@blamejs/exceptd-skills 0.13.73 → 0.13.75

package/data/atlas-ttps.json

@@ -1037,7 +1037,10 @@
     ],
     "reference_url": "https://atlas.mitre.org/techniques/AML.T0104",
     "stix_id": "attack-pattern--04842d98-bb69-586e-9765-6ff1f56ef722",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2025-54136"
+    ]
   },
   "AML.T0105": {
     "id": "AML.T0105",
@@ -2379,7 +2382,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--b1b2cc5a-7312-5f26-93d3-8b8ee1baf97d",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2025-54136"
+    ]
   },
   "AML.T0111": {
     "id": "AML.T0111",

package/data/attack-techniques.json

@@ -274,8 +274,11 @@
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-53773",
+      "CVE-2025-54136",
       "CVE-2025-55319",
       "CVE-2025-68664",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-22778",
       "CVE-2026-25592",
       "CVE-2026-30615",
@@ -944,6 +947,8 @@
       "CVE-2026-21525",
       "CVE-2026-21533",
       "CVE-2026-21643",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-22719",
       "CVE-2026-22769",
       "CVE-2026-22778",
@@ -1003,6 +1008,9 @@
     "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.",
     "tactic": [
       "Initial Access"
+    ],
+    "cve_refs": [
+      "CVE-2025-54136"
     ]
   },
   "T1195.001": {

