@blamejs/exceptd-skills 0.13.125 → 0.13.126

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.13.126 — 2026-05-26
+
+CVE catalog — n8n Git-node RCE. Adds **CVE-2026-21877**, completing the n8n critical cluster. In versions ≥ 0.123.0 and < 1.121.3, an authenticated user abuses the Git node to write a file of a dangerous type to an arbitrary path, which is then executed — yielding remote code execution and full compromise of both self-hosted and Cloud instances (CWE-434 unrestricted upload chained to CWE-94; GitHub CNA CVSS v3.1 9.9). Fixed in 1.121.3. Reuses the AI-app-builder execution-endpoint auth-and-sandbox control (NEW-CTRL-103), which now also covers file-writing workflow nodes as code-execution sinks. CVE count 419 → 420.
+
 ## 0.13.125 — 2026-05-26
 
 CVE catalog — SGLang unauthenticated IPC-deserialization RCE cluster. Adds two unauthenticated RCEs in SGLang (lmsys), the unauth siblings of the already-catalogued authenticated weight-update flaw. **CVE-2026-3059** (CNA CVSS v3.1 9.8) — the multimodal generation module's ZMQ broker deserializes untrusted serialized objects from unauthenticated peers (CWE-502). **CVE-2026-3060** (CNA CVSS v3.1 9.8) — the encoder-parallel disaggregation module does the same. Both yield unauthenticated remote code execution on the serving host and are fixed in 0.5.10 (PR #20904). Both reuse the AI-inference IPC deserialization-safety control (NEW-CTRL-086), shared with the vLLM ZeroMQ-transport and TensorRT-LLM deserialization class — the lesson being that inference-engine IPC channels must use a safe serializer + peer authentication and never deserialize untrusted objects. CVE count 417 → 419.

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-27T04:15:58.535Z",
+  "generated_at": "2026-05-27T04:33:05.318Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "a8415701ba891fb5e1b56c524904e9b89802a59780c50e4c5801ad1e4db2342e",
-    "data/atlas-ttps.json": "c4b9d4b255487178e2d59ed6d810ce96f209d5d0ea4ae1058a1294a44a1bab2c",
-    "data/attack-techniques.json": "1a222638d3d891f351f13828d0c40ef6dcdfdd519a62f6d84b30ad0746b43c8e",
-    "data/cve-catalog.json": "6a034fdbeba5c02addd45146a15f0ef873aaf29527fe35281d080377c862d17e",
-    "data/cwe-catalog.json": "485da92f07bad66ddd102411d18207428239953e76d01a1d1747b56ac61111e3",
+    "manifest.json": "13900334f14a87189b4cda1d1357f2efc6075283f24eb1c149ec4309db01a400",
+    "data/atlas-ttps.json": "d24bc02859d40ccf1615db75cca68c077585904e41e0d8f6de448121e9b1abb0",
+    "data/attack-techniques.json": "fa193f0d2d248176a8beddb641e9fe56ba4faa9e15dc253ff876dbf0c5d58a77",
+    "data/cve-catalog.json": "3d451dda7ac0c7d57a4075ae4bafd3148c6184b35dc1bc59d8b81d1f2641e430",
+    "data/cwe-catalog.json": "0b82f1ba29024720dcafb66aaa6c7b59b535badd28dbac8a5c08737c5f25e9a9",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "200699db68ae9a380a88795a8388c579fb6eb4d3a5fbcd5012486031efe764c4",
+    "data/framework-control-gaps.json": "46094ad9b9584f454daddd28f4c5d27faf0ea0510daafd38fb60bf9d30f6a305",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
-    "data/zeroday-lessons.json": "c33e68f1f4a67ac67ebe3acd1bf7bc584cf241f3627df1a90ad99315fbbeb2b0",
+    "data/zeroday-lessons.json": "258252b9bff1fc11b05b76e10b659c1195971884bd44c92af5fefe17a5ca9512",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
     "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 408,
+    "chains_cve_entries": 409,
     "chains_cwe_entries": 172,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,

package/data/_indexes/activity-feed.json

@@ -149,7 +149,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 419
+      "entry_count": 420
     },
     {
       "date": "2026-05-18",
@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 414
+      "entry_count": 415
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 419,
+      "entry_count": 420,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 414,
+      "entry_count": 415,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/_indexes/chains.json

