@blamejs/exceptd-skills 0.13.71 → 0.13.72

package/data/cve-catalog.json

@@ -9475,6 +9475,123 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Langflow contains an origin validation error vulnerability that could allow account takeover and remote code execution."
   },
+  "CVE-2026-25592": {
+    "name": "Microsoft Semantic Kernel SessionsPythonPlugin Path Traversal — Prompt-Injection to Host RCE",
+    "type": "RCE",
+    "cvss_score": 9.9,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.9 (CRITICAL), Scope:Changed. The high score reflects worst-case impact; the RWEP score is intentionally lower (Hard Rule #3) because there is no confirmed in-the-wild exploitation or KEV listing and a patch shipped at disclosure.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Microsoft published the technique and a working demonstration (a single injected prompt launching calc.exe on the agent host) in the 'Prompts become shells' Security Blog (2026-05-07); GitHub advisory GHSA-2ww3-72rp-wpp4. No standalone public exploit repository, but the chain is fully documented.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Discovered and disclosed by Microsoft (MSRC). Not AI-discovered, but the vulnerability class IS AI-native: the exploitation primitive is LLM prompt injection (ATLAS AML.T0051), turning an agent's tool-use boundary into a code-execution boundary.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Exploit is delivered as an injected prompt to the agent; no separate AI-assisted tooling required to weaponize.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated patch (1.71.0); no in-the-wild exploitation reported as of curation. The public, documented prompt-injection-to-RCE technique elevates the watch posture — RWEP would jump on any observed exploitation.",
+    "affected": "Microsoft Semantic Kernel — the SessionsPythonPlugin, shipped in the NuGet package Microsoft.SemanticKernel.Plugins.Core (< 1.71.0) and the PyPI package semantic-kernel (< 1.39.3), per GHSA-2ww3-72rp-wpp4.",
+    "affected_versions": [
+      "Microsoft.SemanticKernel.Plugins.Core (NuGet) < 1.71.0",
+      "semantic-kernel (PyPI) < 1.39.3"
+    ],
+    "vector": "The SessionsPythonPlugin in Semantic Kernel's .NET SDK is vulnerable to path traversal (CWE-22), allowing arbitrary file write. Because the plugin executes within an agent wired to tools, an attacker-controlled prompt (indirect or direct LLM prompt injection, AML.T0051) can drive the file write to a location that yields host code execution — escaping the intended Python sandbox. A single injected prompt was shown launching calc.exe on the agent host: prompt injection becomes a remote-code-execution primitive once the model can reach tools.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L. The precondition is that untrusted content reaches the agent's prompt (the normal operating mode for RAG / tool-using agents); no memory-corruption or browser bug needed.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is a dependency upgrade to Microsoft.SemanticKernel.Plugins.Core 1.71.0 or later; application rebuild/redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "NuGet: upgrade Microsoft.SemanticKernel.Plugins.Core to 1.71.0 or later.",
+      "PyPI: upgrade semantic-kernel to 1.39.3 or later.",
+      "Until patched: disable or sandbox the SessionsPythonPlugin and treat any tool that performs file writes as a code-execution boundary reachable by prompt injection."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI-agent-framework SDK dependencies (NuGet/PyPI) with the urgency a prompt-injection-to-RCE warrants; the SDK is often outside the OS/patch-management inventory.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI-agent framework and its tool plugins as in-scope assets whose flaws are RCE-bearing.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not specifically reach the agent framework's tool-execution sandbox as a control plane.",
+      "DORA-Art-9": "ICT protection measures do not treat the AI agent's tool boundary as an attacker-reachable code-execution surface via prompt injection.",
+      "UK-CAF-B4": "System Security objective has no objective for sandboxing/auditing the code-execution plugins an AI agent can invoke.",
+      "AU-ISM-1546": "Patch-application control is product-agnostic and does not single out AI-agent SDK dependencies.",
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": "No compliance framework treats LLM prompt injection as an access-control / code-execution primitive: once an agent can reach a tool that writes files or runs code, injected content crosses from a content-safety problem to host RCE, and no framework requires the tool boundary to be hardened against it."
