@blamejs/exceptd-skills 0.13.70 → 0.13.72
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +8 -0
- package/data/_indexes/_meta.json +9 -9
- package/data/_indexes/activity-feed.json +2 -2
- package/data/_indexes/catalog-summaries.json +2 -2
- package/data/_indexes/chains.json +1010 -0
- package/data/atlas-ttps.json +1 -0
- package/data/attack-techniques.json +10 -1
- package/data/cve-catalog.json +523 -1
- package/data/cwe-catalog.json +7 -0
- package/data/framework-control-gaps.json +24 -1
- package/data/zeroday-lessons.json +50 -0
- package/manifest.json +44 -44
- package/package.json +2 -2
- package/sbom.cdx.json +25 -25
|
@@ -16249,6 +16249,368 @@
|
|
|
16249
16249
|
]
|
|
16250
16250
|
}
|
|
16251
16251
|
},
|
|
16252
|
+
"CVE-2026-25592": {
|
|
16253
|
+
"name": "Microsoft Semantic Kernel SessionsPythonPlugin Path Traversal — Prompt-Injection to Host RCE",
|
|
16254
|
+
"rwep": 30,
|
|
16255
|
+
"cvss": 9.9,
|
|
16256
|
+
"cisa_kev": false,
|
|
16257
|
+
"epss_score": null,
|
|
16258
|
+
"referencing_skills": [
|
|
16259
|
+
"kernel-lpe-triage",
|
|
16260
|
+
"ai-attack-surface",
|
|
16261
|
+
"compliance-theater",
|
|
16262
|
+
"attack-surface-pentest",
|
|
16263
|
+
"ot-ics-security",
|
|
16264
|
+
"coordinated-vuln-disclosure",
|
|
16265
|
+
"sector-energy"
|
|
16266
|
+
],
|
|
16267
|
+
"chain": {
|
|
16268
|
+
"cwes": [
|
|
16269
|
+
{
|
|
16270
|
+
"id": "CWE-1037",
|
|
16271
|
+
"name": "Processor Optimization Removal or Modification of Security-critical Code",
|
|
16272
|
+
"category": "Hardware / Side Channel"
|
|
16273
|
+
},
|
|
16274
|
+
{
|
|
16275
|
+
"id": "CWE-1039",
|
|
16276
|
+
"name": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
|
|
16277
|
+
"category": "AI/ML"
|
|
16278
|
+
},
|
|
16279
|
+
{
|
|
16280
|
+
"id": "CWE-125",
|
|
16281
|
+
"name": "Out-of-bounds Read",
|
|
16282
|
+
"category": "Memory Safety"
|
|
16283
|
+
},
|
|
16284
|
+
{
|
|
16285
|
+
"id": "CWE-1357",
|
|
16286
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
16287
|
+
"category": "Supply Chain"
|
|
16288
|
+
},
|
|
16289
|
+
{
|
|
16290
|
+
"id": "CWE-1395",
|
|
16291
|
+
"name": "Dependency on Vulnerable Third-Party Component",
|
|
16292
|
+
"category": "Supply Chain"
|
|
16293
|
+
},
|
|
16294
|
+
{
|
|
16295
|
+
"id": "CWE-1426",
|
|
16296
|
+
"name": "Improper Validation of Generative AI Output",
|
|
16297
|
+
"category": "AI/ML"
|
|
16298
|
+
},
|
|
16299
|
+
{
|
|
16300
|
+
"id": "CWE-22",
|
|
16301
|
+
"name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
|
|
16302
|
+
"category": "Path/Resource"
|
|
16303
|
+
},
|
|
16304
|
+
{
|
|
16305
|
+
"id": "CWE-269",
|
|
16306
|
+
"name": "Improper Privilege Management",
|
|
16307
|
+
"category": "Authorization"
|
|
16308
|
+
},
|
|
16309
|
+
{
|
|
16310
|
+
"id": "CWE-287",
|
|
16311
|
+
"name": "Improper Authentication",
|
|
16312
|
+
"category": "Authentication"
|
|
16313
|
+
},
|
|
16314
|
+
{
|
|
16315
|
+
"id": "CWE-306",
|
|
16316
|
+
"name": "Missing Authentication for Critical Function",
|
|
16317
|
+
"category": "Authentication"
|
|
16318
|
+
},
|
|
16319
|
+
{
|
|
16320
|
+
"id": "CWE-352",
|
|
16321
|
+
"name": "Cross-Site Request Forgery (CSRF)",
|
|
16322
|
+
"category": "Session"
|
|
16323
|
+
},
|
|
16324
|
+
{
|
|
16325
|
+
"id": "CWE-362",
|
|
16326
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
16327
|
+
"category": "Concurrency"
|
|
16328
|
+
},
|
|
16329
|
+
{
|
|
16330
|
+
"id": "CWE-416",
|
|
16331
|
+
"name": "Use After Free",
|
|
16332
|
+
"category": "Memory Safety"
|
|
16333
|
+
},
|
|
16334
|
+
{
|
|
16335
|
+
"id": "CWE-434",
|
|
16336
|
+
"name": "Unrestricted Upload of File with Dangerous Type",
|
|
16337
|
+
"category": "File Handling"
|
|
16338
|
+
},
|
|
16339
|
+
{
|
|
16340
|
+
"id": "CWE-672",
|
|
16341
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
16342
|
+
"category": "Memory Safety"
|
|
16343
|
+
},
|
|
16344
|
+
{
|
|
16345
|
+
"id": "CWE-732",
|
|
16346
|
+
"name": "Incorrect Permission Assignment for Critical Resource",
|
|
16347
|
+
"category": "Authorization"
|
|
16348
|
+
},
|
|
16349
|
+
{
|
|
16350
|
+
"id": "CWE-78",
|
|
16351
|
+
"name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
|
|
16352
|
+
"category": "Injection"
|
|
16353
|
+
},
|
|
16354
|
+
{
|
|
16355
|
+
"id": "CWE-787",
|
|
16356
|
+
"name": "Out-of-bounds Write",
|
|
16357
|
+
"category": "Memory Safety"
|
|
16358
|
+
},
|
|
16359
|
+
{
|
|
16360
|
+
"id": "CWE-79",
|
|
16361
|
+
"name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
|
|
16362
|
+
"category": "Injection"
|
|
16363
|
+
},
|
|
16364
|
+
{
|
|
16365
|
+
"id": "CWE-798",
|
|
16366
|
+
"name": "Use of Hard-coded Credentials",
|
|
16367
|
+
"category": "Credentials"
|
|
16368
|
+
},
|
|
16369
|
+
{
|
|
16370
|
+
"id": "CWE-89",
|
|
16371
|
+
"name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
|
|
16372
|
+
"category": "Injection"
|
|
16373
|
+
},
|
|
16374
|
+
{
|
|
16375
|
+
"id": "CWE-918",
|
|
16376
|
+
"name": "Server-Side Request Forgery (SSRF)",
|
|
16377
|
+
"category": "Network"
|
|
16378
|
+
},
|
|
16379
|
+
{
|
|
16380
|
+
"id": "CWE-94",
|
|
16381
|
+
"name": "Improper Control of Generation of Code (Code Injection)",
|
|
16382
|
+
"category": "Injection"
|
|
16383
|
+
}
|
|
16384
|
+
],
|
|
16385
|
+
"atlas": [
|
|
16386
|
+
{
|
|
16387
|
+
"id": "AML.T0010",
|
|
16388
|
+