@@ -76868,6 +76868,360 @@
       ]
     }
   },
+  "CVE-2026-21877": {
+    "name": "n8n Git Node Arbitrary File Write Authenticated RCE",
+    "rwep": 29,
+    "cvss": 9.9,
+    "cisa_kev": false,
+    "epss_score": 0.10735,
+    "referencing_skills": [
+      "ai-attack-surface",
+      "compliance-theater",
+      "rag-pipeline-security",
+      "ai-c2-detection",
+      "threat-modeling-methodology",
+      "webapp-security",
+      "api-security",
+      "container-runtime-security",
+      "email-security-anti-phishing"
+    ],
+    "chain": {
+      "cwes": [
+        {
+          "id": "CWE-1039",
+          "name": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
+          "category": "AI/ML"
+        },
+        {
+          "id": "CWE-1188",
+          "name": "Initialization of a Resource with an Insecure Default",
+          "category": "Configuration"
+        },
+        {
+          "id": "CWE-1395",
+          "name": "Dependency on Vulnerable Third-Party Component",
+          "category": "Supply Chain"
+        },
+        {
+          "id": "CWE-1426",
+          "name": "Improper Validation of Generative AI Output",
+          "category": "AI/ML"
+        },
+        {
+          "id": "CWE-200",
+          "name": "Exposure of Sensitive Information to an Unauthorized Actor",
+          "category": "Information Exposure"
+        },
+        {
+          "id": "CWE-22",
+          "name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
+          "category": "Path/Resource"
+        },
+        {
+          "id": "CWE-269",
+          "name": "Improper Privilege Management",
+          "category": "Authorization"
+        },
+        {
+          "id": "CWE-287",
+          "name": "Improper Authentication",
+          "category": "Authentication"
+        },
+        {
+          "id": "CWE-352",
+          "name": "Cross-Site Request Forgery (CSRF)",
+          "category": "Session"
+        },
+        {
+          "id": "CWE-434",
+          "name": "Unrestricted Upload of File with Dangerous Type",
+          "category": "File Handling"
+        },
+        {
+          "id": "CWE-502",
+          "name": "Deserialization of Untrusted Data",
+          "category": "Serialization"
+        },
+        {
+          "id": "CWE-732",
+          "name": "Incorrect Permission Assignment for Critical Resource",
+          "category": "Authorization"
+        },
+        {
+          "id": "CWE-77",
+          "name": "Improper Neutralization of Special Elements used in a Command (Command Injection)",
+          "category": "Injection"
+        },
+        {
+          "id": "CWE-78",
+          "name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
+          "category": "Injection"
+        },
+        {
+          "id": "CWE-787",
+          "name": "Out-of-bounds Write",
+          "category": "Memory Safety"
+        },
+        {
+          "id": "CWE-79",
+          "name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
+          "category": "Injection"
+        },
+        {
+          "id": "CWE-862",
+          "name": "Missing Authorization",
+          "category": "Authorization"
+        },
+        {
+          "id": "CWE-863",
+          "name": "Incorrect Authorization",
+          "category": "Authorization"
+        },
+        {
+          "id": "CWE-89",
+          "name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
+          "category": "Injection"
+        },
+        {
+          "id": "CWE-918",
+          "name": "Server-Side Request Forgery (SSRF)",
+          "category": "Network"
+        },
+        {
+          "id": "CWE-94",
+          "name": "Improper Control of Generation of Code (Code Injection)",
+          "category": "Injection"
+        }
+      ],
+      "atlas": [
+        {
+          "id": "AML.T0010",
+          "name": "ML Supply Chain Compromise",
+          "tactic": "Initial Access"
+        },
+        {
+          "id": "AML.T0016",
+          "name": "Obtain Capabilities: Develop Capabilities",
+          "tactic": "Resource Development"
+        },
+        {
+          "id": "AML.T0017",
+          "name": "Discover ML Model Ontology",
+          "tactic": "Discovery"
+        },
+        {
+          "id": "AML.T0018",
+          "name": "Backdoor ML Model",
+          "tactic": "Persistence"
+        },
+        {
+          "id": "AML.T0020",
+          "name": "Poison Training Data",
+          "tactic": "ML Attack Staging"
+        },
+        {
+          "id": "AML.T0043",