+    },
+    "atlas_refs": [
+      "AML.T0051"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1203"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 (RWEP 30 per lib/scoring.js) despite CVSS 9.9 — the gap is deliberate (Hard Rule #3, real-world-exploit priority): not KEV-listed, no confirmed in-the-wild exploitation, patch available at disclosure. poc_available=20 (documented working technique) + blast_radius=25 (Semantic Kernel is a widely-used .NET agent SDK) − patch 15. The score escalates immediately on any observed exploitation; the prompt-injection-to-RCE chain is the class to watch.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-25592",
+    "cwe_refs": [
+      "CWE-22",
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Semantic Kernel SessionsPythonPlugin performing a file write whose resolved path escapes the intended session/sandbox directory (path-traversal sequences in plugin file operations).",
+        "An AI-agent process built on Semantic Kernel spawning unexpected child processes (e.g. a shell, interpreter, or calc.exe-style binary) shortly after handling untrusted/retrieved content.",
+        "Agent tool-invocation logs showing a file-write or code-execution tool called as a downstream effect of injected/retrieved content rather than an operator request.",
+        "Deployed Microsoft.SemanticKernel.Plugins.Core dependency below 1.71.0 — the exposed precondition."
+      ],
+      "supply_chain_entry_vectors": [
+        "Untrusted content reaching the agent's prompt context — retrieved documents (RAG), tool outputs, web content, or user input — is the injection entry point; no direct attacker authentication to the host is required."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-25592 (CWE-22 path traversal / arbitrary file write in SessionsPythonPlugin) and the Microsoft 'Prompts become shells' Security Blog (2026-05-07) describing the prompt-injection-to-host-RCE chain and calc.exe demonstration."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-25592",
+      "https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/",
+      "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Microsoft (MSRC)",
+        "advisory_id": "CVE-2026-25592",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25592",
+        "severity": "critical",
+        "published_date": "2026-05-07"
+      },
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "GHSA-2ww3-72rp-wpp4",
+        "url": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4",
+        "severity": "critical",
+        "published_date": "2026-05-07"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-25592",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25592",
+        "severity": "critical",
+        "published_date": "2026-05-07"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CVSS 9.9, CWE-22) + Microsoft 'Prompts become shells' Security Blog (2026-05-07) + GHSA-2ww3-72rp-wpp4. Arbitrary file write via path traversal in the SessionsPythonPlugin, exploitable through LLM prompt injection (AML.T0051) to achieve host RCE. Non-KEV research disclosure; fixed in Microsoft.SemanticKernel.Plugins.Core 1.71.0.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Semantic Kernel SessionsPythonPlugin path traversal enabling arbitrary file write and, via prompt injection, host remote code execution."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -102,6 +102,7 @@
       "CVE-2025-4632",
       "CVE-2025-6218",
       "CVE-2025-8110",
+      "CVE-2026-25592",
       "CVE-2026-34926"
     ],
     "framework_controls_partially_addressing": [
@@ -368,6 +369,7 @@
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-20045",
+      "CVE-2026-25592",
       "CVE-2026-30615",
       "CVE-2026-33017",
       "CVE-2026-34197",

package/data/framework-control-gaps.json

@@ -101,7 +101,9 @@
     "real_requirement": "Prompt-level access control: each model invocation is constrained to an authorized action scope. Actions outside that scope require explicit user re-authorization. System prompt establishes authority hierarchy.",
     "status": "open",
     "opened_date": "2026-01-01",
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2026-25592"
+    ],
     "atlas_refs": [