"name": "ML Supply Chain Compromise",
|
|
16389
|
+
"tactic": "Initial Access"
|
|
16390
|
+
},
|
|
16391
|
+
{
|
|
16392
|
+
"id": "AML.T0016",
|
|
16393
|
+
"name": "Obtain Capabilities: Develop Capabilities",
|
|
16394
|
+
"tactic": "Resource Development"
|
|
16395
|
+
},
|
|
16396
|
+
{
|
|
16397
|
+
"id": "AML.T0017",
|
|
16398
|
+
"name": "Discover ML Model Ontology",
|
|
16399
|
+
"tactic": "Discovery"
|
|
16400
|
+
},
|
|
16401
|
+
{
|
|
16402
|
+
"id": "AML.T0018",
|
|
16403
|
+
"name": "Backdoor ML Model",
|
|
16404
|
+
"tactic": "Persistence"
|
|
16405
|
+
},
|
|
16406
|
+
{
|
|
16407
|
+
"id": "AML.T0020",
|
|
16408
|
+
"name": "Poison Training Data",
|
|
16409
|
+
"tactic": "ML Attack Staging"
|
|
16410
|
+
},
|
|
16411
|
+
{
|
|
16412
|
+
"id": "AML.T0043",
|
|
16413
|
+
"name": "Craft Adversarial Data",
|
|
16414
|
+
"tactic": "ML Attack Staging"
|
|
16415
|
+
},
|
|
16416
|
+
{
|
|
16417
|
+
"id": "AML.T0051",
|
|
16418
|
+
"name": "LLM Prompt Injection",
|
|
16419
|
+
"tactic": "Execution"
|
|
16420
|
+
},
|
|
16421
|
+
{
|
|
16422
|
+
"id": "AML.T0054",
|
|
16423
|
+
"name": "LLM Jailbreak",
|
|
16424
|
+
"tactic": "Defense Evasion"
|
|
16425
|
+
},
|
|
16426
|
+
{
|
|
16427
|
+
"id": "AML.T0096",
|
|
16428
|
+
"name": "AI API as Covert C2 Channel",
|
|
16429
|
+
"tactic": "Command and Control"
|
|
16430
|
+
}
|
|
16431
|
+
],
|
|
16432
|
+
"d3fend": [
|
|
16433
|
+
{
|
|
16434
|
+
"id": "D3-ASLR",
|
|
16435
|
+
"name": "Address Space Layout Randomization",
|
|
16436
|
+
"tactic": "Harden"
|
|
16437
|
+
},
|
|
16438
|
+
{
|
|
16439
|
+
"id": "D3-CSPP",
|
|
16440
|
+
"name": "Client-server Payload Profiling",
|
|
16441
|
+
"tactic": "Detect"
|
|
16442
|
+
},
|
|
16443
|
+
{
|
|
16444
|
+
"id": "D3-EAL",
|
|
16445
|
+
"name": "Executable Allowlisting",
|
|
16446
|
+
"tactic": "Harden"
|
|
16447
|
+
},
|
|
16448
|
+
{
|
|
16449
|
+
"id": "D3-IOPR",
|
|
16450
|
+
"name": "Input/Output Profiling Resource",
|
|
16451
|
+
"tactic": "Detect"
|
|
16452
|
+
},
|
|
16453
|
+
{
|
|
16454
|
+
"id": "D3-NTA",
|
|
16455
|
+
"name": "Network Traffic Analysis",
|
|
16456
|
+
"tactic": "Detect"
|
|
16457
|
+
},
|
|
16458
|
+
{
|
|
16459
|
+
"id": "D3-PHRA",
|
|
16460
|
+
"name": "Process Hardware Resource Access",
|
|
16461
|
+
"tactic": "Isolate"
|
|
16462
|
+
},
|
|
16463
|
+
{
|
|
16464
|
+
"id": "D3-PSEP",
|
|
16465
|
+
"name": "Process Segment Execution Prevention",
|
|
16466
|
+
"tactic": "Harden"
|
|
16467
|
+
}
|
|
16468
|
+
],
|
|
16469
|
+
"framework_gaps": [
|
|
16470
|
+
{
|
|
16471
|
+
"id": "ALL-AI-PIPELINE-INTEGRITY",
|
|
16472
|
+
"framework": "ALL",
|
|
16473
|
+
"control_name": "AI Pipeline Integrity"
|
|
16474
|
+
},
|
|
16475
|
+
{
|
|
16476
|
+
"id": "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
|
|
16477
|
+
"framework": "ALL",
|
|
16478
|
+
"control_name": "Prompt Injection as Access Control Failure"
|
|
16479
|
+
},
|
|
16480
|
+
{
|
|
16481
|
+
"id": "CIS-Controls-v8-Control7",
|
|
16482
|
+
"framework": "CIS Controls v8",
|
|
16483
|
+
"control_name": "Continuous Vulnerability Management"
|
|
16484
|
+
},
|
|
16485
|
+
{
|
|
16486
|
+
"id": "CMMC-2.0-Level-2",
|
|
16487
|
+
"framework": "CMMC 2.0 (Cybersecurity Maturity Model Certification) Level 2",
|
|
16488
|
+
"control_name": "Level 2 — Advanced (110 NIST 800-171 Rev 2 controls)"
|
|
16489
|
+
},
|
|
16490
|
+
{
|
|
16491
|
+
"id": "FedRAMP-Rev5-Moderate",
|
|
16492
|
+
"framework": "FedRAMP Rev 5 Moderate",
|
|
16493
|
+
"control_name": "FedRAMP Moderate baseline (NIST 800-53 Rev 5 tailoring)"
|
|
16494
|
+
},
|
|
16495
|
+
{
|
|
16496
|
+
"id": "IEC-62443-3-3",
|
|
16497
|
+
"framework": "IEC 62443-3-3 (Industrial communication networks — security for IACS)",
|
|
16498
|
+
"control_name": "System security requirements and security levels"
|
|
16499
|
+
},
|
|
16500
|
+
{
|
|
16501
|
+
"id": "ISO-27001-2022-A.8.28",
|
|
16502
|
+
"framework": "ISO/IEC 27001:2022",
|
|
16503
|
+
"control_name": "Secure coding"
|
|
16504
|
+
},
|
|
16505
|
+
{
|
|
16506
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
16507
|
+
"framework": "ISO/IEC 27001:2022",
|
|
16508
|
+
"control_name": "Management of technical vulnerabilities"
|
|
16509
|
+
},
|
|
16510
|
+
{
|
|
16511
|
+
"id": "ISO-IEC-23894-2023-clause-7",
|
|
16512
|
+
"framework": "ISO/IEC 23894:2023 (AI Risk Management Guidance)",
|
|
16513
|
+
"control_name": "AI risk management process"
|
|
16514
|
+
},
|
|
16515
|
+
{
|
|
16516
|
+
"id": "NERC-CIP-007-6-R4",
|
|
16517
|
+
"framework": "NERC CIP-007-6 (BES Cyber System Security Management)",
|
|
16518
|
+
"control_name": "Security event monitoring"
|
|
16519
|
+
},
|
|
16520
|
+
{
|
|
16521
|
+
"id": "NIS2-Art21-patch-management",
|
|
16522
|
+
"framework": "EU NIS2 Directive",
|
|
16523
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
16524
|
+
},
|
|
16525
|
+
{
|
|
16526
|
+
"id": "NIST-800-115",
|
|
16527
|
+
"framework": "NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)",
|
|
16528
|
+
"control_name": "Technical Guide to Information Security Testing and Assessment"
|
|
16529
|
+
},
|
|
16530
|
+
{
|
|
16531
|
+
"id": "NIST-800-218-SSDF",
|
|
16532
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
16533
|
+
"control_name": "Secure Software Development Framework"
|
|
16534
|
+
},
|
|
16535
|
+
{
|
|
16536
|
+
"id": "NIST-800-53-AC-2",
|
|
16537
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
