@blamejs/exceptd-skills 0.13.2 → 0.13.3

package/data/_indexes/section-offsets.json

@@ -3261,93 +3261,93 @@
     },
     "api-security": {
       "path": "skills/api-security/skill.md",
-      "total_bytes": 37397,
-      "total_lines": 294,
+      "total_bytes": 39261,
+      "total_lines": 304,
       "frontmatter": {
         "line_start": 1,
-        "line_end": 65,
+        "line_end": 71,
         "byte_start": 0,
-        "byte_end": 1814
+        "byte_end": 1959
       },
       "sections": [
         {
           "name": "Threat Context (mid-2026)",
           "normalized_name": "threat-context",
-          "line": 69,
-          "byte_start": 1842,
-          "byte_end": 7022,
+          "line": 75,
+          "byte_start": 1987,
+          "byte_end": 7167,
           "bytes": 5180,
           "h3_count": 0
         },
         {
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
-          "line": 95,
-          "byte_start": 7022,
-          "byte_end": 12312,
+          "line": 101,
+          "byte_start": 7167,
+          "byte_end": 12457,
           "bytes": 5290,
           "h3_count": 0
         },
         {
           "name": "TTP Mapping (MITRE ATT&CK Enterprise + ATLAS v5.4.0)",
           "normalized_name": "ttp-mapping",
-          "line": 123,
-          "byte_start": 12312,
-          "byte_end": 14611,
-          "bytes": 2299,
+          "line": 129,
+          "byte_start": 12457,
+          "byte_end": 15207,
+          "bytes": 2750,
           "h3_count": 0
         },
         {
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
-          "line": 137,
-          "byte_start": 14611,
-          "byte_end": 19079,
+          "line": 143,
+          "byte_start": 15207,
+          "byte_end": 19675,
           "bytes": 4468,
           "h3_count": 0
         },
         {
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
-          "line": 157,
-          "byte_start": 19079,
-          "byte_end": 26878,
-          "bytes": 7799,
+          "line": 163,
+          "byte_start": 19675,
+          "byte_end": 28154,
+          "bytes": 8479,
           "h3_count": 1
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
-          "line": 205,
-          "byte_start": 26878,
-          "byte_end": 30596,
+          "line": 213,
+          "byte_start": 28154,
+          "byte_end": 31872,
           "bytes": 3718,
           "h3_count": 9
         },
         {
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
-          "line": 258,
-          "byte_start": 30596,
-          "byte_end": 32954,
+          "line": 266,
+          "byte_start": 31872,
+          "byte_end": 34230,
           "bytes": 2358,
           "h3_count": 0
         },
         {
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
-          "line": 272,
-          "byte_start": 32954,
-          "byte_end": 36192,
-          "bytes": 3238,
+          "line": 280,
+          "byte_start": 34230,
+          "byte_end": 38056,
+          "bytes": 3826,
           "h3_count": 0
         },
         {
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
-          "line": 286,
-          "byte_start": 36192,
-          "byte_end": 37397,
+          "line": 296,
+          "byte_start": 38056,
+          "byte_end": 39261,
           "bytes": 1205,
           "h3_count": 0
         }
@@ -3825,93 +3825,93 @@
     },
     "email-security-anti-phishing": {
       "path": "skills/email-security-anti-phishing/skill.md",
-      "total_bytes": 26556,
-      "total_lines": 209,
+      "total_bytes": 29232,
+      "total_lines": 219,
       "frontmatter": {
         "line_start": 1,
-        "line_end": 52,
+        "line_end": 58,
         "byte_start": 0,
-        "byte_end": 1187
+        "byte_end": 1333
       },
       "sections": [
         {
           "name": "Threat Context (mid-2026)",
           "normalized_name": "threat-context",
-          "line": 56,
-          "byte_start": 1235,
-          "byte_end": 5665,
+          "line": 62,
+          "byte_start": 1381,
+          "byte_end": 5811,
           "bytes": 4430,
           "h3_count": 0
         },
         {
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
-          "line": 74,
-          "byte_start": 5665,
-          "byte_end": 9348,
-          "bytes": 3683,
+          "line": 80,
+          "byte_start": 5811,
+          "byte_end": 9893,
+          "bytes": 4082,
           "h3_count": 0
         },
         {
           "name": "TTP Mapping",
           "normalized_name": "ttp-mapping",
-          "line": 96,
-          "byte_start": 9348,
-          "byte_end": 10768,
-          "bytes": 1420,
+          "line": 102,
+          "byte_start": 9893,
+          "byte_end": 11985,
+          "bytes": 2092,