+          "name": "Craft Adversarial Data",
+          "tactic": "ML Attack Staging"
+        },
+        {
+          "id": "AML.T0051",
+          "name": "LLM Prompt Injection",
+          "tactic": "Execution"
+        },
+        {
+          "id": "AML.T0054",
+          "name": "LLM Jailbreak",
+          "tactic": "Defense Evasion"
+        },
+        {
+          "id": "AML.T0096",
+          "name": "AI API as Covert C2 Channel",
+          "tactic": "Command and Control"
+        }
+      ],
+      "d3fend": [
+        {
+          "id": "D3-CA",
+          "name": "Certificate Analysis",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-CSPP",
+          "name": "Client-server Payload Profiling",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-DA",
+          "name": "Domain Analysis",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-IOPR",
+          "name": "Input/Output Profiling Resource",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-NI",
+          "name": "Network Isolation",
+          "tactic": "Isolate"
+        },
+        {
+          "id": "D3-NTA",
+          "name": "Network Traffic Analysis",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-NTPM",
+          "name": "Network Traffic Policy Mapping",
+          "tactic": "Model"
+        }
+      ],
+      "framework_gaps": [
+        {
+          "id": "ALL-AI-PIPELINE-INTEGRITY",
+          "framework": "ALL",
+          "control_name": "AI Pipeline Integrity"
+        },
+        {
+          "id": "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
+          "framework": "ALL",
+          "control_name": "Prompt Injection as Access Control Failure"
+        },
+        {
+          "id": "CMMC-2.0-Level-2",
+          "framework": "CMMC 2.0 (Cybersecurity Maturity Model Certification) Level 2",
+          "control_name": "Level 2 — Advanced (110 NIST 800-171 Rev 2 controls)"
+        },
+        {
+          "id": "FedRAMP-Rev5-Moderate",
+          "framework": "FedRAMP Rev 5 Moderate",
+          "control_name": "FedRAMP Moderate baseline (NIST 800-53 Rev 5 tailoring)"
+        },
+        {
+          "id": "ISO-27001-2022-A.8.16",
+          "framework": "ISO/IEC 27001:2022",
+          "control_name": "Monitoring activities"
+        },
+        {
+          "id": "ISO-27001-2022-A.8.28",
+          "framework": "ISO/IEC 27001:2022",
+          "control_name": "Secure coding"
+        },
+        {
+          "id": "ISO-IEC-23894-2023-clause-7",
+          "framework": "ISO/IEC 23894:2023 (AI Risk Management Guidance)",
+          "control_name": "AI risk management process"
+        },
+        {
+          "id": "ISO-IEC-42001-2023-clause-6.1.2",
+          "framework": "ISO/IEC 42001:2023 (AI Management System)",
+          "control_name": "AI risk assessment"
+        },
+        {
+          "id": "NIST-800-218-SSDF",
+          "framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
+          "control_name": "Secure Software Development Framework"
+        },
+        {
+          "id": "NIST-800-53-AC-2",
+          "framework": "NIST SP 800-53 Rev 5",
+          "control_name": "Account Management"
+        },
+        {
+          "id": "NIST-800-53-CM-7",
+          "framework": "NIST SP 800-53 Rev 5",
+          "control_name": "Least Functionality"
+        },
+        {
+          "id": "NIST-800-53-SC-7",
+          "framework": "NIST SP 800-53 Rev 5",
+          "control_name": "Boundary Protection"
+        },
+        {
+          "id": "NIST-800-53-SI-12",
+          "framework": "NIST SP 800-53 Rev 5",
+          "control_name": "Information Management and Retention"
+        },
+        {
+          "id": "NIST-800-53-SI-3",
+          "framework": "NIST SP 800-53 Rev 5",
+          "control_name": "Malicious Code Protection"
+        },
+        {
+          "id": "NIST-AI-RMF-MEASURE-2.5",
+          "framework": "NIST AI RMF 1.0",
+          "control_name": "AI system to human interaction evaluation"
+        },
+        {
+          "id": "OWASP-ASVS-v5.0-V14",
+          "framework": "OWASP ASVS v5.0",
+          "control_name": "Configuration verification"
+        },
+        {
+          "id": "OWASP-LLM-Top-10-2025-LLM01",
+          "framework": "OWASP Top 10 for LLM Applications 2025",
+          "control_name": "Prompt Injection"
+        },
+        {
+          "id": "OWASP-LLM-Top-10-2025-LLM02",
+          "framework": "OWASP Top 10 for LLM Applications 2025",
+          "control_name": "Sensitive Information Disclosure"
