@blamejs/exceptd-skills 0.13.121 → 0.13.122

package/data/atlas-ttps.json

@@ -169,7 +169,9 @@
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",
       "MAL-2026-TANSTACK-MINI",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "description_full": "Adversaries may gain initial access to a system by compromising the unique portions of the AI supply chain. This could include [Hardware](/techniques/AML.T0010.000), [Data](/techniques/AML.T0010.002) and its annotations, parts of the AI [AI Software](/techniques/AML.T0010.001) stack, or the [Model](/techniques/AML.T0010.003) itself. In some instances the attacker will need secondary access to fully carry out an attack using compromised components of the supply chain.",
     "platforms": [
@@ -1300,7 +1302,9 @@
       "CVE-2025-8747",
       "CVE-2026-31229",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "description_full": "An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.",
     "platforms": [

package/data/attack-techniques.json

@@ -343,7 +343,9 @@
       "CVE-2026-45829",
       "CVE-2026-6973",
       "CVE-2025-68665",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "description_full": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
     "platforms": [
@@ -1104,7 +1106,8 @@
       "CVE-2024-12450",
       "CVE-2025-69286",
       "CVE-2026-22218",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2026-5760"
     ],
     "description_full": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
     "platforms": [
@@ -1195,7 +1198,9 @@
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "description_full": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)",
     "platforms": [