16538
|
+
"control_name": "Account Management"
|
|
16539
|
+
},
|
|
16540
|
+
{
|
|
16541
|
+
"id": "NIST-800-53-SC-8",
|
|
16542
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
16543
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
16544
|
+
},
|
|
16545
|
+
{
|
|
16546
|
+
"id": "NIST-800-53-SI-2",
|
|
16547
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
16548
|
+
"control_name": "Flaw Remediation"
|
|
16549
|
+
},
|
|
16550
|
+
{
|
|
16551
|
+
"id": "NIST-800-53-SI-3",
|
|
16552
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
16553
|
+
"control_name": "Malicious Code Protection"
|
|
16554
|
+
},
|
|
16555
|
+
{
|
|
16556
|
+
"id": "NIST-800-82r3",
|
|
16557
|
+
"framework": "NIST SP 800-82 Rev 3 (Guide to OT Security)",
|
|
16558
|
+
"control_name": "Guide to Operational Technology (OT) Security"
|
|
16559
|
+
},
|
|
16560
|
+
{
|
|
16561
|
+
"id": "OWASP-LLM-Top-10-2025-LLM01",
|
|
16562
|
+
"framework": "OWASP Top 10 for LLM Applications 2025",
|
|
16563
|
+
"control_name": "Prompt Injection"
|
|
16564
|
+
},
|
|
16565
|
+
{
|
|
16566
|
+
"id": "OWASP-LLM-Top-10-2025-LLM02",
|
|
16567
|
+
"framework": "OWASP Top 10 for LLM Applications 2025",
|
|
16568
|
+
"control_name": "Sensitive Information Disclosure"
|
|
16569
|
+
},
|
|
16570
|
+
{
|
|
16571
|
+
"id": "OWASP-Pen-Testing-Guide-v5",
|
|
16572
|
+
"framework": "OWASP Web Security Testing Guide v5 (WSTG)",
|
|
16573
|
+
"control_name": "Web application penetration testing methodology"
|
|
16574
|
+
},
|
|
16575
|
+
{
|
|
16576
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
16577
|
+
"framework": "PCI DSS 4.0",
|
|
16578
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
16579
|
+
},
|
|
16580
|
+
{
|
|
16581
|
+
"id": "PTES-Pre-engagement",
|
|
16582
|
+
"framework": "Penetration Testing Execution Standard (PTES)",
|
|
16583
|
+
"control_name": "Pre-engagement Interactions"
|
|
16584
|
+
},
|
|
16585
|
+
{
|
|
16586
|
+
"id": "SOC2-CC6-logical-access",
|
|
16587
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
16588
|
+
"control_name": "Logical and Physical Access Controls"
|
|
16589
|
+
},
|
|
16590
|
+
{
|
|
16591
|
+
"id": "SOC2-CC9-vendor-management",
|
|
16592
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
16593
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
16594
|
+
}
|
|
16595
|
+
],
|
|
16596
|
+
"attack_refs": [
|
|
16597
|
+
"T0855",
|
|
16598
|
+
"T0883",
|
|
16599
|
+
"T1059",
|
|
16600
|
+
"T1068",
|
|
16601
|
+
"T1078",
|
|
16602
|
+
"T1133",
|
|
16603
|
+
"T1190",
|
|
16604
|
+
"T1548.001",
|
|
16605
|
+
"T1566"
|
|
16606
|
+
],
|
|
16607
|
+
"rfc_refs": [
|
|
16608
|
+
"RFC-4301",
|
|
16609
|
+
"RFC-4303",
|
|
16610
|
+
"RFC-7296"
|
|
16611
|
+
]
|
|
16612
|
+
}
|
|
16613
|
+
},
|
|
16252
16614
|
"CVE-2026-41091": {
|
|
16253
16615
|
"name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
|
|
16254
16616
|
"rwep": 45,
|
|
@@ -17011,6 +17373,601 @@
|
|
|
17011
17373
|
]
|
|
17012
17374
|
}
|
|
17013
17375
|
},
|
|
17376
|
+
"CVE-2008-4250": {
|
|
17377
|
+
"name": "Microsoft Windows Server Service RPC Buffer Overflow (MS08-067)",
|
|
17378
|
+
"rwep": 70,
|
|
17379
|
+
"cvss": 9.3,
|
|
17380
|
+
"cisa_kev": true,
|
|
17381
|
+
"epss_score": null,
|
|
17382
|
+
"referencing_skills": [
|
|
17383
|
+
"kernel-lpe-triage",
|
|
17384
|
+
"coordinated-vuln-disclosure"
|
|
17385
|
+
],
|
|
17386
|
+
"chain": {
|
|
17387
|
+
"cwes": [
|
|
17388
|
+
{
|
|
17389
|
+
"id": "CWE-125",
|
|
17390
|
+
"name": "Out-of-bounds Read",
|
|
17391
|
+
"category": "Memory Safety"
|
|
17392
|
+
},
|
|
17393
|
+
{
|
|
17394
|
+
"id": "CWE-1357",
|
|
17395
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
17396
|
+
"category": "Supply Chain"
|
|
17397
|
+
},
|
|
17398
|
+
{
|
|
17399
|
+
"id": "CWE-362",
|
|
17400
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
17401
|
+
"category": "Concurrency"
|
|
17402
|
+
},
|
|
17403
|
+
{
|
|
17404
|
+
"id": "CWE-416",
|
|
17405
|
+
"name": "Use After Free",
|
|
17406
|
+
"category": "Memory Safety"
|
|
17407
|
+
},
|
|
17408
|
+
{
|
|
17409
|
+
"id": "CWE-672",
|
|
17410
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
17411
|
+
"category": "Memory Safety"
|
|
17412
|
+
},
|
|
17413
|
+
{
|
|
17414
|
+
"id": "CWE-787",
|
|
17415
|
+
"name": "Out-of-bounds Write",
|
|
17416
|
+
"category": "Memory Safety"
|
|
17417
|
+
}
|
|
17418
|
+
],
|
|
17419
|
+
"atlas": [],
|
|
17420
|
+
"d3fend": [
|
|
17421
|
+
{
|
|
17422
|
+
"id": "D3-ASLR",
|
|
17423
|
+
"name": "Address Space Layout Randomization",
|
|
17424
|
+
"tactic": "Harden"
|
|
17425
|
+
},
|
|
17426
|
+
{
|
|
17427
|
+
"id": "D3-EAL",
|
|
17428
|
+
"name": "Executable Allowlisting",
|
|
17429
|
+
"tactic": "Harden"
|
|
17430
|
+
},
|
|
17431
|
+
{
|
|
17432
|
+
"id": "D3-PHRA",
|
|
17433
|
+
"name": "Process Hardware Resource Access",
|
|
17434
|
+
"tactic": "Isolate"
|
|
17435
|
+
},
|
|
17436
|
+
{
|
|
17437
|
+
"id": "D3-PSEP",
|
|
17438
|
+
"name": "Process Segment Execution Prevention",
|
|
17439
|
+
"tactic": "Harden"
|
|
17440
|
+
}
|
|
17441
|
+
],
|
|
17442
|
+
"framework_gaps": [
|
|
17443
|
+
{
|
|
17444
|
+
"id": "CIS-Controls-v8-Control7",
|
|
17445
|
+
"framework": "CIS Controls v8",
|
|
17446
|
+
"control_name": "Continuous Vulnerability Management"
|
|
17447
|
+
},
|
|
17448
|
+
{
|
|
17449
