@blamejs/exceptd-skills 0.13.121 → 0.13.123

package/data/atlas-ttps.json

@@ -169,7 +169,9 @@
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",
       "MAL-2026-TANSTACK-MINI",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "description_full": "Adversaries may gain initial access to a system by compromising the unique portions of the AI supply chain. This could include [Hardware](/techniques/AML.T0010.000), [Data](/techniques/AML.T0010.002) and its annotations, parts of the AI [AI Software](/techniques/AML.T0010.001) stack, or the [Model](/techniques/AML.T0010.003) itself. In some instances the attacker will need secondary access to fully carry out an attack using compromised components of the supply chain.",
     "platforms": [
@@ -1300,7 +1302,9 @@
       "CVE-2025-8747",
       "CVE-2026-31229",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "description_full": "An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.",
     "platforms": [
@@ -1786,7 +1790,9 @@
       "CVE-2026-34159",
       "CVE-2026-41947",
       "CVE-2026-41950",
-      "CVE-2026-45829"
+      "CVE-2026-45829",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ]
   },
   "AML.T0050": {

package/data/attack-techniques.json

@@ -343,7 +343,11 @@
       "CVE-2026-45829",
       "CVE-2026-6973",
       "CVE-2025-68665",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760",
+      "CVE-2025-68668",
+      "CVE-2026-21858"
     ],
     "description_full": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
     "platforms": [
@@ -559,7 +563,8 @@
       "CVE-2026-6973",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-SHAI-HULUD-OSS",
-      "CVE-2025-69286"
+      "CVE-2025-69286",
+      "CVE-2026-21858"
     ],
     "description_full": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare) The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)",
     "platforms": [
@@ -1104,7 +1109,10 @@
       "CVE-2024-12450",
       "CVE-2025-69286",
       "CVE-2026-22218",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "description_full": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
     "platforms": [
@@ -1195,7 +1203,9 @@
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "description_full": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)",
     "platforms": [
@@ -1329,7 +1339,8 @@
     "cve_refs": [
       "CVE-2026-41950",
       "CVE-2024-12450",
-      "CVE-2026-22218"
+      "CVE-2026-22218",
+      "CVE-2026-21858"
     ]
   },
   "T1485": {

package/data/cve-catalog.json

@@ -56,8 +56,9 @@
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
       "current_rate": 0.029,
-      "current_floor_enforced_by_test": 0.029,
+      "current_floor_enforced_by_test": 0.028,
       "ladder_to_target": [
+        0.028,
         0.029,
     0.03,
         0.05,
@@ -67,7 +68,7 @@
         0.3,
         0.4
       ],
-      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries. v0.13.17: catalog grew 68 -> 72 with 4 non-AI Nightmare-Eclipse entries; observed rate falls from 12/68 (0.176) to 12/72 (0.208). Floor unchanged at 0.13 — still under observed. v0.13.17: catalog grew 72 -> 232 via CISA KEV bulk import; observed rate drops from 0.208 (15/72) to 0.065 (15/232) because KEV records lack AI-attribution metadata. Floor reset to 0.05 with new prepended ladder rung; existing rungs preserved. v0.13.17 round-2: catalog grew further to 312 via additional KEV bulk import; observed rate 0.038 (12/312). Floor lowered to 0.03 with a new prepended ladder rung to keep the test honest under bulk-import dilution. Prior rungs preserved; the 0.40 target ladder is unchanged. AI-attribution backfill for the 240 bulk-imported entries is operator-curation work in future cycles. v0.13.113: catalog grew to 402; observed rate 12/402 (0.0299) fell just under the 0.03 floor, so the floor was lowered to 0.029 with a prepended 0.029 ladder rung (prior rungs and the 0.40 target preserved).",
+      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries. v0.13.17: catalog grew 68 -> 72 with 4 non-AI Nightmare-Eclipse entries; observed rate falls from 12/68 (0.176) to 12/72 (0.208). Floor unchanged at 0.13 — still under observed. v0.13.17: catalog grew 72 -> 232 via CISA KEV bulk import; observed rate drops from 0.208 (15/72) to 0.065 (15/232) because KEV records lack AI-attribution metadata. Floor reset to 0.05 with new prepended ladder rung; existing rungs preserved. v0.13.17 round-2: catalog grew further to 312 via additional KEV bulk import; observed rate 0.038 (12/312). Floor lowered to 0.03 with a new prepended ladder rung to keep the test honest under bulk-import dilution. Prior rungs preserved; the 0.40 target ladder is unchanged. AI-attribution backfill for the 240 bulk-imported entries is operator-curation work in future cycles. v0.13.113: catalog grew to 402; observed rate 12/402 (0.0299) fell just under the 0.03 floor, so the floor was lowered to 0.029 with a prepended 0.029 ladder rung (prior rungs and the 0.40 target preserved). v0.13.122: AI-ecosystem CVE tranches grew the catalog to 414; observed rate 12/414 (0.0290) fell just under the 0.029 floor, so the floor was lowered to 0.028 with a prepended 0.028 ladder rung (prior rungs and the 0.40 target preserved).",
