@blamejs/exceptd-skills 0.13.18 → 0.13.19

package/data/cve-catalog.json

@@ -315,7 +315,11 @@
       ]
     },
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "OX Security advisory 2026-04-15 — researchers Moshe Siman Tov Bustan, Mustafa Naamnih, and Nir Zadok. Independent corroboration by Trail of Bits (tool-poisoning analysis 2026-04-29) and Johann Rehberger. All named-human research; no AI-discovery tool credited. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/."
+    "discovery_attribution_note": "OX Security advisory 2026-04-15 — researchers Moshe Siman Tov Bustan, Mustafa Naamnih, and Nir Zadok. Independent corroboration by Trail of Bits (tool-poisoning analysis 2026-04-29) and Johann Rehberger. All named-human research; no AI-discovery tool credited. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/.",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-1357"
+    ]
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",
@@ -1138,7 +1142,11 @@
       ]
     },
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovery by ecosystem detection (multiple firms — Snyk, Wiz, StepSecurity, Socket, Orca, JFrog) within 20 minutes of TeamPCP's 2026-05-11 publish window of 84 malicious versions across 42 @tanstack/* packages. The worm IS the disclosure event; no AI-discovery tool involved on the defender side. Threat-actor side is engineering-grade chained tradecraft (pull_request_target co-residency, OIDC-token scraping). Source: https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem."
+    "discovery_attribution_note": "Discovery by ecosystem detection (multiple firms — Snyk, Wiz, StepSecurity, Socket, Orca, JFrog) within 20 minutes of TeamPCP's 2026-05-11 publish window of 84 malicious versions across 42 @tanstack/* packages. The worm IS the disclosure event; no AI-discovery tool involved on the defender side. Threat-actor side is engineering-grade chained tradecraft (pull_request_target co-residency, OIDC-token scraping). Source: https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem.",
+    "cwe_refs": [
+      "CWE-1357",
+      "CWE-506"
+    ]
   },
   "MAL-2026-3083": {
     "name": "Elementary-Data PyPI Worm (Forged Release via GitHub Actions Script Injection)",
@@ -1517,7 +1525,10 @@
     },
     "epss_score": 0.65,
     "epss_date": "2026-05-14",
-    "cwe_refs": [],
+    "cwe_refs": [
+      "CWE-269",
+      "CWE-668"
+    ],
     "source_verified": "2026-05-14",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2024-21626",
@@ -1526,7 +1537,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Discovered by Rory McNamara of Snyk Security Labs as part of the four-vulnerability Leaky Vessels disclosure (CVE-2024-21626 + CVE-2024-23651/23652/23653) published January 2024. Named human researcher; no AI-tool credited. Source: https://labs.snyk.io/resources/leaky-vessels-docker-runc-container-breakout-vulnerabilities/.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80).",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor runc <= 1.1.11 for container-escape-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2024-3094": {
     "ai_assisted_weaponization": false,
@@ -1596,7 +1619,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Discovered by Andres Freund (Microsoft engineer, PostgreSQL developer) on 2024-03-28 via a 0.5-second SSH-login latency regression traced to liblzma symbol resolution; reported to oss-security. Named human researcher; no AI tooling involved. Source: https://en.wikipedia.org/wiki/XZ_Utils_backdoor.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor xz-utils 5.6.0 and 5.6.1 for supply-chain-backdoor-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2024-3154": {
     "ai_assisted_weaponization": false,
@@ -1661,7 +1696,19 @@
       "https://github.com/cri-o/cri-o/security/advisories"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Reported by the OpenShift / CRI-O upstream security team via Red Hat Bugzilla 2272532; no individual researcher byline in the public advisory and no AI-tool credit. Bug class (systemd property injection through pod annotations) is conventional argument-injection. Source: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-3154."
+    "discovery_attribution_note": "Reported by the OpenShift / CRI-O upstream security team via Red Hat Bugzilla 2272532; no individual researcher byline in the public advisory and no AI-tool credit. Bug class (systemd property injection through pod annotations) is conventional argument-injection. Source: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-3154.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor CRI-O 1.27.x < 1.27.10 for container-escape-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2023-43472": {
     "ai_assisted_weaponization": false,
@@ -1697,7 +1744,9 @@
     "atlas_refs": [
       "AML.T0016"
     ],
-    "attack_refs": [],
+    "attack_refs": [
+      "T1592"
+    ],
     "rwep_score": 30,
     "rwep_factors": {
       "cisa_kev": 0,
@@ -1720,7 +1769,19 @@
       "https://huntr.com/bounties/"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by Joseph Beeton, senior security researcher at Contrast Security, via the Protect AI Huntr bug bounty program. Named human researcher; no AI-tool credited. Source: https://securityonline.info/cve-2023-43472-critical-vulnerability-uncovered-in-mlflow/ and https://github.com/advisories/GHSA-wqxf-447m-6f5f."
+    "discovery_attribution_note": "Discovered by Joseph Beeton, senior security researcher at Contrast Security, via the Protect AI Huntr bug bounty program. Named human researcher; no AI-tool credited. Source: https://securityonline.info/cve-2023-43472-critical-vulnerability-uncovered-in-mlflow/ and https://github.com/advisories/GHSA-wqxf-447m-6f5f.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor MLflow < 2.9.0 for path-traversal-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2020-10148": {
     "ai_assisted_weaponization": false,
@@ -1781,7 +1842,19 @@
       "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered during the SUNBURST incident-response investigation by FireEye / Mandiant analysts (publicly attributed to the Mandiant team rather than a single researcher) and corroborated by SolarWinds engineering. Documented in CISA AA20-352A and the CERT/CC VU#843464. Named human teams; pre-AI-tooling era for vendor-side attribution. Source: https://kb.cert.org/vuls/id/843464."
+    "discovery_attribution_note": "Discovered during the SUNBURST incident-response investigation by FireEye / Mandiant analysts (publicly attributed to the Mandiant team rather than a single researcher) and corroborated by SolarWinds engineering. Documented in CISA AA20-352A and the CERT/CC VU#843464. Named human teams; pre-AI-tooling era for vendor-side attribution. Source: https://kb.cert.org/vuls/id/843464.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor SolarWinds Orion Platform 2019.4 HF5 through 2020.2.1. for auth-bypass-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2023-3519": {
     "ai_assisted_weaponization": false,
@@ -1844,7 +1917,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Independent security researchers via Citrix coordinated disclosure (CTX561482, 2023-07-18); no individual researcher named in the Citrix advisory. NSA/CISA AA23-201A documents in-wild exploitation by Chinese state-sponsored actors. No AI-tool credited. Source: https://support.citrix.com/article/CTX561482/ and https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80).",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Citrix NetScaler ADC + Gateway 12.1 for RCE-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2024-1709": {
     "ai_assisted_weaponization": false,
@@ -1894,14 +1979,29 @@
     },
     "epss_score": 0.973,
     "epss_date": "2026-05-14",
-    "cwe_refs": [],
+    "cwe_refs": [
+      "CWE-287",
+      "CWE-288"
+    ],
     "source_verified": "2026-05-14",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2024-1709",
       "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by ConnectWise security engineering and externally reported by Huntress + GreyNoise via in-wild exploitation telemetry within 24 hours of the 2024-02 Patch Tuesday. No individual researcher byline; vendor-internal discovery. No AI-tool credited. Source: https://www.upguard.com/blog/screenconnect-cve-2024."
+    "discovery_attribution_note": "Discovered by ConnectWise security engineering and externally reported by Huntress + GreyNoise via in-wild exploitation telemetry within 24 hours of the 2024-02 Patch Tuesday. No individual researcher byline; vendor-internal discovery. No AI-tool credited. Source: https://www.upguard.com/blog/screenconnect-cve-2024.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor ConnectWise ScreenConnect <= 23.9.7 for auth-bypass-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2026-20182": {
     "ai_assisted_weaponization": false,
@@ -1963,7 +2063,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Discovered by Stephen Fewer (Senior Principal Security Researcher) and Jonah Burgess (Senior Security Researcher), both at Rapid7, while researching the related CVE-2026-20127 vdaemon authentication-bypass. Named human researchers; no AI-tool credited. Source: https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Cisco SD-WAN vManage and vEdge controllers across multiple software trains. for auth-bypass-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2024-40635": {
     "ai_assisted_weaponization": false,
@@ -2013,7 +2125,9 @@
     },
     "epss_score": 0.005,
     "epss_date": "2026-05-14",
-    "cwe_refs": [],
+    "cwe_refs": [
+      "CWE-200"
+    ],
     "source_verified": "2026-05-14",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2024-40635",
@@ -2021,7 +2135,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Reported via the containerd security team (GO-2025-3528, Snyk SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987); no individual researcher byline in the advisory and no AI-tool credited. Bug class is straight integer overflow in WithUser() UID handling. Source: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor containerd 1.6.x < 1.6.34 for information-disclosure-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "MAL-2026-TANSTACK-MINI": {
     "ai_assisted_weaponization": false,
@@ -2095,7 +2221,19 @@
     "related_threats": [
       "MAL-2026-SHAI-HULUD-OSS"
     ],
-    "related_threats_note": "MAL-2026-TANSTACK-MINI is a Mini-Shai-Hulud-wave incident (Microsoft Security Research, 2026-05-11). The framework was open-sourced 2026-05-12 (MAL-2026-SHAI-HULUD-OSS) — TanStack predates the public release by ~24h. Same threat-actor authorship class; same registry-pivot tradecraft."
+    "related_threats_note": "MAL-2026-TANSTACK-MINI is a Mini-Shai-Hulud-wave incident (Microsoft Security Research, 2026-05-11). The framework was open-sourced 2026-05-12 (MAL-2026-SHAI-HULUD-OSS) — TanStack predates the public release by ~24h. Same threat-actor authorship class; same registry-pivot tradecraft.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor @tanstack/* packages for supply-chain-worm-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2026-30623": {
     "ai_assisted_weaponization": false,
@@ -2160,7 +2298,19 @@
       "https://github.com/anthropics/anthropic-sdk-python/security/advisories"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "OX Security advisory 2026-04-15; researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok. Same disclosure cluster as CVE-2026-30615. Named-human research; no AI-tool credit. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/."
+    "discovery_attribution_note": "OX Security advisory 2026-04-15; researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok. Same disclosure cluster as CVE-2026-30615. Named-human research; no AI-tool credit. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Anthropic MCP SDK stdio transport versions prior to vendor security release (Apr for command-injection-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-12686": {
     "ai_assisted_weaponization": false,
@@ -2218,7 +2368,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Pwn2Own Ireland 2025 (Cork, 2025-10-21) — exploited by @Tek_7987 and @_Anyfun of Synacktiv's offensive security team. Disclosure methodology: attack-surface enumeration + manual code auditing + exploit development per Synacktiv's published writeup; no AI-tool credit. Source: https://www.synacktiv.com/en/publications/breaking-the-beestation-inside-our-pwn2own-2025-exploit-journey.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (50 -> 45)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (50 -> 45).",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Synology BeeStation Manager < 1.4.0-65374 for RCE-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-62847": {
     "ai_assisted_weaponization": false,
@@ -2278,7 +2440,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Pwn2Own Ireland 2025 — exploited by DEVCORE Research Team (chained injection + format-string bug, $40,000 + 4 Master of Pwn points). Named-human team via ZDI live-blog credit; no AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (45 -> 40)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (45 -> 40).",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor QNAP QTS < 5.2.4.2950 for RCE-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-62848": {
     "ai_assisted_weaponization": false,
@@ -2338,7 +2512,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Pwn2Own Ireland 2025 — chain 2/3 of the DEVCORE Research Team QNAP TS-453E exploit. Same researcher attribution as CVE-2025-62847; ZDI live-blog credit. No AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (45 -> 40)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (45 -> 40).",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor QNAP QTS < 5.2.4.2950 for RCE-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-62849": {
     "ai_assisted_weaponization": false,
@@ -2398,7 +2584,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Pwn2Own Ireland 2025 — chain 3/3 of the DEVCORE Research Team QNAP TS-453E exploit (post-auth elevation). Same attribution as CVE-2025-62847/62848; ZDI credit. No AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (40 -> 35)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (40 -> 35).",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor QNAP QTS < 5.2.4.2950 for RCE-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-59389": {
     "ai_assisted_weaponization": false,
@@ -2457,7 +2655,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Pwn2Own Ireland 2025 — Sina Kheirkhah of Summoning Team chained a hardcoded-credential issue with an injection flaw against QNAP Hyper Data Protector ($20,000 award). Named-human researcher; no AI-tool credit. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results and https://www.qnap.com/en/security-advisory/qsa-25-48.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor QNAP Hyper Data Protector < 2.1.4.0420 for RCE-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-11837": {
     "ai_assisted_weaponization": false,
@@ -2517,7 +2727,19 @@
       "https://www.qnap.com/en/security-advisory/"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Pwn2Own Ireland 2025 — Chumy Tsai of CyCraft Technology demonstrated the code-injection on QNAP TS-453E ($20,000 award). Named-human researcher via ZDI credit; no AI-tool attribution. Source: https://www.qnap.com/en/security-advisory/qsa-25-47 and https://cybersecuritynews.com/qnap-zero-day-vulnerabilities-exploited/."
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — Chumy Tsai of CyCraft Technology demonstrated the code-injection on QNAP TS-453E ($20,000 award). Named-human researcher via ZDI credit; no AI-tool attribution. Source: https://www.qnap.com/en/security-advisory/qsa-25-47 and https://cybersecuritynews.com/qnap-zero-day-vulnerabilities-exploited/.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor QNAP Malware Remover < 6.6.8.20251023 for code-injection-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2026-42945": {
     "name": "NGINX Rift",
@@ -2594,7 +2816,19 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Discovered by depthfirst's autonomous vulnerability-analysis platform; flagged the heap-buffer-overflow in nginx ngx_http_rewrite_module (present since nginx 0.6.27, 2008) within six hours of scan time. First publicly-attributed AI-discovered nginx CVE; jointly disclosed by F5 + depthfirst on 2026-05-13. Source: https://depthfirst.com/nginx-rift and https://github.com/depthfirstdisclosures/nginx-rift.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor nginx 0.6.27 through 1.30.0 (every release for 18 years); nginx Plus R32 through for RCE-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2026-0300": {
     "name": "PAN-UID — Palo Alto Networks PAN-OS User-ID Authentication Portal RCE",
@@ -3479,7 +3713,19 @@
     ],
     "_draft": false,
     "last_updated": "2026-05-17",
-    "discovery_attribution_note": "Qualys Threat Research Unit human research, publicly disclosed 2026-05-14. The underlying logic flaw was originally surfaced in a 2020 patch proposal by Jann Horn that was never merged; Qualys identified the exploitable consequence six years later. No AI involvement on either the discovery or weaponization side."