           "h3_count": 0
         },
         {
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
-          "line": 110,
-          "byte_start": 10768,
-          "byte_end": 12608,
+          "line": 116,
+          "byte_start": 11985,
+          "byte_end": 13825,
           "bytes": 1840,
           "h3_count": 0
         },
         {
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
-          "line": 129,
-          "byte_start": 12608,
-          "byte_end": 19367,
-          "bytes": 6759,
+          "line": 135,
+          "byte_start": 13825,
+          "byte_end": 21267,
+          "bytes": 7442,
           "h3_count": 0
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
-          "line": 156,
-          "byte_start": 19367,
-          "byte_end": 21188,
+          "line": 164,
+          "byte_start": 21267,
+          "byte_end": 23088,
           "bytes": 1821,
           "h3_count": 0
         },
         {
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
-          "line": 173,
-          "byte_start": 21188,
-          "byte_end": 22990,
+          "line": 181,
+          "byte_start": 23088,
+          "byte_end": 24890,
           "bytes": 1802,
           "h3_count": 0
         },
         {
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
-          "line": 184,
-          "byte_start": 22990,
-          "byte_end": 25421,
-          "bytes": 2431,
+          "line": 192,
+          "byte_start": 24890,
+          "byte_end": 28097,
+          "bytes": 3207,
           "h3_count": 0
         },
         {
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
-          "line": 197,
-          "byte_start": 25421,
-          "byte_end": 26556,
+          "line": 207,
+          "byte_start": 28097,
+          "byte_end": 29232,
           "bytes": 1135,
           "h3_count": 0
         }
@@ -4013,7 +4013,7 @@
     },
     "cloud-iam-incident": {
       "path": "skills/cloud-iam-incident/skill.md",
-      "total_bytes": 44467,
+      "total_bytes": 44474,
       "total_lines": 416,
       "frontmatter": {
         "line_start": 1,
@@ -4027,16 +4027,16 @@
           "normalized_name": "threat-context",
           "line": 81,
           "byte_start": 2782,
-          "byte_end": 8568,
-          "bytes": 5786,
+          "byte_end": 8575,
+          "bytes": 5793,
           "h3_count": 0
         },
         {
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
           "line": 114,
-          "byte_start": 8568,
-          "byte_end": 14884,
+          "byte_start": 8575,
+          "byte_end": 14891,
           "bytes": 6316,
           "h3_count": 0
         },
@@ -4044,8 +4044,8 @@
           "name": "TTP Mapping",
           "normalized_name": "ttp-mapping",
           "line": 143,
-          "byte_start": 14884,
-          "byte_end": 19424,
+          "byte_start": 14891,
+          "byte_end": 19431,
           "bytes": 4540,
           "h3_count": 0
         },
@@ -4053,8 +4053,8 @@
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
           "line": 163,
-          "byte_start": 19424,
-          "byte_end": 22796,
+          "byte_start": 19431,
+          "byte_end": 22803,
           "bytes": 3372,
           "h3_count": 0
         },
@@ -4062,8 +4062,8 @@
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
           "line": 185,
-          "byte_start": 22796,
-          "byte_end": 30421,
+          "byte_start": 22803,
+          "byte_end": 30428,
           "bytes": 7625,
           "h3_count": 12
         },
@@ -4071,8 +4071,8 @@
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 275,
-          "byte_start": 30421,
-          "byte_end": 32619,
+          "byte_start": 30428,
+          "byte_end": 32626,
           "bytes": 2198,
           "h3_count": 15
         },
@@ -4080,8 +4080,8 @@
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 338,
-          "byte_start": 32619,
-          "byte_end": 37218,
+          "byte_start": 32626,
+          "byte_end": 37225,
           "bytes": 4599,
           "h3_count": 0
         },
@@ -4089,8 +4089,8 @@
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 374,
-          "byte_start": 37218,
-          "byte_end": 41294,
+          "byte_start": 37225,
+          "byte_end": 41301,
           "bytes": 4076,
           "h3_count": 0
         },
@@ -4098,8 +4098,8 @@
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
           "line": 396,
-          "byte_start": 41294,
-          "byte_end": 44467,
+          "byte_start": 41301,
+          "byte_end": 44474,
           "bytes": 3173,
           "h3_count": 0
         }

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1613380,
-    "total_approx_tokens": 403351,
+    "total_chars": 1617909,
+    "total_approx_tokens": 404483,
