@blamejs/exceptd-skills 0.13.66 → 0.13.68

package/data/attack-techniques.json

@@ -271,6 +271,7 @@
     "cve_refs": [
       "CVE-2025-1094",
       "CVE-2025-11837",
+      "CVE-2025-34291",
       "CVE-2025-53773",
       "CVE-2025-55319",
       "CVE-2025-68664",
@@ -401,6 +402,7 @@
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-33825",
+      "CVE-2026-41091",
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-46300",
@@ -853,6 +855,7 @@
       "CVE-2025-32756",
       "CVE-2025-33053",
       "CVE-2025-33073",
+      "CVE-2025-34291",
       "CVE-2025-35939",
       "CVE-2025-37164",
       "CVE-2025-3935",
@@ -2507,7 +2510,8 @@
     "name": "Steal Web Session Cookie",
     "version": "v19",
     "cve_refs": [
-      "CVE-2025-0133"
+      "CVE-2025-0133",
+      "CVE-2025-34291"
     ],
     "description_full": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.",
     "platforms": [

package/data/cve-catalog.json

@@ -9351,6 +9351,242 @@
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
     "_kev_short_description": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication."
   },
+  "CVE-2025-34291": {
+    "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). Vendor / CrowdSec report CVSS v4.0 9.4. PR:L reflects that the code-validation endpoint is authenticated by design; the chain defeats that boundary with stolen tokens, so the effective precondition is only that a logged-in user visits an attacker-controlled page.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-21",
+    "cisa_kev_due_date": "2026-06-04",
+    "cisa_kev_due_date_note": "CISA KEV remediation deadline — 14 days from the 2026-05-21 listing; verified against the live CISA KEV catalog.",
+    "poc_available": true,
+    "poc_description": "Obsidian Security published a full technical writeup (2025-12-05): overly-permissive CORS (credentialed cross-origin requests from any origin) plus a token-refresh endpoint lacking CSRF protection and issuing SameSite=None cookies lets a malicious page a logged-in victim visits capture a valid token pair, which then reaches the by-design code-validation endpoint for RCE. CrowdSec reports in-the-wild exploitation from 2026-01-23.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Discovered and disclosed by Obsidian Security via conventional web-security research (coordinated disclosure; public writeup 2025-12-05). The target is an AI agent/workflow platform, but the discovery method was not AI-assisted.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported; the exploit is a conventional CORS + CSRF + token-replay chain against a web API.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CrowdSec observed in-the-wild exploitation beginning 2026-01-23; CISA added the CVE to the KEV catalog on 2026-05-21 (CISA's confirmed-exploitation attestation).",
+    "affected": "Langflow (open-source AI agent / LLM workflow platform, 140k+ GitHub stars) — versions up to and including 1.6.9.",
+    "affected_versions": [
+      "Langflow <= 1.6.9"
+    ],
+    "vector": "Chained account takeover to remote code execution. Langflow <= 1.6.9 sets an overly-permissive CORS policy allowing credentialed requests from any origin, and its token-refresh endpoint lacks CSRF protection while issuing SameSite=None cookies. A logged-in user who visits an attacker-controlled page therefore leaks a valid access/refresh token pair to the attacker, who replays it against the code-validation endpoint that executes submitted code by design. No standing attacker authentication is required.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Drive-by: a single visit by an authenticated victim to an attacker page. The default configuration of Langflow <= 1.6.9 is exploitable; the Langflow 1.7 default configuration is protected.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is a version upgrade (service restart); no live-patch primitive. Langflow 1.7's default configuration is protected. Interim mitigation: restrict CORS to an explicit allow-list and set restrictive SameSite on authentication cookies.",
+    "vendor_update_paths": [
+      "Upgrade to Langflow 1.7 or later (the 1.7 default configuration is protected against this chain).",
+      "Interim mitigation for <= 1.6.9: tighten the CORS allow-origin list to trusted origins only and guard the public code-validation endpoint."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day flaw-remediation SLA is inadequate for a KEV-listed, in-the-wild-exploited RCE. The CISA KEV due date is the operationally-binding clock.",
+      "ISO-27001-2022-A.8.8": "Vulnerability-management clause does not differentiate routinely-disclosed CVEs from actively-exploited KEV-listed ones; KEV listing collapses patch-cycle response to incident-speed response.",
+      "ISO-27001-2022-A.5.7": "Threat-intelligence clause does not require ingesting actively-exploited-AI-tooling advisories (KEV + vendor AI-platform writeups) as a named source; self-hosted AI orchestration platforms are rarely in the asset inventory that threat intel is matched against.",
+      "NIS2-Art21-patch-management": "Article 21 risk-management measures mandate timely patching but set no AI-platform-specific origin-policy / session-boundary control; an essential/important entity running Langflow <= 1.6.9 can be Art-21-conformant on paper yet exposed to this drive-by RCE.",
+      "DORA-Art-9": "ICT protection/prevention measures require access controls but do not reach application-layer CORS origin policy or SameSite cookie posture on self-hosted AI tooling — the exact boundary this chain abuses.",
