@blamejs/exceptd-skills 0.13.118 → 0.13.120

package/data/attack-techniques.json

@@ -341,7 +341,8 @@
       "CVE-2026-39987",
       "CVE-2026-40933",
       "CVE-2026-45829",
-      "CVE-2026-6973"
+      "CVE-2026-6973",
+      "CVE-2025-68665"
     ],
     "description_full": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
     "platforms": [
@@ -1100,7 +1101,9 @@
       "CVE-2026-9082",
       "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP",
       "CVE-2024-12450",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "description_full": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
     "platforms": [
@@ -1323,7 +1326,8 @@
     ],
     "cve_refs": [
       "CVE-2026-41950",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22218"
     ]
   },
   "T1485": {
@@ -1582,7 +1586,9 @@
       "CVE-2025-68664",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22219",
+      "CVE-2025-68665"
     ],
     "description_full": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)",
     "platforms": [

package/data/cve-catalog.json

@@ -39336,5 +39336,313 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "RAGFlow generates API keys and share tokens with a predictable serializer keyed by tenant_id over a UUIDv1, so the tokens are mutually derivable and a shared link yields account takeover (CWE-340); fixed in 0.22.0."
+  },
+  "CVE-2026-22218": {
+    "name": "Chainlit /project/element Arbitrary File Read",
+    "type": "Path Traversal",
+    "cvss_score": 7.1,
+    "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
+    "cvss_note": "VulnCheck (CNA) CVSS v4.0 base 7.1 (HIGH); NVD CVSS v3.1 base 6.5. Chainlit's /project/element update flow accepts a custom Element with a user-controlled path value and copies the file at that path into the requesting user's session without validating it stays within the document store (CWE-22 path traversal), so an authenticated client reads arbitrary files on the server host.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-r399-636x-v7f6 cluster): an authenticated client submits a custom Element whose path field points outside the document store and reads the file's contents from its session.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via VulnCheck (CNA) and enriched by NVD. The abused surface is Chainlit, a widely used open-source framework for building conversational-AI / LLM apps.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing path validation on a caller-supplied file path in an LLM app framework's element-update API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "VulnCheck/NVD advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "Chainlit before 2.9.4.",
+    "affected_versions": [
+      "Chainlit < 2.9.4"
+    ],
+    "vector": "Chainlit's /project/element update flow accepts a custom Element with a user-controlled `path` value and copies the file at that path into the requesting user's session without confirming the path stays within the document store, so an authenticated client supplies a traversal path and reads arbitrary files on the server host (CWE-22).",
+    "complexity": "low",
+    "complexity_notes": "VulnCheck v4.0 AV:N / AC:L / PR:L - an authenticated client supplies a crafted element path.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 2.9.4 or later (released 2025-12-24); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Chainlit to 2.9.4 or later. Canonicalize and validate every caller-supplied file path (including encoding transforms) against an allowlisted base directory before reading, and do not expose the app to untrusted users."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "No input validation is applied to the caller-supplied element path before the server reads it (CWE-22).",
+      "NIST-800-53-AC-3": "Access enforcement does not confine the read to the document store - an authenticated user reads arbitrary host files.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not require canonicalization + allowlisting of file paths in the LLM app framework's element API.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model an LLM app framework's file-bearing API as a path-traversal surface.",
+      "DORA-Art-9": "ICT protection measures do not model arbitrary file read in an AI app as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for path canonicalization on AI app-framework file APIs.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app framework's path-bearing input as an integrity boundary requiring canonicalization."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1213"
+    ],
+    "rwep_score": 19,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 14,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 19, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 2.9.4 (Hard Rule #3): poc_available=20 + blast_radius=14 (authenticated arbitrary file read in a widely used LLM app framework - host secrets/config readable), minus patch_available 15.",
+    "epss_score": 0.00044,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00044 (14th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-22218",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Chainlit /project/element requests whose element path references files outside the document store (../ traversal or absolute host paths).",
+        "Chainlit sessions receiving file contents (e.g. /etc/passwd, app config, secrets) not uploaded by the requesting user.",
+        "Chainlit < 2.9.4 reachable by authenticated-but-untrusted users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to VulnCheck / NVD CVE-2026-22218 (CWE-22) and the Chainlit 2.9.4 advisory."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-22218",
+      "https://github.com/advisories/GHSA-r399-636x-v7f6"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "VulnCheck",
+        "advisory_id": "CVE-2026-22218",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22218",
+        "severity": "high",
+        "published_date": "2026-01-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-22218",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22218",
+        "severity": "medium",
+        "published_date": "2026-01-20"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2026-22218 (CWE-22) + VulnCheck (CNA, CVSS v4.0 7.1). Chainlit LLM-app-framework arbitrary file read; reuses the AI-runtime-API path-traversal validation control NEW-CTRL-094 (shared with the AnythingLLM upload path-traversal and the Ollama path-traversal class).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Chainlit /project/element copies a caller-supplied file path into the user's session without validation, letting an authenticated client read arbitrary host files (CWE-22); fixed in 2.9.4."