package/data/cve-catalog.json

@@ -9698,6 +9698,318 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Anthropic MCP Inspector lacks authentication between its client and proxy, allowing browser-driven unauthenticated remote code execution over stdio."
   },
+  "CVE-2025-54136": {
+    "name": "Cursor MCPoison — Persistent RCE via Modified Already-Trusted MCP Config",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). The 'trust-on-first-use, never-re-validated' design lets a one-time approval become silent persistent code execution.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Check Point Research ('MCPoison') publicly documented the technique: after a user approves an MCP server entry in a project's .cursor/mcp.json, Cursor does not re-validate the config on subsequent edits, so an attacker who later modifies that already-trusted entry (e.g. in a shared / pulled repository) gets their command executed silently each time the project is opened — persistent RCE with no re-prompt.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Check Point Research. The affected component is a leading AI coding IDE (Cursor) and the abused trust boundary is its MCP tool configuration — squarely AI-agent-tool-poisoning territory.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the attack is a configuration-trust bypass.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix (Cursor 1.3); no confirmed in-the-wild exploitation reported as of curation. The shared-repo persistence and Cursor's large install base elevate the watch posture.",
+    "affected": "Cursor (AI code editor) versions 1.2.4 and below; fixed in 1.3.",
+    "affected_versions": [
+      "Cursor <= 1.2.4"
+    ],
+    "vector": "Cursor establishes trust in an MCP server entry when the user first approves it, but does not re-validate the .cursor/mcp.json entry when it is subsequently modified. An attacker who can change that already-trusted entry — by committing to a shared repository the victim pulls, or with local access — substitutes malicious commands (CWE-78 OS command injection via the MCP launch command) that Cursor then executes silently and persistently on every project open. The vulnerability class is AI-agent tool poisoning (ATLAS AML.T0110): a previously-approved tool is mutated into a malicious one with no fresh consent.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L / PR:L. Requires the victim to have approved an MCP entry once and the attacker to modify it (shared-repo collaboration or local access); no further interaction is needed thereafter.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to Cursor 1.3 or later (which re-validates MCP config changes); no reboot.",
+    "vendor_update_paths": [
+      "Upgrade Cursor to 1.3 or later. Until then, treat .cursor/mcp.json as untrusted in shared repositories, review MCP entries on every pull, and avoid auto-approving MCP servers."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the AI IDE / agent tooling on developer workstations as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates AI coding assistants and their tool-config trust model as in-scope.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the trust-on-first-use model of an AI IDE's MCP configuration.",
+      "DORA-Art-9": "ICT protection measures do not model an approved-once-then-mutated tool config as a persistent code-execution channel.",
+      "UK-CAF-B4": "System Security objective has no objective for re-validating AI-tool configurations after first approval.",
+      "AU-ISM-1546": "Patch-application control does not address the AI-IDE tool-trust class.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an AI agent's tool-approval state as a control plane requiring re-validation on change; trust-on-first-use turns a shared-repo config edit into silent persistent RCE across every developer who pulls it."
+    },
+    "atlas_refs": [
+      "AML.T0110",
+      "AML.T0104"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1195"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 (RWEP 30 per lib/scoring.js). Not KEV-listed, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 (public Check Point technique) + blast_radius=25 (Cursor is a leading AI IDE; shared-repo persistence reaches every developer who pulls) − patch 15. Escalates on observed exploitation; representative of the AI-agent tool-poisoning class.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-54136",
+    "cwe_refs": [
+      "CWE-78",
+      "CWE-829"
+    ],
+    "iocs": {
+      "behavioral": [
+        "A change to a project's .cursor/mcp.json MCP server `command` / `args` between commits or pulls, especially in a shared repository, without a corresponding fresh in-IDE approval prompt.",
+        "Cursor (or its MCP host process) spawning a command from an MCP entry that differs from the command the user originally approved.",
+        "An MCP server entry whose launch command invokes a shell, downloader, or interpreter rather than a legitimate MCP server binary.",
+        "Cursor version 1.2.4 or below in use on a developer machine that opens shared/untrusted repositories — the exposed precondition."
+      ],
+      "supply_chain_entry_vectors": [
+        "Delivery is a modification to an already-approved .cursor/mcp.json in a shared repository (a malicious commit / PR the victim pulls) or via local file access; the trust was established at first approval and never re-checked."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-54136 (CWE-78) and Check Point Research's 'MCPoison' disclosure describing persistent RCE via modification of an already-trusted Cursor MCP configuration."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-54136",
+      "https://research.checkpoint.com/2025/cursor-mcpoison-cve-2025-54136/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Check Point Research",
+        "advisory_id": "CVE-2025-54136",
+        "url": "https://research.checkpoint.com/2025/cursor-mcpoison-cve-2025-54136/",
+        "severity": "high",
+        "published_date": "2025-08-05"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-54136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54136",
+        "severity": "high",
+        "published_date": "2025-08-05"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-78, CVSS 8.8) + Check Point Research 'MCPoison'. Cursor does not re-validate an MCP config entry after first approval, so a later modification of the trusted entry yields persistent silent RCE (ATLAS AML.T0110 AI Agent Tool Poisoning); fixed in Cursor 1.3.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cursor does not re-validate a previously-approved MCP configuration entry, so modifying the trusted entry yields persistent silent remote code execution."
+  },
+  "CVE-2026-22252": {
+    "name": "LibreChat MCP stdio Transport — Authenticated Arbitrary Command Execution as Root",
+    "type": "RCE",
+    "cvss_score": 9.9,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.9 (CRITICAL), Scope:Changed (the GitHub CNA scored 9.1 with PR:H). The MCP stdio transport runs the supplied command as root inside the container, so any authenticated user reaches host-class execution.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security et al.) and the GitHub security advisory: LibreChat's MCP stdio transport accepts an arbitrary command and runs it without validation, so a single authenticated API request executes shell commands as root inside the container.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory; LibreChat is a widely-used open-source AI chat platform and the abused surface is its MCP tool transport.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing authorization / command validation on the MCP stdio transport.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "LibreChat (open-source AI chat platform) versions prior to 0.8.2-rc2.",
+    "affected_versions": [
+      "LibreChat < 0.8.2-rc2"
+    ],
+    "vector": "LibreChat's MCP stdio transport accepts an arbitrary command/args without authorization or validation (CWE-285 improper authorization). Any authenticated user can therefore issue a single API request that makes the server spawn that command — executing shell commands as root inside the LibreChat container. This is the 'MCP stdio transport runs whatever it is told' class applied to a multi-user AI platform, where ordinary user authentication is the only barrier.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L — any authenticated user, one API request. Scope:Changed (container-root execution).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to LibreChat 0.8.2-rc2 or later (adds authorization / validation on the MCP stdio transport); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade LibreChat to 0.8.2-rc2 or later. Until then, restrict who can configure / invoke MCP servers and run LibreChat with a least-privilege (non-root) container user and a read-only filesystem where possible."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI chat platforms and their MCP transports as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI platform's MCP tool transport as an in-scope, authorization-critical surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the MCP stdio transport as a privileged command-execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model 'any authenticated user can run commands as container root via the AI tool transport'.",
