@blamejs/exceptd-skills 0.13.68 → 0.13.69

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.13.69 — 2026-05-24
+
+CVE catalog currency: adds **CVE-2026-34926**, the actively-exploited Trend Micro Apex One directory traversal (CVSS 6.7; CISA KEV 2026-05-21, due 2026-06-04). A relative path traversal (CWE-23) on the on-premise management server lets an attacker who already holds server admin credentials modify a key table and inject malicious code that the server deploys to every managed agent — a fleet-wide push through the security tool's own trusted deployment channel (Scope:Changed). Fixed in Apex One on-premise 14.0.0.17079 / SaaS 14.0.20731. The entry carries RWEP scoring (P2, 52, computed via lib/scoring.js — PR:H/AC:H gate it below an unauthenticated RCE), CWE-23/22 and ATT&CK T1072/T1083 mappings, global-first framework-gap declarations, behavioral IoCs, and a zero-day lesson whose new control (NEW-CTRL-078) makes the endpoint-management deployment channel an integrity-monitored control plane. Postdates the catalog's prior bulk KEV intake (KEV catalog 2026.05.15).
+
 ## 0.13.68 — 2026-05-24
 
 CVE catalog currency: adds **CVE-2026-41091**, the actively-exploited Microsoft Defender link-following local privilege escalation (CVSS 7.8; CISA KEV 2026-05-20, due 2026-06-03). The Malware Protection Engine runs as SYSTEM and improperly resolves links before accessing files (CWE-59), so a local low-privileged attacker who plants a symlink/junction can elevate to SYSTEM — the AV/EDR agent itself is the privileged confused deputy. Fixed in engine build 1.1.26040.8 (auto-update, no reboot); managed environments that pin or delay engine updates are the exposed population. The entry carries full RWEP scoring (P2, 55), CWE-59/269 and ATT&CK T1068 mappings, global-first framework-gap declarations, behavioral IoCs, and a matching zero-day lesson whose new control requirement (NEW-CTRL-077) makes the security agent's own engine-build currency an audited target. Postdates the catalog's prior bulk KEV intake (KEV catalog 2026.05.15).

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-25T05:37:39.668Z",
+  "generated_at": "2026-05-25T06:06:07.403Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "b2768a6fed1f9af27587332675592dd96abf0fe4f7692023324157dec05b1335",
+    "manifest.json": "57d3b2ca1e729f2486752235575cbb98c8255f532a5dce65cdcfdb69b4447d59",
     "data/atlas-ttps.json": "019f12d24dc45ef8f5ae8812dec7c31a9506429a94751aaa559890a007ec6b22",
-    "data/attack-techniques.json": "69afb5bc47a2e15353d62cabc64c41bc0bc3516c4856c889b9c2cdc5c5110e54",
-    "data/cve-catalog.json": "31eec14b758ef04a5d2fd63be8bd08e79a5f195570afc60885feb8f145e54dcc",
-    "data/cwe-catalog.json": "ca52b055bb9a5062ee92f19fb15315379b71bbc50d484cfe274a5197f6c4d5c3",
+    "data/attack-techniques.json": "b47836e9a4707ce79c35cbe58a5bdb8d0d7b8e6d94e489c17c93c465844f02ee",
+    "data/cve-catalog.json": "2bb2cda179aac7e1d8e16beeefef545eaabbb828ab1ee8fca80d285f248b15cf",
+    "data/cwe-catalog.json": "641910cd99496ed3743b4b74ecf152bd67c2cc982c4dc90b22fe204973f33cfa",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "935c17ffd9b6e08f0a89f711946565fc2bb36d3cc3609d0eea5482c09a0b85c8",
+    "data/framework-control-gaps.json": "5f71b6dc8f07264de30b5fc58229e4796bae90ce696f491c661499d53d4ac5b9",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
-    "data/zeroday-lessons.json": "a970a232aa612d01b93d7cfc7684e8692939265efa09eb3a2ffeca475eb02c08",
+    "data/zeroday-lessons.json": "ef83f6d0844eaa5b6fd7a2b12cc24d64dfdea8d269537d766cc0e1870162a9f9",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
     "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 303,
+    "chains_cve_entries": 304,
     "chains_cwe_entries": 171,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,

package/data/_indexes/activity-feed.json

@@ -149,7 +149,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 314
+      "entry_count": 315
     },
     {
       "date": "2026-05-18",
@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 314
+      "entry_count": 315
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 314,
+      "entry_count": 315,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 314,
+      "entry_count": 315,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/_indexes/chains.json