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
17450
|
+
"framework": "ISO/IEC 27001:2022",
|
|
17451
|
+
"control_name": "Management of technical vulnerabilities"
|
|
17452
|
+
},
|
|
17453
|
+
{
|
|
17454
|
+
"id": "NIS2-Art21-patch-management",
|
|
17455
|
+
"framework": "EU NIS2 Directive",
|
|
17456
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
17457
|
+
},
|
|
17458
|
+
{
|
|
17459
|
+
"id": "NIST-800-218-SSDF",
|
|
17460
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
17461
|
+
"control_name": "Secure Software Development Framework"
|
|
17462
|
+
},
|
|
17463
|
+
{
|
|
17464
|
+
"id": "NIST-800-53-SC-8",
|
|
17465
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17466
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
17467
|
+
},
|
|
17468
|
+
{
|
|
17469
|
+
"id": "NIST-800-53-SI-2",
|
|
17470
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17471
|
+
"control_name": "Flaw Remediation"
|
|
17472
|
+
},
|
|
17473
|
+
{
|
|
17474
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
17475
|
+
"framework": "PCI DSS 4.0",
|
|
17476
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
17477
|
+
},
|
|
17478
|
+
{
|
|
17479
|
+
"id": "SOC2-CC9-vendor-management",
|
|
17480
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
17481
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
17482
|
+
}
|
|
17483
|
+
],
|
|
17484
|
+
"attack_refs": [
|
|
17485
|
+
"T1068",
|
|
17486
|
+
"T1548.001"
|
|
17487
|
+
],
|
|
17488
|
+
"rfc_refs": [
|
|
17489
|
+
"RFC-4301",
|
|
17490
|
+
"RFC-4303",
|
|
17491
|
+
"RFC-7296"
|
|
17492
|
+
]
|
|
17493
|
+
}
|
|
17494
|
+
},
|
|
17495
|
+
"CVE-2009-1537": {
|
|
17496
|
+
"name": "Microsoft DirectShow QuickTime Parsing Memory Corruption",
|
|
17497
|
+
"rwep": 70,
|
|
17498
|
+
"cvss": 8.8,
|
|
17499
|
+
"cisa_kev": true,
|
|
17500
|
+
"epss_score": null,
|
|
17501
|
+
"referencing_skills": [
|
|
17502
|
+
"kernel-lpe-triage",
|
|
17503
|
+
"coordinated-vuln-disclosure"
|
|
17504
|
+
],
|
|
17505
|
+
"chain": {
|
|
17506
|
+
"cwes": [
|
|
17507
|
+
{
|
|
17508
|
+
"id": "CWE-125",
|
|
17509
|
+
"name": "Out-of-bounds Read",
|
|
17510
|
+
"category": "Memory Safety"
|
|
17511
|
+
},
|
|
17512
|
+
{
|
|
17513
|
+
"id": "CWE-1357",
|
|
17514
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
17515
|
+
"category": "Supply Chain"
|
|
17516
|
+
},
|
|
17517
|
+
{
|
|
17518
|
+
"id": "CWE-362",
|
|
17519
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
17520
|
+
"category": "Concurrency"
|
|
17521
|
+
},
|
|
17522
|
+
{
|
|
17523
|
+
"id": "CWE-416",
|
|
17524
|
+
"name": "Use After Free",
|
|
17525
|
+
"category": "Memory Safety"
|
|
17526
|
+
},
|
|
17527
|
+
{
|
|
17528
|
+
"id": "CWE-672",
|
|
17529
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
17530
|
+
"category": "Memory Safety"
|
|
17531
|
+
},
|
|
17532
|
+
{
|
|
17533
|
+
"id": "CWE-787",
|
|
17534
|
+
"name": "Out-of-bounds Write",
|
|
17535
|
+
"category": "Memory Safety"
|
|
17536
|
+
}
|
|
17537
|
+
],
|
|
17538
|
+
"atlas": [],
|
|
17539
|
+
"d3fend": [
|
|
17540
|
+
{
|
|
17541
|
+
"id": "D3-ASLR",
|
|
17542
|
+
"name": "Address Space Layout Randomization",
|
|
17543
|
+
"tactic": "Harden"
|
|
17544
|
+
},
|
|
17545
|
+
{
|
|
17546
|
+
"id": "D3-EAL",
|
|
17547
|
+
"name": "Executable Allowlisting",
|
|
17548
|
+
"tactic": "Harden"
|
|
17549
|
+
},
|
|
17550
|
+
{
|
|
17551
|
+
"id": "D3-PHRA",
|
|
17552
|
+
"name": "Process Hardware Resource Access",
|
|
17553
|
+
"tactic": "Isolate"
|
|
17554
|
+
},
|
|
17555
|
+
{
|
|
17556
|
+
"id": "D3-PSEP",
|
|
17557
|
+
"name": "Process Segment Execution Prevention",
|
|
17558
|
+
"tactic": "Harden"
|
|
17559
|
+
}
|
|
17560
|
+
],
|
|
17561
|
+
"framework_gaps": [
|
|
17562
|
+
{
|
|
17563
|
+
"id": "CIS-Controls-v8-Control7",
|
|
17564
|
+
"framework": "CIS Controls v8",
|
|
17565
|
+
"control_name": "Continuous Vulnerability Management"
|
|
17566
|
+
},
|
|
17567
|
+
{
|
|
17568
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
17569
|
+
"framework": "ISO/IEC 27001:2022",
|
|
17570
|
+
"control_name": "Management of technical vulnerabilities"
|
|
17571
|
+
},
|
|
17572
|
+
{
|
|
17573
|
+
"id": "NIS2-Art21-patch-management",
|
|
17574
|
+
"framework": "EU NIS2 Directive",
|
|
17575
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
17576
|
+
},
|
|
17577
|
+
{
|
|
17578
|
+
"id": "NIST-800-218-SSDF",
|
|
17579
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
17580
|
+
"control_name": "Secure Software Development Framework"
|
|
17581
|
+
},
|
|
17582
|
+
{
|
|
17583
|
+
"id": "NIST-800-53-SC-8",
|
|
17584
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17585
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
17586
|
+
},
|
|
17587
|
+
{
|
|
17588
|
+
"id": "NIST-800-53-SI-2",
|
|
17589
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17590
|
+
"control_name": "Flaw Remediation"
|
|
17591
|
+
},
|
|
17592
|
+
{
|
|
17593
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
17594
|
+
"framework": "PCI DSS 4.0",
|
|
17595
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
17596
|
+
},
|
|
17597
|
+
{
|
|
17598
|
+
"id": "SOC2-CC9-vendor-management",
|
|
17599
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
17600
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
17601
|
+
}
|
|
17602
|
+
],
|
|
17603
|
+
"attack_refs": [
|
|
17604
|
+
"T1068",
|
|
17605
|
+
"T1548.001"
|
|