+  },
+  "CVE-2026-22219": {
+    "name": "Chainlit /project/element SQLAlchemy-Backend Server-Side Request Forgery",
+    "type": "Server-Side Request Forgery",
+    "cvss_score": 8.3,
+    "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
+    "cvss_note": "VulnCheck (CNA) CVSS v4.0 base 8.3 (HIGH); NVD CVSS v3.1 base 7.7 (scope-changed, S:C). When Chainlit is configured with the SQLAlchemy data-layer backend, its /project/element update flow accepts a custom Element with a user-controlled `url` value and the server issues an outbound GET to it, storing the response - so an authenticated client reaches internal services or cloud metadata via the Chainlit server (CWE-918 SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-r399-636x-v7f6): an authenticated client sets a custom Element's url field to an internal address and the server fetches and stores the response.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via VulnCheck (CNA) and enriched by NVD. The abused surface is Chainlit, a widely used open-source framework for building conversational-AI / LLM apps.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch (SSRF) in an LLM app framework's element-update API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "VulnCheck/NVD advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "Chainlit before 2.9.4 when configured with the SQLAlchemy data-layer backend.",
+    "affected_versions": [
+      "Chainlit < 2.9.4 (SQLAlchemy data layer)"
+    ],
+    "vector": "When Chainlit uses the SQLAlchemy data-layer backend, its /project/element update flow accepts a custom Element with a user-controlled `url` value and the server issues an outbound GET request to that URL and stores the response, without validating the destination - so an authenticated client reaches internal services or cloud-metadata endpoints via the server (CWE-918).",
+    "complexity": "low",
+    "complexity_notes": "VulnCheck v4.0 AV:N / AC:L / PR:L, scope-changed (SC:H) - an authenticated client supplies a crafted element url.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 2.9.4 or later (released 2025-12-24); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Chainlit to 2.9.4 or later. Validate and allowlist every URL the element-update flow fetches: reject private, link-local, and cloud-metadata (169.254.169.254) addresses, reject non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the LLM app framework's element-url fetch as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "No input validation is applied to the user-supplied element url before the server fetches it (CWE-918).",
+      "NIST-800-53-AC-3": "Access enforcement does not stop an authenticated user from directing the server to fetch internal resources.",
+      "ISO-27001-2022-A.8.22": "Segregation of networks does not prevent the LLM app framework from reaching internal services on behalf of a caller.",
+      "NIS2-Art21-network-security": "Article 21 network-security measures do not model an LLM app framework's server-side fetch as an SSRF pivot.",
+      "DORA-Art-9": "ICT protection measures do not model an AI app framework's server-side fetch as an ICT-risk egress.",
+      "UK-CAF-B4": "System security objective has no objective for destination validation on AI-app-framework server-side fetches.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app framework's server-side fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1552"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate-high (RWEP 23, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 2.9.4 (Hard Rule #3): poc_available=20 + blast_radius=18 (scope-changed SSRF that stores the fetched response - reaches internal services / cloud metadata in a widely used LLM app framework), minus patch_available 15.",
+    "epss_score": 0.00052,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00052 (16th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-22219",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Chainlit /project/element requests whose element url targets internal/link-local addresses or 169.254.169.254 (cloud metadata).",
+        "Outbound GET requests from the Chainlit server to internal hosts triggered by element updates, with responses stored in the SQLAlchemy data layer.",