@@ -16503,6 +16503,260 @@
       ]
     }
   },
+  "CVE-2026-34926": {
+    "name": "Trend Micro Apex One Directory Traversal → Malicious Agent Code Deployment",
+    "rwep": 52,
+    "cvss": 6.7,
+    "cisa_kev": true,
+    "epss_score": null,
+    "referencing_skills": [
+      "kernel-lpe-triage",
+      "attack-surface-pentest",
+      "ot-ics-security",
+      "coordinated-vuln-disclosure",
+      "sector-energy"
+    ],
+    "chain": {
+      "cwes": [
+        {
+          "id": "CWE-1037",
+          "name": "Processor Optimization Removal or Modification of Security-critical Code",
+          "category": "Hardware / Side Channel"
+        },
+        {
+          "id": "CWE-125",
+          "name": "Out-of-bounds Read",
+          "category": "Memory Safety"
+        },
+        {
+          "id": "CWE-1357",
+          "name": "Reliance on Insufficiently Trustworthy Component",
+          "category": "Supply Chain"
+        },
+        {
+          "id": "CWE-1395",
+          "name": "Dependency on Vulnerable Third-Party Component",
+          "category": "Supply Chain"
+        },
+        {
+          "id": "CWE-22",
+          "name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
+          "category": "Path/Resource"
+        },
+        {
+          "id": "CWE-269",
+          "name": "Improper Privilege Management",
+          "category": "Authorization"
+        },
+        {
+          "id": "CWE-287",
+          "name": "Improper Authentication",
+          "category": "Authentication"
+        },
+        {
+          "id": "CWE-306",
+          "name": "Missing Authentication for Critical Function",
+          "category": "Authentication"
+        },
+        {
+          "id": "CWE-352",
+          "name": "Cross-Site Request Forgery (CSRF)",
+          "category": "Session"
+        },
+        {
+          "id": "CWE-362",
+          "name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
+          "category": "Concurrency"
+        },
+        {
+          "id": "CWE-416",
+          "name": "Use After Free",
+          "category": "Memory Safety"
+        },
+        {
+          "id": "CWE-434",
+          "name": "Unrestricted Upload of File with Dangerous Type",
+          "category": "File Handling"
+        },
+        {
+          "id": "CWE-672",
+          "name": "Operation on a Resource after Expiration or Release",
+          "category": "Memory Safety"
+        },
+        {
+          "id": "CWE-732",
+          "name": "Incorrect Permission Assignment for Critical Resource",
+          "category": "Authorization"
+        },
+        {
+          "id": "CWE-78",
+          "name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
+          "category": "Injection"
+        },
+        {
+          "id": "CWE-787",
+          "name": "Out-of-bounds Write",
+          "category": "Memory Safety"
+        },
+        {
+          "id": "CWE-79",
+          "name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
+          "category": "Injection"
+        },
+        {
+          "id": "CWE-798",
+          "name": "Use of Hard-coded Credentials",
+          "category": "Credentials"
+        },
+        {
+          "id": "CWE-89",
+          "name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
+          "category": "Injection"
+        },
+        {
+          "id": "CWE-918",
+          "name": "Server-Side Request Forgery (SSRF)",
+          "category": "Network"
+        }
+      ],
+      "atlas": [
+        {
+          "id": "AML.T0010",
+          "name": "ML Supply Chain Compromise",
+          "tactic": "Initial Access"
+        },
+        {
+          "id": "AML.T0043",
+          "name": "Craft Adversarial Data",
+          "tactic": "ML Attack Staging"
+        },
+        {
+          "id": "AML.T0051",
+          "name": "LLM Prompt Injection",
+          "tactic": "Execution"
+        }
+      ],
+      "d3fend": [
+        {
+          "id": "D3-ASLR",
+          "name": "Address Space Layout Randomization",
+          "tactic": "Harden"
+        },
+        {
+          "id": "D3-CSPP",
+          "name": "Client-server Payload Profiling",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-EAL",
+          "name": "Executable Allowlisting",
+          "tactic": "Harden"
+        },
+        {
+          "id": "D3-NTA",
+          "name": "Network Traffic Analysis",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-PHRA",
+          "name": "Process Hardware Resource Access",
+          "tactic": "Isolate"
+        },
+        {
+          "id": "D3-PSEP",
+          "name": "Process Segment Execution Prevention",
+          "tactic": "Harden"
+        }
+      ],
+      "framework_gaps": [
+        {
+          "id": "CIS-Controls-v8-Control7",
+          "framework": "CIS Controls v8",
+          "control_name": "Continuous Vulnerability Management"
+        },
+        {
+          "id": "IEC-62443-3-3",
+          "framework": "IEC 62443-3-3 (Industrial communication networks — security for IACS)",
+          "control_name": "System security requirements and security levels"
+        },
+        {
+          "id": "ISO-27001-2022-A.8.8",
+          "framework": "ISO/IEC 27001:2022",
+          "control_name": "Management of technical vulnerabilities"
