@blamejs/exceptd-skills 0.13.75 → 0.13.77
- package/CHANGELOG.md +8 -0
- package/data/_indexes/_meta.json +8 -8
- package/data/_indexes/activity-feed.json +2 -2
- package/data/_indexes/catalog-summaries.json +2 -2
- package/data/_indexes/chains.json +2584 -0
- package/data/attack-techniques.json +13 -0
- package/data/cve-catalog.json +685 -1
- package/data/cwe-catalog.json +14 -2
- package/data/framework-control-gaps.json +55 -6
- package/data/zeroday-lessons.json +350 -0
- package/manifest.json +44 -44
- package/package.json +2 -2
- package/sbom.cdx.json +23 -23
package/data/cve-catalog.json
CHANGED
|
@@ -55,7 +55,7 @@
|
|
|
55
55
|
"ai_discovery_methodology": {
|
|
56
56
|
"field_added": "2026-05-15",
|
|
57
57
|
"agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
|
|
58
|
-
"current_rate": 0.
|
|
58
|
+
"current_rate": 0.036,
|
|
59
59
|
"current_floor_enforced_by_test": 0.03,
|
|
60
60
|
"ladder_to_target": [
|
|
61
61
|
0.03,
|
|
@@ -10010,6 +10010,690 @@
|
|
|
10010
10010
|
"_intake_method": "manual-verified-curation",
|
|
10011
10011
|
"_kev_short_description": "Tencent WeKnora allows authenticated users to inject commands into MCP stdio settings, causing the server to execute attacker-supplied subprocesses."
|
|
10012
10012
|
},
|
|
10013
|
+
"CVE-2026-40933": {
|
|
10014
|
+
"name": "FlowiseAI Flowise MCP Custom Config Command Injection",
|
|
10015
|
+
"type": "RCE",
|
|
10016
|
+
"cvss_score": 9.9,
|
|
10017
|
+
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
|
|
10018
|
+
"cvss_note": "NVD/CNA CVSS v3.1 base 9.9 (CRITICAL, Scope:Changed). Authenticated command injection via the Custom MCP configuration.",
|
|
10019
|
+
"cisa_kev": false,
|
|
10020
|
+
"poc_available": true,
|
|
10021
|
+
"poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security) and the NVD record: an attacker who controls the MCP Custom configuration causes the host to execute attacker-influenced commands.",
|
|
10022
|
+
"ai_discovered": false,
|
|
10023
|
+
"ai_discovery_source": "human_researcher",
|
|
10024
|
+
"ai_discovery_notes": "Disclosed via the coordinated 2026 MCP supply-chain advisory; the abused surface is the project's MCP command/transport configuration.",
|
|
10025
|
+
"ai_assisted_weaponization": false,
|
|
10026
|
+
"ai_assisted_notes": "No AI-assisted weaponization; conventional command/argument injection through MCP configuration.",
|
|
10027
|
+
"active_exploitation": "none",
|
|
10028
|
+
"active_exploitation_notes": "Research / advisory disclosure; no confirmed in-the-wild exploitation reported as of curation.",
|
|
10029
|
+
"affected": "FlowiseAI Flowise (low-code LLM orchestration builder) versions prior to 3.1.0.",
|
|
10030
|
+
"affected_versions": [
|
|
10031
|
+
"FlowiseAI Flowise < 3.1.0"
|
|
10032
|
+
],
|
|
10033
|
+
"vector": "Flowise lets an authenticated user define a Custom MCP server configuration whose command/args the server then executes. Sanitization can be bypassed by combining an allow-listed binary (e.g. npx) with execution flags, so the attacker neutralizes special elements (CWE-78) and runs arbitrary OS commands on the Flowise host.",
|
|
10034
|
+
"complexity": "low",
|
|
10035
|
+
"complexity_notes": "NVD AV:N / AC:L: network-reachable, low-complexity command injection through MCP configuration.",
|
|
10036
|
+
"patch_available": true,
|
|
10037
|
+
"patch_required_reboot": false,
|
|
10038
|
+
"live_patch_available": false,
|
|
10039
|
+
"live_patch_tools": [],
|
|
10040
|
+
"live_patch_notes": "Remediation is an application upgrade to 3.1.0 or later; redeploy, no host reboot.",
|
|
10041
|
+
"vendor_update_paths": [
|
|
10042
|
+
"Upgrade FlowiseAI Flowise to 3.1.0 or later. Until then, restrict who can author Custom MCP configurations and run Flowise as a least-privilege container user."
