@blamejs/exceptd-skills 0.13.118 → 0.13.120

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/CHANGELOG.md +8 -0
  2. package/data/_indexes/_meta.json +8 -8
  3. package/data/_indexes/activity-feed.json +2 -2
  4. package/data/_indexes/catalog-summaries.json +2 -2
  5. package/data/_indexes/chains.json +577 -0
  6. package/data/attack-techniques.json +10 -4
  7. package/data/cve-catalog.json +308 -0
  8. package/data/cwe-catalog.json +6 -3
  9. package/data/framework-control-gaps.json +37 -15
  10. package/data/zeroday-lessons.json +160 -0
  11. package/manifest.json +44 -44
  12. package/package.json +1 -1
  13. package/sbom.cdx.json +22 -22
package/CHANGELOG.md CHANGED
@@ -1,5 +1,13 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.13.120 — 2026-05-26
4
+
5
+ CVE catalog — LangChain JS serialization injection. Adds **CVE-2025-68665**, the JavaScript sibling of the already-catalogued Python-side CVE-2025-68664. LangChain JS's `toJSON()` (and `JSON.stringify` of LangChain objects) did not escape free-form data containing the internal `lc` marker key, so attacker-controlled data carrying that structure is rehydrated as a legitimate LangChain object on deserialization instead of staying plain data (CWE-502; GitHub CNA CVSS v3.1 8.6, scope-changed / NVD 9.1). Fixed in `@langchain/core` 0.3.80 / 1.1.8 and `langchain` 0.3.37 / 1.2.3. Reuses the LLM-output deserialization trust-zone control (NEW-CTRL-064) and AI-tool input-sanitization (NEW-CTRL-005). Scored conservatively below the Python sibling, which additionally carries suspected-exploitation and weaponization signals the JS variant lacks. CVE count 410 → 411.
6
+
7
+ ## 0.13.119 — 2026-05-26
8
+
9
+ CVE catalog — Chainlit LLM-app framework. Adds two flaws in the `/project/element` update flow of Chainlit, a widely used open-source framework for conversational-AI / LLM apps. **CVE-2026-22218** (VulnCheck CNA CVSS v4.0 7.1; NVD v3.1 6.5) — a custom element with a caller-supplied `path` is copied into the requesting user's session without validation, so an authenticated client reads arbitrary files on the server host (CWE-22 path traversal); fixed in 2.9.4. Reuses the AI-runtime-API path-traversal validation control (NEW-CTRL-094) shared with the AnythingLLM upload traversal. **CVE-2026-22219** (VulnCheck CNA CVSS v4.0 8.3; NVD v3.1 7.7, scope-changed) — with the SQLAlchemy data-layer backend, a custom element's `url` is fetched server-side and the response stored, so an authenticated client reaches internal services or cloud metadata (CWE-918 SSRF); fixed in 2.9.4. Reuses the AI-data-pipeline import SSRF control (NEW-CTRL-105) shared with the Dify, RAGFlow, and Label Studio data-pipeline SSRFs. CVE count 408 → 410.
10
+
3
11
  ## 0.13.118 — 2026-05-26
4
12
 
5
13
  The researcher-handle tracker behind `refresh --check-advisories` (NEW-CTRL-073) now follows the Nightmare-Eclipse handle on its GitLab public-activity Atom feed instead of the GitHub events API — the handle's GitHub account was removed. The feed count is unchanged and the diff shape is identical: GitLab tag pushes and newly created public projects surface as `researcher-handle-drop` diffs exactly as the GitHub events did, carrying the same `researcher_handle` field. The NEW-CTRL-073 control text is now platform-agnostic (GitHub events or a GitLab activity feed).