       "AML.T0051",
       "AML.T0054"
@@ -1514,6 +1516,7 @@
       "CVE-2026-24423",
       "CVE-2026-24858",
       "CVE-2026-25108",
+      "CVE-2026-25592",
       "CVE-2026-3055",
       "CVE-2026-31431",
       "CVE-2026-31635",
@@ -1720,6 +1723,7 @@
       "CVE-2025-34291",
       "CVE-2025-38352",
       "CVE-2025-43300",
+      "CVE-2026-25592",
       "CVE-2026-31431",
       "CVE-2026-34926",
       "CVE-2026-39884",
@@ -2444,6 +2448,7 @@
       "CVE-2026-24423",
       "CVE-2026-24858",
       "CVE-2026-25108",
+      "CVE-2026-25592",
       "CVE-2026-3055",
       "CVE-2026-31431",
       "CVE-2026-31635",
@@ -4710,6 +4715,7 @@
       "CVE-2025-34291",
       "CVE-2026-0300",
       "CVE-2026-20182",
+      "CVE-2026-25592",
       "CVE-2026-34926",
       "CVE-2026-41091",
       "CVE-2026-42897",
@@ -5204,6 +5210,7 @@
     "evidence_cves": [
       "CVE-2024-21762",
       "CVE-2025-34291",
+      "CVE-2026-25592",
       "CVE-2026-34926",
       "CVE-2026-41091",
       "CVE-2026-45498",
@@ -5242,6 +5249,7 @@
     "evidence_cves": [
       "CVE-2024-21762",
       "CVE-2025-34291",
+      "CVE-2026-25592",
       "CVE-2026-34926",
       "CVE-2026-41091",
       "CVE-2026-45498",

package/data/zeroday-lessons.json

@@ -5933,6 +5933,56 @@
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
+  "CVE-2026-25592": {
+    "name": "Microsoft Semantic Kernel SessionsPythonPlugin Path Traversal — Prompt-Injection to Host RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Path traversal (CWE-22) in Semantic Kernel's SessionsPythonPlugin allows arbitrary file write; because the plugin runs inside an agent wired to tools, an injected prompt (AML.T0051) drives the write to a location that yields host code execution — a single prompt launched calc.exe on the agent host.",
+      "privileges_required": "the ability to get untrusted content into the agent's prompt (RAG document, tool output, web content, or user input) — the normal operating mode of a tool-using agent; no host authentication required",
+      "complexity": "low (NVD AV:N / AC:L)",
+      "ai_factor": "AI-native exploitation: the primitive is LLM prompt injection, which crosses from a content-safety problem to a remote-code-execution primitive the moment the model can reach a file-writing or code-running tool. The lesson is that an AI agent's tool boundary IS a code-execution boundary and must be sandboxed and treated as attacker-reachable via injection. Surfaced via the Microsoft Security Blog + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw-remediation cadence does not track AI-agent-framework SDK dependencies with the urgency a prompt-injection-to-RCE warrants; the SDK is often outside the patch-management inventory."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Vulnerability management rarely enumerates the AI-agent framework and its tool plugins as in-scope, RCE-bearing assets."
+      },
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats prompt injection as an access-control / code-execution primitive: once an agent can reach a tool that writes files or runs code, injected content becomes host RCE, and nothing requires the tool boundary to be hardened against it."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 75,
+      "basis": "Organizations deploying AI agents rarely sandbox or audit the file-write / code-execution tools the agent can invoke, and treat prompt injection as a content-safety issue rather than an RCE primitive; SDK dependency currency for agent frameworks is seldom tracked.",
+      "theater_pattern": "ai_pipeline_integrity"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-080",
+        "name": "AGENT-TOOL-EXECUTION-SANDBOX",
+        "description": "Any AI agent wired to tools that can write files or execute code must treat its tool boundary as an attacker-reachable remote-code-execution boundary: sandbox file-writing / code-running plugins with strict path and capability confinement, validate and canonicalize all tool-supplied paths against traversal, gate code-execution tools behind out-of-band human approval for untrusted-content-triggered invocations, and track agent-framework SDK dependencies (e.g. Microsoft.SemanticKernel.Plugins.Core >= 1.71.0) as KEV-priority patch targets. Prompt injection must be modeled as a code-execution primitive, not a content-safety nuisance.",