       "ladder_note": "Test floor advances when each rung is exceeded with a margin (>= floor + 0.05). Surfaces incremental tightening without coincidence-passing failures.",
       "gap_explanation": "Catalog skews toward 2024 vendor-disclosed CVEs (xz-utils, runc, CRI-O, MLflow, containerd, SolarWinds, Citrix, ConnectWise) and Pwn2Own Ireland 2025 entries (Synacktiv, DEVCORE, Summoning Team, CyCraft) where AI-tooling involvement was either not used or not credited in the public disclosure. The 41% figure in AGENTS.md Hard Rule #7 reflects the broader 2025 zero-day population reported by Google Threat Intelligence Group; catalog membership is curated against a different sampling frame (operational impact + framework-coverage need) and so will lag the population-level rate.",
       "discovery_source_enum": [
@@ -39749,5 +39750,429 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "ONNX save_external_data does not validate the external_data location, so a crafted model overwrites arbitrary files via path traversal on load/save (CWE-22); fixed in 1.18.0."
+  },
+  "CVE-2025-10164": {
+    "name": "SGLang update_weights_from_tensor Unsafe Deserialization RCE",
+    "type": "RCE",
+    "cvss_score": 7.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+    "cvss_note": "VulDB (CNA) CVSS v3.1 base 7.3; v4.0 5.5. The GitHub Security Advisory GHSA-9w53-xr52-mwgj describes the impact as remote code execution: SGLang's update_weights_from_tensor path deserializes attacker-controllable serialized-object tensor data (CWE-502 / CWE-20), so a deployment that exposes the weight-update endpoint to untrusted input executes arbitrary code. VulDB's partial-impact scoring understates the deserialization-RCE potential; RWEP captures the real priority.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-9w53-xr52-mwgj) and the Orca Security writeup: a crafted serialized-object tensor payload sent to update_weights_from_tensor executes on the server.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory GHSA-9w53-xr52-mwgj / VulDB, enriched by NVD. The abused surface is SGLang (lmsys), a widely used high-performance LLM serving / inference framework.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsafe deserialization of model-weight tensors in an LLM serving framework.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "SGLang (lmsys) 0.4.6 (update_weights_from_tensor); fixed in a later release.",
+    "affected_versions": [
+      "SGLang 0.4.6"
+    ],
+    "vector": "SGLang's update_weights_from_tensor deserializes attacker-controllable serialized-object tensor data without validation, so a deployment that exposes the weight-update path to untrusted input loads a malicious serialized-object payload and executes arbitrary code (CWE-502 deserialization of untrusted data / CWE-20 improper input validation).",
+    "complexity": "low",
+    "complexity_notes": "VulDB AV:N / AC:L / PR:N - reachable wherever the weight-update path accepts untrusted input.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to the patched SGLang release and not exposing update_weights_from_tensor to untrusted input; redeploy the serving process.",
+    "vendor_update_paths": [
+      "Upgrade SGLang past 0.4.6 to the patched release. Never deserialize untrusted serialized-object input - use a safe tensor format (e.g. safetensors) for weight updates, and restrict the weight-update path to trusted callers."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation does not single out unsafe deserialization in an LLM serving framework's weight-update path.",