+        },
+        {
+          "id": "NERC-CIP-007-6-R4",
+          "framework": "NERC CIP-007-6 (BES Cyber System Security Management)",
+          "control_name": "Security event monitoring"
+        },
+        {
+          "id": "NIS2-Art21-patch-management",
+          "framework": "EU NIS2 Directive",
+          "control_name": "Vulnerability handling and disclosure"
+        },
+        {
+          "id": "NIST-800-115",
+          "framework": "NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)",
+          "control_name": "Technical Guide to Information Security Testing and Assessment"
+        },
+        {
+          "id": "NIST-800-218-SSDF",
+          "framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
+          "control_name": "Secure Software Development Framework"
+        },
+        {
+          "id": "NIST-800-53-SC-8",
+          "framework": "NIST SP 800-53 Rev 5",
+          "control_name": "Transmission Confidentiality and Integrity"
+        },
+        {
+          "id": "NIST-800-53-SI-2",
+          "framework": "NIST SP 800-53 Rev 5",
+          "control_name": "Flaw Remediation"
+        },
+        {
+          "id": "NIST-800-82r3",
+          "framework": "NIST SP 800-82 Rev 3 (Guide to OT Security)",
+          "control_name": "Guide to Operational Technology (OT) Security"
+        },
+        {
+          "id": "OWASP-Pen-Testing-Guide-v5",
+          "framework": "OWASP Web Security Testing Guide v5 (WSTG)",
+          "control_name": "Web application penetration testing methodology"
+        },
+        {
+          "id": "PCI-DSS-4.0-6.3.3",
+          "framework": "PCI DSS 4.0",
+          "control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
+        },
+        {
+          "id": "PTES-Pre-engagement",
+          "framework": "Penetration Testing Execution Standard (PTES)",
+          "control_name": "Pre-engagement Interactions"
+        },
+        {
+          "id": "SOC2-CC9-vendor-management",
+          "framework": "SOC 2 (AICPA Trust Services Criteria)",
+          "control_name": "Risk Mitigation — Vendor and Business Partner Risk"
+        }
+      ],
+      "attack_refs": [
+        "T0855",
+        "T0883",
+        "T1059",
+        "T1068",
+        "T1078",
+        "T1133",
+        "T1190",
+        "T1548.001"
+      ],
+      "rfc_refs": [
+        "RFC-4301",
+        "RFC-4303",
+        "RFC-7296"
+      ]
+    }
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "rwep": 77,
@@ -41537,6 +41791,7 @@
       "CVE-2026-30615",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-42208",
@@ -41878,6 +42133,7 @@
       "CVE-2025-6965",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-42208",
@@ -42015,6 +42271,7 @@
       "CVE-2025-6965",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-42208",
@@ -42166,6 +42423,7 @@
       "CVE-2025-6965",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-42208",
@@ -42819,6 +43077,7 @@
       "CVE-2026-33825",
       "CVE-2026-34197",
       "CVE-2026-34621",
+      "CVE-2026-34926",
       "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-3909",
@@ -43422,6 +43681,7 @@
       "CVE-2026-30615",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-42208",
@@ -43998,6 +44258,7 @@
       "CVE-2026-30615",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-42208",
@@ -44207,6 +44468,7 @@
       "CVE-2025-53773",
       "CVE-2026-30615",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-45321",
@@ -44852,6 +45114,7 @@
       "CVE-2026-30615",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-42208",
@@ -45249,6 +45512,7 @@
       "CVE-2026-33825",
       "CVE-2026-34197",
       "CVE-2026-34621",
+      "CVE-2026-34926",
       "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-3909",
@@ -45641,6 +45905,7 @@
       "CVE-2026-33825",
       "CVE-2026-34197",
       "CVE-2026-34621",
+      "CVE-2026-34926",
       "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-3909",
@@ -45885,6 +46150,7 @@
       "CVE-2026-30615",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-42208",
@@ -46834,6 +47100,7 @@
       "CVE-2026-33825",
       "CVE-2026-34197",
       "CVE-2026-34621",
+      "CVE-2026-34926",
       "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-3909",
@@ -47142,6 +47409,7 @@
       "CVE-2026-30615",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-42208",
@@ -47624,6 +47892,7 @@
       "CVE-2026-33825",
       "CVE-2026-34197",
       "CVE-2026-34621",
+      "CVE-2026-34926",
       "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-3909",
@@ -47941,6 +48210,7 @@
       "CVE-2025-53773",
       "CVE-2026-30615",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-45321",
@@ -48855,6 +49125,7 @@
       "CVE-2026-30615",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-42208",
@@ -48922,6 +49193,7 @@
       "CVE-2025-38352",
       "CVE-2025-43300",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-45321",
@@ -49646,6 +49918,7 @@
       "CVE-2026-33634",
       "CVE-2026-34197",
       "CVE-2026-34621",
+      "CVE-2026-34926",
       "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-3909",
@@ -49890,6 +50163,7 @@
       "CVE-2026-30615",
       "CVE-2026-30623",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-45321",