17606
|
+
],
|
|
17607
|
+
"rfc_refs": [
|
|
17608
|
+
"RFC-4301",
|
|
17609
|
+
"RFC-4303",
|
|
17610
|
+
"RFC-7296"
|
|
17611
|
+
]
|
|
17612
|
+
}
|
|
17613
|
+
},
|
|
17614
|
+
"CVE-2009-3459": {
|
|
17615
|
+
"name": "Adobe Acrobat and Reader Heap-Based Buffer Overflow",
|
|
17616
|
+
"rwep": 70,
|
|
17617
|
+
"cvss": 8.8,
|
|
17618
|
+
"cisa_kev": true,
|
|
17619
|
+
"epss_score": null,
|
|
17620
|
+
"referencing_skills": [
|
|
17621
|
+
"kernel-lpe-triage",
|
|
17622
|
+
"coordinated-vuln-disclosure"
|
|
17623
|
+
],
|
|
17624
|
+
"chain": {
|
|
17625
|
+
"cwes": [
|
|
17626
|
+
{
|
|
17627
|
+
"id": "CWE-125",
|
|
17628
|
+
"name": "Out-of-bounds Read",
|
|
17629
|
+
"category": "Memory Safety"
|
|
17630
|
+
},
|
|
17631
|
+
{
|
|
17632
|
+
"id": "CWE-1357",
|
|
17633
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
17634
|
+
"category": "Supply Chain"
|
|
17635
|
+
},
|
|
17636
|
+
{
|
|
17637
|
+
"id": "CWE-362",
|
|
17638
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
17639
|
+
"category": "Concurrency"
|
|
17640
|
+
},
|
|
17641
|
+
{
|
|
17642
|
+
"id": "CWE-416",
|
|
17643
|
+
"name": "Use After Free",
|
|
17644
|
+
"category": "Memory Safety"
|
|
17645
|
+
},
|
|
17646
|
+
{
|
|
17647
|
+
"id": "CWE-672",
|
|
17648
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
17649
|
+
"category": "Memory Safety"
|
|
17650
|
+
},
|
|
17651
|
+
{
|
|
17652
|
+
"id": "CWE-787",
|
|
17653
|
+
"name": "Out-of-bounds Write",
|
|
17654
|
+
"category": "Memory Safety"
|
|
17655
|
+
}
|
|
17656
|
+
],
|
|
17657
|
+
"atlas": [],
|
|
17658
|
+
"d3fend": [
|
|
17659
|
+
{
|
|
17660
|
+
"id": "D3-ASLR",
|
|
17661
|
+
"name": "Address Space Layout Randomization",
|
|
17662
|
+
"tactic": "Harden"
|
|
17663
|
+
},
|
|
17664
|
+
{
|
|
17665
|
+
"id": "D3-EAL",
|
|
17666
|
+
"name": "Executable Allowlisting",
|
|
17667
|
+
"tactic": "Harden"
|
|
17668
|
+
},
|
|
17669
|
+
{
|
|
17670
|
+
"id": "D3-PHRA",
|
|
17671
|
+
"name": "Process Hardware Resource Access",
|
|
17672
|
+
"tactic": "Isolate"
|
|
17673
|
+
},
|
|
17674
|
+
{
|
|
17675
|
+
"id": "D3-PSEP",
|
|
17676
|
+
"name": "Process Segment Execution Prevention",
|
|
17677
|
+
"tactic": "Harden"
|
|
17678
|
+
}
|
|
17679
|
+
],
|
|
17680
|
+
"framework_gaps": [
|
|
17681
|
+
{
|
|
17682
|
+
"id": "CIS-Controls-v8-Control7",
|
|
17683
|
+
"framework": "CIS Controls v8",
|
|
17684
|
+
"control_name": "Continuous Vulnerability Management"
|
|
17685
|
+
},
|
|
17686
|
+
{
|
|
17687
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
17688
|
+
"framework": "ISO/IEC 27001:2022",
|
|
17689
|
+
"control_name": "Management of technical vulnerabilities"
|
|
17690
|
+
},
|
|
17691
|
+
{
|
|
17692
|
+
"id": "NIS2-Art21-patch-management",
|
|
17693
|
+
"framework": "EU NIS2 Directive",
|
|
17694
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
17695
|
+
},
|
|
17696
|
+
{
|
|
17697
|
+
"id": "NIST-800-218-SSDF",
|
|
17698
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
17699
|
+
"control_name": "Secure Software Development Framework"
|
|
17700
|
+
},
|
|
17701
|
+
{
|
|
17702
|
+
"id": "NIST-800-53-SC-8",
|
|
17703
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17704
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
17705
|
+
},
|
|
17706
|
+
{
|
|
17707
|
+
"id": "NIST-800-53-SI-2",
|
|
17708
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17709
|
+
"control_name": "Flaw Remediation"
|
|
17710
|
+
},
|
|
17711
|
+
{
|
|
17712
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
17713
|
+
"framework": "PCI DSS 4.0",
|
|
17714
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
17715
|
+
},
|
|
17716
|
+
{
|
|
17717
|
+
"id": "SOC2-CC9-vendor-management",
|
|
17718
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
17719
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
17720
|
+
}
|
|
17721
|
+
],
|
|
17722
|
+
"attack_refs": [
|
|
17723
|
+
"T1068",
|
|
17724
|
+
"T1548.001"
|
|
17725
|
+
],
|
|
17726
|
+
"rfc_refs": [
|
|
17727
|
+
"RFC-4301",
|
|
17728
|
+
"RFC-4303",
|
|
17729
|
+
"RFC-7296"
|
|
17730
|
+
]
|
|
17731
|
+
}
|
|
17732
|
+
},
|
|
17733
|
+
"CVE-2010-0249": {
|
|
17734
|
+
"name": "Microsoft Internet Explorer Use-After-Free (Operation Aurora)",
|
|
17735
|
+
"rwep": 70,
|
|
17736
|
+
"cvss": 8.8,
|
|
17737
|
+
"cisa_kev": true,
|
|
17738
|
+
"epss_score": null,
|
|
17739
|
+
"referencing_skills": [
|
|
17740
|
+
"kernel-lpe-triage",
|
|
17741
|
+
"coordinated-vuln-disclosure"
|
|
17742
|
+
],
|
|
17743
|
+
"chain": {
|
|
17744
|
+
"cwes": [
|
|
17745
|
+
{
|
|
17746
|
+
"id": "CWE-125",
|
|
17747
|
+
"name": "Out-of-bounds Read",
|
|
17748
|
+
"category": "Memory Safety"
|
|
17749
|
+
},
|
|
17750
|
+
{
|
|
17751
|
+
"id": "CWE-1357",
|
|
17752
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
17753
|
+
"category": "Supply Chain"
|
|
17754
|
+
},
|
|
17755
|
+
{
|
|
17756
|
+
"id": "CWE-362",
|
|
17757
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
17758
|
+
"category": "Concurrency"
|
|
17759
|
+
},
|
|
17760
|
+
{
|
|
17761
|
+
"id": "CWE-416",
|
|
17762
|
+
"name": "Use After Free",
|
|
17763
|
+
"category": "Memory Safety"
|
|
17764
|
+
},
|
|
17765
|
+
{
|
|
17766
|
+
"id": "CWE-672",
|
|
17767
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
17768
|
+
"category": "Memory Safety"
|
|
17769
|
+
},
|
|
17770
|
+
{
|
|
17771
|
+
"id": "CWE-787",
|
|
