@blamejs/exceptd-skills 0.13.71 → 0.13.73

package/data/atlas-ttps.json

@@ -541,6 +541,7 @@
       "CVE-2025-53773",
       "CVE-2025-55319",
       "CVE-2025-68664",
+      "CVE-2026-25592",
       "CVE-2026-30615",
       "CVE-2026-39884",
       "CVE-2026-39987"

package/data/attack-techniques.json

@@ -272,10 +272,12 @@
       "CVE-2025-1094",
       "CVE-2025-11837",
       "CVE-2025-34291",
+      "CVE-2025-49596",
       "CVE-2025-53773",
       "CVE-2025-55319",
       "CVE-2025-68664",
       "CVE-2026-22778",
+      "CVE-2026-25592",
       "CVE-2026-30615",
       "CVE-2026-30623",
       "CVE-2026-32202",
@@ -876,6 +878,7 @@
       "CVE-2025-48927",
       "CVE-2025-48928",
       "CVE-2025-49113",
+      "CVE-2025-49596",
       "CVE-2025-49704",
       "CVE-2025-49844",
       "CVE-2025-5086",
@@ -1104,6 +1107,7 @@
       "CVE-2025-4919",
       "CVE-2026-21385",
       "CVE-2026-2441",
+      "CVE-2026-25592",
       "CVE-2026-5281",
       "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP"
     ],