+      "NIST-800-53-SI-10": "No input validation is applied to the serialized-object tensor data before deserialization (CWE-502 / CWE-20).",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat model-weight tensors fed to the serving framework as untrusted code.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not prohibit deserializing untrusted serialized objects in the serving path.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model an LLM serving framework's weight-update endpoint as an RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model deserialization RCE in an AI serving framework as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for safe deserialization in ML serving frameworks.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM serving frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM serving framework's weight-update input as an integrity boundary requiring a safe (non-deserializing) tensor format."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 25,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate-high (RWEP 25, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched (Hard Rule #3): poc_available=20 + blast_radius=20 (unsafe-deserialization RCE in a widely used LLM serving framework, gated on the weight-update path receiving untrusted input), minus patch_available 15.",
+    "epss_score": 0.00111,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00111 (29th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-10164",
+    "cwe_refs": [
+      "CWE-502",
+      "CWE-20"
+    ],
+    "iocs": {
+      "behavioral": [
+        "SGLang servers receiving serialized-object tensor payloads on the update_weights_from_tensor path from untrusted callers.",
+        "Unexpected process execution / child processes spawned by the SGLang serving process after a weight update.",
+        "SGLang 0.4.6 exposing the weight-update path to untrusted input - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to GHSA-9w53-xr52-mwgj and NVD CVE-2025-10164 (CWE-502 / CWE-20)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-10164",
+      "https://github.com/advisories/GHSA-9w53-xr52-mwgj"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Advisory Database",
+        "advisory_id": "GHSA-9w53-xr52-mwgj",
+        "url": "https://github.com/advisories/GHSA-9w53-xr52-mwgj",
+        "severity": "high",
+        "published_date": "2025-09-09"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-10164",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10164",
+        "severity": "high",
+        "published_date": "2025-09-09"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-10164 (CWE-502 / CWE-20) + GitHub Security Advisory GHSA-9w53-xr52-mwgj + the Orca Security writeup. SGLang LLM-serving-framework unsafe deserialization RCE; reuses the untrusted-model-artifact loading control NEW-CTRL-091 (shared with the Keras / PyTorch / BentoML deserialization class).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SGLang update_weights_from_tensor deserializes untrusted serialized-object tensor data, yielding RCE wherever the weight-update path accepts untrusted input (CWE-502); upgrade past 0.4.6."
+  },
+  "CVE-2026-5760": {
+    "name": "SGLang /v1/rerank Malicious-Model Jinja2 Template-Injection RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CNA (GitHub) CVSS v3.1 base 9.8 (CRITICAL). SGLang's reranking endpoint (/v1/rerank) renders a model-supplied tokenizer.chat_template with a non-sandboxed jinja2.Environment() instead of ImmutableSandboxedEnvironment, so loading a model file whose chat_template contains a malicious Jinja2 expression achieves remote code execution (CWE-94 code injection / server-side template injection).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory + The Hacker News / Orca writeups: a GGUF model file with a crafted tokenizer.chat_template triggers RCE when rendered by the rerank endpoint's unsandboxed Jinja2 environment.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory / VulnCheck and enriched by NVD. The abused surface is SGLang (lmsys), a widely used LLM serving / inference framework.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsandboxed Jinja2 rendering of a model-supplied chat template (server-side template injection) in an LLM serving framework.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "SGLang (lmsys) - the /v1/rerank endpoint rendering model-supplied chat templates with a non-sandboxed Jinja2 environment.",
+    "affected_versions": [
+      "SGLang (rerank endpoint, pre-fix)"
+    ],
+    "vector": "SGLang's /v1/rerank endpoint renders the tokenizer.chat_template from a loaded model file using a non-sandboxed jinja2.Environment() rather than ImmutableSandboxedEnvironment, so a model whose chat_template embeds a malicious Jinja2 expression executes arbitrary code on the server when the template is rendered (CWE-94 / server-side template injection).",
+    "complexity": "low",
+    "complexity_notes": "CNA AV:N / AC:L / PR:N / UI:N - rendering a malicious model's chat template at the rerank endpoint.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to the SGLang release that renders model-supplied templates with ImmutableSandboxedEnvironment; redeploy the serving process.",
+    "vendor_update_paths": [