|
|
10043
|
+
],
|
|
10044
|
+
"framework_control_gaps": {
|
|
10045
|
+
"NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI agent / RAG frameworks and their MCP command surfaces as managed, RCE-bearing software.",
|
|
10046
|
+
"ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI framework's MCP command/transport configuration as an in-scope command-execution surface.",
|
|
10047
|
+
"NIS2-Art21-patch-management": "Article 21 measures do not reach MCP command configuration as a privileged execution control plane.",
|
|
10048
|
+
"DORA-Art-9": "ICT protection measures do not model command injection via an AI framework's MCP configuration.",
|
|
10049
|
+
"UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI framework's MCP transport.",
|
|
10050
|
+
"AU-ISM-1546": "Patch-application control does not single out AI-framework MCP command surfaces.",
|
|
10051
|
+
"ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP command/args as untrusted input requiring neutralization; the transport's by-design command execution turns injection into direct RCE."
|
|
10052
|
+
},
|
|
10053
|
+
"atlas_refs": [],
|
|
10054
|
+
"attack_refs": [
|
|
10055
|
+
"T1190",
|
|
10056
|
+
"T1059"
|
|
10057
|
+
],
|
|
10058
|
+
"rwep_score": 30,
|
|
10059
|
+
"rwep_factors": {
|
|
10060
|
+
"cisa_kev": 0,
|
|
10061
|
+
"poc_available": 20,
|
|
10062
|
+
"ai_factor": 0,
|
|
10063
|
+
"active_exploitation": 0,
|
|
10064
|
+
"blast_radius": 25,
|
|
10065
|
+
"patch_available": -15,
|
|
10066
|
+
"live_patch_available": 0,
|
|
10067
|
+
"reboot_required": 0
|
|
10068
|
+
},
|
|
10069
|
+
"rwep_notes": "Standard (RWEP 30, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (documented technique) + blast_radius=25 minus patch 15.",
|
|
10070
|
+
"epss_score": null,
|
|
10071
|
+
"epss_date": "2026-05-25",
|
|
10072
|
+
"epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
|
|
10073
|
+
"epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-40933",
|
|
10074
|
+
"cwe_refs": [
|
|
10075
|
+
"CWE-78"
|
|
10076
|
+
],
|
|
10077
|
+
"iocs": {
|
|
10078
|
+
"behavioral": [
|
|
10079
|
+
"Flowise spawning a subprocess whose command/args came from an MCP configuration supplied or influenced by a caller rather than a pinned configuration.",
|
|
10080
|
+
"Shell metacharacters, or allow-listed binaries (npm/npx) carrying execution flags, in MCP command/args values.",
|
|
10081
|
+
"An MCP configuration / management surface reachable by a user who should not control command execution.",
|
|
10082
|
+
"FlowiseAI Flowise < 3.1.0 - the exposed precondition."
|
|
10083
|
+
],
|
|
10084
|
+
"_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-40933 (CWE-78 command injection via MCP configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) describing the unvalidated-MCP-command class."