package/data/cve-catalog.json

@@ -9475,6 +9475,229 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Langflow contains an origin validation error vulnerability that could allow account takeover and remote code execution."
   },
+  "CVE-2026-25592": {
+    "name": "Microsoft Semantic Kernel SessionsPythonPlugin Path Traversal — Prompt-Injection to Host RCE",
+    "type": "RCE",
+    "cvss_score": 9.9,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.9 (CRITICAL), Scope:Changed. The high score reflects worst-case impact; the RWEP score is intentionally lower (Hard Rule #3) because there is no confirmed in-the-wild exploitation or KEV listing and a patch shipped at disclosure.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Microsoft published the technique and a working demonstration (a single injected prompt launching calc.exe on the agent host) in the 'Prompts become shells' Security Blog (2026-05-07); GitHub advisory GHSA-2ww3-72rp-wpp4. No standalone public exploit repository, but the chain is fully documented.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Discovered and disclosed by Microsoft (MSRC). Not AI-discovered, but the vulnerability class IS AI-native: the exploitation primitive is LLM prompt injection (ATLAS AML.T0051), turning an agent's tool-use boundary into a code-execution boundary.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Exploit is delivered as an injected prompt to the agent; no separate AI-assisted tooling required to weaponize.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated patch (1.71.0); no in-the-wild exploitation reported as of curation. The public, documented prompt-injection-to-RCE technique elevates the watch posture — RWEP would jump on any observed exploitation.",
+    "affected": "Microsoft Semantic Kernel — the SessionsPythonPlugin, shipped in the NuGet package Microsoft.SemanticKernel.Plugins.Core (< 1.71.0) and the PyPI package semantic-kernel (< 1.39.3), per GHSA-2ww3-72rp-wpp4.",
+    "affected_versions": [
+      "Microsoft.SemanticKernel.Plugins.Core (NuGet) < 1.71.0",
+      "semantic-kernel (PyPI) < 1.39.3"
+    ],
+    "vector": "The SessionsPythonPlugin in Semantic Kernel's .NET SDK is vulnerable to path traversal (CWE-22), allowing arbitrary file write. Because the plugin executes within an agent wired to tools, an attacker-controlled prompt (indirect or direct LLM prompt injection, AML.T0051) can drive the file write to a location that yields host code execution — escaping the intended Python sandbox. A single injected prompt was shown launching calc.exe on the agent host: prompt injection becomes a remote-code-execution primitive once the model can reach tools.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L. The precondition is that untrusted content reaches the agent's prompt (the normal operating mode for RAG / tool-using agents); no memory-corruption or browser bug needed.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is a dependency upgrade to Microsoft.SemanticKernel.Plugins.Core 1.71.0 or later; application rebuild/redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "NuGet: upgrade Microsoft.SemanticKernel.Plugins.Core to 1.71.0 or later.",
+      "PyPI: upgrade semantic-kernel to 1.39.3 or later.",
+      "Until patched: disable or sandbox the SessionsPythonPlugin and treat any tool that performs file writes as a code-execution boundary reachable by prompt injection."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI-agent-framework SDK dependencies (NuGet/PyPI) with the urgency a prompt-injection-to-RCE warrants; the SDK is often outside the OS/patch-management inventory.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI-agent framework and its tool plugins as in-scope assets whose flaws are RCE-bearing.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not specifically reach the agent framework's tool-execution sandbox as a control plane.",
+      "DORA-Art-9": "ICT protection measures do not treat the AI agent's tool boundary as an attacker-reachable code-execution surface via prompt injection.",
+      "UK-CAF-B4": "System Security objective has no objective for sandboxing/auditing the code-execution plugins an AI agent can invoke.",
+      "AU-ISM-1546": "Patch-application control is product-agnostic and does not single out AI-agent SDK dependencies.",
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": "No compliance framework treats LLM prompt injection as an access-control / code-execution primitive: once an agent can reach a tool that writes files or runs code, injected content crosses from a content-safety problem to host RCE, and no framework requires the tool boundary to be hardened against it."
+    },
+    "atlas_refs": [
+      "AML.T0051"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1203"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 (RWEP 30 per lib/scoring.js) despite CVSS 9.9 — the gap is deliberate (Hard Rule #3, real-world-exploit priority): not KEV-listed, no confirmed in-the-wild exploitation, patch available at disclosure. poc_available=20 (documented working technique) + blast_radius=25 (Semantic Kernel is a widely-used .NET agent SDK) − patch 15. The score escalates immediately on any observed exploitation; the prompt-injection-to-RCE chain is the class to watch.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-25592",
+    "cwe_refs": [
+      "CWE-22",
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Semantic Kernel SessionsPythonPlugin performing a file write whose resolved path escapes the intended session/sandbox directory (path-traversal sequences in plugin file operations).",
+        "An AI-agent process built on Semantic Kernel spawning unexpected child processes (e.g. a shell, interpreter, or calc.exe-style binary) shortly after handling untrusted/retrieved content.",
+        "Agent tool-invocation logs showing a file-write or code-execution tool called as a downstream effect of injected/retrieved content rather than an operator request.",
+        "Deployed Microsoft.SemanticKernel.Plugins.Core dependency below 1.71.0 — the exposed precondition."
+      ],
+      "supply_chain_entry_vectors": [
+        "Untrusted content reaching the agent's prompt context — retrieved documents (RAG), tool outputs, web content, or user input — is the injection entry point; no direct attacker authentication to the host is required."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-25592 (CWE-22 path traversal / arbitrary file write in SessionsPythonPlugin) and the Microsoft 'Prompts become shells' Security Blog (2026-05-07) describing the prompt-injection-to-host-RCE chain and calc.exe demonstration."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-25592",
+      "https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/",
+      "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Microsoft (MSRC)",
+        "advisory_id": "CVE-2026-25592",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25592",
+        "severity": "critical",
+        "published_date": "2026-05-07"
+      },
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "GHSA-2ww3-72rp-wpp4",
+        "url": "https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4",
+        "severity": "critical",
+        "published_date": "2026-05-07"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-25592",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25592",
+        "severity": "critical",
+        "published_date": "2026-05-07"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CVSS 9.9, CWE-22) + Microsoft 'Prompts become shells' Security Blog (2026-05-07) + GHSA-2ww3-72rp-wpp4. Arbitrary file write via path traversal in the SessionsPythonPlugin, exploitable through LLM prompt injection (AML.T0051) to achieve host RCE. Non-KEV research disclosure; fixed in Microsoft.SemanticKernel.Plugins.Core 1.71.0.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Semantic Kernel SessionsPythonPlugin path traversal enabling arbitrary file write and, via prompt injection, host remote code execution."
+  },
+  "CVE-2025-49596": {
+    "name": "MCP Inspector Missing Authentication — Unauthenticated RCE via the Inspector Proxy",