package/data/attack-techniques.json

@@ -3346,7 +3346,10 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2026-34926"
+    ]
   },
   "T1074": {
     "id": "T1074",
@@ -3439,7 +3442,10 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2026-34926"
+    ]
   },
   "T1087": {
     "id": "T1087",

package/data/cve-catalog.json

@@ -9587,6 +9587,117 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Microsoft Defender (Malware Protection Engine) improperly resolves links before file access, allowing local privilege elevation to SYSTEM."
   },
+  "CVE-2026-34926": {
+    "name": "Trend Micro Apex One Directory Traversal → Malicious Agent Code Deployment",
+    "type": "RCE",
+    "cvss_score": 6.7,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L",
+    "cvss_note": "NVD CVSS v3.1 base 6.7 (MEDIUM). High privileges (PR:H — server admin) and high complexity (AC:H) gate it, but Scope:Changed reflects the real impact: the directory traversal lets an attacker on the Apex One management server inject code that the server then deploys to every managed agent — a fleet-wide push from the security tool's own deployment channel.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-21",
+    "cisa_kev_due_date": "2026-06-04",
+    "cisa_kev_due_date_note": "CISA KEV remediation deadline for the 2026-05-21 listing; verified against the live KEV catalog.",
+    "poc_available": false,
+    "poc_description": "CISA KEV-listed (confirmed exploitation). No public proof-of-concept repository referenced by NVD or the Trend Micro advisory at curation time.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Reported through Trend Micro / ZDI coordinated disclosure; no AI-discovery attribution surfaced.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA added the CVE to the KEV catalog on 2026-05-21 (confirmed-exploitation attestation).",
+    "affected": "Trend Micro Apex One on-premise (before 14.0.0.17079) and Apex One SaaS (before 14.0.20731).",
+    "affected_versions": [
+      "Trend Micro Apex One (on-premise) < 14.0.0.17079",
+      "Trend Micro Apex One (SaaS) < 14.0.20731"
+    ],
+    "vector": "A relative path-traversal flaw (CWE-23) on the Apex One on-premise management server lets an attacker who already has server access and administrative credentials modify a key table and inject malicious code that the server deploys to its managed agents. The trust the endpoints place in the management server's deployment channel turns a post-admin server foothold into fleet-wide agent code execution (Scope:Changed).",
+    "complexity": "high",
+    "complexity_notes": "NVD AC:H, PR:H: requires server access plus already-obtained administrative credentials. This is a post-admin-compromise propagation primitive, not an initial-access RCE — its value to an attacker is turning one server into the whole agent fleet.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Vendor fix via product update — Apex One on-premise 14.0.0.17079 / SaaS 14.0.20731 or later; application update, no host reboot.",
+    "vendor_update_paths": [
+      "Update Apex One on-premise to 14.0.0.17079 or later; Apex One SaaS to 14.0.20731 or later."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day flaw-remediation SLA is inadequate for a KEV-listed actively-exploited flaw; the CISA KEV due date (2026-06-04) is the binding clock.",
+      "ISO-27001-2022-A.8.8": "Vulnerability-management clause does not differentiate routinely-disclosed CVEs from KEV-listed actively-exploited ones.",
+      "NIS2-Art21-patch-management": "Article 21 measures mandate patching but do not treat the EDR/endpoint-management server's agent-deployment channel as a high-blast-radius supply-chain control plane that must be hardened and monitored.",
+      "DORA-Art-9": "ICT protection measures assume the endpoint-management platform is trustworthy; abuse of its own deployment channel to push code to agents is outside the typical control narrative.",
+      "UK-CAF-B4": "System Security objective expects remediation but does not call out the management-server → agent deployment path as a privileged trust boundary requiring integrity controls.",
+      "AU-ISM-1546": "Patch-application timeframe control is product-agnostic; it does not address the fleet-wide propagation risk of a compromised endpoint-management server."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1072",
+      "T1083"
+    ],
+    "rwep_score": 52,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 0,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P2 (RWEP 52 per lib/scoring.js). KEV-listed with confirmed exploitation. blast_radius=22: the management server's deployment channel reaches the whole agent fleet, but PR:H/AC:H (requires pre-existing server admin) caps practical reach below an unauthenticated RCE. No verified public PoC. patch_available -15 (vendor update).",
+    "epss_score": null,
+    "epss_date": "2026-05-24",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-34926",
+    "cwe_refs": [
+      "CWE-23",
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Modification of the Apex One server's agent-deployment key table or staged agent payloads by a process/path outside the normal product update workflow.",
+        "Apex One management server pushing an agent update/package that was not initiated by a sanctioned administrator action (deployment from an anomalous session or off-hours).",
+        "Path-traversal sequences (`..\\` / `../`) in requests to Apex One on-premise server endpoints that handle file or key-table writes.",
+        "On-premise Apex One server below 14.0.0.17079 (or SaaS below 14.0.20731) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the NVD CVE-2026-34926 mechanism (CWE-23 relative path traversal enabling key-table modification and malicious agent deployment) and the Trend Micro advisory; no public packet/payload capture available at curation time."
+    },
+    "source_verified": "2026-05-24",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-34926",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2026-34926",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "medium",
+        "published_date": "2026-05-21"
+      },
+      {
+        "vendor": "Trend Micro",
+        "advisory_id": "CVE-2026-34926",
+        "url": "https://success.trendmicro.com/solution/CVE-2026-34926",
+        "severity": "medium",
+        "published_date": "2026-05-21"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-34926",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34926",
+        "severity": "medium",
+        "published_date": "2026-05-21"
+      }
+    ],
+    "last_updated": "2026-05-24",
+    "discovery_attribution_note": "Manually curated from NVD + CISA KEV (added 2026-05-21, due 2026-06-04). CWE-23 relative path traversal on the Apex One on-premise management server enabling key-table modification and malicious code deployment to managed agents. Postdates the v0.13.17 bulk KEV intake (catalog version 2026.05.15).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Trend Micro Apex One on-premise contains a directory traversal that lets a pre-authenticated local attacker modify a key table to inject malicious code deployed to agents."
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "type": "RCE",

package/data/cwe-catalog.json

@@ -101,7 +101,8 @@
       "CVE-2025-27920",
       "CVE-2025-4632",
       "CVE-2025-6218",
-      "CVE-2025-8110"
+      "CVE-2025-8110",
+      "CVE-2026-34926"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-AC-3",
@@ -2110,7 +2111,8 @@
     "related_weaknesses": [],
     "evidence_cves": [
       "CVE-2024-27199",
-      "CVE-2025-64446"
+      "CVE-2025-64446",
+      "CVE-2026-34926"
     ],
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 KEV bulk-import."

