npm - @blamejs/exceptd-skills - Versions diffs - 0.13.74 → 0.13.76 - Mend

@blamejs/exceptd-skills 0.13.74 → 0.13.76

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +8 -8
package/data/_indexes/activity-feed.json +2 -2
package/data/_indexes/catalog-summaries.json +2 -2
package/data/_indexes/chains.json +2695 -0
package/data/attack-techniques.json +14 -0
package/data/cve-catalog.json +682 -1
package/data/cwe-catalog.json +16 -2
package/data/framework-control-gaps.json +50 -1
package/data/zeroday-lessons.json +350 -0
package/manifest.json +44 -44
package/package.json +2 -2
package/sbom.cdx.json +23 -23

package/data/cve-catalog.json CHANGED Viewed

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.037,
+      "current_rate": 0.036,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -9805,6 +9805,687 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Cursor does not re-validate a previously-approved MCP configuration entry, so modifying the trusted entry yields persistent silent remote code execution."
   },
+  "CVE-2026-22252": {
+    "name": "LibreChat MCP stdio Transport — Authenticated Arbitrary Command Execution as Root",
+    "type": "RCE",
+    "cvss_score": 9.9,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.9 (CRITICAL), Scope:Changed (the GitHub CNA scored 9.1 with PR:H). The MCP stdio transport runs the supplied command as root inside the container, so any authenticated user reaches host-class execution.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security et al.) and the GitHub security advisory: LibreChat's MCP stdio transport accepts an arbitrary command and runs it without validation, so a single authenticated API request executes shell commands as root inside the container.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory; LibreChat is a widely-used open-source AI chat platform and the abused surface is its MCP tool transport.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing authorization / command validation on the MCP stdio transport.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "LibreChat (open-source AI chat platform) versions prior to 0.8.2-rc2.",
+    "affected_versions": [
+      "LibreChat < 0.8.2-rc2"
+    ],
+    "vector": "LibreChat's MCP stdio transport accepts an arbitrary command/args without authorization or validation (CWE-285 improper authorization). Any authenticated user can therefore issue a single API request that makes the server spawn that command — executing shell commands as root inside the LibreChat container. This is the 'MCP stdio transport runs whatever it is told' class applied to a multi-user AI platform, where ordinary user authentication is the only barrier.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L — any authenticated user, one API request. Scope:Changed (container-root execution).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to LibreChat 0.8.2-rc2 or later (adds authorization / validation on the MCP stdio transport); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade LibreChat to 0.8.2-rc2 or later. Until then, restrict who can configure / invoke MCP servers and run LibreChat with a least-privilege (non-root) container user and a read-only filesystem where possible."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI chat platforms and their MCP transports as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI platform's MCP tool transport as an in-scope, authorization-critical surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the MCP stdio transport as a privileged command-execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model 'any authenticated user can run commands as container root via the AI tool transport'.",
+      "UK-CAF-B4": "System Security objective has no objective for authorizing and validating commands handed to an AI platform's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-platform MCP transports, whose flaws are container-root RCE.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the MCP stdio transport — which by design launches commands — as a boundary that must enforce authorization and command validation; without it, ordinary user auth becomes container-root RCE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 (RWEP 30 per lib/scoring.js). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 (documented technique) + blast_radius=25 (LibreChat is widely self-hosted; container-root scope) − patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-22252",
+    "cwe_refs": [
+      "CWE-285",
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "LibreChat MCP stdio transport spawning a process whose command/args were supplied via an API request rather than a pinned server configuration.",
+        "The LibreChat container (running as root) spawning a shell, interpreter, or downloader as a child of the MCP host process.",
+        "An authenticated, non-admin LibreChat user configuring or invoking an MCP server with an arbitrary command string.",
+        "LibreChat version below 0.8.2-rc2 — the exposed precondition."
+      ],
+      "supply_chain_entry_vectors": [
+        "Any authenticated LibreChat account (including a low-privilege or self-registered user where open registration is enabled) is the entry point; no admin role required."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-22252 (CWE-285 improper authorization; MCP stdio transport executes arbitrary commands as root) and the 2026 MCP supply-chain advisory describing the unvalidated-stdio-command class."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-22252",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-22252",
+        "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f",
+        "severity": "critical",
+        "published_date": "2026-01-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-22252",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22252",
+        "severity": "critical",
+        "published_date": "2026-01-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-285; NIST CVSS 9.9, CNA 9.1) + the 2026 MCP supply-chain advisory family. LibreChat's MCP stdio transport runs arbitrary commands without authorization, giving any authenticated user container-root RCE; fixed in 0.8.2-rc2.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "LibreChat's MCP stdio transport accepts arbitrary commands without validation, letting any authenticated user execute shell commands as root in the container."