+        "evidence": "https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.13.71",
+  "version": "0.13.72",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
-      "signed_at": "2026-05-25T12:23:49.090Z",
+      "signed_at": "2026-05-25T12:58:49.445Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "ztSKk/zFMFbT12qRcEeBKpydBn7fTT86KxMmor0DTCoKQWk5fJ0fSInfP1XMSB6rFk4/SuSjKVxQRMKVJ5a+Cg==",
-      "signed_at": "2026-05-25T12:23:49.092Z",
+      "signed_at": "2026-05-25T12:58:49.447Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "K6QdPHNK5c4K5QFjrW0QsUhjp71D7SOisSoulwPNSvKRdi2rY+yg0kdckijBMkLMsVPyUvcC9giu93mKJ1OZDg==",
-      "signed_at": "2026-05-25T12:23:49.092Z",
+      "signed_at": "2026-05-25T12:58:49.447Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "Qd3SBWmUAaaT++e1Ry2wBIz/dCBmNBMl0+4Rb0etvJLES0fIBEAkU1mTbgNZnT5XOg9J5twdUpymWtmKnDDQCQ==",
-      "signed_at": "2026-05-25T12:23:49.092Z"
+      "signed_at": "2026-05-25T12:58:49.447Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "F2Shxae0ua0gPtvwzTRVzzHaIgJcFDRT3/akLUAZ4aaMQhkleKkcTaTpkjp+pTVEdPfLeLGNCeAOMs+whVYOBg==",
-      "signed_at": "2026-05-25T12:23:49.093Z"
+      "signed_at": "2026-05-25T12:58:49.448Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
-      "signed_at": "2026-05-25T12:23:49.093Z"
+      "signed_at": "2026-05-25T12:58:49.449Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "W3pS8lnaCP96TQzsJpG5d5yv5IwgaQyS4Z2Ctcz5BOJf6LbajSIgeDgTZ4f4Bhr5m4E7KsgWGjZS4x7Fwd33BQ==",
-      "signed_at": "2026-05-25T12:23:49.094Z",
+      "signed_at": "2026-05-25T12:58:49.449Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "/WDGygh1Ck4yWlBWDGtEUVCqKB8d+UaJXoAoBXujtt+GAl8JbMNpaN1TvI0WkEltQ9dTxaAzSn20/eVDqv8iDQ==",
-      "signed_at": "2026-05-25T12:23:49.094Z",
+      "signed_at": "2026-05-25T12:58:49.450Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "za1NKBpy9LC91F/ESO/qhUfmvVr8GNItQOjR5OJLeHm+2dQ9HHiFWQK2eo53V/n/0uhubuggURA3yS6kJuWwBg==",
-      "signed_at": "2026-05-25T12:23:49.094Z",
+      "signed_at": "2026-05-25T12:58:49.450Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xiHAhhdufm9hCKU8PLiPE0MX65ej2F4OZwtlWLGLCiie9/km+Kiqbt192LcMvr94v83C98pb9wIaqFsFWft6AQ==",
-      "signed_at": "2026-05-25T12:23:49.095Z",
+      "signed_at": "2026-05-25T12:58:49.450Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
-      "signed_at": "2026-05-25T12:23:49.095Z"
+      "signed_at": "2026-05-25T12:58:49.451Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
-      "signed_at": "2026-05-25T12:23:49.095Z",
+      "signed_at": "2026-05-25T12:58:49.451Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "i/17u4kJiSpcZAz7LnTyRePFugQOstQ1P4kVoe0oGf4E2/j8oIN9U9DccjUn/YHZhKWIJ2AILG/DMhvMrr3bBg==",
-      "signed_at": "2026-05-25T12:23:49.096Z",
+      "signed_at": "2026-05-25T12:58:49.452Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "QuOVaQ4E2Sl39TClbhZ7HA9XrYAyRrDL44HY3RTE7aWLue0hV2cxaBt40ALGmHS++631QGFDlZTLZI77Tr6nAA==",
-      "signed_at": "2026-05-25T12:23:49.096Z"
+      "signed_at": "2026-05-25T12:58:49.452Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
-      "signed_at": "2026-05-25T12:23:49.096Z",
+      "signed_at": "2026-05-25T12:58:49.452Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "urRcataVWg6/utyEkSiOWoNxTL8sABRjPR7ShyDfZGnAozFph/yDktSoaPVxQDXwu9EfJE+qhUW5OYR/yJECBQ==",
-      "signed_at": "2026-05-25T12:23:49.097Z"
+      "signed_at": "2026-05-25T12:58:49.453Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-25T12:23:49.097Z"
+      "signed_at": "2026-05-25T12:58:49.453Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
-      "signed_at": "2026-05-25T12:23:49.097Z"
+      "signed_at": "2026-05-25T12:58:49.453Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "IgEnpHOhCftAyfUNdKsjbrd169T9pJkk/rRM2ZEna+H18y7p5x48+1kME2sJMZjJuyAdQFBJi8PJXZFwLGI+DQ==",
-      "signed_at": "2026-05-25T12:23:49.098Z"
+      "signed_at": "2026-05-25T12:58:49.454Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
-      "signed_at": "2026-05-25T12:23:49.098Z"