+        "Chainlit < 2.9.4 with the SQLAlchemy data-layer backend reachable by authenticated-but-untrusted users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to VulnCheck / NVD CVE-2026-22219 (CWE-918) and the Chainlit 2.9.4 advisory."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-22219",
+      "https://github.com/advisories/GHSA-r399-636x-v7f6"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "VulnCheck",
+        "advisory_id": "CVE-2026-22219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22219",
+        "severity": "high",
+        "published_date": "2026-01-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-22219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22219",
+        "severity": "high",
+        "published_date": "2026-01-20"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2026-22219 (CWE-918) + VulnCheck (CNA, CVSS v4.0 8.3). Chainlit LLM-app-framework server-side request forgery; reuses the AI-data-pipeline import SSRF control NEW-CTRL-105 (shared with the Dify RemoteFileUploadApi, RAGFlow web_crawl, and Label Studio data-pipeline SSRFs).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Chainlit /project/element (SQLAlchemy backend) fetches a caller-supplied url server-side and stores the response, letting an authenticated client reach internal services (CWE-918 SSRF); fixed in 2.9.4."
+  },
+  "CVE-2025-68665": {
+    "name": "LangChain JS toJSON() 'lc'-Key Serialization Injection",
+    "type": "deserialization-injection",
+    "cvss_score": 8.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
+    "cvss_note": "GitHub (CNA, security-advisories@github.com) CVSS v3.1 base 8.6 (scope-changed, S:C); NVD v3.1 base 9.1. LangChain JS's toJSON() (and JSON.stringify of LangChain objects) did not escape free-form kwargs data containing the internal 'lc' marker key, so attacker-controlled data carrying that key structure is treated as a legitimate serialized LangChain object on deserialization rather than plain user data (CWE-502). This is the LangChain-JS sibling of the Python-side CVE-2025-68664 dumps()/dumpd() injection.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the LangChain JS advisory: free-form data with an 'lc' key passed through toJSON()/JSON.stringify is rehydrated as a framework object on load.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the LangChain JS GitHub Security Advisory and enriched by NVD. The abused surface is LangChain JS, a widely used framework for building LLM-powered applications.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization evidence for the JS variant specifically; the flaw is unescaped framework-marker serialization in an LLM framework. (The Python sibling CVE-2025-68664 carries suspected-exploitation + weaponization signals; this JS entry is scored conservatively per the available evidence.)",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "GitHub advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported for the JS variant as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "LangChain JS: @langchain/core before 0.3.80 and before 1.1.8; langchain before 0.3.37 and before 1.2.3.",
+    "affected_versions": [
+      "@langchain/core < 0.3.80",
+      "@langchain/core < 1.1.8",
+      "langchain < 0.3.37",
+      "langchain < 1.2.3"
+    ],
+    "vector": "LangChain JS's toJSON() method (and downstream JSON.stringify of LangChain objects) did not escape free-form kwargs data containing the 'lc' marker key that LangChain uses internally to mark serialized objects, so user-controlled data carrying that structure is rehydrated as a legitimate LangChain object during deserialization instead of being kept as plain data (CWE-502 deserialization of untrusted data).",
+    "complexity": "low",
+    "complexity_notes": "GitHub v3.1 AV:N / AC:L / PR:N / UI:N, scope-changed (S:C).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading @langchain/core to 0.3.80 or 1.1.8+ and langchain to 0.3.37 or 1.2.3+; redeploy.",
+    "vendor_update_paths": [
+      "Upgrade @langchain/core to 0.3.80 / 1.1.8 (or later) and langchain to 0.3.37 / 1.2.3 (or later). Never round-trip untrusted free-form data through framework serializers that interpret internal marker keys; escape or reject the 'lc' marker in user-derived fields."