+  },
+  "CVE-2026-22688": {
+    "name": "Tencent WeKnora MCP stdio Command Injection",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH); the GitHub CNA scored 9.9 (Scope:Changed). Authenticated command injection through the MCP stdio settings.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the 2026 MCP supply-chain advisory family and the GitHub security advisory: authenticated users can inject stdio_config.command / args into WeKnora's MCP stdio settings, causing the server to spawn subprocesses with the injected values (command injection).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory; WeKnora is Tencent's open-source RAG / knowledge-base platform and the abused surface is its MCP stdio configuration.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic command injection via the MCP stdio settings.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Tencent WeKnora (open-source RAG / knowledge-base platform) versions prior to 0.2.5.",
+    "affected_versions": [
+      "Tencent WeKnora < 0.2.5"
+    ],
+    "vector": "WeKnora lets authenticated users set the MCP stdio_config.command and args, which the server then executes as a subprocess without neutralizing special elements (CWE-77 command injection). An authenticated user can therefore inject a command that the server runs, achieving code execution on the WeKnora host.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L — authenticated, low-complexity command injection.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to WeKnora 0.2.5 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Tencent WeKnora to 0.2.5 or later. Until then, restrict who can edit MCP stdio settings and run WeKnora as a least-privilege container user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted RAG / knowledge-base AI platforms and their MCP transports as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI platform's MCP stdio settings as an in-scope command-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the MCP stdio settings as a privileged command-execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model authenticated command injection via an AI platform's MCP configuration.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI platform's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-platform MCP transports.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP stdio command/args as untrusted input requiring neutralization; the MCP transport's by-design command execution makes injection a direct RCE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 (RWEP 30 per lib/scoring.js). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 (documented technique) + blast_radius=25 (Tencent-backed open-source RAG platform) − patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-22688",
+    "cwe_refs": [
+      "CWE-77",
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "WeKnora spawning a subprocess whose command/args came from MCP stdio_config supplied by a user rather than a pinned configuration.",
+        "Shell metacharacters or unexpected binaries in WeKnora MCP stdio_config.command / args values.",
+        "An authenticated WeKnora user editing MCP stdio settings to include a command string.",
+        "WeKnora version below 0.2.5 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-22688 (CWE-77 command injection via MCP stdio_config) and the 2026 MCP supply-chain advisory describing the unvalidated-stdio-command class."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-22688",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-22688",
+        "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc",
+        "severity": "high",
+        "published_date": "2026-01-09"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-22688",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22688",
+        "severity": "high",
+        "published_date": "2026-01-09"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-77; NIST CVSS 8.8, CNA 9.9) + the 2026 MCP supply-chain advisory family. Authenticated users inject stdio_config.command/args into WeKnora's MCP settings for command execution; fixed in 0.2.5.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Tencent WeKnora allows authenticated users to inject commands into MCP stdio settings, causing the server to execute attacker-supplied subprocesses."