|
|
10085
|
+
},
|
|
10086
|
+
"source_verified": "2026-05-25",
|
|
10087
|
+
"verification_sources": [
|
|
10088
|
+
"https://nvd.nist.gov/vuln/detail/CVE-2026-40933",
|
|
10089
|
+
"https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
|
|
10090
|
+
],
|
|
10091
|
+
"vendor_advisories": [
|
|
10092
|
+
{
|
|
10093
|
+
"vendor": "GitHub Security Advisory",
|
|
10094
|
+
"advisory_id": "CVE-2026-40933",
|
|
10095
|
+
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-c9gw-hvqq-f33r",
|
|
10096
|
+
"severity": "critical",
|
|
10097
|
+
"published_date": "2026-04-21"
|
|
10098
|
+
},
|
|
10099
|
+
{
|
|
10100
|
+
"vendor": "NVD",
|
|
10101
|
+
"advisory_id": "CVE-2026-40933",
|
|
10102
|
+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40933",
|
|
10103
|
+
"severity": "critical",
|
|
10104
|
+
"published_date": "2026-04-21"
|
|
10105
|
+
}
|
|
10106
|
+
],
|
|
10107
|
+
"last_updated": "2026-05-25",
|
|
10108
|
+
"discovery_attribution_note": "Imported from NVD (CWE-78; NIST CVSS 9.9) + the 2026 MCP supply-chain advisory family (OX Security). Member of the MCP command-injection class already curated in depth by CVE-2026-22252 and CVE-2026-22688.",
|
|
10109
|
+
"_auto_imported": false,
|
|
10110
|
+
"_intake_method": "manual-verified-curation",
|
|
10111
|
+
"_kev_short_description": "FlowiseAI Flowise allows an authenticated user to bypass MCP Custom-config command sanitization (e.g. npx with execution flags) and run arbitrary OS commands on the host."
|
|
10112
|
+
},
|
|
10113
|
+
"CVE-2026-30624": {
|
|
10114
|
+
"name": "Agent Zero MCP Server Config Command Injection",
|
|
10115
|
+
"type": "RCE",
|
|
10116
|
+
"cvss_score": 8.6,
|
|
10117
|
+
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
|
|
10118
|
+
"cvss_note": "NVD CVSS v3.1 base 8.6 (HIGH). Remote code execution through malicious MCP server configurations executed without adequate validation.",
|
|
10119
|
+
"cisa_kev": false,
|
|
10120
|
+
"poc_available": true,
|
|
10121
|
+
"poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security) and the NVD record: an attacker who controls the MCP server configuration causes the host to execute attacker-influenced commands.",
|
|
10122
|
+
"ai_discovered": false,
|
|
10123
|
+
"ai_discovery_source": "human_researcher",
|
|
10124
|
+
"ai_discovery_notes": "Disclosed via the coordinated 2026 MCP supply-chain advisory; the abused surface is the project's MCP command/transport configuration.",
|
|
10125
|
+
"ai_assisted_weaponization": false,
|
|
10126
|
+
"ai_assisted_notes": "No AI-assisted weaponization; conventional command/argument injection through MCP configuration.",
|
|
10127
|
+
"active_exploitation": "none",
|
|
10128
|
+
"active_exploitation_notes": "Research / advisory disclosure; no confirmed in-the-wild exploitation reported as of curation.",
|
|
10129
|
+
"affected": "Agent Zero (autonomous agent framework) version 0.9.8.",
|
|
10130
|
+
"affected_versions": [
|
|
10131
|
+
"Agent Zero 0.9.8"
|
|
10132
|
+
],
|
|
10133
|
+
"vector": "Agent Zero executes MCP server configurations without adequately validating the command/args before spawning the subprocess (CWE-77). An attacker who can supply or influence an MCP server configuration achieves remote code execution on the Agent Zero host.",
|
|
10134
|
+
"complexity": "low",
|
|
10135
|
+
"complexity_notes": "NVD AV:N / AC:L: network-reachable, low-complexity command injection through MCP configuration.",
|
|
10136
|
+
"patch_available": false,
|
|
10137
|
+
"patch_required_reboot": false,
|
|
10138
|
+
"live_patch_available": false,
|
|
10139
|
+
"live_patch_tools": [],
|
|
10140
|
+
"live_patch_notes": "No confirmed fixed release at curation; mitigate by restricting who can configure MCP commands and running the service least-privilege.",
|
|
10141
|
+
"vendor_update_paths": [
|
|
10142
|
+
"Track the Agent Zero project for a fixed release; until one ships, treat MCP server configuration as a privileged surface, restrict who can edit it, and run Agent Zero as a least-privilege user."