+      "UK-CAF-B4": "System Security objective has no objective for authorizing and validating commands handed to an AI platform's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-platform MCP transports, whose flaws are container-root RCE.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the MCP stdio transport — which by design launches commands — as a boundary that must enforce authorization and command validation; without it, ordinary user auth becomes container-root RCE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 (RWEP 30 per lib/scoring.js). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 (documented technique) + blast_radius=25 (LibreChat is widely self-hosted; container-root scope) − patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-22252",
+    "cwe_refs": [
+      "CWE-285",
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "LibreChat MCP stdio transport spawning a process whose command/args were supplied via an API request rather than a pinned server configuration.",
+        "The LibreChat container (running as root) spawning a shell, interpreter, or downloader as a child of the MCP host process.",
+        "An authenticated, non-admin LibreChat user configuring or invoking an MCP server with an arbitrary command string.",
+        "LibreChat version below 0.8.2-rc2 — the exposed precondition."
+      ],
+      "supply_chain_entry_vectors": [
+        "Any authenticated LibreChat account (including a low-privilege or self-registered user where open registration is enabled) is the entry point; no admin role required."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-22252 (CWE-285 improper authorization; MCP stdio transport executes arbitrary commands as root) and the 2026 MCP supply-chain advisory describing the unvalidated-stdio-command class."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-22252",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-22252",
+        "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f",
+        "severity": "critical",
+        "published_date": "2026-01-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-22252",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22252",
+        "severity": "critical",
+        "published_date": "2026-01-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-285; NIST CVSS 9.9, CNA 9.1) + the 2026 MCP supply-chain advisory family. LibreChat's MCP stdio transport runs arbitrary commands without authorization, giving any authenticated user container-root RCE; fixed in 0.8.2-rc2.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "LibreChat's MCP stdio transport accepts arbitrary commands without validation, letting any authenticated user execute shell commands as root in the container."
+  },
+  "CVE-2026-22688": {
+    "name": "Tencent WeKnora MCP stdio Command Injection",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH); the GitHub CNA scored 9.9 (Scope:Changed). Authenticated command injection through the MCP stdio settings.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the 2026 MCP supply-chain advisory family and the GitHub security advisory: authenticated users can inject stdio_config.command / args into WeKnora's MCP stdio settings, causing the server to spawn subprocesses with the injected values (command injection).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory; WeKnora is Tencent's open-source RAG / knowledge-base platform and the abused surface is its MCP stdio configuration.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic command injection via the MCP stdio settings.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Tencent WeKnora (open-source RAG / knowledge-base platform) versions prior to 0.2.5.",
+    "affected_versions": [
+      "Tencent WeKnora < 0.2.5"
+    ],
+    "vector": "WeKnora lets authenticated users set the MCP stdio_config.command and args, which the server then executes as a subprocess without neutralizing special elements (CWE-77 command injection). An authenticated user can therefore inject a command that the server runs, achieving code execution on the WeKnora host.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L — authenticated, low-complexity command injection.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to WeKnora 0.2.5 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Tencent WeKnora to 0.2.5 or later. Until then, restrict who can edit MCP stdio settings and run WeKnora as a least-privilege container user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted RAG / knowledge-base AI platforms and their MCP transports as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI platform's MCP stdio settings as an in-scope command-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the MCP stdio settings as a privileged command-execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model authenticated command injection via an AI platform's MCP configuration.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI platform's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-platform MCP transports.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP stdio command/args as untrusted input requiring neutralization; the MCP transport's by-design command execution makes injection a direct RCE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 (RWEP 30 per lib/scoring.js). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 (documented technique) + blast_radius=25 (Tencent-backed open-source RAG platform) − patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-22688",
+    "cwe_refs": [
+      "CWE-77",
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "WeKnora spawning a subprocess whose command/args came from MCP stdio_config supplied by a user rather than a pinned configuration.",
+        "Shell metacharacters or unexpected binaries in WeKnora MCP stdio_config.command / args values.",
+        "An authenticated WeKnora user editing MCP stdio settings to include a command string.",
+        "WeKnora version below 0.2.5 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-22688 (CWE-77 command injection via MCP stdio_config) and the 2026 MCP supply-chain advisory describing the unvalidated-stdio-command class."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-22688",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-22688",
+        "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc",
+        "severity": "high",
+        "published_date": "2026-01-09"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-22688",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22688",
+        "severity": "high",
+        "published_date": "2026-01-09"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-77; NIST CVSS 8.8, CNA 9.9) + the 2026 MCP supply-chain advisory family. Authenticated users inject stdio_config.command/args into WeKnora's MCP settings for command execution; fixed in 0.2.5.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Tencent WeKnora allows authenticated users to inject commands into MCP stdio settings, causing the server to execute attacker-supplied subprocesses."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -146,6 +146,7 @@
       "CVE-2025-53773",
       "CVE-2025-55319",
       "CVE-2025-59689",
+      "CVE-2026-22688",
       "CVE-2026-22719",
       "MAL-2026-3083"
     ],
@@ -186,6 +187,7 @@
       "CVE-2025-11953",
       "CVE-2025-12686",
       "CVE-2025-48703",
+      "CVE-2025-54136",
       "CVE-2025-54948",
       "CVE-2025-58034",
       "CVE-2025-59389",
@@ -194,6 +196,8 @@
       "CVE-2025-66644",
       "CVE-2025-9377",
       "CVE-2026-1731",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-25108",
       "CVE-2026-30623",
       "CVE-2026-39987"
@@ -1647,6 +1651,7 @@
     ],
     "evidence_cves": [
       "CVE-2025-32463",
+      "CVE-2025-54136",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
@@ -2918,7 +2923,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2026-22252"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,