+      "UK-CAF-B4": "CAF principle B4 (System Security) expects vulnerability remediation but provides no objective for auditing the origin-policy / token-endpoint configuration of code-executing AI-agent platforms.",
+      "AU-ISM-1546": "ISM patch-application control is timeframe-based and product-agnostic; it does not require the CORS allow-list / CSRF posture review that would have closed this chain on Langflow <= 1.6.9.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No major framework treats the AI-orchestration / agent platform itself as an RCE-bearing trust boundary whose compromise grants control of every downstream flow, credential, and model the platform brokers — nor does any audit the application-layer origin policy (CORS) and session-cookie configuration that this chain abuses."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1539",
+      "T1059"
+    ],
+    "rwep_score": 80,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "P1. KEV-listed with confirmed in-wild exploitation since 2026-01-23 and a public exploit chain. blast_radius=25: compromising an AI-agent/workflow platform yields code execution plus control of the brokered model/tool/credential surface, and Langflow's 140k-star footprint widens exposure. patch_available -15 (upgrade to 1.7). ai_factor=0 (not AI-discovered or AI-weaponized).",
+    "epss_score": null,
+    "epss_date": "2026-05-24",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-34291",
+    "cwe_refs": [
+      "CWE-346",
+      "CWE-352",
+      "CWE-942"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Credentialed cross-origin requests (Origin / Referer header outside the deployment's trusted set) to the Langflow token-refresh endpoint — the CORS misconfiguration that enables token theft.",
+        "Access/refresh token pair issued to a session whose refresh call carried a foreign Origin (SameSite=None cookie replayed cross-site) — the account-takeover step.",
+        "Calls to the Langflow code-validation / code-execution endpoint from a session whose token was minted via a cross-origin refresh, or immediately following an anomalous cross-origin refresh — the RCE step.",
+        "Spike in CORS preflight (OPTIONS) and 4xx auth traffic to `/api/v1/*` from origins outside the operator allow-list."
+      ],
+      "payload_content_patterns": [
+        "Requests to the code-validation endpoint carrying executable Python payloads submitted outside the normal flow-builder UI workflow (server-side code execution by design)."
+      ],
+      "supply_chain_entry_vectors": [
+        "Delivery is a malicious or attacker-controlled web page visited by a logged-in Langflow operator (watering-hole or phishing link); no Langflow-side compromise is required to initiate — the victim's authenticated browser session is the entry point.",
+        "Internet-exposed Langflow <= 1.6.9 instances running the default CORS configuration are the exploitable population."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Obsidian Security technical writeup (2025-12-05) and the NVD CVE-2025-34291 mechanism; CrowdSec confirmed in-the-wild exploitation from 2026-01-23. No public packet/payload capture beyond the writeup."
+    },
+    "source_verified": "2026-05-24",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-34291",
+      "https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://www.crowdsec.net/vulntracking-report/cve-2025-34291"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2025-34291",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-21"
+      },
+      {
+        "vendor": "Obsidian Security",
+        "advisory_id": null,
+        "url": "https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform",
+        "severity": "high",
+        "published_date": "2025-12-05"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-34291",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34291",
+        "severity": "high",
+        "published_date": "2025-12-05"
+      }
+    ],
+    "last_updated": "2026-05-24",
+    "discovery_attribution_note": "Manually curated from NVD + Obsidian Security writeup + CISA KEV (added 2026-05-21) + CrowdSec exploitation telemetry. CWE-346 (Origin Validation / CORS) chained with CWE-352 (CSRF) on the token-refresh endpoint and CWE-942 (permissive cross-domain policy). Postdates the v0.13.17 bulk KEV intake (catalog version 2026.05.15).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Langflow contains an origin validation error vulnerability that could allow account takeover and remote code execution."
+  },
+  "CVE-2026-41091": {
+    "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
+    "type": "LPE",
+    "cvss_score": 7.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 7.8 (HIGH). Local, low-complexity, low-privilege elevation: the Malware Protection Engine runs as SYSTEM, so a link-following primitive in it is a clean LPE-to-SYSTEM.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-20",
+    "cisa_kev_due_date": "2026-06-03",
+    "cisa_kev_due_date_note": "CISA KEV (FCEB) remediation deadline for the 2026-05-20 listing; verified against the live KEV catalog.",
+    "poc_available": false,
+    "poc_description": "CISA KEV-listed with Microsoft 'Exploitation Detected'. No public proof-of-concept repository verified at curation time; exploitation is confirmed regardless of public PoC status.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Reported through Microsoft's MSRC process; no AI-discovery attribution surfaced.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Microsoft flagged 'Exploitation Detected'; CISA added the CVE to the KEV catalog on 2026-05-20 alongside CVE-2026-45498 (Defender DoS). Help Net Security and The Hacker News reported active exploitation 2026-05-21.",
