Chainlit < 2.9.4 reachable by authenticated-but-untrusted users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to VulnCheck / NVD CVE-2026-22218 (CWE-22) and the Chainlit 2.9.4 advisory."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-22218",
+      "https://github.com/advisories/GHSA-r399-636x-v7f6"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "VulnCheck",
+        "advisory_id": "CVE-2026-22218",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22218",
+        "severity": "high",
+        "published_date": "2026-01-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-22218",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22218",
+        "severity": "medium",
+        "published_date": "2026-01-20"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2026-22218 (CWE-22) + VulnCheck (CNA, CVSS v4.0 7.1). Chainlit LLM-app-framework arbitrary file read; reuses the AI-runtime-API path-traversal validation control NEW-CTRL-094 (shared with the AnythingLLM upload path-traversal and the Ollama path-traversal class).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Chainlit /project/element copies a caller-supplied file path into the user's session without validation, letting an authenticated client read arbitrary host files (CWE-22); fixed in 2.9.4."
+  },
+  "CVE-2026-22219": {
+    "name": "Chainlit /project/element SQLAlchemy-Backend Server-Side Request Forgery",
+    "type": "Server-Side Request Forgery",
+    "cvss_score": 8.3,
+    "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
+    "cvss_note": "VulnCheck (CNA) CVSS v4.0 base 8.3 (HIGH); NVD CVSS v3.1 base 7.7 (scope-changed, S:C). When Chainlit is configured with the SQLAlchemy data-layer backend, its /project/element update flow accepts a custom Element with a user-controlled `url` value and the server issues an outbound GET to it, storing the response - so an authenticated client reaches internal services or cloud metadata via the Chainlit server (CWE-918 SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-r399-636x-v7f6): an authenticated client sets a custom Element's url field to an internal address and the server fetches and stores the response.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via VulnCheck (CNA) and enriched by NVD. The abused surface is Chainlit, a widely used open-source framework for building conversational-AI / LLM apps.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch (SSRF) in an LLM app framework's element-update API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "VulnCheck/NVD advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "Chainlit before 2.9.4 when configured with the SQLAlchemy data-layer backend.",
+    "affected_versions": [
+      "Chainlit < 2.9.4 (SQLAlchemy data layer)"
+    ],
+    "vector": "When Chainlit uses the SQLAlchemy data-layer backend, its /project/element update flow accepts a custom Element with a user-controlled `url` value and the server issues an outbound GET request to that URL and stores the response, without validating the destination - so an authenticated client reaches internal services or cloud-metadata endpoints via the server (CWE-918).",
+    "complexity": "low",
+    "complexity_notes": "VulnCheck v4.0 AV:N / AC:L / PR:L, scope-changed (SC:H) - an authenticated client supplies a crafted element url.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 2.9.4 or later (released 2025-12-24); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Chainlit to 2.9.4 or later. Validate and allowlist every URL the element-update flow fetches: reject private, link-local, and cloud-metadata (169.254.169.254) addresses, reject non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the LLM app framework's element-url fetch as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "No input validation is applied to the user-supplied element url before the server fetches it (CWE-918).",
+      "NIST-800-53-AC-3": "Access enforcement does not stop an authenticated user from directing the server to fetch internal resources.",
+      "ISO-27001-2022-A.8.22": "Segregation of networks does not prevent the LLM app framework from reaching internal services on behalf of a caller.",
+      "NIS2-Art21-network-security": "Article 21 network-security measures do not model an LLM app framework's server-side fetch as an SSRF pivot.",
+      "DORA-Art-9": "ICT protection measures do not model an AI app framework's server-side fetch as an ICT-risk egress.",
+      "UK-CAF-B4": "System security objective has no objective for destination validation on AI-app-framework server-side fetches.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app framework's server-side fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1552"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate-high (RWEP 23, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 2.9.4 (Hard Rule #3): poc_available=20 + blast_radius=18 (scope-changed SSRF that stores the fetched response - reaches internal services / cloud metadata in a widely used LLM app framework), minus patch_available 15.",
+    "epss_score": 0.00052,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00052 (16th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-22219",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Chainlit /project/element requests whose element url targets internal/link-local addresses or 169.254.169.254 (cloud metadata).",
+        "Outbound GET requests from the Chainlit server to internal hosts triggered by element updates, with responses stored in the SQLAlchemy data layer.",
+        "Chainlit < 2.9.4 with the SQLAlchemy data-layer backend reachable by authenticated-but-untrusted users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to VulnCheck / NVD CVE-2026-22219 (CWE-918) and the Chainlit 2.9.4 advisory."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-22219",
+      "https://github.com/advisories/GHSA-r399-636x-v7f6"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "VulnCheck",
+        "advisory_id": "CVE-2026-22219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22219",
+        "severity": "high",
+        "published_date": "2026-01-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-22219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22219",
+        "severity": "high",
+        "published_date": "2026-01-20"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2026-22219 (CWE-918) + VulnCheck (CNA, CVSS v4.0 8.3). Chainlit LLM-app-framework server-side request forgery; reuses the AI-data-pipeline import SSRF control NEW-CTRL-105 (shared with the Dify RemoteFileUploadApi, RAGFlow web_crawl, and Label Studio data-pipeline SSRFs).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Chainlit /project/element (SQLAlchemy backend) fetches a caller-supplied url server-side and stores the response, letting an authenticated client reach internal services (CWE-918 SSRF); fixed in 2.9.4."
   }
 }