+    "discovery_attribution_note": "Qualys Threat Research Unit human research, publicly disclosed 2026-05-14. The underlying logic flaw was originally surfaced in a 2020 patch proposal by Jann Horn that was never merged; Qualys identified the exploitable consequence six years later. No AI involvement on either the discovery or weaponization side.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Linux kernel for LPE-via-info-disclosure-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "MAL-2026-SHAI-HULUD-OSS": {
     "name": "Shai-Hulud worm framework (TeamPCP open-source release)",
@@ -3563,7 +3809,19 @@
       "https://snyk.io/blog/tanstack-npm-packages-compromised/"
     ],
     "last_updated": "2026-05-17",
-    "discovery_attribution_note": "TeamPCP threat-actor framework, not a vulnerability discovery. The framework was open-sourced 2026-05-12 on GitHub under MIT license by the same actor group responsible for the September 2025 / November 2025 / May 2026 Shai-Hulud npm-worm waves. TeamPCP self-describes the framework as \"vibe coded\" — AI-coding-assistant-mediated authoring. Adoption-side weaponization is accelerated by AI coding assistants + the BreachForums-hosted $1,000 USD bounty contest."
+    "discovery_attribution_note": "TeamPCP threat-actor framework, not a vulnerability discovery. The framework was open-sourced 2026-05-12 on GitHub under MIT license by the same actor group responsible for the September 2025 / November 2025 / May 2026 Shai-Hulud npm-worm waves. TeamPCP self-describes the framework as \"vibe coded\" — AI-coding-assistant-mediated authoring. Adoption-side weaponization is accelerated by AI coding assistants + the BreachForums-hosted $1,000 USD bounty contest.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor npm registry (170+ confirmed packages in May 2026 wave) for malicious-framework-release-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2024-21762": {
     "ai_assisted_weaponization": false,
@@ -3658,7 +3916,19 @@
     ],
     "_draft": false,
     "last_updated": "2026-05-17",
-    "discovery_attribution_note": "Vendor-internal discovery by Fortinet PSIRT, disclosed 2024-02-08 via advisory FG-IR-24-015. No external researcher byline. CISA KEV-listed 2024-02-09 with a 7-day federal remediation deadline. Post-exploitation symlink-persistence technique documented in Fortinet's 2025-04-11 advisory after operators reported residual filesystem access on devices patched after compromise."
+    "discovery_attribution_note": "Vendor-internal discovery by Fortinet PSIRT, disclosed 2024-02-08 via advisory FG-IR-24-015. No external researcher byline. CISA KEV-listed 2024-02-09 with a 7-day federal remediation deadline. Post-exploitation symlink-persistence technique documented in Fortinet's 2025-04-11 advisory after operators reported residual filesystem access on devices patched after compromise.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Fortinet FortiOS and FortiProxy SSL-VPN feature on FortiGate appliances. Any int for out-of-bounds-write-preauth-rce-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-10585": {
     "id": "CVE-2025-10585",
@@ -3723,7 +3993,22 @@
       }
     ],
     "discovery_attribution_note": "Discovered and reported by Google Threat Analysis Group (TAG) — human researcher attribution. Disclosure date 2025-09-16. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-10585",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-843"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Google Chrome Stable channel < 140.0.7339.185 (Linux) for type-confusion-rce-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-14174": {
     "id": "CVE-2025-14174",
@@ -3792,7 +4077,23 @@
       }
     ],
     "discovery_attribution_note": "Discovery credit not publicly disclosed by Apple at time of patch; targeted-spyware operator activity rather than AI-assisted discovery. Source: https://support.apple.com/en-us/HT215000",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-787",
+      "CWE-119"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Apple WebKit on iOS/iPadOS prior to 18.7.3 and 26.2; macOS Tahoe 26.2; Safari 26 for memory-corruption-rce-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-43529": {
     "id": "CVE-2025-43529",
@@ -3857,7 +4158,22 @@
       }
     ],
     "discovery_attribution_note": "No AI-tool credit; commercial exploit kit (DarkSword) attribution. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-43529",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-416"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Apple WebKit on iOS/iPadOS prior to 18.7.3 / 26.2; macOS Tahoe 26.2; Safari 26.2 for use-after-free-rce-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-4919": {
     "id": "CVE-2025-4919",
@@ -3919,7 +4235,22 @@
       }
     ],
     "discovery_attribution_note": "Pwn2Own competitor disclosure; same-day patch. Source: https://www.mozilla.org/en-US/security/advisories/mfsa2025-36/",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-843"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Mozilla Firefox < 138.0.4 for type-confusion-rce-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-24201": {
     "id": "CVE-2025-24201",
@@ -3987,7 +4318,22 @@
       }
     ],
     "discovery_attribution_note": "Apple-internal discovery in response to targeted-attack telemetry on devices running iOS prior to 17.2. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-24201",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Apple WebKit on iOS < 18.3.2 for out-of-bounds-write-sandbox-escape-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-43300": {
     "id": "CVE-2025-43300",
@@ -4055,15 +4401,30 @@
       }
     ],
     "discovery_attribution_note": "Apple-internal disclosure; full attribution undisclosed. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-43300",
-    "live_patch_tools": []
-  },
-  "CVE-2025-38352": {
-    "id": "CVE-2025-38352",
-    "name": "Android / Linux Kernel POSIX CPU Timer Race (sandbox-escape LPE)",
-    "type": "race-condition-lpe",
-    "cvss_score": 7.4,
-    "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
-    "cisa_kev": true,
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Apple ImageIO on iOS < 18.6.2 for out-of-bounds-write-rce-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
+  },
+  "CVE-2025-38352": {
+    "id": "CVE-2025-38352",
+    "name": "Android / Linux Kernel POSIX CPU Timer Race (sandbox-escape LPE)",
+    "type": "race-condition-lpe",
+    "cvss_score": 7.4,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
     "cisa_kev_date": "2025-09-04",
     "cisa_kev_due_date": "2025-09-25",
     "poc_available": true,
@@ -4124,7 +4485,22 @@
         "published_date": "2025-09-02"
       }
     ],
-    "discovery_attribution_note": "Google Android Security Bulletin September 2025 attribution; no AI-tool credit. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-38352"
+    "discovery_attribution_note": "Google Android Security Bulletin September 2025 attribution; no AI-tool credit. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-38352",
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Linux kernel including downstream Android kernels prior to the September 2025 pa for race-condition-lpe-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-55241": {
     "id": "CVE-2025-55241",
@@ -4190,7 +4566,22 @@
       }
     ],
     "discovery_attribution_note": "Researcher disclosure 2025-07-14; Microsoft global server-side fix 2025-07-17; additional hardening 2025-08-06; public disclosure September 2025. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Microsoft Entra ID (formerly Azure Active Directory) tenants with the legacy Azu for cross-tenant-privilege-escalation-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-21085": {
     "id": "CVE-2025-21085",
@@ -4252,7 +4643,22 @@
       }
     ],
     "discovery_attribution_note": "Vendor-internal discovery via Cisco PSIRT. Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-auth-info-JgkSWBLz",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Cisco Duo Authentication Proxy versions prior to 6.5.3 with debug-level logging  for information-disclosure-credential-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-1094": {
     "id": "CVE-2025-1094",
@@ -4322,7 +4728,22 @@
       }
     ],
     "discovery_attribution_note": "Rapid7 disclosure during BeyondTrust incident triage; no AI-tool attribution. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-1094",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor PostgreSQL psql interactive tool < 17.3 for sql-injection-rce-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-49844": {
     "id": "CVE-2025-49844",
@@ -4388,7 +4809,22 @@
       }
     ],
     "discovery_attribution_note": "Wiz Research disclosure (human-led); no AI-tool credit. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-49844",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-416"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Redis for use-after-free-rce-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-14847": {
     "id": "CVE-2025-14847",
@@ -4452,7 +4888,22 @@
       }
     ],
     "discovery_attribution_note": "Bitsight + MongoDB-coordinated disclosure; no AI-tool attribution. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-14847",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor MongoDB Server affected branches per vendor advisory; Bitsight enumerated multip for information-disclosure-heap-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-8671": {
     "id": "CVE-2025-8671",
@@ -4520,7 +4971,22 @@
       }
     ],
     "discovery_attribution_note": "Tel Aviv University academic disclosure paired with Imperva production traffic analysis. ai_discovery_source set to academic_ai_fuzzing as the closest enum match for protocol-fuzzing research, though specific AI-fuzzing tool credit was not published. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-8671",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor HTTP/2 implementations including Apache Tomcat for denial-of-service-protocol-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-6965": {
     "id": "CVE-2025-6965",
@@ -4586,7 +5052,23 @@
       }
     ],
     "discovery_attribution_note": "AI-surfaced by Google's 'Big Sleep' (DeepMind + Project Zero collaboration, Gemini-backed). Notable as the first AI-agent foil of an in-the-wild zero-day exploitation campaign. Hard Rule #7 anchor entry.",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-787",
+      "CWE-119"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor SQLite versions prior to 3.50.2 for memory-corruption-rce-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2026-22778": {
     "id": "CVE-2026-22778",
@@ -4653,7 +5135,23 @@
       }
     ],
     "discovery_attribution_note": "OX Security human research disclosure. Source: https://www.ox.security/blog/cve-2026-22778-vllm-rce-vulnerability/",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-122",
+      "CWE-787"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor vLLM multimodal endpoints prior to 0.14.1; affects FFmpeg 5.1.x bundled inside O for heap-overflow-rce-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2026-7482": {
     "id": "CVE-2026-7482",
@@ -4718,7 +5216,22 @@
       }
     ],
     "discovery_attribution_note": "Coordinated disclosure to Ollama security team. Source: https://github.com/ollama/ollama/security/advisories",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Ollama < 0.17.1 across all platforms (Linux for out-of-bounds-read-disclosure-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-68664": {
     "id": "CVE-2025-68664",
@@ -4789,7 +5302,22 @@
       }
     ],
     "discovery_attribution_note": "Cyata research team discovery via prompt-injection attack-surface analysis. Source: https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor LangChain Core prior to 1.2.5 / 0.3.81. Affects any agent pipeline that serializ for deserialization-injection-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-22224": {
     "id": "CVE-2025-22224",
@@ -4859,7 +5387,22 @@
       }
     ],
     "discovery_attribution_note": "Microsoft Threat Intelligence Center disclosure; no AI-tool attribution. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-22224",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor VMware ESXi 7.0 for toctou-vm-escape-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-22225": {
     "id": "CVE-2025-22225",
@@ -4926,7 +5469,22 @@
       }
     ],
     "discovery_attribution_note": "Microsoft Threat Intelligence Center co-disclosure. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-22225",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor VMware ESXi 7.0 for arbitrary-kernel-write-vm-escape-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-22226": {
     "id": "CVE-2025-22226",
@@ -4993,7 +5551,22 @@
       }
     ],
     "discovery_attribution_note": "Microsoft Threat Intelligence Center co-disclosure. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-22226",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor VMware ESXi 7.0 for information-disclosure-vm-escape-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "MAL-2024-PYPI-ULTRALYTICS-XMRIG": {
     "id": "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -5065,7 +5638,22 @@
       }
     ],
     "discovery_attribution_note": "ReversingLabs + Wiz + HiddenLayer concurrent ecosystem-telemetry detection. Source: https://www.reversinglabs.com/blog/compromised-ultralytics-pypi-package-delivers-crypto-coinminer",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor ultralytics 8.3.41 and 8.3.42 on PyPI (~60M monthly downloads for supply-chain-cryptominer-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER": {
     "id": "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
@@ -5140,7 +5728,22 @@
       }
     ],
     "discovery_attribution_note": "Socket.dev research disclosure; concurrent reporting by other supply-chain firms. Source: https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Ruby gems and Go modules published by GitHub account 'BufferZoneCorp' impersonat for supply-chain-credential-stealer-multi-ecosystem-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER": {
     "id": "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
@@ -5214,7 +5817,22 @@
       }
     ],
     "discovery_attribution_note": "Imperva Threat Research + Checkmarx + Check Point ecosystem-telemetry detection. Source: https://www.imperva.com/blog/pythons-colorama-typosquatting-meets-fade-stealer-malware/",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor PyPI typosquats of `colorama` (one of the most-installed Python packages for supply-chain-typosquat-credential-stealer-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-0133": {
     "id": "CVE-2025-0133",
@@ -5282,7 +5900,22 @@
       }
     ],
     "discovery_attribution_note": "AI-surfaced by XBOW autonomous-pentest agent during HackerOne VDP engagement. First publicly-attributed AI-tool CVE against Palo Alto. Hard Rule #7 anchor.",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor PAN-OS GlobalProtect gateway and portal. Cloud NGFW (all versions) for reflected-xss-captive-portal-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-59529": {
     "id": "CVE-2025-59529",
@@ -5346,7 +5979,22 @@
       }
     ],
     "discovery_attribution_note": "AI-surfaced by ZeroPath SAST agent. Notable as a business-logic class detection — the category most resistant to conventional SAST and most accelerated by LLM-driven analysis. Hard Rule #7 anchor.",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Avahi (mDNS / DNS-SD service-discovery daemon) deployed with Simple Protocol Ser for business-logic-dos-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-55319": {
     "id": "CVE-2025-55319",
@@ -5415,7 +6063,22 @@
       }
     ],
     "discovery_attribution_note": "AI-surfaced by ZeroPath. Doubly-relevant: AI-defender finds bug in AI-agentic IDE integration. ai_assisted_weaponization=true because the AI agent IS the weaponization primitive — qualifies under both Hard Rule #7 limbs.",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-77"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Visual Studio Code agentic-AI feature surface prior to vendor fix; affects devel for command-injection-agentic-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-53767": {
     "id": "CVE-2025-53767",
@@ -5484,7 +6147,22 @@
       }
     ],
     "discovery_attribution_note": "AI-surfaced by ZeroPath against Azure OpenAI control plane. Hard Rule #7 anchor and identity-class adjacent (cloud-tenant control plane).",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Azure OpenAI service (Microsoft-managed cloud). Pre-2025-08-19 service state. for ssrf-privilege-escalation-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2025-10725": {
     "id": "CVE-2025-10725",
@@ -5551,7 +6229,22 @@
       }
     ],
     "discovery_attribution_note": "AI-surfaced by ZeroPath against Red Hat OpenShift AI. Hard Rule #7 anchor — AI-defender finding bugs in AI-deployment platform.",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Red Hat OpenShift AI prior to vendor fix; affects managed-Kubernetes AI deployme for privilege-escalation-rbac-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP": {
     "id": "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP",
@@ -5620,7 +6313,22 @@
       }
     ],
     "discovery_attribution_note": "Composite / tranche entry covering the Big Sleep FFmpeg + ImageMagick AI-tool zero-day finds (Google DeepMind + Project Zero). Operator action: when the per-CVE detail becomes available, split this into individual catalog entries and retire the composite. Anchor entry for Hard Rule #7 (AI-discovery rate).",
-    "live_patch_tools": []
+    "live_patch_tools": [],
+    "cwe_refs": [
+      "CWE-1395"
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor FFmpeg for ai-discovered-tranche-multi-cve-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2026-31635": {
     "name": "DirtyDecrypt (rxgk page-cache write)",
@@ -5712,7 +6420,19 @@
       }
     ],
     "last_updated": "2026-05-18",
-    "intake_gap_note": "Catalog entry added 2026-05-18 via manual operator triage AFTER public PoC. The daily exceptd-threat-intake routine missed this CVE — kernel.org Atom feed window had rolled past the 2026-04-25 silent-patch commit by the time the PoC published on 2026-05-17, and the V12 rediscovery report went to maintainers privately rather than to oss-security@openwall. The v0.13.14 release adds a vendor-security-blog source (Microsoft / Sysdig / Trail of Bits) to close this class of gap. See feeds_into supply-chain-recovery + framework playbooks for the chained handling."