+    "affected": "Microsoft Malware Protection Engine (Microsoft Defender) versions 1.1.26030.3008 through 1.1.26040.8, excluding the fixed build 1.1.26040.8.",
+    "affected_versions": [
+      "Microsoft Malware Protection Engine >= 1.1.26030.3008, < 1.1.26040.8"
+    ],
+    "vector": "The Malware Protection Engine improperly resolves links before accessing files (link following, CWE-59). A local low-privileged attacker plants a link (symlink / junction / hardlink) so that an engine file operation running as SYSTEM follows it to a target the attacker could not otherwise write, yielding elevation to SYSTEM. The security agent itself is the privileged confused deputy.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:L / AC:L / PR:L. Requires local low-privileged code execution; the engine auto-runs as SYSTEM so no further pivot is needed.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Microsoft Defender antimalware-platform auto-update (Malware Protection Engine updates apply without reboot)"
+    ],
+    "live_patch_notes": "Defender's antimalware platform / engine auto-updates; the fixed engine build is 1.1.26040.8 and applies without reboot. The exposed population is managed environments that pin or delay engine updates — verify the deployed engine version is >= 1.1.26040.8.",
+    "vendor_update_paths": [
+      "Confirm the Microsoft Malware Protection Engine is updated to 1.1.26040.8 or later (auto-update is the default; ensure it is not blocked by a managed-update policy)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day flaw-remediation SLA is inadequate for a KEV-listed, in-the-wild-exploited LPE; the CISA KEV due date (2026-06-03) is the binding clock.",
+      "ISO-27001-2022-A.8.8": "Vulnerability-management clause does not differentiate routinely-disclosed CVEs from KEV-listed actively-exploited ones, and does not specifically require verifying that the security agent's own engine build is current.",
+      "NIS2-Art21-patch-management": "Article 21 measures mandate timely patching but assume the EDR/AV agent is part of the defense, not itself the LPE vector; engine-version currency is rarely a tracked control.",
+      "DORA-Art-9": "ICT protection measures presume the endpoint-protection tool is trustworthy; a privileged confused-deputy in that tool is outside the typical control narrative.",
+      "UK-CAF-B4": "System Security objective expects vulnerability remediation but does not call out keeping the security agent's engine build patched as a distinct, audited control.",
+      "AU-ISM-1546": "Patch-application timeframe control is product-agnostic and does not single out the AV/EDR engine, whose SYSTEM privilege makes its flaws maximally severe."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1068"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 0,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P2 (RWEP 45 per lib/scoring.js). KEV-listed with confirmed exploitation; blast_radius=25 — Microsoft Defender is present on virtually every Windows endpoint. No verified public PoC (poc_available=0); auto-update / no-reboot remediation reduces urgency (patch_available -15, live_patch_available -10). The notable risk is that the AV/EDR engine itself is the LPE-to-SYSTEM primitive.",
+    "epss_score": null,
+    "epss_date": "2026-05-24",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-41091",
+    "cwe_refs": [
+      "CWE-59",
+      "CWE-269"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Creation of symbolic links, NTFS junctions, or hardlinks by a non-SYSTEM process inside paths the Malware Protection Engine reads/writes (scan staging, quarantine, signature-update, or platform-update directories under ProgramData\\Microsoft\\Windows Defender).",
+        "Malware Protection Engine (MsMpEng / engine worker) performing a file write or move as SYSTEM that resolves through an attacker-plantable link to a target outside its expected directory tree.",
+        "Deployed Defender engine version below 1.1.26040.8 on hosts that otherwise receive auto-updates — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the NVD CVE-2026-41091 mechanism (CWE-59 link following in the Malware Protection Engine running as SYSTEM) and Microsoft's advisory; no public packet/payload capture available at curation time."
+    },
+    "source_verified": "2026-05-24",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-41091",
+      "https://www.helpnetsecurity.com/2026/05/21/microsoft-defender-vulnerabilities-cve-2026-41091-cve-2026-45498/",
+      "https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2026-41091",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "Microsoft (MSRC)",
+        "advisory_id": "CVE-2026-41091",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-41091",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41091",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-24",
+    "discovery_attribution_note": "Manually curated from NVD + Microsoft MSRC ('Exploitation Detected') + CISA KEV (added 2026-05-20, due 2026-06-03) + Help Net Security / The Hacker News coverage (2026-05-21). CWE-59 (link following) in the Malware Protection Engine, which runs as SYSTEM. Postdates the v0.13.17 bulk KEV intake (catalog version 2026.05.15).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Defender (Malware Protection Engine) improperly resolves links before file access, allowing local privilege elevation to SYSTEM."
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "type": "RCE",