+  },
+  "CVE-2026-40933": {
+    "name": "FlowiseAI Flowise MCP Custom Config Command Injection",
+    "type": "RCE",
+    "cvss_score": 9.9,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD/CNA CVSS v3.1 base 9.9 (CRITICAL, Scope:Changed). Authenticated command injection via the Custom MCP configuration.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security) and the NVD record: an attacker who controls the MCP Custom configuration causes the host to execute attacker-influenced commands.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the coordinated 2026 MCP supply-chain advisory; the abused surface is the project's MCP command/transport configuration.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; conventional command/argument injection through MCP configuration.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "FlowiseAI Flowise (low-code LLM orchestration builder) versions prior to 3.1.0.",
+    "affected_versions": [
+      "FlowiseAI Flowise < 3.1.0"
+    ],
+    "vector": "Flowise lets an authenticated user define a Custom MCP server configuration whose command/args the server then executes. Sanitization can be bypassed by combining an allow-listed binary (e.g. npx) with execution flags, so the attacker neutralizes special elements (CWE-78) and runs arbitrary OS commands on the Flowise host.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L: network-reachable, low-complexity command injection through MCP configuration.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to 3.1.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade FlowiseAI Flowise to 3.1.0 or later. Until then, restrict who can author Custom MCP configurations and run Flowise as a least-privilege container user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI agent / RAG frameworks and their MCP command surfaces as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI framework's MCP command/transport configuration as an in-scope command-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach MCP command configuration as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model command injection via an AI framework's MCP configuration.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI framework's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-framework MCP command surfaces.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP command/args as untrusted input requiring neutralization; the transport's by-design command execution turns injection into direct RCE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 30, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (documented technique) + blast_radius=25 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-40933",
+    "cwe_refs": [
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Flowise spawning a subprocess whose command/args came from an MCP configuration supplied or influenced by a caller rather than a pinned configuration.",
+        "Shell metacharacters, or allow-listed binaries (npm/npx) carrying execution flags, in MCP command/args values.",
+        "An MCP configuration / management surface reachable by a user who should not control command execution.",
+        "FlowiseAI Flowise < 3.1.0 - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-40933 (CWE-78 command injection via MCP configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) describing the unvalidated-MCP-command class."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-40933",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-40933",
+        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-c9gw-hvqq-f33r",
+        "severity": "critical",
+        "published_date": "2026-04-21"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-40933",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40933",
+        "severity": "critical",
+        "published_date": "2026-04-21"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Imported from NVD (CWE-78; NIST CVSS 9.9) + the 2026 MCP supply-chain advisory family (OX Security). Member of the MCP command-injection class already curated in depth by CVE-2026-22252 and CVE-2026-22688.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "FlowiseAI Flowise allows an authenticated user to bypass MCP Custom-config command sanitization (e.g. npx with execution flags) and run arbitrary OS commands on the host."
+  },
+  "CVE-2026-30624": {
+    "name": "Agent Zero MCP Server Config Command Injection",
+    "type": "RCE",
+    "cvss_score": 8.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.6 (HIGH). Remote code execution through malicious MCP server configurations executed without adequate validation.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security) and the NVD record: an attacker who controls the MCP server configuration causes the host to execute attacker-influenced commands.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the coordinated 2026 MCP supply-chain advisory; the abused surface is the project's MCP command/transport configuration.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; conventional command/argument injection through MCP configuration.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Agent Zero (autonomous agent framework) version 0.9.8.",
+    "affected_versions": [
+      "Agent Zero 0.9.8"
+    ],
+    "vector": "Agent Zero executes MCP server configurations without adequately validating the command/args before spawning the subprocess (CWE-77). An attacker who can supply or influence an MCP server configuration achieves remote code execution on the Agent Zero host.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L: network-reachable, low-complexity command injection through MCP configuration.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No confirmed fixed release at curation; mitigate by restricting who can configure MCP commands and running the service least-privilege.",
+    "vendor_update_paths": [
+      "Track the Agent Zero project for a fixed release; until one ships, treat MCP server configuration as a privileged surface, restrict who can edit it, and run Agent Zero as a least-privilege user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI agent / RAG frameworks and their MCP command surfaces as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI framework's MCP command/transport configuration as an in-scope command-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach MCP command configuration as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model command injection via an AI framework's MCP configuration.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI framework's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-framework MCP command surfaces.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP command/args as untrusted input requiring neutralization; the transport's by-design command execution turns injection into direct RCE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 40,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 40, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation. poc_available=20 (documented technique) + blast_radius=20.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-30624",
+    "cwe_refs": [
+      "CWE-77",
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "agent-zero spawning a subprocess whose command/args came from an MCP configuration supplied or influenced by a caller rather than a pinned configuration.",
+        "Shell metacharacters, or allow-listed binaries (npm/npx) carrying execution flags, in MCP command/args values.",
+        "An MCP configuration / management surface reachable by a user who should not control command execution.",
+        "Agent Zero 0.9.8 - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-30624 (CWE-77/CWE-78 command injection via MCP configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) describing the unvalidated-MCP-command class."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-30624",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-30624",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30624",
+        "severity": "high",
+        "published_date": "2026-04-15"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Imported from NVD (CWE-77/CWE-78; NIST CVSS 8.6) + the 2026 MCP supply-chain advisory family (OX Security). Member of the MCP command-injection class already curated in depth by CVE-2026-22252 and CVE-2026-22688.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Agent Zero executes MCP server configurations without validating the command, letting an attacker who controls a configuration run arbitrary commands on the host."