+    ],
+    "framework_control_gaps": {
+      "NIST-AI-RMF-MEASURE-2.7": "Serialization round-trip of untrusted free-form data through a framework marker is not in the published AI-risk taxonomy.",
+      "EU-AI-Act-Art15": "Robustness control does not enumerate the serialization-deserialization chain in an LLM framework as an attack surface.",
+      "ISO-IEC-42001-AIMS-A.6.2.5": "Lifecycle controls do not include trust-zone separation on LLM-framework (de)serialization.",
+      "OWASP-LLM-Top-10-LLM01": "Prompt Injection class — untrusted content reaching the serializer is the upstream trigger.",
+      "OWASP-LLM-Top-10-LLM02": "Insecure output handling — applies directly to rehydrating attacker data as a framework object."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0040"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1552"
+    ],
+    "rwep_score": 25,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate-high (RWEP 25, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation for the JS variant, patched (Hard Rule #3): poc_available=20 + blast_radius=20 (unauthenticated scope-changed deserialization injection in a widely used LLM framework), minus patch_available 15. Scored below its Python sibling CVE-2025-68664 (RWEP 52), which additionally carries suspected-exploitation + weaponization signals.",
+    "epss_score": 0.00066,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00066 (20th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-68665",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "LangChain JS applications round-tripping user-controlled free-form data through toJSON() / JSON.stringify where the data contains an 'lc' key.",
+        "Deserialized LangChain objects instantiated from fields that should have been plain user data.",
+        "@langchain/core < 0.3.80 / < 1.1.8 or langchain < 0.3.37 / < 1.2.3 handling untrusted serialized input — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the LangChain JS GitHub Security Advisory and NVD CVE-2025-68665 (CWE-502)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-68665",
+      "https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-68665",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68665",
+        "severity": "high",
+        "published_date": "2025-12-23"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-68665",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68665",
+        "severity": "critical",
+        "published_date": "2025-12-23"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-68665 (CWE-502) + the LangChain JS GitHub Security Advisory (CNA, CVSS v3.1 8.6). LangChain-JS toJSON() serialization injection — the JavaScript sibling of the Python-side CVE-2025-68664; reuses the LLM-output deserialization trust-zone control NEW-CTRL-064 + AI-tool input-sanitization NEW-CTRL-005.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "LangChain JS toJSON() did not escape the internal 'lc' marker in free-form data, so attacker data is rehydrated as a framework object on deserialization (CWE-502); fixed in @langchain/core 1.1.8 / langchain 1.2.3."
   }
 }

package/data/cwe-catalog.json

@@ -113,7 +113,8 @@
       "CVE-2025-67818",
       "CVE-2025-8110",
       "CVE-2026-25592",
-      "CVE-2026-34926"
+      "CVE-2026-34926",
+      "CVE-2026-22218"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-AC-3",
@@ -1372,7 +1373,8 @@
       "CVE-2025-8747",
       "CVE-2026-20131",
       "CVE-2026-20963",
-      "CVE-2026-31229"
+      "CVE-2026-31229",
+      "CVE-2025-68665"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -1887,7 +1889,8 @@
       "CVE-2025-25297",
       "CVE-2025-56520",
       "CVE-2025-61884",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22219"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SC-7",

package/data/framework-control-gaps.json

@@ -118,7 +118,9 @@
       "CVE-2026-41950",
       "CVE-2026-45829",
       "CVE-2024-12450",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -1259,7 +1261,8 @@
       "CVE-2024-21626",