+      "Upgrade SGLang to the fixed release. Render any model-supplied chat template with jinja2's ImmutableSandboxedEnvironment (never the default Environment), and treat third-party model files (incl. GGUF) as untrusted."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "No input validation / sandboxing is applied to the model-supplied chat template before rendering (CWE-94).",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat a third-party model's embedded chat template as untrusted executable input.",
+      "NIST-800-53-SC-7": "Boundary protection does not isolate the template-rendering path that an unauthenticated rerank request reaches.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not require sandboxed template rendering of model-supplied templates.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model an LLM serving framework's template rendering as an RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model template-injection RCE in an AI serving framework as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for sandboxed template rendering in ML serving frameworks.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM serving frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a model-supplied chat template as untrusted code requiring a sandboxed renderer."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "High (RWEP 29, \"patch promptly\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched (Hard Rule #3): poc_available=20 + blast_radius=24 (unauthenticated CVSS-9.8 template-injection RCE via a malicious model at a network endpoint in a widely used LLM serving framework), minus patch_available 15.",
+    "epss_score": 0.00353,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00353 (58th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-5760",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "SGLang /v1/rerank requests loading model files whose tokenizer.chat_template contains Jinja2 expressions referencing builtins / process / os.",
+        "Unexpected process execution by the SGLang serving process after a rerank request renders a model template.",
+        "SGLang rendering model-supplied chat templates with a non-sandboxed jinja2.Environment - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the SGLang GitHub Security Advisory and NVD CVE-2026-5760 (CWE-94)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-5760",
+      "https://kb.cert.org/vuls/id/915947"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-5760",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5760",
+        "severity": "critical",
+        "published_date": "2026-04-20"
+      },
+      {
+        "vendor": "CERT/CC",
+        "advisory_id": "VU#915947",
+        "url": "https://kb.cert.org/vuls/id/915947",
+        "severity": "critical",
+        "published_date": "2026-04-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-5760",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5760",
+        "severity": "critical",
+        "published_date": "2026-04-20"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2026-5760 (CWE-94) + the SGLang GitHub Security Advisory + CERT/CC VU#915947. SGLang LLM-serving-framework malicious-model Jinja2 template-injection RCE; introduces the AI-model template-rendering sandbox control NEW-CTRL-110.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SGLang /v1/rerank renders a model-supplied jinja2 chat_template in a non-sandboxed Environment, so a malicious model achieves RCE (CWE-94); fix renders with ImmutableSandboxedEnvironment."
+  },
+  "CVE-2026-21858": {
+    "name": "n8n Form-Based Unauthenticated Arbitrary File Access",
+    "type": "Arbitrary File Access",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
+    "cvss_note": "GitHub (CNA) CVSS v3.1 base 10.0 (CRITICAL, scope-changed). n8n versions 1.65.0 through < 1.121.0 allow an unauthenticated attacker to access files on the underlying server through the execution of certain form-based actions, with no input validation confining the accessed path (CWE-20 improper input validation). The public exploit chains beyond file read: on a locally deployed instance with a readable DB/config it reads the credentials, forges an admin session, then creates a workflow using the Execute Command node to run host commands - i.e. unauthenticated file read escalating to remote code execution.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing GitHub Security Advisory: unauthenticated form-based requests reach a file-access path on the n8n server.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory and enriched by NVD. The abused surface is n8n, a widely deployed workflow-automation / AI-workflow platform (>100k internet-reachable instances reported).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing input validation on a form-based action that reaches a server file-access path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog). FIRST EPSS percentile is elevated (91st).",