+  },
+  "CVE-2026-30616": {
+    "name": "Jaaz MCP stdio Command Execution RCE",
+    "type": "RCE",
+    "cvss_score": 7.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+    "cvss_note": "CISA-ADP CVSS v3.1 base 7.3 (HIGH). Remote code execution in MCP stdio command execution handling.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security) and the NVD record: an attacker who controls the MCP stdio configuration causes the host to execute attacker-influenced commands.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the coordinated 2026 MCP supply-chain advisory; the abused surface is the project's MCP command/transport configuration.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; conventional command/argument injection through MCP configuration.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Jaaz (AI design / agent application) version 1.0.30.",
+    "affected_versions": [
+      "Jaaz 1.0.30"
+    ],
+    "vector": "Jaaz mishandles MCP stdio command execution, running command/args from an MCP configuration without neutralizing special elements (CWE-77). An attacker able to set the stdio command achieves code execution on the Jaaz host.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L: network-reachable, low-complexity command injection through MCP configuration.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No confirmed fixed release at curation; mitigate by restricting who can configure MCP commands and running the service least-privilege.",
+    "vendor_update_paths": [
+      "Track the Jaaz project for a fixed release; until then restrict who can configure MCP stdio servers and run Jaaz as a least-privilege user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI agent / RAG frameworks and their MCP command surfaces as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI framework's MCP command/transport configuration as an in-scope command-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach MCP command configuration as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model command injection via an AI framework's MCP configuration.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI framework's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-framework MCP command surfaces.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP command/args as untrusted input requiring neutralization; the transport's by-design command execution turns injection into direct RCE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 35,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 15,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 35, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation. poc_available=20 (documented technique) + blast_radius=15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-30616",
+    "cwe_refs": [
+      "CWE-77",
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "jaaz spawning a subprocess whose command/args came from an MCP configuration supplied or influenced by a caller rather than a pinned configuration.",
+        "Shell metacharacters, or allow-listed binaries (npm/npx) carrying execution flags, in MCP command/args values.",
+        "An MCP configuration / management surface reachable by a user who should not control command execution.",
+        "Jaaz 1.0.30 - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-30616 (CWE-77/CWE-78 command injection via MCP configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) describing the unvalidated-MCP-command class."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-30616",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-30616",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30616",
+        "severity": "high",
+        "published_date": "2026-04-15"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Imported from NVD (CWE-77/CWE-78; NIST CVSS 7.3) + the 2026 MCP supply-chain advisory family (OX Security). Member of the MCP command-injection class already curated in depth by CVE-2026-22252 and CVE-2026-22688.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Jaaz mishandles MCP stdio command execution, letting an attacker who sets the stdio command run arbitrary commands on the host."