17772
|
+
"name": "Out-of-bounds Write",
|
|
17773
|
+
"category": "Memory Safety"
|
|
17774
|
+
}
|
|
17775
|
+
],
|
|
17776
|
+
"atlas": [],
|
|
17777
|
+
"d3fend": [
|
|
17778
|
+
{
|
|
17779
|
+
"id": "D3-ASLR",
|
|
17780
|
+
"name": "Address Space Layout Randomization",
|
|
17781
|
+
"tactic": "Harden"
|
|
17782
|
+
},
|
|
17783
|
+
{
|
|
17784
|
+
"id": "D3-EAL",
|
|
17785
|
+
"name": "Executable Allowlisting",
|
|
17786
|
+
"tactic": "Harden"
|
|
17787
|
+
},
|
|
17788
|
+
{
|
|
17789
|
+
"id": "D3-PHRA",
|
|
17790
|
+
"name": "Process Hardware Resource Access",
|
|
17791
|
+
"tactic": "Isolate"
|
|
17792
|
+
},
|
|
17793
|
+
{
|
|
17794
|
+
"id": "D3-PSEP",
|
|
17795
|
+
"name": "Process Segment Execution Prevention",
|
|
17796
|
+
"tactic": "Harden"
|
|
17797
|
+
}
|
|
17798
|
+
],
|
|
17799
|
+
"framework_gaps": [
|
|
17800
|
+
{
|
|
17801
|
+
"id": "CIS-Controls-v8-Control7",
|
|
17802
|
+
"framework": "CIS Controls v8",
|
|
17803
|
+
"control_name": "Continuous Vulnerability Management"
|
|
17804
|
+
},
|
|
17805
|
+
{
|
|
17806
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
17807
|
+
"framework": "ISO/IEC 27001:2022",
|
|
17808
|
+
"control_name": "Management of technical vulnerabilities"
|
|
17809
|
+
},
|
|
17810
|
+
{
|
|
17811
|
+
"id": "NIS2-Art21-patch-management",
|
|
17812
|
+
"framework": "EU NIS2 Directive",
|
|
17813
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
17814
|
+
},
|
|
17815
|
+
{
|
|
17816
|
+
"id": "NIST-800-218-SSDF",
|
|
17817
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
17818
|
+
"control_name": "Secure Software Development Framework"
|
|
17819
|
+
},
|
|
17820
|
+
{
|
|
17821
|
+
"id": "NIST-800-53-SC-8",
|
|
17822
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17823
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
17824
|
+
},
|
|
17825
|
+
{
|
|
17826
|
+
"id": "NIST-800-53-SI-2",
|
|
17827
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17828
|
+
"control_name": "Flaw Remediation"
|
|
17829
|
+
},
|
|
17830
|
+
{
|
|
17831
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
17832
|
+
"framework": "PCI DSS 4.0",
|
|
17833
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
17834
|
+
},
|
|
17835
|
+
{
|
|
17836
|
+
"id": "SOC2-CC9-vendor-management",
|
|
17837
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
17838
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
17839
|
+
}
|
|
17840
|
+
],
|
|
17841
|
+
"attack_refs": [
|
|
17842
|
+
"T1068",
|
|
17843
|
+
"T1548.001"
|
|
17844
|
+
],
|
|
17845
|
+
"rfc_refs": [
|
|
17846
|
+
"RFC-4301",
|
|
17847
|
+
"RFC-4303",
|
|
17848
|
+
"RFC-7296"
|
|
17849
|
+
]
|
|
17850
|
+
}
|
|
17851
|
+
},
|
|
17852
|
+
"CVE-2010-0806": {
|
|
17853
|
+
"name": "Microsoft Internet Explorer Use-After-Free (iepeers)",
|
|
17854
|
+
"rwep": 70,
|
|
17855
|
+
"cvss": 8.8,
|
|
17856
|
+
"cisa_kev": true,
|
|
17857
|
+
"epss_score": null,
|
|
17858
|
+
"referencing_skills": [
|
|
17859
|
+
"kernel-lpe-triage",
|
|
17860
|
+
"coordinated-vuln-disclosure"
|
|
17861
|
+
],
|
|
17862
|
+
"chain": {
|
|
17863
|
+
"cwes": [
|
|
17864
|
+
{
|
|
17865
|
+
"id": "CWE-125",
|
|
17866
|
+
"name": "Out-of-bounds Read",
|
|
17867
|
+
"category": "Memory Safety"
|
|
17868
|
+
},
|
|
17869
|
+
{
|
|
17870
|
+
"id": "CWE-1357",
|
|
17871
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
17872
|
+
"category": "Supply Chain"
|
|
17873
|
+
},
|
|
17874
|
+
{
|
|
17875
|
+
"id": "CWE-362",
|
|
17876
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
17877
|
+
"category": "Concurrency"
|
|
17878
|
+
},
|
|
17879
|
+
{
|
|
17880
|
+
"id": "CWE-416",
|
|
17881
|
+
"name": "Use After Free",
|
|
17882
|
+
"category": "Memory Safety"
|
|
17883
|
+
},
|
|
17884
|
+
{
|
|
17885
|
+
"id": "CWE-672",
|
|
17886
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
17887
|
+
"category": "Memory Safety"
|
|
17888
|
+
},
|
|
17889
|
+
{
|
|
17890
|
+
"id": "CWE-787",
|
|
17891
|
+
"name": "Out-of-bounds Write",
|
|
17892
|
+
"category": "Memory Safety"
|
|
17893
|
+
}
|
|
17894
|
+
],
|
|
17895
|
+
"atlas": [],
|
|
17896
|
+
"d3fend": [
|
|
17897
|
+
{
|
|
17898
|
+
"id": "D3-ASLR",
|
|
17899
|
+
"name": "Address Space Layout Randomization",
|
|
17900
|
+
"tactic": "Harden"
|
|
17901
|
+
},
|
|
17902
|
+
{
|
|
17903
|
+
"id": "D3-EAL",
|
|
17904
|
+
"name": "Executable Allowlisting",
|
|
17905
|
+
"tactic": "Harden"
|
|
17906
|
+
},
|
|
17907
|
+
{
|
|
17908
|
+
"id": "D3-PHRA",
|
|
17909
|
+
"name": "Process Hardware Resource Access",
|
|
17910
|
+
"tactic": "Isolate"
|
|
17911
|
+
},
|
|
17912
|
+
{
|
|
17913
|
+
"id": "D3-PSEP",
|
|
17914
|
+
"name": "Process Segment Execution Prevention",
|
|
17915
|
+
"tactic": "Harden"
|
|
17916
|
+
}
|
|
17917
|
+
],
|
|
17918
|
+
"framework_gaps": [
|
|
17919
|
+
{
|
|
17920
|
+
"id": "CIS-Controls-v8-Control7",
|
|
17921
|
+
"framework": "CIS Controls v8",
|
|
17922
|
+
"control_name": "Continuous Vulnerability Management"
|
|
17923
|
+
},
|
|
17924
|
+
{
|
|
17925
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
17926
|
+
"framework": "ISO/IEC 27001:2022",
|
|
17927
|
+
"control_name": "Management of technical vulnerabilities"
|
|
17928
|
+
},
|
|
17929
|
+
{
|
|
17930
|
+
"id": "NIS2-Art21-patch-management",
|
|
17931
|
+
"framework": "EU NIS2 Directive",
|
|
17932
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
17933
|
+