package/data/framework-control-gaps.json

@@ -1517,6 +1517,7 @@
       "CVE-2026-33634",
       "CVE-2026-34197",
       "CVE-2026-34621",
+      "CVE-2026-34926",
       "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-3909",
@@ -1714,6 +1715,7 @@
       "CVE-2025-38352",
       "CVE-2025-43300",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-45321",
@@ -2440,6 +2442,7 @@
       "CVE-2026-33825",
       "CVE-2026-34197",
       "CVE-2026-34621",
+      "CVE-2026-34926",
       "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-3909",
@@ -4694,6 +4697,7 @@
       "CVE-2025-34291",
       "CVE-2026-0300",
       "CVE-2026-20182",
+      "CVE-2026-34926",
       "CVE-2026-41091",
       "CVE-2026-42897",
       "CVE-2026-42945",
@@ -5181,6 +5185,7 @@
     "evidence_cves": [
       "CVE-2024-21762",
       "CVE-2025-34291",
+      "CVE-2026-34926",
       "CVE-2026-41091",
       "CVE-2026-46300",
       "CVE-2026-46333",
@@ -5217,6 +5222,7 @@
     "evidence_cves": [
       "CVE-2024-21762",
       "CVE-2025-34291",
+      "CVE-2026-34926",
       "CVE-2026-41091",
       "CVE-2026-46300",
       "CVE-2026-46333"

package/data/zeroday-lessons.json

@@ -6023,6 +6023,51 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-34926": {
+    "name": "Trend Micro Apex One Directory Traversal → Malicious Agent Code Deployment",
+    "lesson_date": "2026-05-24",
+    "attack_vector": {
+      "description": "A relative path traversal (CWE-23) on the Apex One on-premise management server lets an attacker with server admin access modify a key table and inject malicious code that the server deploys to all managed agents — fleet-wide code execution through the security tool's own trusted deployment channel.",
+      "privileges_required": "server access + already-obtained administrative credentials (PR:H)",
+      "complexity": "high (NVD AC:H) — post-admin-compromise propagation primitive, not initial access",
+      "ai_factor": "Not AI-discovered. The lesson: an endpoint-management server's agent-deployment channel is a high-blast-radius supply-chain control plane — its integrity must be monitored, because a foothold on the server becomes the entire agent fleet. Surfaced by the CISA-KEV poller after the v0.13.17 bulk intake."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day SLA inadequate for a KEV-listed flaw; KEV due date (2026-06-04) is the binding clock."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not differentiate routinely-disclosed CVEs from KEV-listed ones, nor treat the agent-deployment channel as a control plane needing integrity monitoring."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 45,
+      "basis": "Orgs audit endpoint protection for coverage and patch SLA but rarely monitor the integrity of the management server's agent-deployment channel; a post-admin foothold there is treated as 'already game over' rather than as a fleet-propagation risk to contain.",
+      "theater_pattern": "detection_gap"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-078",
+        "name": "ENDPOINT-MGMT-DEPLOYMENT-CHANNEL-INTEGRITY",
+        "description": "Treat the EDR/endpoint-management server's agent-deployment channel (package/key-table → agent push) as a privileged supply-chain control plane: integrity-monitor the deployment artifacts and key tables, alert on agent pushes not tied to a sanctioned admin action, and patch the management server to the fixed build (Apex One on-prem 14.0.0.17079 / SaaS 14.0.20731) as a KEV-priority item. A server foothold must not silently become fleet-wide agent code execution.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-34926",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "NIS2-Art21-patch-management"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "lesson_date": "2026-05-18",