     "skill_count": 42
   },
   "skills": {
@@ -1900,10 +1900,10 @@
     },
     "api-security": {
       "path": "skills/api-security/skill.md",
-      "bytes": 37397,
-      "chars": 37162,
-      "lines": 294,
-      "approx_tokens": 9291,
+      "bytes": 39261,
+      "chars": 39026,
+      "lines": 304,
+      "approx_tokens": 9757,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -1917,9 +1917,9 @@
           "approx_tokens": 1320
         },
         "ttp-mapping": {
-          "bytes": 2299,
-          "chars": 2269,
-          "approx_tokens": 567
+          "bytes": 2750,
+          "chars": 2720,
+          "approx_tokens": 680
         },
         "exploit-availability-matrix": {
           "bytes": 4468,
@@ -1927,9 +1927,9 @@
           "approx_tokens": 1103
         },
         "analysis-procedure": {
-          "bytes": 7799,
-          "chars": 7756,
-          "approx_tokens": 1939
+          "bytes": 8479,
+          "chars": 8436,
+          "approx_tokens": 2109
         },
         "output-format": {
           "bytes": 3718,
@@ -1942,9 +1942,9 @@
           "approx_tokens": 587
         },
         "defensive-countermeasure-mapping": {
-          "bytes": 3238,
-          "chars": 3218,
-          "approx_tokens": 805
+          "bytes": 3826,
+          "chars": 3806,
+          "approx_tokens": 952
         },
         "hand-off": {
           "bytes": 1205,
@@ -2230,10 +2230,10 @@
     },
     "email-security-anti-phishing": {
       "path": "skills/email-security-anti-phishing/skill.md",
-      "bytes": 26556,
-      "chars": 26458,
-      "lines": 209,
-      "approx_tokens": 6615,
+      "bytes": 29232,
+      "chars": 29116,
+      "lines": 219,
+      "approx_tokens": 7279,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -2242,14 +2242,14 @@
           "approx_tokens": 1104
         },
         "framework-lag-declaration": {
-          "bytes": 3683,
-          "chars": 3680,
-          "approx_tokens": 920
+          "bytes": 4082,
+          "chars": 4077,
+          "approx_tokens": 1019
         },
         "ttp-mapping": {
-          "bytes": 1420,
-          "chars": 1414,
-          "approx_tokens": 354
+          "bytes": 2092,
+          "chars": 2080,
+          "approx_tokens": 520
         },
         "exploit-availability-matrix": {
           "bytes": 1840,
@@ -2257,9 +2257,9 @@
           "approx_tokens": 460
         },
         "analysis-procedure": {
-          "bytes": 6759,
-          "chars": 6735,
-          "approx_tokens": 1684
+          "bytes": 7442,
+          "chars": 7416,
+          "approx_tokens": 1854
         },
         "output-format": {
           "bytes": 1821,
@@ -2272,9 +2272,9 @@
           "approx_tokens": 450
         },
         "defensive-countermeasure-mapping": {
-          "bytes": 2431,
-          "chars": 2419,
-          "approx_tokens": 605
+          "bytes": 3207,
+          "chars": 3187,
+          "approx_tokens": 797
         },
         "hand-off": {
           "bytes": 1135,
@@ -2340,16 +2340,16 @@
     },
     "cloud-iam-incident": {
       "path": "skills/cloud-iam-incident/skill.md",
-      "bytes": 44467,
-      "chars": 44309,
+      "bytes": 44474,
+      "chars": 44316,
       "lines": 416,
-      "approx_tokens": 11077,
+      "approx_tokens": 11079,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
-          "bytes": 5786,
-          "chars": 5772,
-          "approx_tokens": 1443
+          "bytes": 5793,
+          "chars": 5779,
+          "approx_tokens": 1445
         },
         "framework-lag-declaration": {
           "bytes": 6316,

package/data/attack-techniques.json

@@ -217,6 +217,7 @@
     "name": "External Remote Services",
     "version": "v19",
     "cve_refs": [
+      "CVE-2024-21762",
       "CVE-2026-0300",
       "CVE-2026-39987"
     ]
@@ -232,6 +233,7 @@
       "CVE-2020-10148",
       "CVE-2023-3519",
       "CVE-2024-1709",
+      "CVE-2024-21762",
       "CVE-2025-12686",
       "CVE-2025-53773",
       "CVE-2025-59389",

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.154,
+      "current_rate": 0.15,
       "current_floor_enforced_by_test": 0.15,
       "ladder_to_target": [
         0.15,
@@ -3704,5 +3704,100 @@
     ],
     "last_updated": "2026-05-17",
     "discovery_attribution_note": "TeamPCP threat-actor framework, not a vulnerability discovery. The framework was open-sourced 2026-05-12 on GitHub under MIT license by the same actor group responsible for the September 2025 / November 2025 / May 2026 Shai-Hulud npm-worm waves. TeamPCP self-describes the framework as \"vibe coded\" — AI-coding-assistant-mediated authoring. Adoption-side weaponization is accelerated by AI coding assistants + the BreachForums-hosted $1,000 USD bounty contest."