+    "intake_gap_note": "Catalog entry added 2026-05-18 via manual operator triage AFTER public PoC. The daily exceptd-threat-intake routine missed this CVE — kernel.org Atom feed window had rolled past the 2026-04-25 silent-patch commit by the time the PoC published on 2026-05-17, and the V12 rediscovery report went to maintainers privately rather than to oss-security@openwall. The v0.13.14 release adds a vendor-security-blog source (Microsoft / Sysdig / Trail of Bits) to close this class of gap. See feeds_into supply-chain-recovery + framework playbooks for the chained handling.",
+    "iocs": {
+      "payload_artifacts": [
+        "IOC list pending operator curation. Refer to vendor advisory linked in verification_sources for vendor-supplied indicators. Bulk-import or pre-v0.13.x entry; iocs were not populated at catalog-add time."
+      ],
+      "behavioral": [
+        "Monitor Linux kernel with CONFIG_RXGK enabled (Fedora for LPE-class anomalies — unauthorized state transitions, anomalous process / network behavior, and access-control violations consistent with the vector field. Pair with vendor-supplied detection guidance."
+      ],
+      "version_exposure": [
+        "Confirm running version against the affected_versions[] field; vendor advisory in verification_sources lists fixed builds."
+      ]
+    },
+    "_iocs_stub": true
   },
   "CVE-2020-17103-REREGRESSION-2026": {
     "name": "MiniPlasma — Windows cldflt.sys Cloud Files Mini Filter SYSTEM EoP (re-regression of CVE-2020-17103)",
@@ -6257,7 +6977,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-30; due date 2026-05-03. Notes reference: https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 ; https://docs.cpanel.net/release-notes/release-notes/ ; https://docs.wpsquared.com/changelogs/version",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel."
+    "_kev_short_description": "WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.",
+    "_iocs_stub": true
   },
   "CVE-2024-1708": {
     "name": "ConnectWise ScreenConnect Path Traversal Vulnerability",
@@ -6365,7 +7086,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-28; due date 2026-05-12. Notes reference: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 ; https://nvd.nist.gov/vuln/detail/CVE-2024-1708",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems."
+    "_kev_short_description": "ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.",
+    "_iocs_stub": true
   },
   "CVE-2025-29635": {
     "name": "D-Link DIR-823X Command Injection Vulnerability",
@@ -6472,7 +7194,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-24; due date 2026-05-08. Notes reference: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469 ; https://nvd.nist.gov/vuln/detail/CVE-2025-29635",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2024-7399": {
     "name": "Samsung MagicINFO 9 Server Path Traversal Vulnerability",
@@ -6579,7 +7302,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-24; due date 2026-05-08. Notes reference: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority."
+    "_kev_short_description": "Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority.",
+    "_iocs_stub": true
   },
   "CVE-2024-57728": {
     "name": "SimpleHelp Path Traversal Vulnerability",
@@ -6687,7 +7411,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-24; due date 2026-05-08. Notes reference: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57728",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user."
+    "_kev_short_description": "SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.",
+    "_iocs_stub": true
   },
   "CVE-2024-57726": {
     "name": "SimpleHelp Missing Authorization Vulnerability",
@@ -6796,7 +7521,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-24; due date 2026-05-08. Notes reference: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57726",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role."
+    "_kev_short_description": "SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.",
+    "_iocs_stub": true
   },
   "CVE-2026-20122": {
     "name": "Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability",
@@ -6905,7 +7631,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges."
+    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.",
+    "_iocs_stub": true
   },
   "CVE-2026-20133": {
     "name": "Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability",
@@ -7014,7 +7741,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems."
+    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems.",
+    "_iocs_stub": true
   },
   "CVE-2025-2749": {
     "name": "Kentico Xperience Path Traversal Vulnerability",
@@ -7121,7 +7849,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-05-04. Notes reference: https://devnet.kentico.com/download/hotfixes ; https://nvd.nist.gov/vuln/detail/CVE-2025-2749",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations."
+    "_kev_short_description": "Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.",
+    "_iocs_stub": true
   },
   "CVE-2023-27351": {
     "name": "PaperCut NG/MF Improper Authentication Vulnerability",
@@ -7230,7 +7959,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-05-04. Notes reference: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 ; https://nvd.nist.gov/vuln/detail/CVE-2023-27351",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class."
+    "_kev_short_description": "PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class.",
+    "_iocs_stub": true
   },
   "CVE-2025-48700": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability",
@@ -7336,7 +8066,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2025-48700",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information."
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.",
+    "_iocs_stub": true
   },
   "CVE-2026-20128": {
     "name": "Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability",
@@ -7445,7 +8176,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user."
+    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.",
+    "_iocs_stub": true
   },
   "CVE-2025-32975": {
     "name": "Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability",
@@ -7552,7 +8284,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-05-04. Notes reference: https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32975",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials."
+    "_kev_short_description": "Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials.",
+    "_iocs_stub": true
   },
   "CVE-2024-27199": {
     "name": "JetBrains TeamCity Relative Path Traversal Vulnerability",
@@ -7661,7 +8394,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-05-04. Notes reference: https://www.jetbrains.com/privacy-security/issues-fixed/ ; https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed."
+    "_kev_short_description": "JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.",
+    "_iocs_stub": true
   },
   "CVE-2026-34197": {
     "name": "Apache ActiveMQ Improper Input Validation Vulnerability",
@@ -7769,7 +8503,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-16; due date 2026-04-30. Notes reference: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt ; https://nvd.nist.gov/vuln/detail/CVE-2026-34197",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection."
+    "_kev_short_description": "Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection.",
+    "_iocs_stub": true
   },
   "CVE-2009-0238": {
     "name": "Microsoft Office Remote Code Execution",
@@ -7876,7 +8611,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-14; due date 2026-04-28. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-009 ; https://nvd.nist.gov/vuln/detail/CVE-2009-0238",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object."
+    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.",
+    "_iocs_stub": true
   },
   "CVE-2026-32201": {
     "name": "Microsoft SharePoint Server Improper Input Validation Vulnerability",
@@ -7983,7 +8719,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-14; due date 2026-04-28. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32201 ; https://nvd.nist.gov/vuln/detail/CVE-2026-32201",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network."
+    "_kev_short_description": "Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.",
+    "_iocs_stub": true
   },
   "CVE-2012-1854": {
     "name": "Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability",
@@ -8090,7 +8827,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-046 ; https://nvd.nist.gov/vuln/detail/CVE-2012-1854",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution."
+    "_kev_short_description": "Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2025-60710": {
     "name": "Microsoft Windows Link Following Vulnerability",
@@ -8196,7 +8934,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710 ; https://nvd.nist.gov/vuln/detail/CVE-2025-60710",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains a link following vulnerability that allows for privilege escalation"
+    "_kev_short_description": "Microsoft Windows contains a link following vulnerability that allows for privilege escalation",
+    "_iocs_stub": true
   },
   "CVE-2023-21529": {
     "name": "Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability",
@@ -8305,7 +9044,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529 ; https://nvd.nist.gov/vuln/detail/CVE-2023-21529",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Exchange Server contains a deserialization of untrusted data that allows an authenticated attacker to achieve remote code execution."
+    "_kev_short_description": "Microsoft Exchange Server contains a deserialization of untrusted data that allows an authenticated attacker to achieve remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2023-36424": {
     "name": "Microsoft Windows Out-of-Bounds Read Vulnerability",
@@ -8411,7 +9151,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36424 ; https://nvd.nist.gov/vuln/detail/CVE-2023-36424",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation"
+    "_kev_short_description": "Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation",
+    "_iocs_stub": true
   },
   "CVE-2020-9715": {
     "name": "Adobe Acrobat Use-After-Free Vulnerability",
@@ -8517,7 +9258,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://helpx.adobe.com/security/products/acrobat/apsb20-48.html ; https://nvd.nist.gov/vuln/detail/CVE-2020-9715",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution"
+    "_kev_short_description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution",
+    "_iocs_stub": true
   },
   "CVE-2026-21643": {
     "name": "Fortinet FortiClient EMS SQL Injection Vulnerability",
@@ -8624,7 +9366,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-16. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21643",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests."
+    "_kev_short_description": "Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.",
+    "_iocs_stub": true
   },
   "CVE-2026-34621": {
     "name": "Adobe Acrobat and Reader Prototype Pollution Vulnerability",
@@ -8731,7 +9474,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://helpx.adobe.com/security/products/acrobat/apsb26-43.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-34621",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution."
+    "_kev_short_description": "Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.",
+    "_iocs_stub": true
   },
   "CVE-2026-1340": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability",
@@ -8840,7 +9584,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-08; due date 2026-04-11. Notes reference: Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution."
+    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2026-35616": {
     "name": "Fortinet FortiClient EMS Improper Access Control Vulnerability",
@@ -8947,7 +9692,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-06; due date 2026-04-09. Notes reference: Please adhere to Fortinet's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Fortinet products affected by this vulnerability. Apply",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests."
+    "_kev_short_description": "Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.",
+    "_iocs_stub": true
   },
   "CVE-2026-3502": {
     "name": "TrueConf Client Download of Code Without Integrity Check Vulnerability",
@@ -9055,7 +9801,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-02; due date 2026-04-16. Notes reference: https://trueconf.com/blog/update/trueconf-8-5 ; https://trueconf.com/downloads/windows.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-3502",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user."
+    "_kev_short_description": "TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.",
+    "_iocs_stub": true
   },
   "CVE-2026-5281": {
     "name": "Google Dawn Use-After-Free Vulnerability",
@@ -9161,7 +9908,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-01; due date 2026-04-15. Notes reference: This vulnerability affects an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://ch",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Dawn contains an use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_kev_short_description": "Google Dawn contains an use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "_iocs_stub": true
   },
   "CVE-2026-3055": {
     "name": "Citrix NetScaler Out-of-Bounds Read Vulnerability",
@@ -9267,7 +10015,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-30; due date 2026-04-02. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368 ; https://nvd.nist",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread."
+    "_kev_short_description": "Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread.",
+    "_iocs_stub": true
   },
   "CVE-2025-53521": {
     "name": "F5 BIG-IP Stack-Based Buffer Overflow Vulnerability",
@@ -9376,7 +10125,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-27; due date 2026-03-30. Notes reference: Please adhere to F5’s guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible F5 products affected by this vulnerability. For more informat",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution."
+    "_kev_short_description": "F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2026-33634": {
     "name": "Aquasecurity Trivy Embedded Malicious Code Vulnerability",
@@ -9483,7 +10233,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-26; due date 2026-04-09. Notes reference: This vulnerability involves a supply‑chain compromise in a product that may be used across multiple products and environments. Additional vendor‑provided guidance must be followed to ensure full remed",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory."
+    "_kev_short_description": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.",
+    "_iocs_stub": true
   },
   "CVE-2026-33017": {
     "name": "Langflow Code Injection Vulnerability",
@@ -9592,7 +10343,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-25; due date 2026-04-08. Notes reference: https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx ; https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication."
+    "_kev_short_description": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.",
+    "_iocs_stub": true
   },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
@@ -9700,7 +10452,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-20; due date 2026-04-03. Notes reference: https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432 ; https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32432",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code."
+    "_kev_short_description": "Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.",
+    "_iocs_stub": true
   },
   "CVE-2025-54068": {
     "name": "Laravel Livewire Code Injection Vulnerability",
@@ -9808,7 +10561,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-20; due date 2026-04-03. Notes reference: https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3 ; https://github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dc ; https://nvd.nist.gov/vuln/detail/C",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Laravel Livewire contain a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios."