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.13.68",
+  "version": "0.13.69",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
-      "signed_at": "2026-05-25T05:34:57.115Z",
+      "signed_at": "2026-05-25T06:03:13.392Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "ztSKk/zFMFbT12qRcEeBKpydBn7fTT86KxMmor0DTCoKQWk5fJ0fSInfP1XMSB6rFk4/SuSjKVxQRMKVJ5a+Cg==",
-      "signed_at": "2026-05-25T05:34:57.117Z",
+      "signed_at": "2026-05-25T06:03:13.394Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "K6QdPHNK5c4K5QFjrW0QsUhjp71D7SOisSoulwPNSvKRdi2rY+yg0kdckijBMkLMsVPyUvcC9giu93mKJ1OZDg==",
-      "signed_at": "2026-05-25T05:34:57.118Z",
+      "signed_at": "2026-05-25T06:03:13.395Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "Qd3SBWmUAaaT++e1Ry2wBIz/dCBmNBMl0+4Rb0etvJLES0fIBEAkU1mTbgNZnT5XOg9J5twdUpymWtmKnDDQCQ==",
-      "signed_at": "2026-05-25T05:34:57.118Z"
+      "signed_at": "2026-05-25T06:03:13.395Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "F2Shxae0ua0gPtvwzTRVzzHaIgJcFDRT3/akLUAZ4aaMQhkleKkcTaTpkjp+pTVEdPfLeLGNCeAOMs+whVYOBg==",
-      "signed_at": "2026-05-25T05:34:57.119Z"
+      "signed_at": "2026-05-25T06:03:13.396Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
-      "signed_at": "2026-05-25T05:34:57.119Z"
+      "signed_at": "2026-05-25T06:03:13.397Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "W3pS8lnaCP96TQzsJpG5d5yv5IwgaQyS4Z2Ctcz5BOJf6LbajSIgeDgTZ4f4Bhr5m4E7KsgWGjZS4x7Fwd33BQ==",
-      "signed_at": "2026-05-25T05:34:57.120Z",
+      "signed_at": "2026-05-25T06:03:13.397Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "/WDGygh1Ck4yWlBWDGtEUVCqKB8d+UaJXoAoBXujtt+GAl8JbMNpaN1TvI0WkEltQ9dTxaAzSn20/eVDqv8iDQ==",
-      "signed_at": "2026-05-25T05:34:57.120Z",
+      "signed_at": "2026-05-25T06:03:13.398Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "za1NKBpy9LC91F/ESO/qhUfmvVr8GNItQOjR5OJLeHm+2dQ9HHiFWQK2eo53V/n/0uhubuggURA3yS6kJuWwBg==",
-      "signed_at": "2026-05-25T05:34:57.120Z",
+      "signed_at": "2026-05-25T06:03:13.398Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xiHAhhdufm9hCKU8PLiPE0MX65ej2F4OZwtlWLGLCiie9/km+Kiqbt192LcMvr94v83C98pb9wIaqFsFWft6AQ==",
-      "signed_at": "2026-05-25T05:34:57.121Z",
+      "signed_at": "2026-05-25T06:03:13.399Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
-      "signed_at": "2026-05-25T05:34:57.121Z"
+      "signed_at": "2026-05-25T06:03:13.399Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
-      "signed_at": "2026-05-25T05:34:57.121Z",
+      "signed_at": "2026-05-25T06:03:13.400Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "i/17u4kJiSpcZAz7LnTyRePFugQOstQ1P4kVoe0oGf4E2/j8oIN9U9DccjUn/YHZhKWIJ2AILG/DMhvMrr3bBg==",
-      "signed_at": "2026-05-25T05:34:57.122Z",
+      "signed_at": "2026-05-25T06:03:13.401Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "QuOVaQ4E2Sl39TClbhZ7HA9XrYAyRrDL44HY3RTE7aWLue0hV2cxaBt40ALGmHS++631QGFDlZTLZI77Tr6nAA==",
-      "signed_at": "2026-05-25T05:34:57.122Z"
+      "signed_at": "2026-05-25T06:03:13.401Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
-      "signed_at": "2026-05-25T05:34:57.123Z",
+      "signed_at": "2026-05-25T06:03:13.402Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "urRcataVWg6/utyEkSiOWoNxTL8sABRjPR7ShyDfZGnAozFph/yDktSoaPVxQDXwu9EfJE+qhUW5OYR/yJECBQ==",
-      "signed_at": "2026-05-25T05:34:57.123Z"
+      "signed_at": "2026-05-25T06:03:13.403Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-25T05:34:57.123Z"
+      "signed_at": "2026-05-25T06:03:13.403Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
-      "signed_at": "2026-05-25T05:34:57.124Z"
+      "signed_at": "2026-05-25T06:03:13.403Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "IgEnpHOhCftAyfUNdKsjbrd169T9pJkk/rRM2ZEna+H18y7p5x48+1kME2sJMZjJuyAdQFBJi8PJXZFwLGI+DQ==",
-      "signed_at": "2026-05-25T05:34:57.124Z"
+      "signed_at": "2026-05-25T06:03:13.404Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
-      "signed_at": "2026-05-25T05:34:57.124Z"
+      "signed_at": "2026-05-25T06:03:13.404Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "G5q5elh7Q7eu2xcwTVQJGDTGfvZR0OGQaLSLJPb2wjzCHFF8PWuZfCHZdjjqisiRzRWPyLlzgfHeMJqOdy7cBw==",