},
|
|
17934
|
+
{
|
|
17935
|
+
"id": "NIST-800-218-SSDF",
|
|
17936
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
17937
|
+
"control_name": "Secure Software Development Framework"
|
|
17938
|
+
},
|
|
17939
|
+
{
|
|
17940
|
+
"id": "NIST-800-53-SC-8",
|
|
17941
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17942
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
17943
|
+
},
|
|
17944
|
+
{
|
|
17945
|
+
"id": "NIST-800-53-SI-2",
|
|
17946
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17947
|
+
"control_name": "Flaw Remediation"
|
|
17948
|
+
},
|
|
17949
|
+
{
|
|
17950
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
17951
|
+
"framework": "PCI DSS 4.0",
|
|
17952
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
17953
|
+
},
|
|
17954
|
+
{
|
|
17955
|
+
"id": "SOC2-CC9-vendor-management",
|
|
17956
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
17957
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
17958
|
+
}
|
|
17959
|
+
],
|
|
17960
|
+
"attack_refs": [
|
|
17961
|
+
"T1068",
|
|
17962
|
+
"T1548.001"
|
|
17963
|
+
],
|
|
17964
|
+
"rfc_refs": [
|
|
17965
|
+
"RFC-4301",
|
|
17966
|
+
"RFC-4303",
|
|
17967
|
+
"RFC-7296"
|
|
17968
|
+
]
|
|
17969
|
+
}
|
|
17970
|
+
},
|
|
17014
17971
|
"CVE-2025-32432": {
|
|
17015
17972
|
"name": "Craft CMS Code Injection Vulnerability",
|
|
17016
17973
|
"rwep": 77,
|
|
@@ -42042,6 +42999,7 @@
|
|
|
42042
42999
|
"CVE-2025-49844",
|
|
42043
43000
|
"CVE-2025-53773",
|
|
42044
43001
|
"CVE-2025-6965",
|
|
43002
|
+
"CVE-2026-25592",
|
|
42045
43003
|
"CVE-2026-30615",
|
|
42046
43004
|
"CVE-2026-30623",
|
|
42047
43005
|
"CVE-2026-31431",
|
|
@@ -42386,6 +43344,7 @@
|
|
|
42386
43344
|
"CVE-2025-38352",
|
|
42387
43345
|
"CVE-2025-43300",
|
|
42388
43346
|
"CVE-2025-6965",
|
|
43347
|
+
"CVE-2026-25592",
|
|
42389
43348
|
"CVE-2026-30623",
|
|
42390
43349
|
"CVE-2026-31431",
|
|
42391
43350
|
"CVE-2026-34926",
|
|
@@ -42525,6 +43484,7 @@
|
|
|
42525
43484
|
"CVE-2025-38352",
|
|
42526
43485
|
"CVE-2025-43300",
|
|
42527
43486
|
"CVE-2025-6965",
|
|
43487
|
+
"CVE-2026-25592",
|
|
42528
43488
|
"CVE-2026-30623",
|
|
42529
43489
|
"CVE-2026-31431",
|
|
42530
43490
|
"CVE-2026-34926",
|
|
@@ -42678,6 +43638,7 @@
|
|
|
42678
43638
|
"CVE-2025-38352",
|
|
42679
43639
|
"CVE-2025-43300",
|
|
42680
43640
|
"CVE-2025-6965",
|
|
43641
|
+
"CVE-2026-25592",
|
|
42681
43642
|
"CVE-2026-30623",
|
|
42682
43643
|
"CVE-2026-31431",
|
|
42683
43644
|
"CVE-2026-34926",
|
|
@@ -42937,6 +43898,7 @@
|
|
|
42937
43898
|
"CVE-2025-53773",
|
|
42938
43899
|
"CVE-2025-6965",
|
|
42939
43900
|
"CVE-2026-22778",
|
|
43901
|
+
"CVE-2026-25592",
|
|
42940
43902
|
"CVE-2026-30615",
|
|
42941
43903
|
"CVE-2026-30623",
|
|
42942
43904
|
"CVE-2026-32202",
|
|
@@ -43080,8 +44042,13 @@
|
|
|
43080
44042
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
43081
44043
|
"CVE-2007-0671",
|
|
43082
44044
|
"CVE-2008-0015",
|
|
44045
|
+
"CVE-2008-4250",
|
|
43083
44046
|
"CVE-2009-0238",
|
|
43084
44047
|
"CVE-2009-0556",
|
|
44048
|
+
"CVE-2009-1537",
|
|
44049
|
+
"CVE-2009-3459",
|
|
44050
|
+
"CVE-2010-0249",
|
|
44051
|
+
"CVE-2010-0806",
|
|
43085
44052
|
"CVE-2010-3765",
|
|
43086
44053
|
"CVE-2010-3962",
|
|
43087
44054
|
"CVE-2011-3402",
|
|
@@ -43325,6 +44292,7 @@
|
|
|
43325
44292
|
"CVE-2026-24423",
|
|
43326
44293
|
"CVE-2026-24858",
|
|
43327
44294
|
"CVE-2026-25108",
|
|
44295
|
+
"CVE-2026-25592",
|
|
43328
44296
|
"CVE-2026-3055",
|
|
43329
44297
|
"CVE-2026-31431",
|
|
43330
44298
|
"CVE-2026-31635",
|
|
@@ -43937,6 +44905,7 @@
|
|
|
43937
44905
|
"CVE-2025-49844",
|
|
43938
44906
|
"CVE-2025-53773",
|
|
43939
44907
|
"CVE-2025-6965",
|
|
44908
|
+
"CVE-2026-25592",
|
|
43940
44909
|
"CVE-2026-30615",
|
|
43941
44910
|
"CVE-2026-30623",
|
|
43942
44911
|
"CVE-2026-31431",
|
|
@@ -44515,6 +45484,7 @@
|
|
|
44515
45484
|
"CVE-2025-49844",
|
|
44516
45485
|
"CVE-2025-53773",
|
|
44517
45486
|
"CVE-2025-6965",
|
|
45487
|
+
"CVE-2026-25592",
|
|
44518
45488
|
"CVE-2026-30615",
|
|
44519
45489
|
"CVE-2026-30623",
|
|
44520
45490
|
"CVE-2026-31431",
|
|
@@ -44727,6 +45697,7 @@
|
|
|
44727
45697
|
"CVE-2025-38352",
|
|
44728
45698
|
"CVE-2025-43300",
|
|
44729
45699
|
"CVE-2025-53773",
|
|
45700
|
+
"CVE-2026-25592",
|
|
44730
45701
|
"CVE-2026-30615",
|
|
44731
45702
|
"CVE-2026-31431",
|
|
44732
45703
|
"CVE-2026-34926",
|
|
@@ -45373,6 +46344,7 @@
|
|
|
45373
46344
|
"CVE-2025-49844",
|
|
45374
46345
|
"CVE-2025-53773",
|
|
45375
46346
|
"CVE-2025-6965",
|
|
46347
|
+
"CVE-2026-25592",
|
|
45376
46348
|
"CVE-2026-30615",
|
|
45377
46349
|
"CVE-2026-30623",
|
|
45378
46350
|
"CVE-2026-31431",
|
|
@@ -45520,8 +46492,13 @@
|
|
|
45520
46492
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
45521
46493
|
"CVE-2007-0671",
|
|
45522
46494
|
"CVE-2008-0015",
|
|
46495
|
+
"CVE-2008-4250",
|
|
45523
46496
|
"CVE-2009-0238",
|
|
45524
46497
|
"CVE-2009-0556",
|
|
46498
|
+
"CVE-2009-1537",
|
|
46499
|
+
"CVE-2009-3459",
|
|
46500
|
+
"CVE-2010-0249",
|
|
46501
|
+
"CVE-2010-0806",
|
|
45525
46502
|
"CVE-2010-3765",
|
|
45526
46503
|
"CVE-2010-3962",
|
|
45527
46504
|
"CVE-2011-3402",
|
|
@@ -45765,6 +46742,7 @@
|
|
|
45765
46742
|
"CVE-2026-24423",
|
|
45766
46743
|
"CVE-2026-24858",
|
|
45767
46744
|
"CVE-2026-25108",
|
|
46745
|
+
"CVE-2026-25592",
|
|
45768
46746
|
"CVE-2026-3055",
|
|
45769
46747
|