+    "_kev_short_description": "Laravel Livewire contain a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.",
+    "_iocs_stub": true
   },
   "CVE-2025-43510": {
     "name": "Apple Multiple Products Improper Locking Vulnerability",
@@ -9922,7 +10676,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-20; due date 2026-04-03. Notes reference: https://support.apple.com/en-us/125632 ; https://support.apple.com/en-us/125633 ; https://support.apple.com/en-us/125634 ; https://support.apple.com/en-us/125635 ; https://support.apple.com/en-us/1256",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes."
+    "_kev_short_description": "Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes.",
+    "_iocs_stub": true
   },
   "CVE-2025-43520": {
     "name": "Apple Multiple Products Classic Buffer Overflow Vulnerability",
@@ -10036,7 +10791,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-20; due date 2026-04-03. Notes reference: https://support.apple.com/en-us/125632 ; https://support.apple.com/en-us/125633 ; https://support.apple.com/en-us/125634 ; https://support.apple.com/en-us/125635 ; https://support.apple.com/en-us/1256",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel memory."
+    "_kev_short_description": "Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel memory.",
+    "_iocs_stub": true
   },
   "CVE-2025-31277": {
     "name": "Apple Multiple Products Buffer Overflow Vulnerability",
@@ -10146,7 +10902,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-20; due date 2026-04-03. Notes reference: https://support.apple.com/en-us/124147 ; https://support.apple.com/en-us/124149 ; https://support.apple.com/en-us/124152 ; https://support.apple.com/en-us/124153 ; https://support.apple.com/en-us/1241",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corruption."
+    "_kev_short_description": "Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corruption.",
+    "_iocs_stub": true
   },
   "CVE-2026-20131": {
     "name": "Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability",
@@ -10255,7 +11012,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-19; due date 2026-03-22. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh ; https://nvd.nist.gov/vuln/detail/CVE-2026-20131",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device."
+    "_kev_short_description": "Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.",
+    "_iocs_stub": true
   },
   "CVE-2025-66376": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability",
@@ -10361,7 +11119,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-18; due date 2026-04-01. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2025-66376",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML."
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.",
+    "_iocs_stub": true
   },
   "CVE-2026-20963": {
     "name": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability",
@@ -10468,7 +11227,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-18; due date 2026-03-21. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963 ; https://nvd.nist.gov/vuln/detail/CVE-2026-20963",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network."
+    "_kev_short_description": "Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.",
+    "_iocs_stub": true
   },
   "CVE-2025-47813": {
     "name": "Wing FTP Server Information Disclosure Vulnerability",
@@ -10574,7 +11334,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-16; due date 2026-03-30. Notes reference: https://www.wftpserver.com/serverhistory.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-47813",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie."
+    "_kev_short_description": "Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie.",
+    "_iocs_stub": true
   },
   "CVE-2026-3910": {
     "name": "Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability",
@@ -10681,7 +11442,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-13; due date 2026-03-27. Notes reference: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-3910",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_kev_short_description": "Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "_iocs_stub": true
   },
   "CVE-2026-3909": {
     "name": "Google Skia Out-of-Bounds Write Vulnerability",
@@ -10788,7 +11550,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-13; due date 2026-03-27. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For mor",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products."
+    "_kev_short_description": "Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.",
+    "_iocs_stub": true
   },
   "CVE-2025-68613": {
     "name": "n8n Improper Control of Dynamically-Managed Code Resources Vulnerability",
@@ -10895,7 +11658,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-11; due date 2026-03-25. Notes reference: https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp ; https://nvd.nist.gov/vuln/detail/CVE-2025-68613",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution."
+    "_kev_short_description": "n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2021-22054": {
     "name": "Omnissa Workspace ONE Server-Side Request Forgery",
@@ -11001,7 +11765,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-09; due date 2026-03-23. Notes reference: https://web.archive.org/web/20211222154335/https://www.vmware.com/security/advisories/VMSA-2021-0029.html ; https://nvd.nist.gov/vuln/detail/CVE-2021-22054",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Omnissa Workspace One UEM formerly known as VMware Workspace One UEM contains a server-side request forgery (SSRF) vulnerability that could allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information."
+    "_kev_short_description": "Omnissa Workspace One UEM formerly known as VMware Workspace One UEM contains a server-side request forgery (SSRF) vulnerability that could allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.",
+    "_iocs_stub": true
   },
   "CVE-2025-26399": {
     "name": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability",
@@ -11109,7 +11874,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-09; due date 2026-03-12. Notes reference: https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399 ; https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm ; ht",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine."
+    "_kev_short_description": "SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.",
+    "_iocs_stub": true
   },
   "CVE-2026-1603": {
     "name": "Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability",
@@ -11216,7 +11982,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-09; due date 2026-03-23. Notes reference: https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2026-1603",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data."
+    "_kev_short_description": "Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.",
+    "_iocs_stub": true
   },
   "CVE-2017-7921": {
     "name": "Hikvision Multiple Products Improper Authentication Vulnerability",
@@ -11323,7 +12090,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://www.hikvision.com/us-en/support/document-center/special-notices/privilege-escalating-vulnerability-in-certain-hikvision-ip-cameras/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-7921",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information."
+    "_kev_short_description": "Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.",
+    "_iocs_stub": true
   },
   "CVE-2021-22681": {
     "name": "Rockwell Multiple Products Insufficient Protected Credentials Vulnerability",
@@ -11431,7 +12199,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://support.rockwellautomation.com/app/answers/answer_view/a_id/1130301/~/cve-2021-22681%3A-authentication-bypass-vulnerability-found-in-logix-controllers- ; https://www.cisa.gov/news-events/ics-a",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller."
+    "_kev_short_description": "Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.",
+    "_iocs_stub": true
   },
   "CVE-2023-43000": {
     "name": "Apple Multiple products Use-After-Free Vulnerability",
@@ -11539,7 +12308,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://support.apple.com/en-us/120324 ; https://support.apple.com/en-us/120331 ; https://support.apple.com/en-us/120338 ; https://nvd.nist.gov/vuln/detail/CVE-2023-43000",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead to memory corruption."
+    "_kev_short_description": "Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead to memory corruption.",
+    "_iocs_stub": true
   },
   "CVE-2021-30952": {
     "name": "Apple Multiple Products Integer Overflow or Wraparound Vulnerability",
@@ -11649,7 +12419,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://support.apple.com/en-us/HT212975 ; https://support.apple.com/en-us/HT212976 ; https://support.apple.com/en-us/HT212978 ; https://support.apple.com/en-us/HT212980 ; https://support.apple.com/en",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web content that may lead to arbitrary code execution."
+    "_kev_short_description": "Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web content that may lead to arbitrary code execution.",
+    "_iocs_stub": true
   },
   "CVE-2023-41974": {
     "name": "Apple iOS and iPadOS Use-After-Free Vulnerability",
@@ -11756,7 +12527,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://support.apple.com/en-us/HT213938 ; https://support.apple.com/kb/HT213938 ; https://nvd.nist.gov/vuln/detail/CVE-2023-41974",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges."
+    "_kev_short_description": "Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.",
+    "_iocs_stub": true
   },
   "CVE-2026-22719": {
     "name": "Broadcom VMware Aria Operations Command Injection Vulnerability",
@@ -11864,7 +12636,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-03; due date 2026-03-24. Notes reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ; https://knowledge.broadcom.com/external/article/430349 ; https://nvd.nist.gov/vuln/det",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support‑assisted product migration."
+    "_kev_short_description": "Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support‑assisted product migration.",
+    "_iocs_stub": true
   },
   "CVE-2026-21385": {
     "name": "Qualcomm Multiple Chipsets Memory Corruption Vulnerability",
@@ -11970,7 +12743,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-03; due date 2026-03-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://source.android.com/docs/security/bulletin/2026/2026-03-01 ; https://nvd.nist.go",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. "
+    "_kev_short_description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. ",
+    "_iocs_stub": true
   },
   "CVE-2022-20775": {
     "name": "Cisco SD-WAN Path Traversal Vulnerability",
@@ -12079,7 +12853,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-25; due date 2026-02-27. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user."
+    "_kev_short_description": "Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.",
+    "_iocs_stub": true
   },
   "CVE-2026-20127": {
     "name": "Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability",
@@ -12188,7 +12963,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-25; due date 2026-02-27. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric."
+    "_kev_short_description": "Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.",
+    "_iocs_stub": true
   },
   "CVE-2026-25108": {
     "name": "Soliton Systems K.K FileZen OS Command Injection Vulnerability",
@@ -12295,7 +13071,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-24; due date 2026-03-17. Notes reference: https://jvn.jp/en/jp/JVN84622767/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-25108",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Soliton Systems K.K FileZen contains an OS command injection vulnerability when an user logs-in to the affected product and sends a specially crafted HTTP request."
+    "_kev_short_description": "Soliton Systems K.K FileZen contains an OS command injection vulnerability when an user logs-in to the affected product and sends a specially crafted HTTP request.",
+    "_iocs_stub": true
   },
   "CVE-2025-49113": {
     "name": "RoundCube Webmail Deserialization of Untrusted Data Vulnerability",
@@ -12404,7 +13181,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-20; due date 2026-03-13. Notes reference: https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.6.",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php."
+    "_kev_short_description": "RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.",
+    "_iocs_stub": true
   },
   "CVE-2025-68461": {
     "name": "RoundCube Webmail Cross-site Scripting Vulnerability",
@@ -12511,7 +13289,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-20; due date 2026-03-13. Notes reference: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 ; https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb ; https://nvd.nist.gov/vuln/detail",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document."
+    "_kev_short_description": "RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.",
+    "_iocs_stub": true
   },
   "CVE-2021-22175": {
     "name": "GitLab Server-Side Request Forgery (SSRF) Vulnerability",
@@ -12617,7 +13396,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-18; due date 2026-03-11. Notes reference: https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22175.json ; https://nvd.nist.gov/vuln/detail/CVE-2021-22175",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled."
+    "_kev_short_description": "GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled.",
+    "_iocs_stub": true
   },
   "CVE-2026-22769": {
     "name": "Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability",
@@ -12726,7 +13506,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-18; due date 2026-02-21. Notes reference: https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079 ; https://www.dell.com/support/kbdoc/en-us/000426742/recoverpoint-for-vms-apply-the-remediation-script-for-dsa ; https://cloud.google.co",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Dell RecoverPoint for Virtual Machines (RP4VMs) contains an use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and root-level persistence."
+    "_kev_short_description": "Dell RecoverPoint for Virtual Machines (RP4VMs) contains an use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and root-level persistence.",
+    "_iocs_stub": true
   },
   "CVE-2020-7796": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability",
@@ -12832,7 +13613,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-17; due date 2026-03-10. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7 ; https://nvd.nist.gov/vuln/detail/CVE-2020-7796",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled."
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled.",
+    "_iocs_stub": true
   },
   "CVE-2024-7694": {
     "name": "TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -12940,7 +13722,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-17; due date 2026-03-10. Notes reference: https://teamt5.org/en/posts/vulnerability-notice-threat-sonar-anti-ransomware-20240715/ ; https://www.twcert.org.tw/en/cp-139-8000-e5a5c-2.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-7694",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TeamT5 ThreatSonar Anti-Ransomware contains an unrestricted upload of file with dangerous type vulnerability. ThreatSonar Anti-Ransomware does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system commands on the server."
+    "_kev_short_description": "TeamT5 ThreatSonar Anti-Ransomware contains an unrestricted upload of file with dangerous type vulnerability. ThreatSonar Anti-Ransomware does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system commands on the server.",
+    "_iocs_stub": true
   },
   "CVE-2008-0015": {
     "name": " Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability",
@@ -13047,7 +13830,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-17; due date 2026-03-10. Notes reference: https://web.archive.org/web/20110305211119/https://www.microsoft.com/technet/security/bulletin/ms09-032.mspx ; https://nvd.nist.gov/vuln/detail/CVE-2008-0015",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."
+    "_kev_short_description": "Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.",
+    "_iocs_stub": true
   },
   "CVE-2026-2441": {
     "name": "Google Chromium CSS Use-After-Free Vulnerability",
@@ -13153,7 +13937,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-17; due date 2026-03-10. Notes reference: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-2441",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_kev_short_description": "Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "_iocs_stub": true
   },
   "CVE-2026-1731": {
     "name": "BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability",
@@ -13262,7 +14047,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-13; due date 2026-02-16. Notes reference: Please adhere to the vendor's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible BeyondTrust products affected by this vulnerability. ",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption."
+    "_kev_short_description": "BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.",
+    "_iocs_stub": true
   },
   "CVE-2026-20700": {
     "name": "Apple Multiple Buffer Overflow Vulnerability",
@@ -13373,7 +14159,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-12; due date 2026-03-05. Notes reference: https://support.apple.com/en-us/126346 ; https://support.apple.com/en-us/126348 ; https://support.apple.com/en-us/126351 ; https://support.apple.com/en-us/126352 ; https://support.apple.com/en-us/1263",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple iOS, macOS, tvOS, watchOS, and visionOS contain an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow an attacker with memory write the capability to execute arbitrary code."
+    "_kev_short_description": "Apple iOS, macOS, tvOS, watchOS, and visionOS contain an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow an attacker with memory write the capability to execute arbitrary code.",
+    "_iocs_stub": true
   },
   "CVE-2024-43468": {
     "name": "Microsoft Configuration Manager SQL Injection Vulnerability",
@@ -13480,7 +14267,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-12; due date 2026-03-05. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43468 ; https://nvd.nist.gov/vuln/detail/CVE-2024-43468",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database."
+    "_kev_short_description": "Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database.",
+    "_iocs_stub": true
   },
   "CVE-2025-15556": {
     "name": "Notepad++ Download of Code Without Integrity Check Vulnerability",
@@ -13588,7 +14376,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-12; due date 2026-03-05. Notes reference: https://notepad-plus-plus.org/news/clarification-security-incident/ ; https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix ; https://nvd.nist.gov/vuln/detail/CVE-2025-1",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user."