-      "signed_at": "2026-05-25T05:34:57.125Z"
+      "signed_at": "2026-05-25T06:03:13.405Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
-      "signed_at": "2026-05-25T05:34:57.125Z"
+      "signed_at": "2026-05-25T06:03:13.405Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
-      "signed_at": "2026-05-25T05:34:57.125Z"
+      "signed_at": "2026-05-25T06:03:13.406Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
-      "signed_at": "2026-05-25T05:34:57.126Z"
+      "signed_at": "2026-05-25T06:03:13.406Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "rFBpOQEJUPpl+v88Lw/WqVJRhTl80vy0VbPAbzQj3Q0suJRRrJg368I9uKu5LXIBKFDvKxnGIcIzbGg9NUtaCA==",
-      "signed_at": "2026-05-25T05:34:57.126Z"
+      "signed_at": "2026-05-25T06:03:13.407Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
-      "signed_at": "2026-05-25T05:34:57.126Z",
+      "signed_at": "2026-05-25T06:03:13.407Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
-      "signed_at": "2026-05-25T05:34:57.127Z"
+      "signed_at": "2026-05-25T06:03:13.408Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
-      "signed_at": "2026-05-25T05:34:57.127Z"
+      "signed_at": "2026-05-25T06:03:13.409Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
-      "signed_at": "2026-05-25T05:34:57.128Z"
+      "signed_at": "2026-05-25T06:03:13.409Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
-      "signed_at": "2026-05-25T05:34:57.128Z"
+      "signed_at": "2026-05-25T06:03:13.410Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
-      "signed_at": "2026-05-25T05:34:57.128Z"
+      "signed_at": "2026-05-25T06:03:13.410Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
-      "signed_at": "2026-05-25T05:34:57.129Z"
+      "signed_at": "2026-05-25T06:03:13.410Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
-      "signed_at": "2026-05-25T05:34:57.129Z",
+      "signed_at": "2026-05-25T06:03:13.411Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
-      "signed_at": "2026-05-25T05:34:57.129Z"
+      "signed_at": "2026-05-25T06:03:13.411Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
-      "signed_at": "2026-05-25T05:34:57.130Z",
+      "signed_at": "2026-05-25T06:03:13.412Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "IL+DlRCDJN/p08iiJCFkasKcoyjcB0uWrJ6ORLjQcS1HrUa5Xt62QxVjYPHzaevlm5y36ZdmfESqsZJmzK3lCg==",
-      "signed_at": "2026-05-25T05:34:57.130Z"
+      "signed_at": "2026-05-25T06:03:13.412Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "MmjLjlmOMLjhJJ4ZfR8MYlHam+ZB+eSqfh6Nv+DecaG4O5zeo9DBP/iL3cbyDVZxmhnhivgJild2ccYeWTeZAg==",
-      "signed_at": "2026-05-25T05:34:57.130Z"
+      "signed_at": "2026-05-25T06:03:13.413Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "ssueL03g9fWlhXpTe+IiY5l7RqQkunN4DTN5QETKE+VOX+qggdjAR8PONxk77ol4xWYmHrM/VcH8CNtXUEvgBA==",
-      "signed_at": "2026-05-25T05:34:57.131Z"
+      "signed_at": "2026-05-25T06:03:13.413Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
-      "signed_at": "2026-05-25T05:34:57.131Z"
+      "signed_at": "2026-05-25T06:03:13.413Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "Rgho5TOFUL1txOzcVR0kASCNdovSU4yt99JlGilJlJRyg0A+BdeeQYrZrhPF6Vx2reUAVG0BeHfcZtSbi+cwCg==",
-      "signed_at": "2026-05-25T05:34:57.132Z"
+      "signed_at": "2026-05-25T06:03:13.414Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-25T05:34:57.132Z",
+      "signed_at": "2026-05-25T06:03:13.414Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-25T05:34:57.132Z",
+      "signed_at": "2026-05-25T06:03:13.415Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "RXJszj67x01F/EPX8CjtxAQnic8lH2mJoK7D6WYKQfIiMigntsflT6PtgDztRg0U15K9XKLBwUe+9D7yJH+hCw=="
+    "signature_base64": "wWIaLwQ5PeDoalhc+ThKpGtKGw5Md1qMXY5cHxKgT1jsnaVXD2QlQr05UQ9v6NmmH9tGS+7mCeKQ8gJFk7sfAQ=="
   }
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.68",
-  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (314 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
+  "version": "0.13.69",
+  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (315 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",
     "ai-skills",