+        },
+        {
+          "id": "OWASP-LLM-Top-10-2025-LLM08",
+          "framework": "OWASP Top 10 for LLM Applications 2025",
+          "control_name": "Vector and Embedding Weaknesses"
+        },
+        {
+          "id": "SLSA-v1.0-Build-L3",
+          "framework": "SLSA v1.0 (Supply-chain Levels for Software Artifacts) — Build Track",
+          "control_name": "Hardened build platform with non-falsifiable provenance"
+        },
+        {
+          "id": "SOC2-CC6-logical-access",
+          "framework": "SOC 2 (AICPA Trust Services Criteria)",
+          "control_name": "Logical and Physical Access Controls"
+        },
+        {
+          "id": "SOC2-CC7-anomaly-detection",
+          "framework": "SOC 2 (AICPA Trust Services Criteria)",
+          "control_name": "System Operations — Threat and Vulnerability Management"
+        }
+      ],
+      "attack_refs": [
+        "T1059",
+        "T1068",
+        "T1071",
+        "T1078",
+        "T1102",
+        "T1190",
+        "T1505",
+        "T1565",
+        "T1566",
+        "T1566.001",
+        "T1566.002",
+        "T1566.003",
+        "T1567",
+        "T1568",
+        "T1610",
+        "T1611"
+      ],
+      "rfc_refs": [
+        "RFC-6749",
+        "RFC-7519",
+        "RFC-8032",
+        "RFC-8446",
+        "RFC-8725",
+        "RFC-9000",
+        "RFC-9114",
+        "RFC-9180",
+        "RFC-9421",
+        "RFC-9458",
+        "RFC-9700"
+      ]
+    }
+  },
   "CWE-20": {
     "name": "Improper Input Validation",
     "category": "Validation",
@@ -77207,6 +77561,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -77446,6 +77801,7 @@
       "CVE-2025-68668",
       "CVE-2025-6965",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-30615",
       "CVE-2026-30623",
@@ -77657,6 +78013,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -77879,6 +78236,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -78115,6 +78473,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -78466,6 +78825,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22219",
       "CVE-2026-22252",
@@ -79244,6 +79604,7 @@
       "CVE-2025-68668",
       "CVE-2025-6965",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22219",
       "CVE-2026-3059",
@@ -79672,6 +80033,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -80333,6 +80695,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -81350,6 +81713,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -82614,6 +82978,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -83066,6 +83431,7 @@
       "CVE-2025-68668",
       "CVE-2025-6965",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-30615",
       "CVE-2026-30623",
@@ -84064,6 +84430,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -84619,6 +84986,7 @@
       "CVE-2026-21533",
       "CVE-2026-21643",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -85385,6 +85753,7 @@
       "CVE-2025-68668",
       "CVE-2025-6965",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-30615",
       "CVE-2026-30623",
@@ -85690,6 +86059,7 @@
       "CVE-2025-68668",
       "CVE-2025-6965",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-30615",
       "CVE-2026-30623",
@@ -86073,6 +86443,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -86444,6 +86815,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22219",
       "CVE-2026-22252",
@@ -86655,6 +87027,7 @@
       "CVE-2025-68668",
       "CVE-2025-6965",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-30615",
       "CVE-2026-30623",
@@ -87438,6 +87811,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -87800,6 +88174,7 @@
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22218",
       "CVE-2026-22219",
       "CVE-2026-22252",

package/data/atlas-ttps.json

@@ -1795,7 +1795,8 @@
       "CVE-2025-68668",
       "CVE-2024-31462",
       "CVE-2026-3059",
-      "CVE-2026-3060"
+      "CVE-2026-3060",
+      "CVE-2026-21877"
     ]
   },
   "AML.T0050": {

package/data/attack-techniques.json

@@ -349,7 +349,8 @@
       "CVE-2025-68668",
       "CVE-2026-21858",
       "CVE-2026-3059",
-      "CVE-2026-3060"
+      "CVE-2026-3060",
+      "CVE-2026-21877"
     ],
     "description_full": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
     "platforms": [
@@ -1117,7 +1118,8 @@
       "CVE-2025-68668",
       "CVE-2024-31462",
       "CVE-2026-3059",
-      "CVE-2026-3060"
+      "CVE-2026-3060",
+      "CVE-2026-21877"
     ],
     "description_full": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
     "platforms": [