+  },
+  "CVE-2024-21762": {
+    "ai_assisted_weaponization": false,
+    "name": "Fortinet FortiOS / FortiProxy SSL-VPN out-of-bounds write (sslvpnd preauth RCE)",
+    "type": "out-of-bounds-write-preauth-rce",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD 9.8. Fortinet PSIRT FG-IR-24-015 advisory scored 9.6; the 0.2 delta is the scope (S:U vs S:C) interpretation. Operationally treated as 9.8 — unauthenticated network reach to the SSL-VPN web surface with code execution on the appliance.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2024-02-09",
+    "cisa_kev_due_date": "2024-02-16",
+    "poc_available": true,
+    "poc_description": "Multiple public PoCs published within days of Fortinet's 2024-02-08 disclosure (h4x0r-dz/CVE-2024-21762 on GitHub among the earliest). The vulnerability is an out-of-bounds write in sslvpnd reachable via a specially crafted unauthenticated HTTP request to the SSL-VPN web surface.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Vendor-internal discovery by Fortinet PSIRT; no AI tooling credited.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Fortinet's 2024-02-08 advisory stated the vulnerability was 'potentially being exploited in the wild'; CISA KEV-listed the next day (2024-02-09) with a 7-day federal remediation deadline. Multiple state-aligned and ransomware-affiliate clusters subsequently observed exploiting the bug for initial access. Canadian Centre for Cyber Security joint advisory (2024) bundled CVE-2024-21762 with CVE-2022-42475 and CVE-2023-27997 as the canonical FortiGate persistent-access trio. Fortinet's 2025-04-11 advisory documented a post-exploitation technique establishing persistence on devices patched after compromise — read-only symlinks left behind in the SSL-VPN language-file directory grant ongoing filesystem read access even on fully patched firmware, requiring an additional cleanup step beyond the patch itself.",
+    "affected": "Fortinet FortiOS and FortiProxy SSL-VPN feature on FortiGate appliances. Any internet-facing FortiGate with SSL-VPN enabled is in scope; FortiGates without SSL-VPN enabled are not reachable via this vector.",
+    "affected_versions": [
+      "fortios 7.6.0 (pre-7.6.2)",
+      "fortios 7.4.0-7.4.6 (pre-7.4.7)",
+      "fortios 7.2.0-7.2.10 (pre-7.2.11)",
+      "fortios 7.0.0-7.0.16 (pre-7.0.17)",
+      "fortios 6.4.0-6.4.15 (pre-6.4.16)",
+      "fortiproxy 7.4.0-7.4.2 (pre-7.4.3)",
+      "fortiproxy 7.2.0-7.2.8 (pre-7.2.9)",
+      "fortiproxy 7.0.0-7.0.14 (pre-7.0.15)",
+      "fortiproxy 2.0.0-2.0.13 (pre-2.0.14)"
+    ],
+    "vector": "Out-of-bounds write in the sslvpnd daemon's HTTP request handling. An unauthenticated remote attacker sends a specially crafted HTTP request to the SSL-VPN web surface, corrupting memory and achieving code execution as the sslvpnd process on the appliance. Workaround pre-patch: disable SSL-VPN entirely (Fortinet's recommended interim mitigation).",
+    "complexity": "low",
+    "complexity_notes": "Single-request exploitation, no preconditions beyond SSL-VPN being enabled and network-reachable. Public PoCs available; mass-scanning observed within hours of disclosure.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "FortiOS firmware updates require a device reboot. No live-patching primitive exists for FortiGate appliances. Fortinet's 2025-04 post-exploitation advisory adds an additional cleanup requirement on top of the firmware update — operators must follow the FortiGuard remediation steps to remove read-only symlinks left behind by attackers who compromised the device before patching.",
+    "vendor_update_paths": [
+      "FortiOS 7.6.2+",
+      "FortiOS 7.4.7+",
+      "FortiOS 7.2.11+",
+      "FortiOS 7.0.17+",
+      "FortiOS 6.4.16+",
+      "FortiProxy 7.4.3+",
+      "FortiProxy 7.2.9+",
+      "FortiProxy 7.0.15+",
