@blamejs/exceptd-skills 0.13.74 → 0.13.76

package/data/cwe-catalog.json

@@ -146,7 +146,12 @@
       "CVE-2025-53773",
       "CVE-2025-55319",
       "CVE-2025-59689",
+      "CVE-2026-22688",
       "CVE-2026-22719",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "MAL-2026-3083"
     ],
     "framework_controls_partially_addressing": [
@@ -195,9 +200,16 @@
       "CVE-2025-66644",
       "CVE-2025-9377",
       "CVE-2026-1731",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-25108",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
       "CVE-2026-30623",
-      "CVE-2026-39987"
+      "CVE-2026-30624",
+      "CVE-2026-30625",
+      "CVE-2026-39987",
+      "CVE-2026-40933"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -2920,7 +2932,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2026-22252"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,

package/data/framework-control-gaps.json

@@ -36,7 +36,14 @@
     "evidence_cves": [
       "CVE-2025-34291",
       "CVE-2025-49596",
-      "CVE-2025-54136"
+      "CVE-2025-54136",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
+      "CVE-2026-40933"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -1512,6 +1519,8 @@
       "CVE-2026-21525",
       "CVE-2026-21533",
       "CVE-2026-21643",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-22719",
       "CVE-2026-22769",
       "CVE-2026-23760",
@@ -1522,6 +1531,10 @@
       "CVE-2026-25108",
       "CVE-2026-25592",
       "CVE-2026-3055",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-32201",
@@ -1534,6 +1547,7 @@
       "CVE-2026-35616",
       "CVE-2026-3909",
       "CVE-2026-3910",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-41940",
       "CVE-2026-42945",
@@ -1729,10 +1743,17 @@
       "CVE-2025-43300",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-31431",
       "CVE-2026-34926",
       "CVE-2026-39884",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-45321",
       "CVE-2026-45498",
@@ -2448,6 +2469,8 @@
       "CVE-2026-21525",
       "CVE-2026-21533",
       "CVE-2026-21643",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-22719",
       "CVE-2026-22769",
       "CVE-2026-23760",
@@ -2458,6 +2481,10 @@
       "CVE-2026-25108",
       "CVE-2026-25592",
       "CVE-2026-3055",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-32201",
@@ -2472,6 +2499,7 @@
       "CVE-2026-35616",
       "CVE-2026-3909",
       "CVE-2026-3910",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-41940",
       "CVE-2026-42897",
@@ -4725,8 +4753,15 @@
       "CVE-2025-54136",
       "CVE-2026-0300",
       "CVE-2026-20182",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-34926",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-42897",
       "CVE-2026-42945",
@@ -5222,8 +5257,15 @@
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-34926",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-45498",
       "CVE-2026-46300",
@@ -5263,8 +5305,15 @@
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2026-22252",
+      "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-34926",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-45498",
       "CVE-2026-46300",