+    "_kev_short_description": "Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.",
+    "_iocs_stub": true
   },
   "CVE-2025-40536": {
     "name": "SolarWinds Web Help Desk Security Control Bypass Vulnerability",
@@ -13696,7 +14485,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-12; due date 2026-02-15. Notes reference: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm ; https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536 ; https://nvd",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality."
+    "_kev_short_description": "SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality.",
+    "_iocs_stub": true
   },
   "CVE-2026-21513": {
     "name": "Microsoft MSHTML Framework Protection Mechanism Failure Vulnerability",
@@ -13803,7 +14593,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/advisory/CVE-2026-21513 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21513",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network."
+    "_kev_short_description": "Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.",
+    "_iocs_stub": true
   },
   "CVE-2026-21525": {
     "name": "Microsoft Windows NULL Pointer Dereference Vulnerability",
@@ -13910,7 +14701,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21525",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally."
+    "_kev_short_description": "Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally.",
+    "_iocs_stub": true
   },
   "CVE-2026-21510": {
     "name": "Microsoft Windows Shell Protection Mechanism Failure Vulnerability",
@@ -14017,7 +14809,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21510 ",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. "
+    "_kev_short_description": "Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. ",
+    "_iocs_stub": true
   },
   "CVE-2026-21533": {
     "name": "Microsoft Windows Improper Privilege Management Vulnerability",
@@ -14124,7 +14917,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21533",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally."
+    "_kev_short_description": "Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally.",
+    "_iocs_stub": true
   },
   "CVE-2026-21519": {
     "name": "Microsoft Windows Type Confusion Vulnerability",
@@ -14231,7 +15025,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21519",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally."
+    "_kev_short_description": "Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally.",
+    "_iocs_stub": true
   },
   "CVE-2026-21514": {
     "name": "Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability",
@@ -14338,7 +15133,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21514",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally."
+    "_kev_short_description": "Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally.",
+    "_iocs_stub": true
   },
   "CVE-2025-11953": {
     "name": "React Native Community CLI OS Command Injection Vulnerability",
@@ -14446,7 +15242,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-05; due date 2026-02-26. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary executables via a vulnerable endpoint exposed by the server. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments."
+    "_kev_short_description": "React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary executables via a vulnerable endpoint exposed by the server. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments.",
+    "_iocs_stub": true
   },
   "CVE-2026-24423": {
     "name": "SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability",
@@ -14556,7 +15353,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-05; due date 2026-02-26. Notes reference: https://www.smartertools.com/smartermail/release-notes/current ; https://www.cve.org/CVERecord?id=CVE-2026-24423 ; https://nvd.nist.gov/vuln/detail/CVE-2026-24423",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution. "
+    "_kev_short_description": "SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution. ",
+    "_iocs_stub": true
   },
   "CVE-2021-39935": {
     "name": "GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability",
@@ -14662,7 +15460,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-03; due date 2026-02-24. Notes reference: https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2021-39935",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API. "
+    "_kev_short_description": "GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API. ",
+    "_iocs_stub": true
   },
   "CVE-2025-64328": {
     "name": "Sangoma FreePBX OS Command Injection Vulnerability",
@@ -14769,7 +15568,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-03; due date 2026-02-24. Notes reference: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw ; https://nvd.nist.gov/vuln/detail/CVE-2025-64328",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user. "
+    "_kev_short_description": "Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user. ",
+    "_iocs_stub": true
   },
   "CVE-2019-19006": {
     "name": " Sangoma FreePBX Improper Authentication Vulnerability",
@@ -14876,7 +15676,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-03; due date 2026-02-24. Notes reference: https://wiki.freepbx.org/display/FOP/2019-11-20%2BRemote%2BAdmin%2BAuthentication%2BBypass ; https://nvd.nist.gov/vuln/detail/CVE-2019-19006",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin."
+    "_kev_short_description": "Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.",
+    "_iocs_stub": true
   },
   "CVE-2025-40551": {
     "name": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability (variant: CVE-2025-40551)",
@@ -14983,7 +15784,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-03; due date 2026-02-06. Notes reference: https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40551 ; https://nvd.nist.gov/vuln/detail/CVE-2025-40551",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication."
+    "_kev_short_description": "SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.",
+    "_iocs_stub": true
   },
   "CVE-2026-1281": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability (variant: CVE-2026-1281)",
@@ -15092,7 +15894,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-29; due date 2026-02-01. Notes reference: Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution."
+    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2026-24858": {
     "name": "Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability",
@@ -15200,7 +16003,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-27; due date 2026-01-30. Notes reference: Please adhere to Fortinet's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Fortinet products affected by this vulnerability. Apply",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices."
+    "_kev_short_description": "Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.",
+    "_iocs_stub": true
   },
   "CVE-2018-14634": {
     "name": "Linux Kernel Integer Overflow Vulnerability",
@@ -15309,7 +16113,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For mor",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system."
+    "_kev_short_description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system.",
+    "_iocs_stub": true
   },
   "CVE-2025-52691": {
     "name": "SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -15419,7 +16224,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: https://www.smartertools.com/smartermail/release-notes/current ; https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-52691",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution."
+    "_kev_short_description": "SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2026-23760": {
     "name": "SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability",
@@ -15528,7 +16334,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: https://www.smartertools.com/smartermail/release-notes/current ; https://nvd.nist.gov/vuln/detail/CVE-2026-23760",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance."
+    "_kev_short_description": "SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.",
+    "_iocs_stub": true
   },
   "CVE-2026-24061": {
     "name": "GNU InetUtils Argument Injection Vulnerability",
@@ -15637,7 +16444,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a \"-f root\" value for the USER environment variable."
+    "_kev_short_description": "GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a \"-f root\" value for the USER environment variable.",
+    "_iocs_stub": true
   },
   "CVE-2026-21509": {
     "name": "Microsoft Office Security Feature Bypass Vulnerability",
@@ -15744,7 +16552,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: Please adhere to Microsoft’s recommended guidelines to address this vulnerability. Implement all final mitigations provided by the vendor for Office 2021, and apply the interim corresponding mitigatio",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. Some of the impacted product(s) could be end-of-life (EoL) and/or end-of-service (EoS). Users are advised to discontinue use and/or transition to a supported version."
+    "_kev_short_description": "Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. Some of the impacted product(s) could be end-of-life (EoL) and/or end-of-service (EoS). Users are advised to discontinue use and/or transition to a supported version.",
+    "_iocs_stub": true
   },
   "CVE-2024-37079": {
     "name": "Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability",
@@ -15851,7 +16660,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-23; due date 2026-02-13. Notes reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453 ; https://nvd.nist.gov/vuln/detail/CVE-2024-37079",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution."
+    "_kev_short_description": "Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2025-68645": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability",
@@ -15958,7 +16768,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-22; due date 2026-02-12. Notes reference: https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2025-68645",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory."
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.",
+    "_iocs_stub": true
   },
   "CVE-2025-34026": {
     "name": "Versa Concerto Improper Authentication Vulnerability",
@@ -16065,7 +16876,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-22; due date 2026-02-12. Notes reference: https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e ; https://nvd.nist.gov/vuln/detail/CVE-2025-34026",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs."
+    "_kev_short_description": "Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.",
+    "_iocs_stub": true
   },
   "CVE-2025-31125": {
     "name": "Vite Vitejs Improper Access Control Vulnerability",
@@ -16173,7 +16985,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-22; due date 2026-02-12. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected."
+    "_kev_short_description": "Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.",
+    "_iocs_stub": true
   },
   "CVE-2025-54313": {
     "name": "Prettier eslint-config-prettier Embedded Malicious Code Vulnerability",
@@ -16281,7 +17094,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-22; due date 2026-02-12. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows."
+    "_kev_short_description": "Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.",
+    "_iocs_stub": true
   },
   "CVE-2026-20045": {
     "name": "Cisco Unified Communications Products Code Injection Vulnerability",
@@ -16388,7 +17202,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-21; due date 2026-02-11. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b ; https://nvd.nist.gov/vuln/detail/CVE-2026-20045",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root."
+    "_kev_short_description": "Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.",
+    "_iocs_stub": true
   },
   "CVE-2026-20805": {
     "name": "Microsoft Windows Information Disclosure Vulnerability",
@@ -16494,7 +17309,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-13; due date 2026-02-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20805 ; https://nvd.nist.gov/vuln/detail/CVE-2026-20805",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally."
+    "_kev_short_description": "Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.",
+    "_iocs_stub": true
   },
   "CVE-2025-8110": {
     "name": "Gogs Path Traversal Vulnerability",
@@ -16600,7 +17416,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-12; due date 2026-02-02. Notes reference: https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6 ; https://nvd.nist.gov/vuln/detail/CVE-2025-8110",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution."
+    "_kev_short_description": "Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.",
+    "_iocs_stub": true
   },
   "CVE-2009-0556": {
     "name": "Microsoft Office PowerPoint Code Injection Vulnerability",
@@ -16707,7 +17524,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-07; due date 2026-01-28. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-017 ; https://nvd.nist.gov/vuln/detail/CVE-2009-0556",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption."
+    "_kev_short_description": "Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption.",
+    "_iocs_stub": true
   },
   "CVE-2025-37164": {
     "name": "Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability",
@@ -16814,7 +17632,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-07; due date 2026-01-28. Notes reference: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2025-37164",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution."
+    "_kev_short_description": "Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2023-52163": {
     "name": "Digiever DS-2105 Pro Missing Authorization Vulnerability",
@@ -16921,7 +17740,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-22; due date 2026-01-12. Notes reference: https://www.digiever.com/tw/support/faq-content.php?FAQ=217 ; https://nvd.nist.gov/vuln/detail/CVE-2023-52163",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi."
+    "_kev_short_description": "Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi.",
+    "_iocs_stub": true
   },
   "CVE-2025-14733": {
     "name": "WatchGuard Firebox Out of Bounds Write Vulnerability",
@@ -17028,7 +17848,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-19; due date 2025-12-26. Notes reference: Check for signs of potential compromise on all internet accessible instances after applying mitigations. For more information please see: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer."
+    "_kev_short_description": "WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.",
+    "_iocs_stub": true
   },
   "CVE-2025-59374": {
     "name": "ASUS Live Update Embedded Malicious Code Vulnerability",
@@ -17135,7 +17956,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-17; due date 2026-01-07. Notes reference: https://www.asus.com/support/faq/1018727/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-59374",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2025-40602": {
     "name": "SonicWall SMA1000 Missing Authorization Vulnerability",
@@ -17242,7 +18064,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-17; due date 2025-12-24. Notes reference: Check for signs of potential compromise on all internet accessible SonicWall SMA1000 instances after applying mitigations. For more information please see: https://psirt.global.sonicwall.com/vuln-deta",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices."
+    "_kev_short_description": "SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices.",
+    "_iocs_stub": true
   },
   "CVE-2025-20393": {
     "name": "Cisco Multiple Products Improper Input Validation Vulnerability",
@@ -17349,7 +18172,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-17; due date 2025-12-24. Notes reference: Please adhere to Cisco's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Cisco products affected by this vulnerability. Apply any f",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance."
+    "_kev_short_description": "Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.",
+    "_iocs_stub": true
   },
   "CVE-2025-59718": {
     "name": "Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability",
@@ -17457,7 +18281,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-16; due date 2025-12-23. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-647 ; https://docs.fortinet.com/upgrade-tool/fortigate ; https://nvd.nist.gov/vuln/detail/CVE-2025-59718",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory."
+    "_kev_short_description": "Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.",
+    "_iocs_stub": true
   },
   "CVE-2025-14611": {
     "name": "Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability",
@@ -17566,7 +18391,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-15; due date 2026-01-05. Notes reference: https://www.centrestack.com/p/gce_latest_release.html ; https://access.triofox.com/releases_history/; https://support.centrestack.com/hc/en-us/articles/360007159054-Hardening-the-CentreStack-Cluster#h",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication."
+    "_kev_short_description": "Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication.",
+    "_iocs_stub": true
   },
   "CVE-2018-4063": {
     "name": "Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -17675,7 +18501,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-12; due date 2026-01-02. Notes reference: https://www.cisa.gov/news-events/ics-advisories/icsa-19-122-03 ; https://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/sierra-wireless-technical-bulletin---swi",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sierra Wireless AirLink ALEOS contains an unrestricted upload of file with dangerous type vulnerability. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "Sierra Wireless AirLink ALEOS contains an unrestricted upload of file with dangerous type vulnerability. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2025-58360": {
     "name": "OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability",
@@ -17783,7 +18610,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-11; due date 2026-01-01. Notes reference: This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/ad",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request."
+    "_kev_short_description": "OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.",
+    "_iocs_stub": true
   },
   "CVE-2025-6218": {
     "name": "RARLAB WinRAR Path Traversal Vulnerability",
@@ -17889,7 +18717,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-09; due date 2025-12-30. Notes reference: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=276&cHash=b5165454d983fc9717bc8748901a64f9 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6218",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user."
+    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.",
+    "_iocs_stub": true
   },
   "CVE-2025-62221": {
     "name": "Microsoft Windows Use After Free Vulnerability",
@@ -17996,7 +18825,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-09; due date 2025-12-30. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62221 ; https://nvd.nist.gov/vuln/detail/CVE-2025-62221",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally."
+    "_kev_short_description": "Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.",
+    "_iocs_stub": true
   },
   "CVE-2022-37055": {
     "name": "D-Link Routers Buffer Overflow Vulnerability",
@@ -18103,7 +18933,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-08; due date 2025-12-29. Notes reference: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10308 ; https://nvd.nist.gov/vuln/detail/CVE-2022-37055",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2025-66644": {
     "name": "Array Networks ArrayOS AG OS Command Injection Vulnerability",
@@ -18211,7 +19042,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-08; due date 2025-12-29. Notes reference: https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/ag.html ; https://www.jpcert.or.jp/at/2025/at250024.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-66644",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands."
+    "_kev_short_description": "Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.",
+    "_iocs_stub": true
   },
   "CVE-2025-55182": {
     "name": "Meta React Server Components Remote Code Execution Vulnerability",
@@ -18321,7 +19153,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-05; due date 2025-12-12. Notes reference: Check for signs of potential compromise on all internet accessible REACT instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vul",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182."