package/data/cwe-catalog.json

@@ -113,7 +113,8 @@
       "CVE-2025-67818",
       "CVE-2025-8110",
       "CVE-2026-25592",
-      "CVE-2026-34926"
+      "CVE-2026-34926",
+      "CVE-2026-22218"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-AC-3",
@@ -1887,7 +1888,8 @@
       "CVE-2025-25297",
       "CVE-2025-56520",
       "CVE-2025-61884",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22219"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SC-7",

package/data/framework-control-gaps.json

@@ -118,7 +118,9 @@
       "CVE-2026-41950",
       "CVE-2026-45829",
       "CVE-2024-12450",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -1259,7 +1261,8 @@
       "CVE-2024-21626",
       "CVE-2025-23266",
       "CVE-2025-25297",
-      "CVE-2025-56520"
+      "CVE-2025-56520",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1311,7 +1314,8 @@
       "CVE-2026-30623",
       "CVE-2026-31229",
       "CVE-2026-31230",
-      "CVE-2026-33017"
+      "CVE-2026-33017",
+      "CVE-2026-22218"
     ],
     "atlas_refs": [
       "AML.T0051",
@@ -2311,7 +2315,8 @@
       "CVE-2025-56520",
       "CVE-2026-34159",
       "CVE-2026-42897",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [
       "AML.T0096",
@@ -2426,7 +2431,9 @@
       "CVE-2026-42208",
       "CVE-2026-45829",
       "CVE-2026-9082",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [
       "AML.T0053"
@@ -5208,7 +5215,9 @@
       "CVE-2026-46333",
       "CVE-2026-9082",
       "CVE-2024-12450",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5258,7 +5267,9 @@
       "CVE-2026-41947",
       "CVE-2026-41950",
       "CVE-2026-7482",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [
       "AML.T0051"
@@ -5799,7 +5810,9 @@
       "CVE-2026-46333",
       "CVE-2026-9082",
       "MAL-2026-SHAI-HULUD-OSS",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5924,7 +5937,9 @@
       "CVE-2026-46333",
       "CVE-2026-9082",
       "CVE-2024-12450",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6346,7 +6361,9 @@
       "CVE-2025-25297",
       "CVE-2025-56520",
       "CVE-2026-20182",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -17136,5 +17136,105 @@
     ],
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-22218": {
+    "name": "Chainlit /project/element Arbitrary File Read",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "Chainlit's /project/element update flow copies a file at a caller-supplied path into the user's session without validating it stays within the document store, so an authenticated client reads arbitrary host files.",
+      "privileges_required": "low (an authenticated client)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Chainlit, an open-source LLM-app framework. The lesson: an LLM app framework's file/path-bearing inputs must be canonicalized and validated against an allowlisted base before any filesystem read, and the app must not be exposed to untrusted users."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the caller-supplied element path before the server reads it."
+      },
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The read is not confined to the document store - an authenticated user reads arbitrary host files."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM app framework's path-bearing input as an integrity boundary requiring canonicalization."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 77,
+      "basis": "LLM app frameworks accept file/element references from clients and read them on trusted-network assumptions; path canonicalization is rarely audited.",
+      "theater_pattern": "ai_app_path_traversal_file_read"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "An AI application's file/path-bearing inputs (upload filenames, model digests, element/document paths, API route parameters) must be canonicalized and validated - including non-ASCII / encoding transforms - against an allowlisted base directory before touching the filesystem, and the app must not be network-exposed to untrusted users. The distinguishing test: submit an element/file reference whose path decodes to ../ traversal or an absolute host path on a staging instance and confirm it is rejected, not read and returned.",
+        "evidence": "https://github.com/advisories/GHSA-r399-636x-v7f6",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-22219": {
+    "name": "Chainlit /project/element SQLAlchemy-Backend Server-Side Request Forgery",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "When Chainlit uses the SQLAlchemy data-layer backend, its /project/element flow fetches a caller-supplied url server-side and stores the response without validating the destination, so an authenticated client reaches internal services or cloud metadata.",
+      "privileges_required": "low (an authenticated client)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Chainlit, an open-source LLM-app framework. The lesson: an LLM app framework's server-side fetches must validate and allowlist destinations or become an SSRF pivot - the same control that closes the Dify and RAGFlow ingestion SSRFs."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the framework's element-url fetch as an egress that can reach internal services."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the user-supplied element url before the server fetches it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM app framework's server-side fetch as an egress that must validate and allowlist destinations."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "LLM app frameworks fetch caller-supplied URLs from element/data-layer flows on trusted-network assumptions; the fetch destination is not validated.",
+      "theater_pattern": "ai_data_pipeline_ssrf_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-105",
+        "name": "AI-DATA-PIPELINE-IMPORT-SSRF-PROTECTION",
+        "description": "An AI data-pipeline / app platform that fetches from caller-supplied URLs or endpoints (data import, element urls, cloud-storage endpoint configuration, webhook/annotation sources, ingestion crawlers) must validate and allowlist the destination before issuing the request: reject private, link-local, and cloud-metadata addresses (169.254.169.254), reject file:// and non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding. Restrict who can configure server-side fetches. The distinguishing test: configure the fetched URL to an internal or cloud-metadata address on a staging instance and confirm the server refuses the fetch - a platform that issues the request and returns/stores the response is exploitable for SSRF / internal pivot, regardless of authentication posture.",
+        "evidence": "https://github.com/advisories/GHSA-r399-636x-v7f6",
+        "gap_closes": [
+          "NIST-800-53-SC-7",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
   }
 }