package/data/zeroday-lessons.json

@@ -6083,6 +6083,356 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-22252": {
+    "name": "LibreChat MCP stdio Transport — Authenticated Arbitrary Command Execution as Root",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "LibreChat's MCP stdio transport accepts an arbitrary command without authorization or validation (CWE-285), so any authenticated user can make the server run shell commands as root inside the container via a single API request.",
+      "privileges_required": "any authenticated LibreChat user (PR:L) — including self-registered accounts where open registration is enabled",
+      "complexity": "low (NVD AC:L); one API request, container-root scope",
+      "ai_factor": "The abused surface is the MCP tool transport of a multi-user AI platform. The lesson: an MCP stdio transport launches whatever command it is handed, so it must authorize the caller and validate the command — ordinary user authentication is not an execution boundary. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted AI chat platforms and their MCP transports as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate the AI platform's MCP tool transport as an authorization-critical surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the MCP stdio transport to enforce authorization and command validation; without it, ordinary user auth becomes container-root RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Self-hosted AI platforms are rarely in the managed vulnerability program, frequently run as root in their container, and their MCP transports are not audited as command-execution boundaries.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-083",
+        "name": "MCP-STDIO-TRANSPORT-COMMAND-GOVERNANCE",
+        "description": "An MCP stdio transport must not execute caller-supplied commands without authorization and validation: restrict which roles may configure/invoke MCP servers, pin or allow-list the launchable commands rather than accepting arbitrary strings, neutralize command input, and run the host process as a least-privilege (non-root) container user with a read-only filesystem where possible. Track the AI platform (e.g. LibreChat >= 0.8.2-rc2) as managed, patch-prioritized software.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-22252",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-22688": {
+    "name": "Tencent WeKnora MCP stdio Command Injection",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "WeKnora lets authenticated users set the MCP stdio_config.command/args, which the server executes as a subprocess without neutralizing special elements (CWE-77), yielding command injection / code execution on the host.",
+      "privileges_required": "authenticated WeKnora user (PR:L)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the MCP stdio configuration of a RAG / knowledge-base AI platform. The lesson is identical to the LibreChat case: user-supplied MCP command/args are untrusted input that the transport must neutralize, because the MCP transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted RAG / knowledge-base AI platforms and their MCP transports as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate the AI platform's MCP stdio settings as a command-execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats user-supplied MCP stdio command/args as untrusted input requiring neutralization."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "RAG / knowledge-base AI platforms are rarely in the managed vulnerability program, and their MCP stdio settings are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-084",
+        "name": "MCP-STDIO-CONFIG-INPUT-NEUTRALIZATION",
+        "description": "User-supplied MCP stdio_config.command/args must be treated as untrusted input: neutralize shell metacharacters, allow-list permissible commands, restrict who may edit MCP stdio settings, and run the AI platform as a least-privilege container user. Track the platform (e.g. Tencent WeKnora >= 0.2.5) as managed, patch-prioritized software. This is the same governance the LibreChat MCP transport flaw (CVE-2026-22252) requires, applied to RAG platforms.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-22688",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-40933": {
+    "name": "FlowiseAI Flowise MCP Custom Config Command Injection",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Flowise lets an authenticated user define a Custom MCP server configuration whose command/args the server executes; sanitization is bypassed by pairing an allow-listed binary (npx) with execution flags (CWE-78), yielding arbitrary OS command execution on the host.",
+      "privileges_required": "authenticated Flowise user (PR:L)",
+      "complexity": "low (NVD AC:L); allow-list bypass via execution flags",
+      "ai_factor": "The abused surface is the MCP command/transport configuration of an AI framework. The lesson matches the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: user-supplied or attacker-influenced MCP command/args are untrusted input the transport must neutralize, because the transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted low-code LLM builders and their Custom-MCP command surfaces as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate the Custom MCP configuration as an authorization-critical command-execution surface, nor recognize allow-list bypass via argument flags."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the MCP transport to neutralize allow-listed binaries' execution flags; an allow-list alone is not a command boundary."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI agent / RAG frameworks are rarely in the managed vulnerability program, and their MCP command surfaces are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-084",
+        "name": "MCP-STDIO-CONFIG-INPUT-NEUTRALIZATION",
+        "description": "MCP command configuration must neutralize untrusted command/args, and command allow-lists (npm/npx) must also block argument flags that re-enable arbitrary execution. Upgrade Flowise to 3.1.0+, restrict who may author Custom MCP configurations, and run least-privilege. Same governance as the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) MCP transport flaws.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-40933",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-30625": {
+    "name": "Upsonic MCP Task Allowed-Command Argument Injection RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Upsonic MCP task creation allow-lists npm/npx whose argument flags can be abused to execute arbitrary OS commands (CWE-77 argument injection). An attacker who can create an MCP task achieves code execution; 0.72.0 adds a warning rather than a confirmed fix.",
+      "privileges_required": "attacker able to create an Upsonic MCP task (PR:N per NVD)",
+      "complexity": "low (NVD AC:L); allow-list argument-flag abuse",