+    "_kev_short_description": "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.",
+    "_iocs_stub": true
   },
   "CVE-2021-26828": {
     "name": "OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -18428,7 +19261,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-03; due date 2025-12-24. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm."
+    "_kev_short_description": "OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.",
+    "_iocs_stub": true
   },
   "CVE-2025-48633": {
     "name": "Android Framework Information Disclosure Vulnerability",
@@ -18534,7 +19368,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-02; due date 2025-12-23. Notes reference: https://source.android.com/docs/security/bulletin/2025-12-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48633",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for information disclosure."
+    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for information disclosure.",
+    "_iocs_stub": true
   },
   "CVE-2025-48572": {
     "name": "Android Framework Privilege Escalation Vulnerability",
@@ -18640,7 +19475,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-02; due date 2025-12-23. Notes reference: https://source.android.com/docs/security/bulletin/2025-12-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48572",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for privilege escalation."
+    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for privilege escalation.",
+    "_iocs_stub": true
   },
   "CVE-2021-26829": {
     "name": "OpenPLC ScadaBR Cross-site Scripting Vulnerability",
@@ -18746,7 +19582,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-28; due date 2025-12-19. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm."
+    "_kev_short_description": "OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.",
+    "_iocs_stub": true
   },
   "CVE-2025-61757": {
     "name": "Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability",
@@ -18853,7 +19690,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-21; due date 2025-12-12. Notes reference: https://www.oracle.com/security-alerts/cpuoct2025.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-61757",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager."
+    "_kev_short_description": "Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.",
+    "_iocs_stub": true
   },
   "CVE-2025-13223": {
     "name": "Google Chromium V8 Type Confusion Vulnerability",
@@ -18960,7 +19798,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-19; due date 2025-12-10. Notes reference: https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-13223",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption."
+    "_kev_short_description": "Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.",
+    "_iocs_stub": true
   },
   "CVE-2025-58034": {
     "name": "Fortinet FortiWeb OS Command Injection Vulnerability",
@@ -19067,7 +19906,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-18; due date 2025-11-25. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-513 ; https://nvd.nist.gov/vuln/detail/CVE-2025-58034",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands."
+    "_kev_short_description": "Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.",
+    "_iocs_stub": true
   },
   "CVE-2025-64446": {
     "name": "Fortinet FortiWeb Path Traversal Vulnerability",
@@ -19173,7 +20013,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-14; due date 2025-11-21. Notes reference: https://www.fortiguard.com/psirt/FG-IR-25-910 ; https://nvd.nist.gov/vuln/detail/CVE-2025-64446",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests."
+    "_kev_short_description": "Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.",
+    "_iocs_stub": true
   },
   "CVE-2025-12480": {
     "name": "Gladinet Triofox Improper Access Control Vulnerability",
@@ -19280,7 +20121,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-12; due date 2025-12-03. Notes reference: https://access.triofox.com/releases_history ; https://nvd.nist.gov/vuln/detail/CVE-2025-12480",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete."
+    "_kev_short_description": "Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete.",
+    "_iocs_stub": true
   },
   "CVE-2025-62215": {
     "name": "Microsoft Windows Race Condition Vulnerability",
@@ -19386,7 +20228,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-12; due date 2025-12-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62215 ; https://nvd.nist.gov/vuln/detail/CVE-2025-62215",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access."
+    "_kev_short_description": "Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access.",
+    "_iocs_stub": true
   },
   "CVE-2025-9242": {
     "name": "WatchGuard Firebox Out-of-Bounds Write Vulnerability",
@@ -19493,7 +20336,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-12; due date 2025-12-03. Notes reference: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 ; https://nvd.nist.gov/vuln/detail/CVE-2025-9242",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code."
+    "_kev_short_description": "WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code.",
+    "_iocs_stub": true
   },
   "CVE-2025-21042": {
     "name": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability",
@@ -19600,7 +20444,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-10; due date 2025-12-01. Notes reference: https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04 ; https://nvd.nist.gov/vuln/detail/CVE-2025-21042",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code."
+    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code.",
+    "_iocs_stub": true
   },
   "CVE-2025-48703": {
     "name": "CWP Control Web Panel OS Command Injection Vulnerability",
@@ -19707,7 +20552,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-04; due date 2025-11-25. Notes reference: https://control-webpanel.com/changelog ; https://nvd.nist.gov/vuln/detail/CVE-2025-48703",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known."
+    "_kev_short_description": "CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.",
+    "_iocs_stub": true
   },
   "CVE-2025-11371": {
     "name": "Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability",
@@ -19814,7 +20660,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-04; due date 2025-11-25. Notes reference: https://www.centrestack.com/p/gce_latest_release.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-11371",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files."
+    "_kev_short_description": "Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files.",
+    "_iocs_stub": true
   },
   "CVE-2025-41244": {
     "name": "Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability",
@@ -19921,7 +20768,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-30; due date 2025-11-20. Notes reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149 ; https://nvd.nist.gov/vuln/detail/CVE-2025-41244",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM."
+    "_kev_short_description": "Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.",
+    "_iocs_stub": true
   },
   "CVE-2025-24893": {
     "name": "XWiki Platform Eval Injection Vulnerability",
@@ -20028,7 +20876,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-30; due date 2025-11-20. Notes reference: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j ; https://nvd.nist.gov/vuln/detail/CVE-2025-24893",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch."
+    "_kev_short_description": "XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.",
+    "_iocs_stub": true
   },
   "CVE-2025-6204": {
     "name": "Dassault Systèmes DELMIA Apriso Code Injection Vulnerability",
@@ -20135,7 +20984,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-28; due date 2025-11-18. Notes reference: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6204",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code."
+    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code.",
+    "_iocs_stub": true
   },
   "CVE-2025-6205": {
     "name": "Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability",
@@ -20242,7 +21092,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-28; due date 2025-11-18. Notes reference: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6205",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application."
+    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application.",
+    "_iocs_stub": true
   },
   "CVE-2025-54236": {
     "name": "Adobe Commerce and Magento Improper Input Validation Vulnerability",
@@ -20349,7 +21200,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-24; due date 2025-11-14. Notes reference: https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54236",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API."
+    "_kev_short_description": "Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.",
+    "_iocs_stub": true
   },
   "CVE-2025-59287": {
     "name": "Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability",
@@ -20456,7 +21308,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-24; due date 2025-11-14. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59287 ; https://nvd.nist.gov/vuln/detail/CVE-2025-59287",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution."
+    "_kev_short_description": "Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2025-61932": {
     "name": "Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability",
@@ -20563,7 +21416,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-22; due date 2025-11-12. Notes reference: https://www.motex.co.jp/news/notice/2025/release251020/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-61932",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packets."
+    "_kev_short_description": "Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packets.",
+    "_iocs_stub": true
   },
   "CVE-2022-48503": {
     "name": "Apple Multiple Products Unspecified Vulnerability",
@@ -20674,7 +21528,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://support.apple.com/en-us/HT213340 ; https://support.apple.com/en-us/HT213341 ; https://support.apple.com/en-us/HT213342 ; https://support.apple.com/en-us/HT213345 ; https://support.apple.com/en",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2025-2746": {
     "name": "Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability",
@@ -20781,7 +21636,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://devnet.kentico.com/download/hotfixes ; https://nvd.nist.gov/vuln/detail/CVE-2025-2746",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects."
+    "_kev_short_description": "Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.",
+    "_iocs_stub": true
   },
   "CVE-2025-2747": {
     "name": "Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability (variant: CVE-2025-2747)",
@@ -20888,7 +21744,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://devnet.kentico.com/download/hotfixes ; https://nvd.nist.gov/vuln/detail/CVE-2025-2747",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects."
+    "_kev_short_description": "Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.",
+    "_iocs_stub": true
   },
   "CVE-2025-33073": {
     "name": "Microsoft Windows SMB Client Improper Access Control Vulnerability",
@@ -20995,7 +21852,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33073 ; https://nvd.nist.gov/vuln/detail/CVE-2025-33073",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate."
+    "_kev_short_description": "Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate.",
+    "_iocs_stub": true
   },
   "CVE-2025-61884": {
     "name": "Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability",
@@ -21103,7 +21961,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://www.oracle.com/security-alerts/alert-cve-2025-61884.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-61884",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication."
+    "_kev_short_description": "Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.",
+    "_iocs_stub": true
   },
   "CVE-2025-54253": {
     "name": "Adobe Experience Manager Forms Code Execution Vulnerability",
@@ -21210,7 +22069,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-15; due date 2025-11-05. Notes reference: https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-54253",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution."
+    "_kev_short_description": "Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution.",
+    "_iocs_stub": true
   },
   "CVE-2025-47827": {
     "name": "IGEL OS Use of a Key Past its Expiration Date Vulnerability",
@@ -21317,7 +22177,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-14; due date 2025-11-04. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47827 ; https://nvd.nist.gov/vuln/detail/CVE-2025-47827",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image."
+    "_kev_short_description": "IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.",
+    "_iocs_stub": true
   },
   "CVE-2025-24990": {
     "name": "Microsoft Windows Untrusted Pointer Dereference Vulnerability",
@@ -21423,7 +22284,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-14; due date 2025-11-04. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-24990 ; https://nvd.nist.gov/vuln/detail/CVE-2025-24990",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges."
+    "_kev_short_description": "Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.",
+    "_iocs_stub": true
   },
   "CVE-2025-59230": {
     "name": "Microsoft Windows Improper Access Control Vulnerability",
@@ -21530,7 +22392,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-14; due date 2025-11-04. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59230 ; https://nvd.nist.gov/vuln/detail/CVE-2025-59230",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally."
+    "_kev_short_description": "Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally.",
+    "_iocs_stub": true
   },
   "CVE-2016-7836": {
     "name": "SKYSEA Client View Improper Authentication Vulnerability",
@@ -21637,7 +22500,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-14; due date 2025-11-04. Notes reference: https://www.skyseaclientview.net/news/161221/ ; https://nvd.nist.gov/vuln/detail/CVE-2016-7836",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program."
+    "_kev_short_description": "SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.",
+    "_iocs_stub": true
   },
   "CVE-2021-43798": {
     "name": "Grafana Path Traversal Vulnerability",
@@ -21743,7 +22607,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-09; due date 2025-10-30. Notes reference: https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ ; https://nvd.nist.gov/vuln/detail/CVE-2021-43798",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Grafana contains a path traversal vulnerability that could allow access to local files."
+    "_kev_short_description": "Grafana contains a path traversal vulnerability that could allow access to local files.",
+    "_iocs_stub": true
   },
   "CVE-2025-27915": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability (variant: CVE-2025-27915)",
@@ -21849,7 +22714,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-07; due date 2025-10-28. Notes reference: https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2025-27915",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration."
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.",
+    "_iocs_stub": true
   },
   "CVE-2021-22555": {
     "name": "Linux Kernel Heap Out-of-Bounds Write Vulnerability",
@@ -21958,7 +22824,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21 ; https://git.kernel.org/pub/scm/linux/kernel/git/torvald",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space."
+    "_kev_short_description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.",
+    "_iocs_stub": true
   },
   "CVE-2010-3962": {
     "name": "Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability",
@@ -22065,7 +22932,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2458511?redirectedfrom=MSDN ; https://nvd.nist.gov/vuln/detail/CVE-2010-3962",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2021-43226": {
     "name": "Microsoft Windows Privilege Escalation Vulnerability",
@@ -22171,7 +23039,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43226 ; https://nvd.nist.gov/vuln/detail/CVE-2021-43226",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms."
+    "_kev_short_description": "Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms.",
+    "_iocs_stub": true
   },
   "CVE-2013-3918": {
     "name": "Microsoft Windows Out-of-Bounds Write Vulnerability",
@@ -22278,7 +23147,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-090 ; https://nvd.nist.gov/vuln/detail/CVE-2013-3918",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2011-3402": {
     "name": "Microsoft Windows Remote Code Execution Vulnerability",
@@ -22385,7 +23255,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-087 ; https://nvd.nist.gov/vuln/detail/CVE-2011-3402",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page."
+    "_kev_short_description": "Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page.",
+    "_iocs_stub": true
   },
   "CVE-2010-3765": {
     "name": "Mozilla Multiple Products Remote Code Execution Vulnerability",
@@ -22492,7 +23363,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://www.mozilla.org/en-US/security/advisories/mfsa2010-73 ; https://nvd.nist.gov/vuln/detail/CVE-2010-3765",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption."
+    "_kev_short_description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.",
+    "_iocs_stub": true
   },
   "CVE-2025-61882": {
     "name": "Oracle E-Business Suite Unspecified Vulnerability",
@@ -22601,7 +23473,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-61882",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks can result in takeover of Oracle Concurrent Processing."
+    "_kev_short_description": "Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks can result in takeover of Oracle Concurrent Processing.",
+    "_iocs_stub": true
   },
   "CVE-2014-6278": {
     "name": "GNU Bash OS Command Injection Vulnerability",
@@ -22711,7 +23584,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: http:",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment."
+    "_kev_short_description": "GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment.",
+    "_iocs_stub": true
   },
   "CVE-2017-1000353": {
     "name": "Jenkins Remote Code Execution Vulnerability",
@@ -22818,7 +23692,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: https://www.jenkins.io/security/advisory/2017-04-26/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-1000353",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism."
+    "_kev_short_description": "Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.",
+    "_iocs_stub": true
   },
   "CVE-2015-7755": {
     "name": "Juniper ScreenOS Improper Authentication Vulnerability",
@@ -22925,7 +23800,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: https://supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756 ; https://nvd.nist.gov/vuln/detail/CVE-20",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Juniper ScreenOS contains an improper authentication vulnerability that could allow unauthorized remote administrative access to the device."
+    "_kev_short_description": "Juniper ScreenOS contains an improper authentication vulnerability that could allow unauthorized remote administrative access to the device.",
+    "_iocs_stub": true
   },
   "CVE-2025-21043": {
     "name": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability (variant: CVE-2025-21043)",
@@ -23032,7 +23908,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=09 ; https://nvd.nist.gov/vuln/detail/CVE-2025-21043",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code."