package/data/cwe-catalog.json

@@ -577,7 +577,8 @@
       "CVE-2025-48543",
       "CVE-2025-48572",
       "CVE-2025-62849",
-      "CVE-2026-21533"
+      "CVE-2026-21533",
+      "CVE-2026-41091"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-AC-6",
@@ -1031,7 +1032,8 @@
       "webapp-security"
     ],
     "evidence_cves": [
-      "CVE-2023-2533"
+      "CVE-2023-2533",
+      "CVE-2025-34291"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SC-23",
@@ -2147,7 +2149,8 @@
     "related_weaknesses": [],
     "evidence_cves": [
       "CVE-2025-48384",
-      "CVE-2025-60710"
+      "CVE-2025-60710",
+      "CVE-2026-41091"
     ],
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 KEV bulk-import."
@@ -2959,7 +2962,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-34291"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,
@@ -3833,7 +3838,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-34291"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,

package/data/framework-control-gaps.json

@@ -33,7 +33,9 @@
     "real_requirement": "AI pipeline integrity controls: (1) model version pinning where API supports it, (2) behavioral test suite with regression alerting, (3) provider changelog monitoring, (4) training pipeline SLSA-equivalent supply chain attestation for self-hosted models.",
     "status": "open",
     "opened_date": "2026-01-01",
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-34291"
+    ],
     "atlas_refs": [
       "AML.T0018",
       "AML.T0020"
@@ -1392,6 +1394,7 @@
       "CVE-2025-33053",
       "CVE-2025-33073",
       "CVE-2025-34026",
+      "CVE-2025-34291",
       "CVE-2025-35939",
       "CVE-2025-37164",
       "CVE-2025-38352",
@@ -1518,6 +1521,7 @@
       "CVE-2026-35616",
       "CVE-2026-3909",
       "CVE-2026-3910",
+      "CVE-2026-41091",
       "CVE-2026-41940",
       "CVE-2026-42945",
       "CVE-2026-46300",
@@ -1706,10 +1710,12 @@
       "CVE-2025-10585",
       "CVE-2025-1094",
       "CVE-2025-14174",
+      "CVE-2025-34291",
       "CVE-2025-38352",
       "CVE-2025-43300",
       "CVE-2026-31431",
       "CVE-2026-39884",
+      "CVE-2026-41091",
       "CVE-2026-45321",
       "CVE-2026-46300",
       "CVE-2026-46333",
@@ -2305,6 +2311,7 @@
       "CVE-2025-33053",
       "CVE-2025-33073",
       "CVE-2025-34026",
+      "CVE-2025-34291",
       "CVE-2025-35939",
       "CVE-2025-37164",
       "CVE-2025-38352",
@@ -2437,6 +2444,7 @@
       "CVE-2026-35616",
       "CVE-2026-3909",
       "CVE-2026-3910",
+      "CVE-2026-41091",
       "CVE-2026-41940",
       "CVE-2026-42897",
       "CVE-2026-42945",
@@ -4683,8 +4691,10 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2025-34291",
       "CVE-2026-0300",
       "CVE-2026-20182",
+      "CVE-2026-41091",
       "CVE-2026-42897",
       "CVE-2026-42945",
       "CVE-2026-46300",
@@ -5170,6 +5180,8 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2025-34291",
+      "CVE-2026-41091",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2026-SHAI-HULUD-OSS"
@@ -5204,6 +5216,8 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2025-34291",
+      "CVE-2026-41091",
       "CVE-2026-46300",
       "CVE-2026-46333"
     ],
@@ -5236,6 +5250,7 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2025-34291",
       "CVE-2026-46300",
       "CVE-2026-46333"
     ],