+      "ai_factor": "The abused surface is the MCP command/transport configuration of an AI framework. The lesson matches the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: user-supplied or attacker-influenced MCP command/args are untrusted input the transport must neutralize, because the transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track agent frameworks and their MCP task command allow-lists as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats an allow-list of binaries as a control without accounting for argument-flag abuse of those binaries."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires an MCP command allow-list to also constrain the arguments those commands accept; npm/npx flags re-enable execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "AI agent / RAG frameworks are rarely in the managed vulnerability program, and their MCP command surfaces are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-084",
+        "name": "MCP-STDIO-CONFIG-INPUT-NEUTRALIZATION",
+        "description": "An MCP command allow-list must also constrain arguments — npm/npx execution flags must be blocked, not just the binary name allow-listed. Treat 0.72.0's warning as insufficient; restrict who may create MCP tasks and run Upsonic least-privilege until a confirmed fix ships.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-30625",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-30617": {
+    "name": "Langchain-Chatchat MCP Management Interface stdio RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Langchain-Chatchat exposes an MCP management interface that lets a caller configure a malicious stdio server command, which the server executes without neutralizing special elements (CWE-77), yielding remote code execution on the host.",
+      "privileges_required": "caller reaching the exposed MCP management interface (PR:N per NVD)",
+      "complexity": "low (NVD AC:L); exposed management interface",
+      "ai_factor": "The abused surface is the MCP command/transport configuration of an AI framework. The lesson matches the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: user-supplied or attacker-influenced MCP command/args are untrusted input the transport must neutralize, because the transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track RAG / knowledge-base assistants and their MCP management interfaces as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate an exposed MCP management interface as an authorization-critical command-execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the MCP management interface to be authenticated and the configured stdio command to be neutralized before execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI agent / RAG frameworks are rarely in the managed vulnerability program, and their MCP command surfaces are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-083",
+        "name": "MCP-STDIO-TRANSPORT-COMMAND-GOVERNANCE",
+        "description": "The MCP management/transport surface must authorize callers and neutralize the stdio command it is handed before execution. Do not expose the MCP management interface to untrusted networks; run least-privilege. Same governance as the LibreChat (CVE-2026-22252) MCP transport flaw, applied to an exposed management interface.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-30617",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-30624": {
+    "name": "Agent Zero MCP Server Config Command Injection",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Agent Zero executes MCP server configurations without adequately validating the command/args before spawning the subprocess (CWE-77). An attacker who can supply or influence an MCP server configuration achieves remote code execution on the host.",
+      "privileges_required": "attacker able to supply or influence an MCP server configuration (PR:N per NVD)",
+      "complexity": "low (NVD AC:L); unvalidated server configuration",
+      "ai_factor": "The abused surface is the MCP command/transport configuration of an AI framework. The lesson matches the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: user-supplied or attacker-influenced MCP command/args are untrusted input the transport must neutralize, because the transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track autonomous agent frameworks and their MCP server-configuration surfaces as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate MCP server configuration as an authorization-critical command-execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires MCP server configurations to be validated and authorized before the configured command is executed."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI agent / RAG frameworks are rarely in the managed vulnerability program, and their MCP command surfaces are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-083",
+        "name": "MCP-STDIO-TRANSPORT-COMMAND-GOVERNANCE",
+        "description": "MCP server configurations must be validated and the caller authorized before the configured command is spawned. Treat MCP server configuration as a privileged surface, restrict who can edit it, and run Agent Zero least-privilege. Same governance as the LibreChat (CVE-2026-22252) MCP transport flaw.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-30624",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-30616": {
+    "name": "Jaaz MCP stdio Command Execution RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Jaaz mishandles MCP stdio command execution, running command/args from an MCP configuration without neutralizing special elements (CWE-77). An attacker able to set the stdio command achieves code execution on the Jaaz host.",
+      "privileges_required": "attacker able to set the Jaaz MCP stdio command (PR:N per CISA-ADP)",
+      "complexity": "low (CISA-ADP AC:L)",
+      "ai_factor": "The abused surface is the MCP command/transport configuration of an AI framework. The lesson matches the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: user-supplied or attacker-influenced MCP command/args are untrusted input the transport must neutralize, because the transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI design / agent applications and their MCP stdio handling as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate MCP stdio command handling as an authorization-critical command-execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the MCP stdio handler to neutralize the configured command before execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI agent / RAG frameworks are rarely in the managed vulnerability program, and their MCP command surfaces are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-084",
+        "name": "MCP-STDIO-CONFIG-INPUT-NEUTRALIZATION",
+        "description": "The MCP stdio handler must neutralize the configured command/args before execution and restrict who can configure stdio servers. Run Jaaz least-privilege. Same governance as the WeKnora (CVE-2026-22688) MCP stdio flaw.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-30616",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",