package/data/framework-control-gaps.json

@@ -35,7 +35,10 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2025-34291",
-      "CVE-2025-49596"
+      "CVE-2025-49596",
+      "CVE-2025-54136",
+      "CVE-2026-22252",
+      "CVE-2026-22688"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -1443,6 +1446,7 @@
       "CVE-2025-53690",
       "CVE-2025-53770",
       "CVE-2025-54068",
+      "CVE-2025-54136",
       "CVE-2025-5419",
       "CVE-2025-54236",
       "CVE-2025-54253",
@@ -1510,6 +1514,8 @@
       "CVE-2026-21525",
       "CVE-2026-21533",
       "CVE-2026-21643",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-22719",
       "CVE-2026-22769",
       "CVE-2026-23760",
@@ -1726,6 +1732,9 @@
       "CVE-2025-38352",
       "CVE-2025-43300",
       "CVE-2025-49596",
+      "CVE-2025-54136",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-25592",
       "CVE-2026-31431",
       "CVE-2026-34926",
@@ -2373,6 +2382,7 @@
       "CVE-2025-53690",
       "CVE-2025-53770",
       "CVE-2025-54068",
+      "CVE-2025-54136",
       "CVE-2025-5419",
       "CVE-2025-54236",
       "CVE-2025-54253",
@@ -2444,6 +2454,8 @@
       "CVE-2026-21525",
       "CVE-2026-21533",
       "CVE-2026-21643",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-22719",
       "CVE-2026-22769",
       "CVE-2026-23760",
@@ -4718,8 +4730,11 @@
       "CVE-2024-21762",
       "CVE-2025-34291",
       "CVE-2025-49596",
+      "CVE-2025-54136",
       "CVE-2026-0300",
       "CVE-2026-20182",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-25592",
       "CVE-2026-34926",
       "CVE-2026-41091",
@@ -5216,6 +5231,9 @@
       "CVE-2024-21762",
       "CVE-2025-34291",
       "CVE-2025-49596",
+      "CVE-2025-54136",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-25592",
       "CVE-2026-34926",
       "CVE-2026-41091",
@@ -5256,6 +5274,9 @@
       "CVE-2024-21762",
       "CVE-2025-34291",
       "CVE-2025-49596",
+      "CVE-2025-54136",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-25592",
       "CVE-2026-34926",
       "CVE-2026-41091",