package/sbom.cdx.json

@@ -1,23 +1,23 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:cc609ed1-d847-4f1e-adfc-ccff396a0bdc",
+  "serialNumber": "urn:uuid:87b3725b-fc26-4ebb-822c-c8e96ac61315",
   "version": 1,
   "metadata": {
-    "timestamp": "2134-08-29T03:49:37.000Z",
+    "timestamp": "2098-02-22T12:19:39.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.68"
+        "version": "0.13.69"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.68",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.69",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.68",
-      "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (314 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
+      "version": "0.13.69",
+      "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (315 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
           "license": {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.68",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.69",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2f9dcbe8accb41b72dbe9ae4c7a44aec8992ed4ba3cd24e35a88f5449bd00411"
+          "content": "58ed07f65b253e6044cc3abe2a9467f222d05c5bf13be8f13171172a7da00b5f"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.68"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.69"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "7ba5c63d8a5a6aee091df89c8f2a996eae811914735344707f9196f49b79ea99"
+          "content": "bbd7c1caf0e0d86105ff04a47fb1c93f20ae0ce90f281560f63dd382e9ca4d0e"
         },
         {
           "alg": "SHA3-512",
-          "content": "12f5c9211a9f468ffe689b220d48d380f736512b1cb8dfac846d2316453b657a57c34f151d59156144d99e4cb73777724b79711881d90c8e5a8df6d35d70680d"
+          "content": "27ebe3d5b8e3631e17ceb598408770f4ea8e7b65bc037bca96bf5a08c3b696c835d6939c76ec30aa5c2c2edbd2d11c3e814fce566d38eb48a6dd58df310c834e"
         }
       ]
     },
@@ -311,11 +311,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "69afb5bc47a2e15353d62cabc64c41bc0bc3516c4856c889b9c2cdc5c5110e54"
+          "content": "b47836e9a4707ce79c35cbe58a5bdb8d0d7b8e6d94e489c17c93c465844f02ee"
         },
         {
           "alg": "SHA3-512",
-          "content": "126b94bd684022e5cee05c8327d6ab95e00343802b28ea3796cef65adf3997872e469b73e26b87efa5ebc4bf07bc55a74e00b749209ab5837668eaa570084535"
+          "content": "5798bde1d7136e94292fd4a720c4d693f140fb6d1af28b56f212e4d47ab9d517402b28ec01f56c73f8fb1745516dfbf940130fc7b6a6b6cedcc212d0e6df09b8"
         }
       ]
     },
@@ -326,11 +326,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "31eec14b758ef04a5d2fd63be8bd08e79a5f195570afc60885feb8f145e54dcc"
+          "content": "2bb2cda179aac7e1d8e16beeefef545eaabbb828ab1ee8fca80d285f248b15cf"
         },
         {
           "alg": "SHA3-512",
-          "content": "833b204d1fdf5d6a190c65535ed4d615cc3fa605f91c8db0783f0bfe56d2d9ae40f46cdc1cb8a01612d959c2d9edacba7a69d162d6bba433d3d0f08feb6a7b8c"
+          "content": "71b3fb27e780ce3e0cd18ed2feb09d9c668b5ae17d9179d7a9a577d435ed8bf8d32bae6550a301f98d764301e9348a178d8113fb53d377177afce8634a1c9204"
         }
       ]
     },
@@ -341,11 +341,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "ca52b055bb9a5062ee92f19fb15315379b71bbc50d484cfe274a5197f6c4d5c3"
+          "content": "641910cd99496ed3743b4b74ecf152bd67c2cc982c4dc90b22fe204973f33cfa"
         },
         {
           "alg": "SHA3-512",
-          "content": "00c1b447636105e800829525e5d6f1dfa6f7758f6534ef365ac456542870db78960a24d8eb97f0aea7e3f37564c89fc027ae3d438a32653d66343e122b259593"
+          "content": "9756e4e6c2ceb75eb8d8a719cabdcce96697a750396bac82eaf71442d6142a25a113811d95ad527859d1bda746bbd91292c557925d84e348d290faf0914f2bba"
         }
       ]
     },
@@ -401,11 +401,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "935c17ffd9b6e08f0a89f711946565fc2bb36d3cc3609d0eea5482c09a0b85c8"
+          "content": "5f71b6dc8f07264de30b5fc58229e4796bae90ce696f491c661499d53d4ac5b9"
         },
         {
           "alg": "SHA3-512",
-          "content": "b4ec15547f2fc69bb90ec0976aaae9beb060afbe6c5222a741cc161229d89fb307576aadbe72ea8f7481b16d9b8a26b48a6aa8dc0f4858e7a930898d32f2b4d7"
+          "content": "d1c21169137f46d46847c72018eda66729c197af6a9f45cd89b95b8fff0d5c801436c4b10bdb6a1b3c2e45125627bc1320153946c298ab4b1ee4ffb31234d7d1"
         }
       ]
     },
@@ -791,11 +791,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a970a232aa612d01b93d7cfc7684e8692939265efa09eb3a2ffeca475eb02c08"
+          "content": "ef83f6d0844eaa5b6fd7a2b12cc24d64dfdea8d269537d766cc0e1870162a9f9"
         },
         {
           "alg": "SHA3-512",
-          "content": "b552ce976607e3fe2420b67e36342454735a985c51697706b120e6282eecf8458124e344985467968b2db7d0e58ae9bddee8bb9859d254047791dc2ca1dd4e5b"
+          "content": "9a752a28485b1cccd735b319a2d2687dd9af7ab0e1059156a4bb4064cfcaf90b4ba9c9fdd7eeb3536468b3a4b0079c487dbc6d8857703c01a899c07189b378c1"
         }
       ]
     },
@@ -1661,11 +1661,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "b2768a6fed1f9af27587332675592dd96abf0fe4f7692023324157dec05b1335"
+          "content": "57d3b2ca1e729f2486752235575cbb98c8255f532a5dce65cdcfdb69b4447d59"
         },
         {
           "alg": "SHA3-512",
-          "content": "18f38faef0650894461997a42852c1c2eedea023f9913e14dc575fffa8c42b99924d9f9656d9911f4c6ae769ecf081b5afb28237a45a826d729ac205024f19a2"
+          "content": "5c189c922ed25da2b6d0236f819a642a7403661440fb1815e04ed4cfcea6ae5ef3809c2226bafa668deca4c8391d300b244372536d183a96d645686978576352"
         }
       ]
     },