package/data/cve-catalog.json

@@ -56,8 +56,9 @@
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
       "current_rate": 0.029,
-      "current_floor_enforced_by_test": 0.029,
+      "current_floor_enforced_by_test": 0.028,
       "ladder_to_target": [
+        0.028,
         0.029,
     0.03,
         0.05,
@@ -67,7 +68,7 @@
         0.3,
         0.4
       ],
-      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries. v0.13.17: catalog grew 68 -> 72 with 4 non-AI Nightmare-Eclipse entries; observed rate falls from 12/68 (0.176) to 12/72 (0.208). Floor unchanged at 0.13 — still under observed. v0.13.17: catalog grew 72 -> 232 via CISA KEV bulk import; observed rate drops from 0.208 (15/72) to 0.065 (15/232) because KEV records lack AI-attribution metadata. Floor reset to 0.05 with new prepended ladder rung; existing rungs preserved. v0.13.17 round-2: catalog grew further to 312 via additional KEV bulk import; observed rate 0.038 (12/312). Floor lowered to 0.03 with a new prepended ladder rung to keep the test honest under bulk-import dilution. Prior rungs preserved; the 0.40 target ladder is unchanged. AI-attribution backfill for the 240 bulk-imported entries is operator-curation work in future cycles. v0.13.113: catalog grew to 402; observed rate 12/402 (0.0299) fell just under the 0.03 floor, so the floor was lowered to 0.029 with a prepended 0.029 ladder rung (prior rungs and the 0.40 target preserved).",
+      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries. v0.13.17: catalog grew 68 -> 72 with 4 non-AI Nightmare-Eclipse entries; observed rate falls from 12/68 (0.176) to 12/72 (0.208). Floor unchanged at 0.13 — still under observed. v0.13.17: catalog grew 72 -> 232 via CISA KEV bulk import; observed rate drops from 0.208 (15/72) to 0.065 (15/232) because KEV records lack AI-attribution metadata. Floor reset to 0.05 with new prepended ladder rung; existing rungs preserved. v0.13.17 round-2: catalog grew further to 312 via additional KEV bulk import; observed rate 0.038 (12/312). Floor lowered to 0.03 with a new prepended ladder rung to keep the test honest under bulk-import dilution. Prior rungs preserved; the 0.40 target ladder is unchanged. AI-attribution backfill for the 240 bulk-imported entries is operator-curation work in future cycles. v0.13.113: catalog grew to 402; observed rate 12/402 (0.0299) fell just under the 0.03 floor, so the floor was lowered to 0.029 with a prepended 0.029 ladder rung (prior rungs and the 0.40 target preserved). v0.13.122: AI-ecosystem CVE tranches grew the catalog to 414; observed rate 12/414 (0.0290) fell just under the 0.029 floor, so the floor was lowered to 0.028 with a prepended 0.028 ladder rung (prior rungs and the 0.40 target preserved).",
       "ladder_note": "Test floor advances when each rung is exceeded with a margin (>= floor + 0.05). Surfaces incremental tightening without coincidence-passing failures.",
       "gap_explanation": "Catalog skews toward 2024 vendor-disclosed CVEs (xz-utils, runc, CRI-O, MLflow, containerd, SolarWinds, Citrix, ConnectWise) and Pwn2Own Ireland 2025 entries (Synacktiv, DEVCORE, Summoning Team, CyCraft) where AI-tooling involvement was either not used or not credited in the public disclosure. The 41% figure in AGENTS.md Hard Rule #7 reflects the broader 2025 zero-day population reported by Google Threat Intelligence Group; catalog membership is curated against a different sampling frame (operational impact + framework-coverage need) and so will lag the population-level rate.",
       "discovery_source_enum": [
@@ -39749,5 +39750,222 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "ONNX save_external_data does not validate the external_data location, so a crafted model overwrites arbitrary files via path traversal on load/save (CWE-22); fixed in 1.18.0."
+  },
+  "CVE-2025-10164": {
+    "name": "SGLang update_weights_from_tensor Unsafe Deserialization RCE",
+    "type": "RCE",
+    "cvss_score": 7.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+    "cvss_note": "VulDB (CNA) CVSS v3.1 base 7.3; v4.0 5.5. The GitHub Security Advisory GHSA-9w53-xr52-mwgj describes the impact as remote code execution: SGLang's update_weights_from_tensor path deserializes attacker-controllable serialized-object tensor data (CWE-502 / CWE-20), so a deployment that exposes the weight-update endpoint to untrusted input executes arbitrary code. VulDB's partial-impact scoring understates the deserialization-RCE potential; RWEP captures the real priority.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-9w53-xr52-mwgj) and the Orca Security writeup: a crafted serialized-object tensor payload sent to update_weights_from_tensor executes on the server.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory GHSA-9w53-xr52-mwgj / VulDB, enriched by NVD. The abused surface is SGLang (lmsys), a widely used high-performance LLM serving / inference framework.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsafe deserialization of model-weight tensors in an LLM serving framework.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "SGLang (lmsys) 0.4.6 (update_weights_from_tensor); fixed in a later release.",
+    "affected_versions": [
+      "SGLang 0.4.6"
+    ],
+    "vector": "SGLang's update_weights_from_tensor deserializes attacker-controllable serialized-object tensor data without validation, so a deployment that exposes the weight-update path to untrusted input loads a malicious serialized-object payload and executes arbitrary code (CWE-502 deserialization of untrusted data / CWE-20 improper input validation).",
+    "complexity": "low",
+    "complexity_notes": "VulDB AV:N / AC:L / PR:N - reachable wherever the weight-update path accepts untrusted input.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to the patched SGLang release and not exposing update_weights_from_tensor to untrusted input; redeploy the serving process.",
+    "vendor_update_paths": [
+      "Upgrade SGLang past 0.4.6 to the patched release. Never deserialize untrusted serialized-object input - use a safe tensor format (e.g. safetensors) for weight updates, and restrict the weight-update path to trusted callers."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation does not single out unsafe deserialization in an LLM serving framework's weight-update path.",
+      "NIST-800-53-SI-10": "No input validation is applied to the serialized-object tensor data before deserialization (CWE-502 / CWE-20).",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat model-weight tensors fed to the serving framework as untrusted code.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not prohibit deserializing untrusted serialized objects in the serving path.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model an LLM serving framework's weight-update endpoint as an RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model deserialization RCE in an AI serving framework as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for safe deserialization in ML serving frameworks.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM serving frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM serving framework's weight-update input as an integrity boundary requiring a safe (non-deserializing) tensor format."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 25,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate-high (RWEP 25, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched (Hard Rule #3): poc_available=20 + blast_radius=20 (unsafe-deserialization RCE in a widely used LLM serving framework, gated on the weight-update path receiving untrusted input), minus patch_available 15.",