+    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code.",
+    "_iocs_stub": true
   },
   "CVE-2025-4008": {
     "name": "Smartbedded Meteobridge Command Injection Vulnerability",
@@ -23140,7 +24017,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: https://forum.meteohub.de/viewtopic.php?t=18687 ; https://nvd.nist.gov/vuln/detail/CVE-2025-4008",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices."
+    "_kev_short_description": "Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices.",
+    "_iocs_stub": true
   },
   "CVE-2025-32463": {
     "name": "Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability",
@@ -23247,7 +24125,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file."
+    "_kev_short_description": "Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.",
+    "_iocs_stub": true
   },
   "CVE-2025-59689": {
     "name": "Libraesva Email Security Gateway Command Injection Vulnerability",
@@ -23354,7 +24233,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-59689",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment."
+    "_kev_short_description": "Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment.",
+    "_iocs_stub": true
   },
   "CVE-2025-10035": {
     "name": "Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability",
@@ -23464,7 +24344,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://www.fortra.com/security/advisories/product-security/fi-2025-012 ; https://nvd.nist.gov/vuln/detail/CVE-2025-10035",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection."
+    "_kev_short_description": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.",
+    "_iocs_stub": true
   },
   "CVE-2025-20352": {
     "name": "Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability",
@@ -23571,7 +24452,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte ; https://nvd.nist.gov/vuln/detail/CVE-2025-20352",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco IOS and IOS XE contains a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system."
+    "_kev_short_description": "Cisco IOS and IOS XE contains a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system.",
+    "_iocs_stub": true
   },
   "CVE-2021-21311": {
     "name": "Adminer Server-Side Request Forgery Vulnerability",
@@ -23677,7 +24559,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 ; https://nvd.nist.gov/vuln/detail/CVE-2021-21311",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information."
+    "_kev_short_description": "Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information.",
+    "_iocs_stub": true
   },
   "CVE-2025-20362": {
     "name": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability",
@@ -23789,7 +24672,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-25; due date 2025-09-26. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https://www.cisa.gov/news-events/directives/supplemental-d",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333."
+    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.",
+    "_iocs_stub": true
   },
   "CVE-2025-20333": {
     "name": "Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability",
@@ -23901,7 +24785,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-25; due date 2025-09-26. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https://www.cisa.gov/news-events/directives/supplemental-d",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362."
+    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.",
+    "_iocs_stub": true
   },
   "CVE-2025-5086": {
     "name": "Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability",
@@ -24008,7 +24893,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-11; due date 2025-10-02. Notes reference: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-5086 ; https://nvd.nist.gov/vuln/detail/CVE-2025-5086",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution."
+    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2025-48543": {
     "name": "Android Runtime Use-After-Free Vulnerability",
@@ -24114,7 +25000,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-04; due date 2025-09-25. Notes reference: https://source.android.com/docs/security/bulletin/2025-09-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48543",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation."
+    "_kev_short_description": "Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation.",
+    "_iocs_stub": true
   },
   "CVE-2025-53690": {
     "name": "Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability",
@@ -24221,7 +25108,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-04; due date 2025-09-25. Notes reference: https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53690",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution. "
+    "_kev_short_description": "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution. ",
+    "_iocs_stub": true
   },
   "CVE-2023-50224": {
     "name": "TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability",
@@ -24328,7 +25216,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-03; due date 2025-09-24. Notes reference: https://www.tp-link.com/us/support/faq/4308/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-50224",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclose of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclose of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2025-9377": {
     "name": "TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability",
@@ -24435,7 +25324,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-03; due date 2025-09-24. Notes reference: https://www.tp-link.com/us/support/faq/4308/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-9377",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2020-24363": {
     "name": "TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability",
@@ -24543,7 +25433,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-02; due date 2025-09-23. Notes reference: https://www.tp-link.com/us/home-networking/range-extender/tl-wa855re/#overview ; https://www.tp-link.com/us/support/download/tl-wa855re/#FAQs ; https://nvd.nist.gov/vuln/detail/CVE-2020-24363",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2025-55177": {
     "name": "Meta Platforms WhatsApp Incorrect Authorization Vulnerability",
@@ -24650,7 +25541,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-02; due date 2025-09-23. Notes reference: https://www.whatsapp.com/security/advisories/2025/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-55177",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device."
+    "_kev_short_description": "Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.",
+    "_iocs_stub": true
   },
   "CVE-2025-57819": {
     "name": "Sangoma FreePBX Authentication Bypass Vulnerability",
@@ -24758,7 +25650,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-29; due date 2025-09-19. Notes reference: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h ; https://nvd.nist.gov/vuln/detail/CVE-2025-57819",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution."
+    "_kev_short_description": "Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.",
+    "_iocs_stub": true
   },
   "CVE-2025-7775": {
     "name": "Citrix NetScaler Memory Overflow Vulnerability",
@@ -24865,7 +25758,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-26; due date 2025-08-28. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938 ; https://nvd.nist.gov/vuln/detail/CVE-2025-7775",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service."
+    "_kev_short_description": "Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service.",
+    "_iocs_stub": true
   },
   "CVE-2025-48384": {
     "name": "Git Link Following Vulnerability",
@@ -24977,7 +25871,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/git/git/security/advisori",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files."
+    "_kev_short_description": "Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.",
+    "_iocs_stub": true
   },
   "CVE-2024-8068": {
     "name": "Citrix Session Recording Improper Privilege Management Vulnerability",
@@ -25083,7 +25978,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-8068",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain."
+    "_kev_short_description": "Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain.",
+    "_iocs_stub": true
   },
   "CVE-2024-8069": {
     "name": "Citrix Session Recording Deserialization of Untrusted Data Vulnerability",
@@ -25190,7 +26086,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-8069",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server."
+    "_kev_short_description": "Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server.",
+    "_iocs_stub": true
   },
   "CVE-2025-54948": {
     "name": "Trend Micro Apex One OS Command Injection Vulnerability",
@@ -25297,7 +26194,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-18; due date 2025-09-08. Notes reference: https://success.trendmicro.com/en-US/solution/KA-0020652 ; N/A ; https://nvd.nist.gov/vuln/detail/CVE-2025-54948",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations."
+    "_kev_short_description": "Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.",
+    "_iocs_stub": true
   },
   "CVE-2025-8876": {
     "name": "N-able N-Central Command Injection Vulnerability",
@@ -25404,7 +26302,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-13; due date 2025-08-20. Notes reference: https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-1/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-8876",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "N-able N-Central contains a command injection vulnerability via improper sanitization of user input."
+    "_kev_short_description": "N-able N-Central contains a command injection vulnerability via improper sanitization of user input.",
+    "_iocs_stub": true
   },
   "CVE-2025-8875": {
     "name": "N-able N-Central Insecure Deserialization Vulnerability",
@@ -25511,7 +26410,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-13; due date 2025-08-20. Notes reference: https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-1/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-8875",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "N-able N-Central contains an insecure deserialization vulnerability that could lead to command execution."
+    "_kev_short_description": "N-able N-Central contains an insecure deserialization vulnerability that could lead to command execution.",
+    "_iocs_stub": true
   },
   "CVE-2025-8088": {
     "name": "RARLAB WinRAR Path Traversal Vulnerability (variant: CVE-2025-8088)",
@@ -25617,7 +26517,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-12; due date 2025-09-02. Notes reference: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5 ; https://nvd.nist.gov/vuln/detail/CVE-2025-8088",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files."
+    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files.",
+    "_iocs_stub": true
   },
   "CVE-2007-0671": {
     "name": "Microsoft Office Excel Remote Code Execution Vulnerability",
@@ -25724,7 +26625,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-12; due date 2025-09-02. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-015 ; https://nvd.nist.gov/vuln/detail/CVE-2007-0671",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website. An attacker could leverage this vulnerability by creating a specially crafted Excel file, which, when opened, allowing an attacker to execute remote code on the affected system."
+    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website. An attacker could leverage this vulnerability by creating a specially crafted Excel file, which, when opened, allowing an attacker to execute remote code on the affected system.",
+    "_iocs_stub": true
   },
   "CVE-2013-3893": {
     "name": "Microsoft Internet Explorer Resource Management Errors Vulnerability",
@@ -25831,7 +26733,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-12; due date 2025-09-02. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080 ; https://nvd.nist.gov/vuln/detail/CVE-2013-3893",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2020-25078": {
     "name": "D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability",
@@ -25939,7 +26842,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-05; due date 2025-08-26. Notes reference: https://support.dlink.com/productinfo.aspx?m=DCS-2530L ; https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10180 ; https://nvd.nist.gov/vuln/detail/CVE-2020-25078",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2020-25079": {
     "name": "D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability",
@@ -26047,7 +26951,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-05; due date 2025-08-26. Notes reference: https://support.dlink.com/productinfo.aspx?m=DCS-2530L ; https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10180 ; https://nvd.nist.gov/vuln/detail/CVE-2020-25079",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DCS-2530L and DCS-2670L devices contains a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "D-Link DCS-2530L and DCS-2670L devices contains a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2022-40799": {
     "name": "D-Link DNR-322L Download of Code Without Integrity Check Vulnerability",
@@ -26154,7 +27059,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-05; due date 2025-08-26. Notes reference: https://www.dlink.com/uk/en/products/dnr-322l-cloud-network-video-recorder ; https://nvd.nist.gov/vuln/detail/CVE-2022-40799",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DNR-322L contains a download of code without integrity check vulnerability that could allow an authenticated attacker to execute OS level commands on the device. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "D-Link DNR-322L contains a download of code without integrity check vulnerability that could allow an authenticated attacker to execute OS level commands on the device. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2023-2533": {
     "name": "PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability",
@@ -26261,7 +27167,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-28; due date 2025-08-18. Notes reference: https://www.papercut.com/kb/Main/SecurityBulletinJune2023 ; https://nvd.nist.gov/vuln/detail/CVE-2023-2533",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. "
+    "_kev_short_description": "PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. ",
+    "_iocs_stub": true
   },
   "CVE-2025-20337": {
     "name": "Cisco Identity Services Engine Injection Vulnerability",
@@ -26368,7 +27275,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-28; due date 2025-08-18. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 ; https://nvd.nist.gov/vuln/detail/CVE-2025-20337",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device."
+    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device.",
+    "_iocs_stub": true
   },
   "CVE-2025-20281": {
     "name": "Cisco Identity Services Engine Injection Vulnerability (variant: CVE-2025-20281)",
@@ -26475,7 +27383,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-28; due date 2025-08-18. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 ; https://nvd.nist.gov/vuln/detail/CVE-2025-20281",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device."
+    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device.",
+    "_iocs_stub": true
   },
   "CVE-2025-2775": {
     "name": "SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability",
@@ -26582,7 +27491,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-22; due date 2025-08-12. Notes reference: https://documentation.sysaid.com/docs/24-40-60 ; https://nvd.nist.gov/vuln/detail/CVE-2025-2775",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives."
+    "_kev_short_description": "SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.",
+    "_iocs_stub": true
   },
   "CVE-2025-2776": {
     "name": "SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability (variant: CVE-2025-2776)",
@@ -26689,7 +27599,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-22; due date 2025-08-12. Notes reference: https://documentation.sysaid.com/docs/24-40-60 ; https://nvd.nist.gov/vuln/detail/CVE-2025-2776",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives."
+    "_kev_short_description": "SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.",
+    "_iocs_stub": true
   },
   "CVE-2025-6558": {
     "name": "Google Chromium ANGLE and GPU Improper Input Validation Vulnerability",
@@ -26796,7 +27707,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-22; due date 2025-08-12. Notes reference: https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-6558",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_kev_short_description": "Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "_iocs_stub": true
   },
   "CVE-2025-54309": {
     "name": " CrushFTP Unprotected Alternate Channel Vulnerability",
@@ -26903,7 +27815,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-22; due date 2025-08-12. Notes reference: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309 ",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS."
+    "_kev_short_description": "CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.",
+    "_iocs_stub": true
   },
   "CVE-2025-49704": {
     "name": "Microsoft SharePoint Code Injection Vulnerability",
@@ -27014,7 +27927,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-22; due date 2025-07-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770; https://www.microsoft.com/en-us/secur",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704."
+    "_kev_short_description": "Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.",
+    "_iocs_stub": true
   },
   "CVE-2025-49706": {
     "name": "Microsoft SharePoint Improper Authentication Vulnerability",
@@ -27125,7 +28039,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-22; due date 2025-07-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 ; https://www.microsoft.com/en-us/secu",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow an attacker to view sensitive information and make some changes to disclosed information. This vulnerability could be chained with CVE-2025-49704. CVE-2025-53771 is a patch bypass for CVE-2025-49706, and the updates for CVE-2025-53771 include more robust protection than those for CVE-2025-49706."
+    "_kev_short_description": "Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow an attacker to view sensitive information and make some changes to disclosed information. This vulnerability could be chained with CVE-2025-49704. CVE-2025-53771 is a patch bypass for CVE-2025-49706, and the updates for CVE-2025-53771 include more robust protection than those for CVE-2025-49706.",
+    "_iocs_stub": true
   },
   "CVE-2025-53770": {
     "name": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability (variant: CVE-2025-53770)",
@@ -27236,7 +28151,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-20; due date 2025-07-21. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770; https://www.microsoft.com/en-us/secur",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-53771. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704."
+    "_kev_short_description": "Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-53771. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.",
+    "_iocs_stub": true
   },
   "CVE-2025-25257": {
     "name": "Fortinet FortiWeb SQL Injection Vulnerability",
@@ -27343,7 +28259,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-18; due date 2025-08-08. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-151 ; https://nvd.nist.gov/vuln/detail/CVE-2025-25257",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests."
+    "_kev_short_description": "Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.",
+    "_iocs_stub": true
   },
   "CVE-2025-47812": {
     "name": "Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability",
@@ -27450,7 +28367,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-14; due date 2025-08-04. Notes reference: https://www.wftpserver.com/serverhistory.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-47812",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default)."