+    "type": "RCE",
+    "cvss_score": 8.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "Operator v3.1 estimate (NVD has not assessed v3.1; the GitHub CNA published CVSS v4.0 9.4 CRITICAL). Exploitation lures a victim's browser to reach the locally-bound, unauthenticated MCP Inspector proxy (the 0.0.0.0-day / DNS-rebinding class), hence AC:H / UI:R; once reached, commands run over stdio with no auth.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Publicly documented by Oligo Security (the 0.0.0.0-day / MCP Inspector RCE research): a malicious web page a developer visits can reach the Inspector proxy bound on the loopback/0.0.0.0 and issue unauthenticated requests that launch MCP commands over stdio, yielding RCE on the developer's machine. Technique is fully public; no separate exploit repository required.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security via conventional web/SSRF-class research. The affected component is core AI-developer tooling (Anthropic's official MCP Inspector), placing it on the AI/MCP supply-chain surface.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the exploit is a browser-driven cross-origin request chain.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix (0.14.1); no confirmed in-the-wild exploitation reported as of curation. The public technique and the ubiquity of MCP Inspector in agent-developer workflows elevate the watch posture.",
+    "affected": "Anthropic MCP Inspector (the official Model Context Protocol server-testing tool, @modelcontextprotocol/inspector) prior to 0.14.1.",
+    "affected_versions": [
+      "@modelcontextprotocol/inspector < 0.14.1"
+    ],
+    "vector": "The MCP Inspector client and its proxy have no authentication between them, so any unauthenticated request that reaches the proxy can launch MCP commands over stdio — remote code execution on the host running Inspector. Because the proxy is browser-reachable (loopback / 0.0.0.0 binding), a malicious web page a developer visits can drive the requests cross-origin (the 0.0.0.0-day + DNS-rebinding class), with no developer interaction beyond visiting the page.",
+    "complexity": "high",
+    "complexity_notes": "Requires luring the developer's browser to a malicious page and the cross-origin/DNS-rebinding setup (AC:H, UI:R); the missing-auth flaw itself (CWE-306) imposes no further barrier once a request reaches the proxy.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is a tool upgrade to @modelcontextprotocol/inspector 0.14.1+ (which adds a session-token auth between client and proxy and origin checks); no reboot.",
+    "vendor_update_paths": [
+      "Upgrade @modelcontextprotocol/inspector to 0.14.1 or later (adds proxy auth + origin validation). Until then, do not run MCP Inspector on a machine where a browser may visit untrusted pages, and bind it to loopback only with a firewall."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI-developer tooling (MCP Inspector and similar) as managed, RCE-bearing software on developer workstations.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates locally-run AI/MCP developer tools as in-scope assets.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach developer-workstation AI tooling whose loopback services are browser-reachable.",
+      "DORA-Art-9": "ICT protection measures seldom model a developer's locally-bound MCP tooling as an attacker-reachable RCE surface via the browser.",
+      "UK-CAF-B4": "System Security objective has no objective for hardening locally-bound developer AI services against cross-origin / DNS-rebinding access.",
+      "AU-ISM-1546": "Patch-application control does not single out AI/MCP developer tooling, whose RCE flaws compromise the developer's machine and credentials.",
+      "ALL-AI-PIPELINE-INTEGRITY": "MCP — the connective tissue of the agent ecosystem — concentrates RCE risk in its tooling; no framework treats the MCP toolchain (inspector, proxy, servers) as a supply-chain control plane whose compromise reaches every connected agent and credential."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 (RWEP 30 per lib/scoring.js). Not KEV-listed, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3 — the 9.4 CNA CVSS does not by itself drive priority). poc_available=20 (public Oligo technique) + blast_radius=25 (MCP Inspector is the official, widely-used MCP debug tool) − patch 15. Escalates on observed exploitation; representative of the MCP-toolchain RCE class.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-49596",
+    "cwe_refs": [
+      "CWE-306",
+      "CWE-352",
+      "CWE-346"
+    ],
+    "iocs": {
+      "behavioral": [
+        "The MCP Inspector proxy (default port 6277) receiving requests whose Origin / Referer is an external web page rather than the local Inspector client — the cross-origin driver of the exploit.",
+        "MCP Inspector launching MCP server commands over stdio that were not initiated from the local Inspector UI session.",
+        "An MCP Inspector / Node proxy process spawning unexpected child processes (shell, interpreter) on a developer workstation.",
+        "Deployed @modelcontextprotocol/inspector below 0.14.1 reachable on 0.0.0.0 / loopback while a browser is in use — the exposed precondition."
+      ],
+      "supply_chain_entry_vectors": [
+        "Delivery is a malicious or attacker-controlled web page visited by a developer running MCP Inspector; the developer's browser is the cross-origin entry point, no direct host authentication required."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-49596 (CWE-306 missing authentication between Inspector client and proxy enabling stdio command execution) and the Oligo Security primary-source writeup at https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596 (the 0.0.0.0-day / DNS-rebinding MCP Inspector RCE research)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-49596",
+      "https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596",
+      "https://github.com/modelcontextprotocol/inspector/security/advisories"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-49596",
+        "url": "https://github.com/modelcontextprotocol/inspector/security/advisories",
+        "severity": "critical",
+        "published_date": "2025-06-13"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-49596",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49596",
+        "severity": "critical",
+        "published_date": "2025-06-13"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-306; CNA CVSS v4.0 9.4, v3.1 N/A) + Oligo Security 0.0.0.0-day / MCP Inspector RCE research. Missing authentication between the Inspector client and proxy allows browser-driven, unauthenticated RCE over stdio; fixed in @modelcontextprotocol/inspector 0.14.1. Part of the broader 2026 MCP-toolchain RCE advisory class.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Anthropic MCP Inspector lacks authentication between its client and proxy, allowing browser-driven unauthenticated remote code execution over stdio."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -102,6 +102,7 @@
       "CVE-2025-4632",
       "CVE-2025-6218",
       "CVE-2025-8110",
+      "CVE-2026-25592",
       "CVE-2026-34926"
     ],
     "framework_controls_partially_addressing": [
@@ -368,6 +369,7 @@
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-20045",
+      "CVE-2026-25592",
       "CVE-2026-30615",
       "CVE-2026-33017",
       "CVE-2026-34197",
@@ -705,6 +707,7 @@
       "CVE-2020-24363",
       "CVE-2025-32433",
       "CVE-2025-4008",
+      "CVE-2025-49596",
       "CVE-2025-61757",
       "CVE-2026-0300",
       "CVE-2026-24423",
@@ -1034,7 +1037,8 @@
     ],
     "evidence_cves": [
       "CVE-2023-2533",
-      "CVE-2025-34291"
+      "CVE-2025-34291",
+      "CVE-2025-49596"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SC-23",
@@ -2972,7 +2976,8 @@
     ],
     "related_weaknesses": [],
     "evidence_cves": [
-      "CVE-2025-34291"
+      "CVE-2025-34291",
+      "CVE-2025-49596"
     ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",