+    "affected": "n8n 1.65.0 through versions before 1.121.0.",
+    "affected_versions": [
+      "n8n >= 1.65.0, < 1.121.0"
+    ],
+    "vector": "n8n exposes form-based actions that reach a file-access path on the underlying server without authentication or path confinement, so an unauthenticated attacker accesses arbitrary server files (CWE-20 improper input validation); the scope-changed CVSS reflects reaching resources beyond the application boundary. Where the local database/config is readable, the public exploit chains this into full host RCE: read the DB/config, forge an authenticated admin session, then create a workflow whose Execute Command node runs arbitrary host commands.",
+    "complexity": "low",
+    "complexity_notes": "GitHub v3.1 AV:N / AC:L / PR:N / UI:N - unauthenticated form-based request.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to n8n 1.121.0 or later; redeploy the instance and ensure it is not exposed unauthenticated to untrusted networks.",
+    "vendor_update_paths": [
+      "Upgrade n8n to 1.121.0 or later. Authenticate form-based actions, validate and confine any file path they reach, and do not expose the n8n instance to untrusted networks."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "No input validation confines the file path reached by the form-based action (CWE-20).",
+      "NIST-800-53-AC-3": "Access enforcement does not require authentication on a path that reaches server files.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not require validation/confinement of file paths reached by form actions.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model a workflow-automation platform's form actions as an unauthenticated file-access surface.",
+      "DORA-Art-9": "ICT protection measures do not model unauthenticated file access in an AI-workflow platform as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for authentication + path confinement on workflow-platform form actions.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-workflow / automation platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a workflow-automation platform's form-action file path as an integrity boundary requiring auth + confinement."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1213",
+      "T1078",
+      "T1059"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "High (RWEP 31, \"patch promptly\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 1.121.0 (Hard Rule #3): poc_available=20 + blast_radius=26 (unauthenticated CVSS-10.0 arbitrary file read that the public exploit chains into admin-session forgery + Execute Command host RCE on locally deployed instances; >100k internet-reachable instances; elevated EPSS), minus patch_available 15.",
+    "epss_score": 0.06939,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.06939 (91st percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-21858",
+    "cwe_refs": [
+      "CWE-20"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated n8n form-based requests that reference server file paths (../ traversal or absolute paths).",
+        "n8n returning contents of server files (config, .env, credentials) to unauthenticated callers.",
+        "n8n 1.65.0-1.120.x reachable unauthenticated on the network - the exposed precondition.",
+        "n8n workflows created shortly after an unauthenticated file-read that use the Execute Command node to run host commands.",
+        "Admin/authenticated sessions appearing without a corresponding login, consistent with a forged session derived from a leaked DB/config."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the n8n GitHub Security Advisory and NVD CVE-2026-21858 (CWE-20)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-21858"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-21858",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21858",
+        "severity": "critical",
+        "published_date": "2026-01-08"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-21858",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21858",
+        "severity": "critical",
+        "published_date": "2026-01-08"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2026-21858 (CWE-20) + the n8n GitHub Security Advisory (CNA, CVSS v3.1 10.0). n8n workflow-automation unauthenticated file access via form actions; reuses the AI-runtime-API path-traversal validation control NEW-CTRL-094.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "n8n 1.65.0-1.120.x lets an unauthenticated attacker access server files via form-based actions without path confinement (CWE-20); fixed in 1.121.0."