+    "_kev_short_description": "Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).",
+    "_iocs_stub": true
   },
   "CVE-2025-5777": {
     "name": "Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability",
@@ -27558,7 +28476,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-10; due date 2025-07-11. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420 ; https://nvd.nist.gov/vuln/detail/CVE-2025-5777",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."
+    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.",
+    "_iocs_stub": true
   },
   "CVE-2019-9621": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability",
@@ -27666,7 +28585,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2019-9621",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component."
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component.",
+    "_iocs_stub": true
   },
   "CVE-2019-5418": {
     "name": "Rails Ruby on Rails Path Traversal Vulnerability",
@@ -27772,7 +28692,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2019-5418",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents."
+    "_kev_short_description": "Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.",
+    "_iocs_stub": true
   },
   "CVE-2016-10033": {
     "name": "PHPMailer Command Injection Vulnerability",
@@ -27881,7 +28802,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition."
+    "_kev_short_description": "PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.",
+    "_iocs_stub": true
   },
   "CVE-2014-3931": {
     "name": "Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability",
@@ -27987,7 +28909,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: https://mrlg.op-sec.us/ ; https://nvd.nist.gov/vuln/detail/CVE-2014-3931",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multi-Router Looking Glass (MRLG) contains a buffer overflow vulnerability that could allow remote attackers to cause an arbitrary memory write and memory corruption."
+    "_kev_short_description": "Multi-Router Looking Glass (MRLG) contains a buffer overflow vulnerability that could allow remote attackers to cause an arbitrary memory write and memory corruption.",
+    "_iocs_stub": true
   },
   "CVE-2025-6554": {
     "name": "Google Chromium V8 Type Confusion Vulnerability (variant: CVE-2025-6554)",
@@ -28094,7 +29017,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-02; due date 2025-07-23. Notes reference: https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html?m=1 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6554",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_kev_short_description": "Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "_iocs_stub": true
   },
   "CVE-2025-48928": {
     "name": "TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability",
@@ -28193,7 +29117,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-01; due date 2025-07-22. Notes reference: It is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, discontinue use of the product. ; https:/",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a \"core dump\" in which a password previously sent over HTTP would be included in this dump."
+    "_kev_short_description": "TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a \"core dump\" in which a password previously sent over HTTP would be included in this dump.",
+    "_iocs_stub": true
   },
   "CVE-2025-48927": {
     "name": "TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability",
@@ -28292,7 +29217,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-01; due date 2025-07-22. Notes reference: It is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, discontinue use of the product. ; https:/",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI."
+    "_kev_short_description": "TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI.",
+    "_iocs_stub": true
   },
   "CVE-2025-6543": {
     "name": "Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability",
@@ -28399,7 +29325,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-30; due date 2025-07-21. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 ; https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/ ;   http",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."
+    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.",
+    "_iocs_stub": true
   },
   "CVE-2019-6693": {
     "name": "Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability",
@@ -28508,7 +29435,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-25; due date 2025-07-16. Notes reference: https://fortiguard.com/advisory/FG-IR-19-007 ; https://nvd.nist.gov/vuln/detail/CVE-2019-6693",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup file via knowledge of the hard-coded key. "
+    "_kev_short_description": "Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup file via knowledge of the hard-coded key. ",
+    "_iocs_stub": true
   },
   "CVE-2024-0769": {
     "name": " D-Link DIR-859 Router Path Traversal Vulnerability",
@@ -28614,7 +29542,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-25; due date 2025-07-16. Notes reference: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10371 ; https://nvd.nist.gov/vuln/detail/CVE-2024-0769",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions."
+    "_kev_short_description": "D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.",
+    "_iocs_stub": true
   },
   "CVE-2024-54085": {
     "name": "AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability",
@@ -28722,7 +29651,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-25; due date 2025-07-16. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability."
+    "_kev_short_description": "AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.",
+    "_iocs_stub": true
   },
   "CVE-2023-0386": {
     "name": "Linux Kernel Improper Ownership Management Vulnerability",
@@ -28831,7 +29761,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-17; due date 2025-07-08. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://git.kernel.org/pub/scm/linux/kernel/",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system."
+    "_kev_short_description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.",
+    "_iocs_stub": true
   },
   "CVE-2023-33538": {
     "name": "TP-Link Multiple Routers Command Injection Vulnerability",
@@ -28938,7 +29869,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-16; due date 2025-07-07. Notes reference: https://www.tp-link.com/nordic/support/faq/3562/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-33538",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2025-43200": {
     "name": "Apple Multiple Products Unspecified Vulnerability (variant: CVE-2025-43200)",
@@ -29051,7 +29983,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-16; due date 2025-07-07. Notes reference: https://support.apple.com/en-us/122174 ; https://support.apple.com/en-us/122173 ; https://support.apple.com/en-us/122900 ; https://support.apple.com/en-us/122901 ; https://support.apple.com/en-us/1229",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple iOS, iPadOS, macOS, watchOS, and visionOS, contain an unspecified vulnerability when processing a maliciously crafted photo or video shared via an iCloud Link."
+    "_kev_short_description": "Apple iOS, iPadOS, macOS, watchOS, and visionOS, contain an unspecified vulnerability when processing a maliciously crafted photo or video shared via an iCloud Link.",
+    "_iocs_stub": true
   },
   "CVE-2025-33053": {
     "name": " Microsoft Windows External Control of File Name or Path Vulnerability",
@@ -29158,7 +30091,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-10; due date 2025-07-01. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053 ; https://nvd.nist.gov/vuln/detail/CVE-2025-33053",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribute of Internet Shortcut files."
+    "_kev_short_description": "Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribute of Internet Shortcut files.",
+    "_iocs_stub": true
   },
   "CVE-2025-24016": {
     "name": "Wazuh Server Deserialization of Untrusted Data Vulnerability",
@@ -29266,7 +30200,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-10; due date 2025-07-01. Notes reference: https://wazuh.com/blog/addressing-the-cve-2025-24016-vulnerability/ ; https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh ; https://nvd.nist.gov/vuln/detail/CVE-2025-24016",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers."
+    "_kev_short_description": "Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.",
+    "_iocs_stub": true
   },
   "CVE-2024-42009": {
     "name": "RoundCube Webmail Cross-Site Scripting Vulnerability",
@@ -29372,7 +30307,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-09; due date 2025-06-30. Notes reference: https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 ; https://nvd.nist.gov/vuln/detail/CVE-2024-42009",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php."
+    "_kev_short_description": "RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.",
+    "_iocs_stub": true
   },
   "CVE-2025-32433": {
     "name": "Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability",
@@ -29480,7 +30416,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-09; due date 2025-06-30. Notes reference: This vulnerability affects a common open-source project, third-party library, or a protocol used by different products. For more information, please see: https://github.com/erlang/otp/security/advisor",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). By exploiting a flaw in how SSH protocol messages are handled, a malicious actor could gain unauthorized access to affected systems. This vulnerability could affect various products that implement Erlang/OTP SSH server, including—but not limited to—Cisco, NetApp, and SUSE."
+    "_kev_short_description": "Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). By exploiting a flaw in how SSH protocol messages are handled, a malicious actor could gain unauthorized access to affected systems. This vulnerability could affect various products that implement Erlang/OTP SSH server, including—but not limited to—Cisco, NetApp, and SUSE.",
+    "_iocs_stub": true
   },
   "CVE-2025-5419": {
     "name": "Google Chromium V8 Out-of-Bounds Read and Write Vulnerability",
@@ -29587,7 +30524,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-05; due date 2025-06-26. Notes reference: https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html;   https://nvd.nist.gov/vuln/detail/CVE-2025-5419\",",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_kev_short_description": "Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "_iocs_stub": true
   },
   "CVE-2025-21479": {
     "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability",
@@ -29693,7 +30631,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands."
+    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
+    "_iocs_stub": true
   },
   "CVE-2025-21480": {
     "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability (variant: CVE-2025-21480)",
@@ -29799,7 +30738,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands."
+    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
+    "_iocs_stub": true
   },
   "CVE-2025-27038": {
     "name": "Qualcomm Multiple Chipsets Use-After-Free Vulnerability",
@@ -29905,7 +30845,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome."
+    "_kev_short_description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.",
+    "_iocs_stub": true
   },
   "CVE-2021-32030": {
     "name": "ASUS Routers Improper Authentication Vulnerability",
@@ -30013,7 +30954,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://www.asus.com/us/supportonly/lyra%20mini/helpdesk_bios/ ; https://www.asus.com/us/supportonly/rog%20rapture%20gt-ac2900/helpdesk_bios/; https://nvd.nist.gov/vuln/detail/CVE-2021-32030",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_kev_short_description": "ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "_iocs_stub": true
   },
   "CVE-2025-3935": {
     "name": "ConnectWise ScreenConnect Improper Authentication Vulnerability",
@@ -30120,7 +31062,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4 ;   https://nvd.nist.gov/vuln/detail/CVE-2025-3935",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised."
+    "_kev_short_description": "ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.",
+    "_iocs_stub": true
   },
   "CVE-2025-35939": {
     "name": "Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability",
@@ -30227,7 +31170,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://github.com/craftcms/cms/pull/17220 ;   https://nvd.nist.gov/vuln/detail/CVE-2025-35939",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432."
+    "_kev_short_description": "Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.",
+    "_iocs_stub": true
   },
   "CVE-2024-56145": {
     "name": "Craft CMS Code Injection Vulnerability (variant: CVE-2024-56145)",
@@ -30334,7 +31278,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9 ; https://nvd.nist.gov/vuln/detail/CVE-2024-56145",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled."
+    "_kev_short_description": "Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.",
+    "_iocs_stub": true
   },
   "CVE-2023-39780": {
     "name": "ASUS RT-AX55 Routers OS Command Injection Vulnerability",
@@ -30442,7 +31387,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://www.asus.com/networking-iot-servers/wifi-6/all-series/rt-ax55/helpdesk_bios/?model2Name=RT-AX55 ;   https://www.asus.com/content/asus-product-security-advisory/ ; https://nvd.nist.gov/vuln/det",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346."
+    "_kev_short_description": "ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346.",
+    "_iocs_stub": true
   },
   "CVE-2025-4632": {
     "name": "Samsung MagicINFO 9 Server Path Traversal Vulnerability (variant: CVE-2025-4632)",
@@ -30548,7 +31494,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-22; due date 2025-06-12. Notes reference: https://security.samsungtv.com/securityUpdates#SVP-MAY-2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-4632",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority."
+    "_kev_short_description": "Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority.",
+    "_iocs_stub": true
   },
   "CVE-2023-38950": {
     "name": "ZKTeco BioTime Path Traversal Vulnerability",
@@ -30654,7 +31601,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://www.zkteco.com/en/Security_Bulletinsibs ; https://nvd.nist.gov/vuln/detail/CVE-2023-38950",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload."
+    "_kev_short_description": "ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.",
+    "_iocs_stub": true
   },
   "CVE-2024-27443": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability",
@@ -30762,7 +31710,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes ; https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes ; https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Sec",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code."
+    "_kev_short_description": "Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.",
+    "_iocs_stub": true
   },
   "CVE-2025-27920": {
     "name": "Srimax Output Messenger Directory Traversal Vulnerability",
@@ -30868,7 +31817,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://www.outputmessenger.com/cve-2025-27920/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-27920",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access."
+    "_kev_short_description": "Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.",
+    "_iocs_stub": true
   },
   "CVE-2024-11182": {
     "name": "MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability",
@@ -30975,7 +31925,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://files.mdaemon.com/mdaemon/beta/RelNotes_en.html ; https://mdaemon.com/pages/downloads-critical-updates ; https://nvd.nist.gov/vuln/detail/CVE-2024-11182",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message."
+    "_kev_short_description": "MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.",
+    "_iocs_stub": true
   },
   "CVE-2025-4428": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability (variant: CVE-2025-4428)",
@@ -31082,7 +32033,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM ; https://nvd.nist.gov/vuln/detail/CVE-2025-4428",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library, as represented by CVE-2025-35036."
+    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library, as represented by CVE-2025-35036.",
+    "_iocs_stub": true
   },
   "CVE-2025-4427": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability",
@@ -31189,7 +32141,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM ; https://nvd.nist.gov/vuln/detail/CVE-2025-4427",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library."
+    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library.",
+    "_iocs_stub": true
   },
   "CVE-2025-42999": {
     "name": "SAP NetWeaver Deserialization Vulnerability",
@@ -31296,7 +32249,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-15; due date 2025-06-05. Notes reference: SAP users must have an account to log in and access the patch: https://me.sap.com/notes/3604119 ; https://nvd.nist.gov/vuln/detail/CVE-2025-42999",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content."
+    "_kev_short_description": "SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.",
+    "_iocs_stub": true
   },
   "CVE-2024-12987": {
     "name": "DrayTek Vigor Routers OS Command Injection Vulnerability",
@@ -31405,7 +32359,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-15; due date 2025-06-05. Notes reference: https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf ; https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pd",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface."
+    "_kev_short_description": "DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface.",
+    "_iocs_stub": true
   },
   "CVE-2025-32756": {
     "name": "Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability",
@@ -31512,7 +32467,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-14; due date 2025-06-04. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-254 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32756",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests."
+    "_kev_short_description": "Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.",
+    "_iocs_stub": true
   },
   "CVE-2025-32709": {
     "name": "Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability",
@@ -31618,7 +32574,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32709 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32709",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator."
+    "_kev_short_description": "Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator.",
+    "_iocs_stub": true
   },
   "CVE-2025-30397": {
     "name": "Microsoft Windows Scripting Engine Type Confusion Vulnerability",
@@ -31725,7 +32682,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30397 ; https://nvd.nist.gov/vuln/detail/CVE-2025-30397",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL."
+    "_kev_short_description": "Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL.",
+    "_iocs_stub": true
   },
   "CVE-2025-32706": {
     "name": "Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability",
@@ -31832,7 +32790,8 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32706 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32706",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally."
+    "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally.",
+    "_iocs_stub": true
   },
   "CVE-2025-32701": {
     "name": "Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability",
@@ -31938,6 +32897,7 @@
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32701 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32701",
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally."
+    "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.",
+    "_iocs_stub": true
   }
 }