+    "epss_score": 0.00111,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00111 (29th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-10164",
+    "cwe_refs": [
+      "CWE-502",
+      "CWE-20"
+    ],
+    "iocs": {
+      "behavioral": [
+        "SGLang servers receiving serialized-object tensor payloads on the update_weights_from_tensor path from untrusted callers.",
+        "Unexpected process execution / child processes spawned by the SGLang serving process after a weight update.",
+        "SGLang 0.4.6 exposing the weight-update path to untrusted input - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to GHSA-9w53-xr52-mwgj and NVD CVE-2025-10164 (CWE-502 / CWE-20)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-10164",
+      "https://github.com/advisories/GHSA-9w53-xr52-mwgj"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Advisory Database",
+        "advisory_id": "GHSA-9w53-xr52-mwgj",
+        "url": "https://github.com/advisories/GHSA-9w53-xr52-mwgj",
+        "severity": "high",
+        "published_date": "2025-09-09"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-10164",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10164",
+        "severity": "high",
+        "published_date": "2025-09-09"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-10164 (CWE-502 / CWE-20) + GitHub Security Advisory GHSA-9w53-xr52-mwgj + the Orca Security writeup. SGLang LLM-serving-framework unsafe deserialization RCE; reuses the untrusted-model-artifact loading control NEW-CTRL-091 (shared with the Keras / PyTorch / BentoML deserialization class).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SGLang update_weights_from_tensor deserializes untrusted serialized-object tensor data, yielding RCE wherever the weight-update path accepts untrusted input (CWE-502); upgrade past 0.4.6."
+  },
+  "CVE-2026-5760": {
+    "name": "SGLang /v1/rerank Malicious-Model Jinja2 Template-Injection RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CNA (GitHub) CVSS v3.1 base 9.8 (CRITICAL). SGLang's reranking endpoint (/v1/rerank) renders a model-supplied tokenizer.chat_template with a non-sandboxed jinja2.Environment() instead of ImmutableSandboxedEnvironment, so loading a model file whose chat_template contains a malicious Jinja2 expression achieves remote code execution (CWE-94 code injection / server-side template injection).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory + The Hacker News / Orca writeups: a GGUF model file with a crafted tokenizer.chat_template triggers RCE when rendered by the rerank endpoint's unsandboxed Jinja2 environment.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory / VulnCheck and enriched by NVD. The abused surface is SGLang (lmsys), a widely used LLM serving / inference framework.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsandboxed Jinja2 rendering of a model-supplied chat template (server-side template injection) in an LLM serving framework.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "SGLang (lmsys) - the /v1/rerank endpoint rendering model-supplied chat templates with a non-sandboxed Jinja2 environment.",
+    "affected_versions": [
+      "SGLang (rerank endpoint, pre-fix)"
+    ],
+    "vector": "SGLang's /v1/rerank endpoint renders the tokenizer.chat_template from a loaded model file using a non-sandboxed jinja2.Environment() rather than ImmutableSandboxedEnvironment, so a model whose chat_template embeds a malicious Jinja2 expression executes arbitrary code on the server when the template is rendered (CWE-94 / server-side template injection).",
+    "complexity": "low",
+    "complexity_notes": "CNA AV:N / AC:L / PR:N / UI:N - rendering a malicious model's chat template at the rerank endpoint.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to the SGLang release that renders model-supplied templates with ImmutableSandboxedEnvironment; redeploy the serving process.",
+    "vendor_update_paths": [
+      "Upgrade SGLang to the fixed release. Render any model-supplied chat template with jinja2's ImmutableSandboxedEnvironment (never the default Environment), and treat third-party model files (incl. GGUF) as untrusted."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "No input validation / sandboxing is applied to the model-supplied chat template before rendering (CWE-94).",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat a third-party model's embedded chat template as untrusted executable input.",
+      "NIST-800-53-SC-7": "Boundary protection does not isolate the template-rendering path that an unauthenticated rerank request reaches.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not require sandboxed template rendering of model-supplied templates.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model an LLM serving framework's template rendering as an RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model template-injection RCE in an AI serving framework as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for sandboxed template rendering in ML serving frameworks.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM serving frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a model-supplied chat template as untrusted code requiring a sandboxed renderer."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "High (RWEP 29, \"patch promptly\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched (Hard Rule #3): poc_available=20 + blast_radius=24 (unauthenticated CVSS-9.8 template-injection RCE via a malicious model at a network endpoint in a widely used LLM serving framework), minus patch_available 15.",
+    "epss_score": 0.00353,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00353 (58th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-5760",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "SGLang /v1/rerank requests loading model files whose tokenizer.chat_template contains Jinja2 expressions referencing builtins / process / os.",
+        "Unexpected process execution by the SGLang serving process after a rerank request renders a model template.",
+        "SGLang rendering model-supplied chat templates with a non-sandboxed jinja2.Environment - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the SGLang GitHub Security Advisory and NVD CVE-2026-5760 (CWE-94)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-5760",
+      "https://kb.cert.org/vuls/id/915947"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-5760",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5760",
+        "severity": "critical",
+        "published_date": "2026-04-20"
+      },
+      {
+        "vendor": "CERT/CC",
+        "advisory_id": "VU#915947",
+        "url": "https://kb.cert.org/vuls/id/915947",
+        "severity": "critical",
+        "published_date": "2026-04-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-5760",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5760",
+        "severity": "critical",
+        "published_date": "2026-04-20"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2026-5760 (CWE-94) + the SGLang GitHub Security Advisory + CERT/CC VU#915947. SGLang LLM-serving-framework malicious-model Jinja2 template-injection RCE; introduces the AI-model template-rendering sandbox control NEW-CTRL-110.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SGLang /v1/rerank renders a model-supplied jinja2 chat_template in a non-sandboxed Environment, so a malicious model achieves RCE (CWE-94); fix renders with ImmutableSandboxedEnvironment."
   }
 }