+      "signed_at": "2026-05-25T12:58:49.454Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "G5q5elh7Q7eu2xcwTVQJGDTGfvZR0OGQaLSLJPb2wjzCHFF8PWuZfCHZdjjqisiRzRWPyLlzgfHeMJqOdy7cBw==",
-      "signed_at": "2026-05-25T12:23:49.098Z"
+      "signed_at": "2026-05-25T12:58:49.454Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
-      "signed_at": "2026-05-25T12:23:49.099Z"
+      "signed_at": "2026-05-25T12:58:49.455Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
-      "signed_at": "2026-05-25T12:23:49.099Z"
+      "signed_at": "2026-05-25T12:58:49.455Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
-      "signed_at": "2026-05-25T12:23:49.099Z"
+      "signed_at": "2026-05-25T12:58:49.455Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "rFBpOQEJUPpl+v88Lw/WqVJRhTl80vy0VbPAbzQj3Q0suJRRrJg368I9uKu5LXIBKFDvKxnGIcIzbGg9NUtaCA==",
-      "signed_at": "2026-05-25T12:23:49.099Z"
+      "signed_at": "2026-05-25T12:58:49.456Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
-      "signed_at": "2026-05-25T12:23:49.100Z",
+      "signed_at": "2026-05-25T12:58:49.456Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
-      "signed_at": "2026-05-25T12:23:49.100Z"
+      "signed_at": "2026-05-25T12:58:49.456Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
-      "signed_at": "2026-05-25T12:23:49.101Z"
+      "signed_at": "2026-05-25T12:58:49.457Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
-      "signed_at": "2026-05-25T12:23:49.101Z"
+      "signed_at": "2026-05-25T12:58:49.457Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
-      "signed_at": "2026-05-25T12:23:49.101Z"
+      "signed_at": "2026-05-25T12:58:49.458Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
-      "signed_at": "2026-05-25T12:23:49.102Z"
+      "signed_at": "2026-05-25T12:58:49.458Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
-      "signed_at": "2026-05-25T12:23:49.102Z"
+      "signed_at": "2026-05-25T12:58:49.458Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
-      "signed_at": "2026-05-25T12:23:49.102Z",
+      "signed_at": "2026-05-25T12:58:49.458Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
-      "signed_at": "2026-05-25T12:23:49.103Z"
+      "signed_at": "2026-05-25T12:58:49.459Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
-      "signed_at": "2026-05-25T12:23:49.103Z",
+      "signed_at": "2026-05-25T12:58:49.459Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "IL+DlRCDJN/p08iiJCFkasKcoyjcB0uWrJ6ORLjQcS1HrUa5Xt62QxVjYPHzaevlm5y36ZdmfESqsZJmzK3lCg==",
-      "signed_at": "2026-05-25T12:23:49.103Z"
+      "signed_at": "2026-05-25T12:58:49.460Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "MmjLjlmOMLjhJJ4ZfR8MYlHam+ZB+eSqfh6Nv+DecaG4O5zeo9DBP/iL3cbyDVZxmhnhivgJild2ccYeWTeZAg==",
-      "signed_at": "2026-05-25T12:23:49.104Z"
+      "signed_at": "2026-05-25T12:58:49.460Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "ssueL03g9fWlhXpTe+IiY5l7RqQkunN4DTN5QETKE+VOX+qggdjAR8PONxk77ol4xWYmHrM/VcH8CNtXUEvgBA==",
-      "signed_at": "2026-05-25T12:23:49.104Z"
+      "signed_at": "2026-05-25T12:58:49.460Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
-      "signed_at": "2026-05-25T12:23:49.104Z"
+      "signed_at": "2026-05-25T12:58:49.461Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "Rgho5TOFUL1txOzcVR0kASCNdovSU4yt99JlGilJlJRyg0A+BdeeQYrZrhPF6Vx2reUAVG0BeHfcZtSbi+cwCg==",
-      "signed_at": "2026-05-25T12:23:49.105Z"
+      "signed_at": "2026-05-25T12:58:49.461Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-25T12:23:49.105Z",
+      "signed_at": "2026-05-25T12:58:49.461Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-25T12:23:49.105Z",
+      "signed_at": "2026-05-25T12:58:49.462Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "0eO0Y3u5/ikz7b6zY3sAU11cEOXKXDsaOFTr9BkaPUMH2ELjjwsnsm5k8Jx/XgnoWsyLX9Fsj0Mgm82Maf0dAQ=="
+    "signature_base64": "d/BP9u9Hv9u4jiijm+yvszaLRoWWN/hCezTYoDZR5GDuAHQ8axchgrbYWoYXtwpuB984QvvXBpB8c00DEiuXAA=="
   }
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.71",
-  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (321 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
+  "version": "0.13.72",
+  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (322 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",
     "ai-skills",