|
|
10143
|
+
],
|
|
10144
|
+
"framework_control_gaps": {
|
|
10145
|
+
"NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI agent / RAG frameworks and their MCP command surfaces as managed, RCE-bearing software.",
|
|
10146
|
+
"ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI framework's MCP command/transport configuration as an in-scope command-execution surface.",
|
|
10147
|
+
"NIS2-Art21-patch-management": "Article 21 measures do not reach MCP command configuration as a privileged execution control plane.",
|
|
10148
|
+
"DORA-Art-9": "ICT protection measures do not model command injection via an AI framework's MCP configuration.",
|
|
10149
|
+
"UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI framework's MCP transport.",
|
|
10150
|
+
"AU-ISM-1546": "Patch-application control does not single out AI-framework MCP command surfaces.",
|
|
10151
|
+
"ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP command/args as untrusted input requiring neutralization; the transport's by-design command execution turns injection into direct RCE."
|
|
10152
|
+
},
|
|
10153
|
+
"atlas_refs": [],
|
|
10154
|
+
"attack_refs": [
|
|
10155
|
+
"T1190",
|
|
10156
|
+
"T1059"
|
|
10157
|
+
],
|
|
10158
|
+
"rwep_score": 40,
|
|
10159
|
+
"rwep_factors": {
|
|
10160
|
+
"cisa_kev": 0,
|
|
10161
|
+
"poc_available": 20,
|
|
10162
|
+
"ai_factor": 0,
|
|
10163
|
+
"active_exploitation": 0,
|
|
10164
|
+
"blast_radius": 20,
|
|
10165
|
+
"patch_available": 0,
|
|
10166
|
+
"live_patch_available": 0,
|
|
10167
|
+
"reboot_required": 0
|
|
10168
|
+
},
|
|
10169
|
+
"rwep_notes": "Elevated (RWEP 40, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation. poc_available=20 (documented technique) + blast_radius=20.",
|
|
10170
|
+
"epss_score": null,
|
|
10171
|
+
"epss_date": "2026-05-25",
|
|
10172
|
+
"epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
|
|
10173
|
+
"epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-30624",
|
|
10174
|
+
"cwe_refs": [
|
|
10175
|
+
"CWE-77",
|
|
10176
|
+
"CWE-78"
|
|
10177
|
+
],
|
|
10178
|
+
"iocs": {
|
|
10179
|
+
"behavioral": [
|
|
10180
|
+
"agent-zero spawning a subprocess whose command/args came from an MCP configuration supplied or influenced by a caller rather than a pinned configuration.",
|
|
10181
|
+
"Shell metacharacters, or allow-listed binaries (npm/npx) carrying execution flags, in MCP command/args values.",
|
|
10182
|
+
"An MCP configuration / management surface reachable by a user who should not control command execution.",
|
|
10183
|
+
"Agent Zero 0.9.8 - the exposed precondition."
|
|
10184
|
+
],
|
|
10185
|
+
"_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-30624 (CWE-77/CWE-78 command injection via MCP configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) describing the unvalidated-MCP-command class."
