@blamejs/exceptd-skills 0.13.124 → 0.13.125

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.13.125 — 2026-05-26
+
+CVE catalog — SGLang unauthenticated IPC-deserialization RCE cluster. Adds two unauthenticated RCEs in SGLang (lmsys), the unauth siblings of the already-catalogued authenticated weight-update flaw. **CVE-2026-3059** (CNA CVSS v3.1 9.8) — the multimodal generation module's ZMQ broker deserializes untrusted serialized objects from unauthenticated peers (CWE-502). **CVE-2026-3060** (CNA CVSS v3.1 9.8) — the encoder-parallel disaggregation module does the same. Both yield unauthenticated remote code execution on the serving host and are fixed in 0.5.10 (PR #20904). Both reuse the AI-inference IPC deserialization-safety control (NEW-CTRL-086), shared with the vLLM ZeroMQ-transport and TensorRT-LLM deserialization class — the lesson being that inference-engine IPC channels must use a safe serializer + peer authentication and never deserialize untrusted objects. CVE count 417 → 419.
+
 ## 0.13.124 — 2026-05-26
 
 CVE catalog — stable-diffusion-webui (AUTOMATIC1111). Adds **CVE-2024-31462** in the most widely deployed Stable Diffusion web UI. The Backup/Restore tab (`save_config_state` in `modules/ui_extensions.py`) builds a file path from an unvalidated user-supplied config-state name and opens it for writing, yielding a limited file write (JSON files to arbitrary locations) on Windows (CWE-22; GitHub CNA CVSS v3.1 6.3; GHSL-2024-010). The advisory tested 1.7.0, but the CVE/OSV record marks releases through 1.8.0 as affected — fixed by commit `d9708c92`, so upgrading 1.7.0 → 1.8.0 is **not** sufficient. Reuses the AI-runtime-API path-traversal validation control (NEW-CTRL-094). CVE count 416 → 417.

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-27T03:55:33.784Z",
+  "generated_at": "2026-05-27T04:15:58.535Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "82003c5f5458a9f3646595e97348761c10578807c0f617a35cc994fe1d5ffe85",
-    "data/atlas-ttps.json": "2f0c5d58308248a1dcf43ede2469d507d3249acb8f93f04512b5c9b19697a62b",
-    "data/attack-techniques.json": "ec4132359d50c045e4b4e2218608db33324ef41f85aeb40bf61de13cf0168af7",
-    "data/cve-catalog.json": "ff07d91bc04ba45045caa9e3d96fdd7789fe1ab6af8858dfc4387266bb202ef4",
-    "data/cwe-catalog.json": "ea554587b7486e8dba49461528ef5e0445647b14e4358929f327bcef6ad5d987",
+    "manifest.json": "a8415701ba891fb5e1b56c524904e9b89802a59780c50e4c5801ad1e4db2342e",
+    "data/atlas-ttps.json": "c4b9d4b255487178e2d59ed6d810ce96f209d5d0ea4ae1058a1294a44a1bab2c",
+    "data/attack-techniques.json": "1a222638d3d891f351f13828d0c40ef6dcdfdd519a62f6d84b30ad0746b43c8e",
+    "data/cve-catalog.json": "6a034fdbeba5c02addd45146a15f0ef873aaf29527fe35281d080377c862d17e",
+    "data/cwe-catalog.json": "485da92f07bad66ddd102411d18207428239953e76d01a1d1747b56ac61111e3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "721956b0c705fe75363ad5bc0227d70f82baf75619fe8f535850ee189e5230f3",
+    "data/framework-control-gaps.json": "200699db68ae9a380a88795a8388c579fb6eb4d3a5fbcd5012486031efe764c4",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
-    "data/zeroday-lessons.json": "0dc49ed26af542bf74e9662095b00e9bd6de5aa7ffe497809a245f54abb1eabf",
+    "data/zeroday-lessons.json": "c33e68f1f4a67ac67ebe3acd1bf7bc584cf241f3627df1a90ad99315fbbeb2b0",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
     "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 406,
+    "chains_cve_entries": 408,
     "chains_cwe_entries": 172,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,

package/data/_indexes/activity-feed.json

@@ -149,7 +149,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 417
+      "entry_count": 419
     },
     {
       "date": "2026-05-18",
@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 412
+      "entry_count": 414
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 417,
+      "entry_count": 419,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 412,
+      "entry_count": 414,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",