package/data/framework-control-gaps.json

@@ -34,7 +34,8 @@
     "status": "open",
     "opened_date": "2026-01-01",
     "evidence_cves": [
-      "CVE-2025-34291"
+      "CVE-2025-34291",
+      "CVE-2025-49596"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -101,7 +102,9 @@
     "real_requirement": "Prompt-level access control: each model invocation is constrained to an authorized action scope. Actions outside that scope require explicit user re-authorization. System prompt establishes authority hierarchy.",
     "status": "open",
     "opened_date": "2026-01-01",
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2026-25592"
+    ],
     "atlas_refs": [
       "AML.T0051",
       "AML.T0054"
@@ -1431,6 +1434,7 @@
       "CVE-2025-48928",
       "CVE-2025-49113",
       "CVE-2025-4919",
+      "CVE-2025-49596",
       "CVE-2025-49704",
       "CVE-2025-49706",
       "CVE-2025-5086",
@@ -1514,6 +1518,7 @@
       "CVE-2026-24423",
       "CVE-2026-24858",
       "CVE-2026-25108",
+      "CVE-2026-25592",
       "CVE-2026-3055",
       "CVE-2026-31431",
       "CVE-2026-31635",
@@ -1720,6 +1725,8 @@
       "CVE-2025-34291",
       "CVE-2025-38352",
       "CVE-2025-43300",
+      "CVE-2025-49596",
+      "CVE-2026-25592",
       "CVE-2026-31431",
       "CVE-2026-34926",
       "CVE-2026-39884",
@@ -2357,6 +2364,7 @@
       "CVE-2025-48928",
       "CVE-2025-49113",
       "CVE-2025-4919",
+      "CVE-2025-49596",
       "CVE-2025-49704",
       "CVE-2025-49706",
       "CVE-2025-5086",
@@ -2444,6 +2452,7 @@
       "CVE-2026-24423",
       "CVE-2026-24858",
       "CVE-2026-25108",
+      "CVE-2026-25592",
       "CVE-2026-3055",
       "CVE-2026-31431",
       "CVE-2026-31635",
@@ -4708,8 +4717,10 @@
     "evidence_cves": [
       "CVE-2024-21762",
       "CVE-2025-34291",
+      "CVE-2025-49596",
       "CVE-2026-0300",
       "CVE-2026-20182",
+      "CVE-2026-25592",
       "CVE-2026-34926",
       "CVE-2026-41091",
       "CVE-2026-42897",
@@ -5204,6 +5215,8 @@
     "evidence_cves": [
       "CVE-2024-21762",
       "CVE-2025-34291",
+      "CVE-2025-49596",
+      "CVE-2026-25592",
       "CVE-2026-34926",
       "CVE-2026-41091",
       "CVE-2026-45498",
@@ -5242,6 +5255,8 @@
     "evidence_cves": [
       "CVE-2024-21762",
       "CVE-2025-34291",
+      "CVE-2025-49596",
+      "CVE-2026-25592",
       "CVE-2026-34926",
       "CVE-2026-41091",
       "CVE-2026-45498",