+  },
+  "CVE-2026-30617": {
+    "name": "Langchain-Chatchat MCP Management Interface stdio RCE",
+    "type": "RCE",
+    "cvss_score": 8.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.6 (HIGH). RCE through an exposed MCP management interface that configures malicious stdio server commands.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security) and the NVD record: an attacker who controls the MCP stdio configuration causes the host to execute attacker-influenced commands.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the coordinated 2026 MCP supply-chain advisory; the abused surface is the project's MCP command/transport configuration.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; conventional command/argument injection through MCP configuration.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Langchain-Chatchat (RAG / knowledge-base assistant) version 0.3.1.",
+    "affected_versions": [
+      "Langchain-Chatchat 0.3.1"
+    ],
+    "vector": "Langchain-Chatchat exposes an MCP management interface that lets a caller configure a malicious stdio server command, which the server then executes without neutralizing special elements (CWE-77), yielding remote code execution on the host.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L: network-reachable, low-complexity command injection through MCP configuration.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No confirmed fixed release at curation; mitigate by restricting who can configure MCP commands and running the service least-privilege.",
+    "vendor_update_paths": [
+      "Track the Langchain-Chatchat project for a fixed release; until then do not expose the MCP management interface to untrusted networks and run the service as a least-privilege user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI agent / RAG frameworks and their MCP command surfaces as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI framework's MCP command/transport configuration as an in-scope command-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach MCP command configuration as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model command injection via an AI framework's MCP configuration.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI framework's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-framework MCP command surfaces.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP command/args as untrusted input requiring neutralization; the transport's by-design command execution turns injection into direct RCE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation. poc_available=20 (documented technique) + blast_radius=22.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-30617",
+    "cwe_refs": [
+      "CWE-77",
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Langchain-Chatchat spawning a subprocess whose command/args came from an MCP configuration supplied or influenced by a caller rather than a pinned configuration.",
+        "Shell metacharacters, or allow-listed binaries (npm/npx) carrying execution flags, in MCP command/args values.",
+        "An MCP configuration / management surface reachable by a user who should not control command execution.",
+        "Langchain-Chatchat 0.3.1 - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-30617 (CWE-77/CWE-78 command injection via MCP configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) describing the unvalidated-MCP-command class."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-30617",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-30617",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30617",
+        "severity": "high",
+        "published_date": "2026-04-15"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Imported from NVD (CWE-77/CWE-78; NIST CVSS 8.6) + the 2026 MCP supply-chain advisory family (OX Security). Member of the MCP command-injection class already curated in depth by CVE-2026-22252 and CVE-2026-22688.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Langchain-Chatchat exposes an MCP management interface that lets a caller configure a malicious stdio command the server then executes, yielding RCE."
+  },
+  "CVE-2026-30625": {
+    "name": "Upsonic MCP Task Allowed-Command Argument Injection RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL). RCE via MCP task creation where allow-listed commands (npm, npx) accept flags that enable arbitrary OS command execution.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security) and the NVD record: an attacker who controls the MCP task command allow-list arguments causes the host to execute attacker-influenced commands.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the coordinated 2026 MCP supply-chain advisory; the abused surface is the project's MCP command/transport configuration.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; conventional command/argument injection through MCP configuration.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Upsonic (agent framework) version 0.71.6; a warning was added in 0.72.0 but a full fix is not confirmed.",
+    "affected_versions": [
+      "Upsonic 0.71.6"
+    ],
+    "vector": "Upsonic MCP task creation allows certain commands (npm, npx) whose argument flags can be abused to execute arbitrary OS commands (CWE-77 argument injection). An attacker who can create an MCP task achieves code execution on the host. Version 0.72.0 adds a warning rather than a confirmed fix.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L: network-reachable, low-complexity command injection through MCP configuration.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No confirmed fixed release at curation; mitigate by restricting who can configure MCP commands and running the service least-privilege.",
+    "vendor_update_paths": [
+      "Upgrade to Upsonic 0.72.0+ for the added warning, but treat the allow-list as insufficient: restrict who can create MCP tasks and run Upsonic as a least-privilege user until a confirmed fix ships."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI agent / RAG frameworks and their MCP command surfaces as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI framework's MCP command/transport configuration as an in-scope command-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach MCP command configuration as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model command injection via an AI framework's MCP configuration.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI framework's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-framework MCP command surfaces.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP command/args as untrusted input requiring neutralization; the transport's by-design command execution turns injection into direct RCE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 38,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 38, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation. poc_available=20 (documented technique) + blast_radius=18.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-30625",
+    "cwe_refs": [
+      "CWE-77",
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Upsonic spawning a subprocess whose command/args came from an MCP configuration supplied or influenced by a caller rather than a pinned configuration.",
+        "Shell metacharacters, or allow-listed binaries (npm/npx) carrying execution flags, in MCP command/args values.",
+        "An MCP configuration / management surface reachable by a user who should not control command execution.",
+        "Upsonic 0.71.6 - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-30625 (CWE-77/CWE-78 command injection via MCP configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) describing the unvalidated-MCP-command class."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-30625",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-30625",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30625",
+        "severity": "critical",
+        "published_date": "2026-04-15"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Imported from NVD (CWE-77/CWE-78; NIST CVSS 9.8) + the 2026 MCP supply-chain advisory family (OX Security). Member of the MCP command-injection class already curated in depth by CVE-2026-22252 and CVE-2026-22688.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Upsonic allow-lists npm/npx for MCP tasks, but their argument flags enable arbitrary OS command execution, so an attacker who can create a task achieves RCE."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",