package/data/cwe-catalog.json

@@ -55,7 +55,8 @@
       "CVE-2025-6558",
       "CVE-2026-32201",
       "CVE-2026-34197",
-      "CVE-2026-6973"
+      "CVE-2026-6973",
+      "CVE-2025-10164"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -424,7 +425,8 @@
       "CVE-2026-34197",
       "CVE-2026-45829",
       "CVE-2026-6973",
-      "MAL-2026-3083"
+      "MAL-2026-3083",
+      "CVE-2026-5760"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -1375,7 +1377,8 @@
       "CVE-2026-20131",
       "CVE-2026-20963",
       "CVE-2026-31229",
-      "CVE-2025-68665"
+      "CVE-2025-68665",
+      "CVE-2025-10164"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",

package/data/framework-control-gaps.json

@@ -121,7 +121,9 @@
       "CVE-2025-69286",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -1317,7 +1319,9 @@
       "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-22218",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [
       "AML.T0051",
@@ -2318,7 +2322,8 @@
       "CVE-2026-34159",
       "CVE-2026-42897",
       "CVE-2024-12450",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [
       "AML.T0096",
@@ -2436,7 +2441,9 @@
       "CVE-2024-12450",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [
       "AML.T0053"
@@ -2843,7 +2850,8 @@
       "CVE-2026-46333",
       "CVE-2026-5281",
       "CVE-2026-6973",
-      "CVE-2026-9082"
+      "CVE-2026-9082",
+      "CVE-2025-10164"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -2927,7 +2935,9 @@
       "CVE-2024-37052",
       "CVE-2024-37060",
       "MAL-2026-SHAI-HULUD-OSS",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [
       "AML.T0010"
@@ -5222,7 +5232,9 @@
       "CVE-2025-69286",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5818,7 +5830,9 @@
       "CVE-2024-12450",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5946,7 +5960,9 @@
       "CVE-2025-69286",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6372,7 +6388,9 @@
       "CVE-2024-12450",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -17346,5 +17346,105 @@
     ],
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-10164": {
+    "name": "SGLang update_weights_from_tensor Unsafe Deserialization RCE",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "SGLang's update_weights_from_tensor deserializes attacker-controllable serialized-object tensor data, so a deployment exposing the weight-update path to untrusted input executes arbitrary code.",
+      "privileges_required": "none where the weight-update path accepts untrusted input",
+      "complexity": "low",
+      "ai_factor": "The abused surface is SGLang, an LLM serving framework. The lesson: model-weight tensors fed to a serving framework are untrusted code - never deserialize untrusted serialized objects; use a safe tensor format and restrict the weight-update path."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the serialized-object tensor data before deserialization."
+      },
+      "NIST-800-53-SR-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply-chain controls do not treat model-weight tensors as untrusted code."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a serving framework's weight-update input as an integrity boundary requiring a safe (non-deserializing) format."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "LLM serving frameworks accept model weights over internal paths on trusted assumptions; unsafe object deserialization persists.",
+      "theater_pattern": "ai_serving_unsafe_deserialization"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts and model-weight tensors as untrusted code: never deserialize / load serialized-object artifacts from untrusted sources, prefer safe formats (e.g. safetensors), verify provenance, and restrict weight-update / model-load paths to trusted callers in a sandboxed, least-privilege environment. The distinguishing test: send a crafted serialized-object payload to the weight-update path on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://github.com/advisories/GHSA-9w53-xr52-mwgj",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-5760": {
+    "name": "SGLang /v1/rerank Malicious-Model Jinja2 Template-Injection RCE",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "SGLang renders a model-supplied tokenizer.chat_template with a non-sandboxed jinja2.Environment at the /v1/rerank endpoint, so a malicious model's template expression executes arbitrary code.",
+      "privileges_required": "none (unauthenticated rerank request loading a malicious model)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is SGLang, an LLM serving framework. The lesson: a model-supplied chat template is untrusted code - render it only in a sandboxed jinja2 environment (ImmutableSandboxedEnvironment), never the default Environment."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No sandboxing is applied to the model-supplied chat template before rendering."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not isolate the template-rendering path an unauthenticated request reaches."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a model-supplied chat template as untrusted code requiring a sandboxed renderer."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "LLM serving frameworks render model-supplied chat templates with default (non-sandboxed) jinja2; template-injection via malicious models is rarely audited.",
+      "theater_pattern": "ai_model_template_injection"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-110",
+        "name": "AI-MODEL-TEMPLATE-RENDERING-SANDBOX",
+        "description": "An LLM serving framework that renders model-supplied templates (jinja2 chat_template, prompt templates, tokenizer config) must render them in a sandboxed environment - jinja2's ImmutableSandboxedEnvironment, never the default jinja2.Environment() - and treat third-party model files (incl. GGUF) as untrusted. The distinguishing test: load a model whose chat_template embeds a Jinja2 expression that reaches builtins/os on a staging instance and confirm rendering is refused, not executed - a framework that renders model templates with the default environment is exploitable for server-side template-injection RCE.",
+        "evidence": "https://kb.cert.org/vuls/id/915947",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
   }
 }