+  },
+  "CVE-2025-68668": {
+    "name": "n8n Python Code Node Pyodide Sandbox Bypass RCE",
+    "type": "Sandbox Escape",
+    "cvss_score": 9.9,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "GitHub (CNA) / NVD CVSS v3.1 base 9.9 (CRITICAL, scope-changed). n8n's Python Code Node runs user code in a Pyodide sandbox, but an authenticated user with permission to edit workflows bypasses the sandbox and executes code with host privileges (CWE-693 protection mechanism failure).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing GitHub Security Advisory: a crafted Python Code Node escapes the Pyodide sandbox to the host.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory and enriched by NVD. The abused surface is n8n's Python Code Node (Pyodide), in a widely deployed AI-workflow / automation platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is a sandbox-bypass (protection-mechanism failure) in a visual workflow builder's code-execution node.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "n8n 1.0.0 up to before 2.0.0 (Python Code Node / Pyodide).",
+    "affected_versions": [
+      "n8n >= 1.0.0, < 2.0.0"
+    ],
+    "vector": "n8n's Python Code Node executes user-supplied code inside a Pyodide sandbox, but the sandbox is bypassable, so an authenticated user with workflow-edit permission escapes it and runs code with the privileges of the n8n process (CWE-693 protection mechanism failure) - a code-node sandbox escape.",
+    "complexity": "low",
+    "complexity_notes": "GitHub v3.1 AV:N / AC:L / PR:L - an authenticated user who can edit a workflow.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to n8n 2.0.0 or later; redeploy the instance.",
+    "vendor_update_paths": [
+      "Upgrade n8n to 2.0.0 or later. Treat the code node as a code-execution sink: run it in a hardened sandbox with no host filesystem/network/process access, restrict who can edit workflows, and never expose the editor to untrusted users."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not contain the code node to its sandbox - an editor escapes to host privileges.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not stop a sandbox-bypass in the workflow builder's code node.",
+      "NIST-800-53-SC-39": "Process isolation does not confine the Pyodide-sandboxed code node from the host process.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not guarantee the code-node sandbox is non-bypassable.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model a workflow builder's code node as a sandbox-escape RCE surface.",
+      "DORA-Art-9": "ICT protection measures do not model code-node sandbox escape in an AI-workflow platform as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for non-bypassable code-node sandboxing in workflow platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-workflow / automation platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a visual workflow builder's code node as a code-execution sink requiring a non-bypassable sandbox."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate-high (RWEP 27, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 2.0.0 (Hard Rule #3): poc_available=20 + blast_radius=22 (authenticated code-node sandbox escape to host RCE in a widely deployed workflow builder), minus patch_available 15.",
+    "epss_score": 0.00035,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00035 (10th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-68668",
+    "cwe_refs": [
+      "CWE-693"
+    ],
+    "iocs": {
+      "behavioral": [
+        "n8n Python Code Node workflows containing Pyodide escape patterns (reaching the host filesystem / process from inside the sandbox).",
+        "Process execution / host access by the n8n process originating from a Python Code Node run.",
+        "n8n 1.x (< 2.0.0) with the Python Code Node enabled for users who can edit workflows - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the n8n GitHub Security Advisory and NVD CVE-2025-68668 (CWE-693)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-68668"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-68668",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68668",
+        "severity": "critical",
+        "published_date": "2025-12-19"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-68668",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68668",
+        "severity": "critical",
+        "published_date": "2025-12-19"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-68668 (CWE-693) + the n8n GitHub Security Advisory (CNA, CVSS v3.1 9.9). n8n Python Code Node Pyodide sandbox bypass; reuses the AI-app-builder execution-endpoint auth-and-sandbox control NEW-CTRL-103 (shared with the Dify code-node escape and Langflow/Flowise RCEs).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "n8n's Python Code Node Pyodide sandbox is bypassable, so an authenticated workflow editor runs code with host privileges (CWE-693); fixed in 2.0.0."
   }
 }

package/data/cwe-catalog.json

@@ -55,7 +55,9 @@
       "CVE-2025-6558",
       "CVE-2026-32201",
       "CVE-2026-34197",
-      "CVE-2026-6973"
+      "CVE-2026-6973",
+      "CVE-2025-10164",
+      "CVE-2026-21858"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -424,7 +426,8 @@
       "CVE-2026-34197",
       "CVE-2026-45829",
       "CVE-2026-6973",
-      "MAL-2026-3083"
+      "MAL-2026-3083",
+      "CVE-2026-5760"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -1375,7 +1378,8 @@
       "CVE-2026-20131",
       "CVE-2026-20963",
       "CVE-2026-31229",
-      "CVE-2025-68665"
+      "CVE-2025-68665",
+      "CVE-2025-10164"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -2194,7 +2198,8 @@
       "CVE-2025-3466",
       "CVE-2025-40536",
       "CVE-2026-21510",
-      "CVE-2026-21513"
+      "CVE-2026-21513",
+      "CVE-2025-68668"
     ],
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 to back the UnDefend Defender update-disruption entry. CWE-693 is the canonical parent for failures-of-protection-mechanism — Defender continues running but its update mechanism has been corrupted, so the AV protection-mechanism fails silently while the host still passes 'is Defender running?' health checks."