package/data/_indexes/_meta.json CHANGED
@@ -1,21 +1,21 @@
1
1
  {
2
2
  "schema_version": "1.1.0",
3
- "generated_at": "2026-05-27T00:21:07.706Z",
3
+ "generated_at": "2026-05-27T02:21:37.099Z",
4
4
  "generator": "scripts/build-indexes.js",
5
5
  "source_count": 54,
6
6
  "source_hashes": {
7
- "manifest.json": "c9b4af4a90b3da6eadec358254afe012cfd6c9a4df9944a8f15e92c52afcfd4d",
7
+ "manifest.json": "6ab635bfaef39a128a874fa2db7853e857c026112aaf030c997d4c1d7e3f3218",
8
8
  "data/atlas-ttps.json": "8dca8b3a370632548b3d7f465686ac6b47a26920bf6f618db401e349af2a33e2",
9
- "data/attack-techniques.json": "5bdfa22b5a9b4880e5340e70546cd6812750fcaf19697342b0a2bc8658fb2356",
10
- "data/cve-catalog.json": "5b37ab9f4863738df042a6a71126d99cd403ffdf0c18b2a0ae3de8c08f98dffa",
11
- "data/cwe-catalog.json": "df6e1e0d7d6f8fcd1cd899e272b17e89c91f25f51b095b3a160c6945d31debc8",
9
+ "data/attack-techniques.json": "4237fe46b0d8700a90c8a4dabd8753bf54b1752b744b368c4caf76cb960553c8",
10
+ "data/cve-catalog.json": "51ef99a37316f596fa2fcb950405cedd7bf0576302f8c0bcf41535a0e7541369",
11
+ "data/cwe-catalog.json": "686ba057cdca827a6fd4eb1b559cb82fc1c97310f5af63a6adf6f0ac6d87f738",
12
12
  "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
13
13
  "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
14
14
  "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
15
- "data/framework-control-gaps.json": "4a0987b9646258d0fcd8df28d82f0bacd8dfb49e19faeca7a5ccd4e151c01bc1",
15
+ "data/framework-control-gaps.json": "79171be6be0bfcb1e2c7b62b4e142d290579ea593974d67a47796a92d7a2aebf",
16
16
  "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
17
17
  "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
18
- "data/zeroday-lessons.json": "b660d756c816913cfd24211b41d8b67b70881283b028d1b44b6903a6cda8b796",
18
+ "data/zeroday-lessons.json": "a270416f6c20f17cd1cdf556622828d8efaf5073c3661c1fae4366949ed7fe27",
19
19
  "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
20
20
  "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
21
21
  "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
72
72
  "dlp_refs": 0
73
73
  },
74
74
  "trigger_table_entries": 538,
75
- "chains_cve_entries": 397,
75
+ "chains_cve_entries": 400,
76
76
  "chains_cwe_entries": 172,
77
77
  "jurisdictions_indexed": 29,
78
78
  "handoff_dag_nodes": 42,
package/data/_indexes/activity-feed.json CHANGED
@@ -149,7 +149,7 @@
149
149
  "artifact": "data/cve-catalog.json",
150
150
  "path": "data/cve-catalog.json",
151
151
  "schema_version": "1.0.0",
152
- "entry_count": 408
152
+ "entry_count": 411
153
153
  },
154
154
  {
155
155
  "date": "2026-05-18",
@@ -165,7 +165,7 @@
165
165
  "artifact": "data/zeroday-lessons.json",
166
166
  "path": "data/zeroday-lessons.json",
167
167
  "schema_version": "1.1.0",
168
- "entry_count": 403
168
+ "entry_count": 406
169
169
  },
170
170
  {
171
171
  "date": "2026-05-17",
package/data/_indexes/catalog-summaries.json CHANGED
@@ -62,7 +62,7 @@
62
62
  "rebuild_after_days": 365,
63
63
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
64
64
  },
65
- "entry_count": 408,
65
+ "entry_count": 411,
66
66
  "sample_keys": [
67
67
  "CVE-2025-53773",
68
68
  "CVE-2026-30615",
@@ -238,7 +238,7 @@
238
238
  "rebuild_after_days": 365,
239
239
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
240
240
  },
241
- "entry_count": 403,
241
+ "entry_count": 406,
242
242
  "sample_keys": [
243
243
  "CVE-2026-31431",
244
244
  "CVE-2025-53773",