package/data/zeroday-lessons.json

@@ -5933,6 +5933,106 @@
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
+  "CVE-2026-25592": {
+    "name": "Microsoft Semantic Kernel SessionsPythonPlugin Path Traversal — Prompt-Injection to Host RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Path traversal (CWE-22) in Semantic Kernel's SessionsPythonPlugin allows arbitrary file write; because the plugin runs inside an agent wired to tools, an injected prompt (AML.T0051) drives the write to a location that yields host code execution — a single prompt launched calc.exe on the agent host.",
+      "privileges_required": "the ability to get untrusted content into the agent's prompt (RAG document, tool output, web content, or user input) — the normal operating mode of a tool-using agent; no host authentication required",
+      "complexity": "low (NVD AV:N / AC:L)",
+      "ai_factor": "AI-native exploitation: the primitive is LLM prompt injection, which crosses from a content-safety problem to a remote-code-execution primitive the moment the model can reach a file-writing or code-running tool. The lesson is that an AI agent's tool boundary IS a code-execution boundary and must be sandboxed and treated as attacker-reachable via injection. Surfaced via the Microsoft Security Blog + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw-remediation cadence does not track AI-agent-framework SDK dependencies with the urgency a prompt-injection-to-RCE warrants; the SDK is often outside the patch-management inventory."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Vulnerability management rarely enumerates the AI-agent framework and its tool plugins as in-scope, RCE-bearing assets."
+      },
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats prompt injection as an access-control / code-execution primitive: once an agent can reach a tool that writes files or runs code, injected content becomes host RCE, and nothing requires the tool boundary to be hardened against it."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 75,
+      "basis": "Organizations deploying AI agents rarely sandbox or audit the file-write / code-execution tools the agent can invoke, and treat prompt injection as a content-safety issue rather than an RCE primitive; SDK dependency currency for agent frameworks is seldom tracked.",
+      "theater_pattern": "ai_pipeline_integrity"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-080",
+        "name": "AGENT-TOOL-EXECUTION-SANDBOX",
+        "description": "Any AI agent wired to tools that can write files or execute code must treat its tool boundary as an attacker-reachable remote-code-execution boundary: sandbox file-writing / code-running plugins with strict path and capability confinement, validate and canonicalize all tool-supplied paths against traversal, gate code-execution tools behind out-of-band human approval for untrusted-content-triggered invocations, and track agent-framework SDK dependencies (e.g. Microsoft.SemanticKernel.Plugins.Core >= 1.71.0) as KEV-priority patch targets. Prompt injection must be modeled as a code-execution primitive, not a content-safety nuisance.",
+        "evidence": "https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-49596": {
+    "name": "MCP Inspector Missing Authentication — Unauthenticated RCE via the Inspector Proxy",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Anthropic's official MCP Inspector has no authentication between its client and proxy; because the proxy is browser-reachable (loopback / 0.0.0.0), a malicious web page a developer visits can issue unauthenticated cross-origin requests that launch MCP commands over stdio — RCE on the developer's machine (the 0.0.0.0-day / DNS-rebinding class).",
+      "privileges_required": "none on the host — the developer need only run MCP Inspector and visit an attacker-controlled web page",
+      "complexity": "high (browser lure + cross-origin/DNS-rebinding setup), but the missing-auth flaw itself imposes no barrier once a request reaches the proxy",
+      "ai_factor": "The compromised component is core AI/MCP developer tooling. The lesson: MCP — the connective tissue of the agent ecosystem — concentrates RCE risk in its toolchain (inspector, proxy, servers); locally-bound AI dev services are browser-reachable and must authenticate and origin-validate. Surfaced via the MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw-remediation cadence does not track AI/MCP developer tooling on workstations as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Vulnerability management rarely enumerates locally-run AI/MCP developer tools as in-scope assets."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the MCP toolchain as a supply-chain control plane whose compromise reaches every connected agent and credential."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Developer-workstation AI/MCP tooling is almost never in the managed vulnerability program; loopback services are assumed unreachable, ignoring browser-driven cross-origin / DNS-rebinding access.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-081",
+        "name": "MCP-TOOLCHAIN-LOCALHOST-AUTH",
+        "description": "Locally-bound AI/MCP developer services (Inspector, proxies, dev servers) must authenticate their own client↔service channel and validate request Origin, never trusting loopback / 0.0.0.0 reachability as an access-control boundary (browsers can reach it cross-origin via the 0.0.0.0-day and DNS rebinding). Track MCP toolchain packages (e.g. @modelcontextprotocol/inspector >= 0.14.1) as managed, patch-prioritized software on developer workstations.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-49596",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",