package/data/zeroday-lessons.json

@@ -5933,6 +5933,96 @@
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
+  "CVE-2025-34291": {
+    "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
+    "lesson_date": "2026-05-24",
+    "attack_vector": {
+      "description": "Overly-permissive CORS plus a CSRF-unprotected token-refresh endpoint (SameSite=None cookies) let a malicious page steal a logged-in Langflow user's token pair, which is replayed against the by-design code-validation endpoint for account takeover and remote code execution.",
+      "privileges_required": "none standing for the attacker — requires only that an authenticated victim visits an attacker-controlled page (drive-by)",
+      "complexity": "low (NVD AC:L; the default configuration of Langflow <= 1.6.9 is exploitable)",
+      "ai_factor": "Not AI-discovered (Obsidian Security, conventional web-security research). The AI-security lesson: an AI agent/workflow orchestration platform is itself an RCE-bearing web trust boundary — compromising it grants control over every model, tool, and credential it brokers. Surfaced by the CISA-KEV poller + advisory feeds after the v0.13.17 bulk intake (KEV catalog 2026.05.15) had already run."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day flaw-remediation SLA inadequate for a KEV-listed, in-the-wild-exploited RCE; the CISA KEV due date is the binding clock."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not differentiate routinely-disclosed CVEs from KEV-listed actively-exploited ones. Also: application-layer origin policy (CORS) and session-cookie configuration — the boundary this chain abuses — is rarely audited on self-hosted AI-agent platforms."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Self-hosted AI-platform deployments rarely audit CORS / session-cookie configuration; audit programs check patch SLA and TLS but not application-layer origin policy. Exposure widened by Langflow's 140k-star footprint and the drive-by trigger (victim need only visit a page).",
+      "theater_pattern": "config_drift"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-076",
+        "name": "AI-PLATFORM-ORIGIN-POLICY-AUDIT",
+        "description": "Self-hosted AI agent / LLM workflow platforms that expose a by-design code-execution endpoint (Langflow, Flowise, and similar) must enforce and audit, on every release: an explicit CORS allow-list (no wildcard or credentialed any-origin), CSRF protection on all token/session endpoints, and SameSite=Lax-or-Strict authentication cookies. The platform's session boundary is a remote-code-execution boundary and must be reviewed as one.",
+        "evidence": "https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-41091": {
+    "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
+    "lesson_date": "2026-05-24",
+    "attack_vector": {
+      "description": "The Malware Protection Engine, which runs as SYSTEM, improperly resolves links before accessing files (CWE-59). A local low-privileged attacker plants a symlink/junction/hardlink so an engine file operation follows it to a target the attacker could not otherwise write, elevating to SYSTEM.",
+      "privileges_required": "local, low-privileged code execution (no admin)",
+      "complexity": "low (NVD AV:L / AC:L / PR:L)",
+      "ai_factor": "Not AI-discovered. The lesson: the EDR/AV agent is itself a SYSTEM-privileged confused deputy — a link-following flaw in the security tool is a maximally-severe LPE, and engine-build currency must be an audited control, not assumed because 'Defender auto-updates'. Surfaced by the CISA-KEV poller after the v0.13.17 bulk intake."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day SLA inadequate for a KEV-listed LPE; KEV due date (2026-06-03) is the binding clock, and engine-version currency is not a tracked remediation target."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not differentiate routinely-disclosed CVEs from KEV-listed ones, nor require verifying that the security agent's own engine build is patched."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 50,
+      "basis": "Most orgs assume Defender auto-updates close engine flaws; managed environments that pin/delay engine builds remain exposed while passing patch-SLA audits that track OS patches, not AV-engine builds.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-077",
+        "name": "SECURITY-AGENT-ENGINE-CURRENCY-AUDIT",
+        "description": "Treat the EDR/AV agent's own engine/platform build as a first-class, audited remediation target: verify (not assume) that the deployed Microsoft Defender Malware Protection Engine is >= the fixed build (1.1.26040.8 for CVE-2026-41091) on every endpoint, and alarm on hosts whose engine build lags despite an auto-update policy. A SYSTEM-privileged security agent's flaws are LPE-to-SYSTEM by construction.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-41091",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "AU-ISM-1546"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "lesson_date": "2026-05-18",