|
|
10186
|
+
},
|
|
10187
|
+
"source_verified": "2026-05-25",
|
|
10188
|
+
"verification_sources": [
|
|
10189
|
+
"https://nvd.nist.gov/vuln/detail/CVE-2026-30624",
|
|
10190
|
+
"https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
|
|
10191
|
+
],
|
|
10192
|
+
"vendor_advisories": [
|
|
10193
|
+
{
|
|
10194
|
+
"vendor": "NVD",
|
|
10195
|
+
"advisory_id": "CVE-2026-30624",
|
|
10196
|
+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30624",
|
|
10197
|
+
"severity": "high",
|
|
10198
|
+
"published_date": "2026-04-15"
|
|
10199
|
+
}
|
|
10200
|
+
],
|
|
10201
|
+
"last_updated": "2026-05-25",
|
|
10202
|
+
"discovery_attribution_note": "Imported from NVD (CWE-77/CWE-78; NIST CVSS 8.6) + the 2026 MCP supply-chain advisory family (OX Security). Member of the MCP command-injection class already curated in depth by CVE-2026-22252 and CVE-2026-22688.",
|
|
10203
|
+
"_auto_imported": false,
|
|
10204
|
+
"_intake_method": "manual-verified-curation",
|
|
10205
|
+
"_kev_short_description": "Agent Zero executes MCP server configurations without validating the command, letting an attacker who controls a configuration run arbitrary commands on the host."
|
|
10206
|
+
},
|
|
10207
|
+
"CVE-2026-30616": {
|
|
10208
|
+
"name": "Jaaz MCP stdio Command Execution RCE",
|
|
10209
|
+
"type": "RCE",
|
|
10210
|
+
"cvss_score": 7.3,
|
|
10211
|
+
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
|
|
10212
|
+
"cvss_note": "CISA-ADP CVSS v3.1 base 7.3 (HIGH). Remote code execution in MCP stdio command execution handling.",
|
|
10213
|
+
"cisa_kev": false,
|
|
10214
|
+
"poc_available": true,
|
|
10215
|
+
"poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security) and the NVD record: an attacker who controls the MCP stdio configuration causes the host to execute attacker-influenced commands.",
|
|
10216
|
+
"ai_discovered": false,
|
|
10217
|
+
"ai_discovery_source": "human_researcher",
|
|
10218
|
+
"ai_discovery_notes": "Disclosed via the coordinated 2026 MCP supply-chain advisory; the abused surface is the project's MCP command/transport configuration.",
|
|
10219
|
+
"ai_assisted_weaponization": false,
|
|
10220
|
+
"ai_assisted_notes": "No AI-assisted weaponization; conventional command/argument injection through MCP configuration.",
|
|
10221
|
+
"active_exploitation": "none",
|
|
10222
|
+
"active_exploitation_notes": "Research / advisory disclosure; no confirmed in-the-wild exploitation reported as of curation.",
|
|
10223
|
+
"affected": "Jaaz (AI design / agent application) version 1.0.30.",
|
|
10224
|
+
"affected_versions": [
|
|
10225
|
+
"Jaaz 1.0.30"
|
|
10226
|
+
],
|
|
10227
|
+
"vector": "Jaaz mishandles MCP stdio command execution, running command/args from an MCP configuration without neutralizing special elements (CWE-77). An attacker able to set the stdio command achieves code execution on the Jaaz host.",
|
|
10228
|
+
"complexity": "low",
|
|
10229
|
+
"complexity_notes": "NVD AV:N / AC:L: network-reachable, low-complexity command injection through MCP configuration.",
|
|
10230
|
+
"patch_available": false,
|
|
10231
|
+
"patch_required_reboot": false,
|
|
10232
|
+
"live_patch_available": false,
|
|
10233
|
+
"live_patch_tools": [],
|
|
10234
|
+
"live_patch_notes": "No confirmed fixed release at curation; mitigate by restricting who can configure MCP commands and running the service least-privilege.",
|
|
10235
|
+
"vendor_update_paths": [
|
|
10236
|
+
"Track the Jaaz project for a fixed release; until then restrict who can configure MCP stdio servers and run Jaaz as a least-privilege user."
|
|
10237
|
+
],
|
|
10238
|
+
"framework_control_gaps": {
|
|
10239
|
+
"NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI agent / RAG frameworks and their MCP command surfaces as managed, RCE-bearing software.",
|
|
10240
|
+
"ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI framework's MCP command/transport configuration as an in-scope command-execution surface.",
|
|
10241
|
+
"NIS2-Art21-patch-management": "Article 21 measures do not reach MCP command configuration as a privileged execution control plane.",
|
|
10242
|
+
"DORA-Art-9": "ICT protection measures do not model command injection via an AI framework's MCP configuration.",
|
|
10243
|
+
"UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI framework's MCP transport.",
|
|
10244
|
+
"AU-ISM-1546": "Patch-application control does not single out AI-framework MCP command surfaces.",
|
|
10245
|
+
"ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP command/args as untrusted input requiring neutralization; the transport's by-design command execution turns injection into direct RCE."