+      "FortiProxy 2.0.14+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day patch SLA is multiple orders of magnitude longer than the observed exploitation window (hours from disclosure to mass-scanning). Reboot-required nature breaks the standard maintenance-window assumption; many operators delayed patching until the next scheduled window, extending exposure.",
+      "ISO-27001-2022-A.8.8": "'Appropriate timescales' undefined; standard 30-day interpretation is unsafe for an unauthenticated preauth RCE on an internet-facing security appliance with public PoCs and confirmed in-wild exploitation.",
+      "NIS2-Art21-network-security": "EU NIS2 treats VPN concentrators as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA. Operators in NIS2 sectors typically discovered the vulnerability via vendor advisory, not via the regulatory channel.",
+      "DORA-Art-9": "ICT incident management presumes vendor-patch cadence; the appliance-reboot requirement breaks the standard SLA assumption for financial-entity SSL-VPN concentrators.",
+      "UK-CAF-B4": "System security principle is silent on the operational reality that fully patched FortiGates can carry attacker persistence (symlink-based filesystem read access) seeded before the patch was applied. Patch alone is insufficient; cleanup verification is required.",
+      "AU-ISM-1546": "Essential 8 patch-applications ML3 (48h) is closer to the operational reality than NIST SI-2 but still misses the mass-scanning window. Internet-facing-appliance class deserves a tighter SLA than general application patching.",
+      "PCI-DSS-4.0-6.3.3": "30-day critical patch window is exploitation acceptance for an unauthenticated preauth RCE on a perimeter SSL-VPN appliance carrying CDE traffic."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1133"
+    ],
+    "rwep_score": 85,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "RWEP 85. cisa_kev (+25) + poc_available (+20) + active_exploitation confirmed (+20) + blast_radius 30 (every internet-facing FortiGate with SSL-VPN enabled — global perimeter-appliance install base, frequently used as ransomware initial-access vector through 2024-2026) - patch_available (-15) + reboot_required (+5). Live-patch credit not available — FortiOS has no live-patching primitive. Operationally exceeds the live-patching ceiling because patching requires a maintenance window; many fleets remained exposed for weeks after the patch shipped.",
+    "epss_score": null,
+    "epss_date": null,
+    "cwe_refs": [
+      "CWE-787"
+    ],
+    "source_verified": "2026-05-17",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-21762",
+      "https://www.fortiguard.com/psirt/FG-IR-24-015",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://www.tenable.com/blog/cve-2024-21762-critical-fortinet-fortios-out-of-bound-write-ssl-vpn-vulnerability",
+      "https://www.rapid7.com/blog/post/2024/02/12/etr-critical-fortinet-fortios-cve-2024-21762-exploited/",
+      "https://www.huntress.com/threat-library/vulnerabilities/cve-2024-21762",
+      "https://www.helpnetsecurity.com/2024/02/12/critical-fortinet-fortios-flaw-exploited-in-the-wild-cve-2024-21762/",
+      "https://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities",
+      "https://www.cyber.gc.ca/en/alerts-advisories/compromise-persistent-access-fortinet-fortios-products-cve-2022-42475-cve-2023-27997-cve-2024-21762"
+    ],
+    "_draft": false,
+    "last_updated": "2026-05-17",
+    "discovery_attribution_note": "Vendor-internal discovery by Fortinet PSIRT, disclosed 2024-02-08 via advisory FG-IR-24-015. No external researcher byline. CISA KEV-listed 2024-02-09 with a 7-day federal remediation deadline. Post-exploitation symlink-persistence technique documented in Fortinet's 2025-04-11 advisory after operators reported residual filesystem access on devices patched after compromise."
   }
 }

package/data/cwe-catalog.json

@@ -1369,6 +1369,7 @@
     ],
     "evidence_cves": [
       "CVE-2023-3519",
+      "CVE-2024-21762",
       "CVE-2026-0300",
       "CVE-2026-42945",
       "CVE-2026-43500",