       "CVE-2025-23266",
       "CVE-2025-25297",
-      "CVE-2025-56520"
+      "CVE-2025-56520",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1311,7 +1314,8 @@
       "CVE-2026-30623",
       "CVE-2026-31229",
       "CVE-2026-31230",
-      "CVE-2026-33017"
+      "CVE-2026-33017",
+      "CVE-2026-22218"
     ],
     "atlas_refs": [
       "AML.T0051",
@@ -2311,7 +2315,8 @@
       "CVE-2025-56520",
       "CVE-2026-34159",
       "CVE-2026-42897",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [
       "AML.T0096",
@@ -2426,7 +2431,9 @@
       "CVE-2026-42208",
       "CVE-2026-45829",
       "CVE-2026-9082",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [
       "AML.T0053"
@@ -5208,7 +5215,9 @@
       "CVE-2026-46333",
       "CVE-2026-9082",
       "CVE-2024-12450",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5258,7 +5267,9 @@
       "CVE-2026-41947",
       "CVE-2026-41950",
       "CVE-2026-7482",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [
       "AML.T0051"
@@ -5799,7 +5810,9 @@
       "CVE-2026-46333",
       "CVE-2026-9082",
       "MAL-2026-SHAI-HULUD-OSS",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5924,7 +5937,9 @@
       "CVE-2026-46333",
       "CVE-2026-9082",
       "CVE-2024-12450",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6269,7 +6284,8 @@
       "CVE-2023-43472",
       "CVE-2025-55319",
       "CVE-2025-68664",
-      "CVE-2026-30623"
+      "CVE-2026-30623",
+      "CVE-2025-68665"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -6346,7 +6362,9 @@
       "CVE-2025-25297",
       "CVE-2025-56520",
       "CVE-2026-20182",
-      "CVE-2024-12450"
+      "CVE-2024-12450",
+      "CVE-2026-22218",
+      "CVE-2026-22219"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6574,7 +6592,8 @@
       "CVE-2025-68664",
       "CVE-2025-6965",
       "CVE-2026-22778",
-      "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP"
+      "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP",
+      "CVE-2025-68665"
     ],
     "theater_test": {
       "claim": "We are compliant with Art-15 (Accuracy, robustness, and cybersecurity of high-risk AI systems) because we follow the documented requirement: Article 15 — high-risk AI systems must be designed and developed so as to achieve an appropriate level of accuracy, robustness, and cybersecurity throughout their lifecycle. Anchored on the assumption",
@@ -7065,7 +7084,8 @@
     "evidence_cves": [
       "CVE-2025-10725",
       "CVE-2025-55319",
-      "CVE-2025-68664"
+      "CVE-2025-68664",
+      "CVE-2025-68665"
     ],
     "theater_test": {
       "claim": "We are compliant with Annex A.6.2.5 (AI system lifecycle — verification and validation) because we follow the documented requirement: Annex A.6.2.5 — verification and validation across the AI system lifecycle, ensuring intended behaviour is preserved across design, training, deployment, and operations. Anchored on lifecycle-stage ga",
@@ -7094,7 +7114,8 @@
     "opened_at": "2026-05-18",
     "evidence_cves": [
       "CVE-2025-55319",
-      "CVE-2025-68664"
+      "CVE-2025-68664",
+      "CVE-2025-68665"
     ],
     "theater_test": {
       "claim": "We are compliant with LLM01 (Prompt Injection (2023 edition)) because we follow the documented requirement: LLM01:2023 — preventing prompt injection where user-controlled input or third-party content overrides the developer's instructions to the LLM. Anchored on input-sanitisation, prompt-template hardening",
@@ -7122,7 +7143,8 @@
     "status": "open",
     "opened_at": "2026-05-18",
     "evidence_cves": [
-      "CVE-2025-68664"
+      "CVE-2025-68664",
+      "CVE-2025-68665"
     ],
     "theater_test": {
       "claim": "We are compliant with LLM02 (Insecure Output Handling (2023 edition)) because we follow the documented requirement: LLM02:2023 — preventing downstream systems from blindly trusting LLM output where it can produce XSS, SSRF, privilege escalation, or remote code execution. Anchored on treating LLM output as untrusted",