"CVE-2026-31431",
|
|
45770
46748
|
"CVE-2026-31635",
|
|
@@ -45914,8 +46892,13 @@
|
|
|
45914
46892
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
45915
46893
|
"CVE-2007-0671",
|
|
45916
46894
|
"CVE-2008-0015",
|
|
46895
|
+
"CVE-2008-4250",
|
|
45917
46896
|
"CVE-2009-0238",
|
|
45918
46897
|
"CVE-2009-0556",
|
|
46898
|
+
"CVE-2009-1537",
|
|
46899
|
+
"CVE-2009-3459",
|
|
46900
|
+
"CVE-2010-0249",
|
|
46901
|
+
"CVE-2010-0806",
|
|
45919
46902
|
"CVE-2010-3765",
|
|
45920
46903
|
"CVE-2010-3962",
|
|
45921
46904
|
"CVE-2011-3402",
|
|
@@ -46159,6 +47142,7 @@
|
|
|
46159
47142
|
"CVE-2026-24423",
|
|
46160
47143
|
"CVE-2026-24858",
|
|
46161
47144
|
"CVE-2026-25108",
|
|
47145
|
+
"CVE-2026-25592",
|
|
46162
47146
|
"CVE-2026-3055",
|
|
46163
47147
|
"CVE-2026-31431",
|
|
46164
47148
|
"CVE-2026-31635",
|
|
@@ -46412,6 +47396,7 @@
|
|
|
46412
47396
|
"CVE-2025-49844",
|
|
46413
47397
|
"CVE-2025-53773",
|
|
46414
47398
|
"CVE-2025-6965",
|
|
47399
|
+
"CVE-2026-25592",
|
|
46415
47400
|
"CVE-2026-30615",
|
|
46416
47401
|
"CVE-2026-30623",
|
|
46417
47402
|
"CVE-2026-31431",
|
|
@@ -47111,8 +48096,13 @@
|
|
|
47111
48096
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
47112
48097
|
"CVE-2007-0671",
|
|
47113
48098
|
"CVE-2008-0015",
|
|
48099
|
+
"CVE-2008-4250",
|
|
47114
48100
|
"CVE-2009-0238",
|
|
47115
48101
|
"CVE-2009-0556",
|
|
48102
|
+
"CVE-2009-1537",
|
|
48103
|
+
"CVE-2009-3459",
|
|
48104
|
+
"CVE-2010-0249",
|
|
48105
|
+
"CVE-2010-0806",
|
|
47116
48106
|
"CVE-2010-3765",
|
|
47117
48107
|
"CVE-2010-3962",
|
|
47118
48108
|
"CVE-2011-3402",
|
|
@@ -47356,6 +48346,7 @@
|
|
|
47356
48346
|
"CVE-2026-24423",
|
|
47357
48347
|
"CVE-2026-24858",
|
|
47358
48348
|
"CVE-2026-25108",
|
|
48349
|
+
"CVE-2026-25592",
|
|
47359
48350
|
"CVE-2026-3055",
|
|
47360
48351
|
"CVE-2026-31431",
|
|
47361
48352
|
"CVE-2026-31635",
|
|
@@ -47673,6 +48664,7 @@
|
|
|
47673
48664
|
"CVE-2025-49844",
|
|
47674
48665
|
"CVE-2025-53773",
|
|
47675
48666
|
"CVE-2025-6965",
|
|
48667
|
+
"CVE-2026-25592",
|
|
47676
48668
|
"CVE-2026-30615",
|
|
47677
48669
|
"CVE-2026-30623",
|
|
47678
48670
|
"CVE-2026-31431",
|
|
@@ -47897,8 +48889,13 @@
|
|
|
47897
48889
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
47898
48890
|
"CVE-2007-0671",
|
|
47899
48891
|
"CVE-2008-0015",
|
|
48892
|
+
"CVE-2008-4250",
|
|
47900
48893
|
"CVE-2009-0238",
|
|
47901
48894
|
"CVE-2009-0556",
|
|
48895
|
+
"CVE-2009-1537",
|
|
48896
|
+
"CVE-2009-3459",
|
|
48897
|
+
"CVE-2010-0249",
|
|
48898
|
+
"CVE-2010-0806",
|
|
47902
48899
|
"CVE-2010-3765",
|
|
47903
48900
|
"CVE-2010-3962",
|
|
47904
48901
|
"CVE-2011-3402",
|
|
@@ -48148,6 +49145,7 @@
|
|
|
48148
49145
|
"CVE-2026-24423",
|
|
48149
49146
|
"CVE-2026-24858",
|
|
48150
49147
|
"CVE-2026-25108",
|
|
49148
|
+
"CVE-2026-25592",
|
|
48151
49149
|
"CVE-2026-3055",
|
|
48152
49150
|
"CVE-2026-30615",
|
|
48153
49151
|
"CVE-2026-30623",
|
|
@@ -48477,6 +49475,7 @@
|
|
|
48477
49475
|
"CVE-2025-43300",
|
|
48478
49476
|
"CVE-2025-49844",
|
|
48479
49477
|
"CVE-2025-53773",
|
|
49478
|
+
"CVE-2026-25592",
|
|
48480
49479
|
"CVE-2026-30615",
|
|
48481
49480
|
"CVE-2026-31431",
|
|
48482
49481
|
"CVE-2026-34926",
|
|
@@ -49392,6 +50391,7 @@
|
|
|
49392
50391
|
"CVE-2025-49844",
|
|
49393
50392
|
"CVE-2025-53773",
|
|
49394
50393
|
"CVE-2025-6965",
|
|
50394
|
+
"CVE-2026-25592",
|
|
49395
50395
|
"CVE-2026-30615",
|
|
49396
50396
|
"CVE-2026-30623",
|
|
49397
50397
|
"CVE-2026-31431",
|
|
@@ -49463,6 +50463,7 @@
|
|
|
49463
50463
|
"CVE-2025-34291",
|
|
49464
50464
|
"CVE-2025-38352",
|
|
49465
50465
|
"CVE-2025-43300",
|
|
50466
|
+
"CVE-2026-25592",
|
|
49466
50467
|
"CVE-2026-31431",
|
|
49467
50468
|
"CVE-2026-34926",
|
|
49468
50469
|
"CVE-2026-39884",
|
|
@@ -49611,6 +50612,7 @@
|
|
|
49611
50612
|
"CVE-2025-53773",
|
|
49612
50613
|
"CVE-2025-6965",
|
|
49613
50614
|
"CVE-2026-22778",
|
|
50615
|
+
"CVE-2026-25592",
|
|
49614
50616
|
"CVE-2026-30623",
|
|
49615
50617
|
"CVE-2026-32202",
|
|
49616
50618
|
"CVE-2026-33825",
|
|
@@ -49943,8 +50945,13 @@
|
|
|
49943
50945
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
49944
50946
|
"CVE-2007-0671",
|
|
49945
50947
|
"CVE-2008-0015",
|
|
50948
|
+
"CVE-2008-4250",
|
|
49946
50949
|
"CVE-2009-0238",
|
|
49947
50950
|
"CVE-2009-0556",
|
|
50951
|
+
"CVE-2009-1537",
|
|
50952
|
+
"CVE-2009-3459",
|
|
50953
|
+
"CVE-2010-0249",
|
|
50954
|
+
"CVE-2010-0806",
|
|
49948
50955
|
"CVE-2010-3765",
|
|
49949
50956
|
"CVE-2010-3962",
|
|
49950
50957
|
"CVE-2011-3402",
|
|
@@ -50181,6 +51188,7 @@
|
|
|
50181
51188
|
"CVE-2026-24423",
|
|
50182
51189
|
"CVE-2026-24858",
|
|
50183
51190
|
"CVE-2026-25108",
|
|
51191
|
+
"CVE-2026-25592",
|
|
50184
51192
|
"CVE-2026-3055",
|
|
50185
51193
|
"CVE-2026-30615",
|
|
50186
51194
|
"CVE-2026-31431",
|
|
@@ -50433,6 +51441,7 @@
|
|
|
50433
51441
|
"CVE-2025-49844",
|
|
50434
51442
|
"CVE-2025-53773",
|
|
50435
51443
|
"CVE-2025-6965",
|
|
51444
|
+
"CVE-2026-25592",
|
|
50436
51445
|
"CVE-2026-30615",
|
|
50437
51446
|
"CVE-2026-30623",
|
|
50438
51447
|
"CVE-2026-31431",
|
|
@@ -50703,6 +51712,7 @@
|
|
|
50703
51712
|
"CVE-2025-53773",
|
|
50704
51713
|
"CVE-2025-6965",
|
|
50705
51714
|
"CVE-2026-22778",
|
|
51715
|
+
"CVE-2026-25592",
|
|
50706
51716
|
"CVE-2026-30615",
|
|
50707
51717
|
"CVE-2026-30623",
|
|
50708
51718
|
"CVE-2026-32202",
|