|
|
10246
|
+
},
|
|
10247
|
+
"atlas_refs": [],
|
|
10248
|
+
"attack_refs": [
|
|
10249
|
+
"T1190",
|
|
10250
|
+
"T1059"
|
|
10251
|
+
],
|
|
10252
|
+
"rwep_score": 35,
|
|
10253
|
+
"rwep_factors": {
|
|
10254
|
+
"cisa_kev": 0,
|
|
10255
|
+
"poc_available": 20,
|
|
10256
|
+
"ai_factor": 0,
|
|
10257
|
+
"active_exploitation": 0,
|
|
10258
|
+
"blast_radius": 15,
|
|
10259
|
+
"patch_available": 0,
|
|
10260
|
+
"live_patch_available": 0,
|
|
10261
|
+
"reboot_required": 0
|
|
10262
|
+
},
|
|
10263
|
+
"rwep_notes": "Standard (RWEP 35, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation. poc_available=20 (documented technique) + blast_radius=15.",
|
|
10264
|
+
"epss_score": null,
|
|
10265
|
+
"epss_date": "2026-05-25",
|
|
10266
|
+
"epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
|
|
10267
|
+
"epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-30616",
|
|
10268
|
+
"cwe_refs": [
|
|
10269
|
+
"CWE-77",
|
|
10270
|
+
"CWE-78"
|
|
10271
|
+
],
|
|
10272
|
+
"iocs": {
|
|
10273
|
+
"behavioral": [
|
|
10274
|
+
"jaaz spawning a subprocess whose command/args came from an MCP configuration supplied or influenced by a caller rather than a pinned configuration.",
|
|
10275
|
+
"Shell metacharacters, or allow-listed binaries (npm/npx) carrying execution flags, in MCP command/args values.",
|
|
10276
|
+
"An MCP configuration / management surface reachable by a user who should not control command execution.",
|
|
10277
|
+
"Jaaz 1.0.30 - the exposed precondition."
|
|
10278
|
+
],
|
|
10279
|
+
"_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-30616 (CWE-77/CWE-78 command injection via MCP configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) describing the unvalidated-MCP-command class."
|
|
10280
|
+
},
|
|
10281
|
+
"source_verified": "2026-05-25",
|
|
10282
|
+
"verification_sources": [
|
|
10283
|
+
"https://nvd.nist.gov/vuln/detail/CVE-2026-30616",
|
|
10284
|
+
"https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
|
|
10285
|
+
],
|
|
10286
|
+
"vendor_advisories": [
|
|
10287
|
+
{
|
|
10288
|
+
"vendor": "NVD",
|
|
10289
|
+
"advisory_id": "CVE-2026-30616",
|
|
10290
|
+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30616",
|
|
10291
|
+
"severity": "high",
|
|
10292
|
+
"published_date": "2026-04-15"
|
|
10293
|
+
}
|
|
10294
|
+
],
|
|
10295
|
+
"last_updated": "2026-05-25",
|
|
10296
|
+
"discovery_attribution_note": "Imported from NVD (CWE-77/CWE-78; NIST CVSS 7.3) + the 2026 MCP supply-chain advisory family (OX Security). Member of the MCP command-injection class already curated in depth by CVE-2026-22252 and CVE-2026-22688.",
|
|
10297
|
+
"_auto_imported": false,
|
|
10298
|
+
"_intake_method": "manual-verified-curation",
|
|
10299
|
+
"_kev_short_description": "Jaaz mishandles MCP stdio command execution, letting an attacker who sets the stdio command run arbitrary commands on the host."
|
|
10300
|
+
},
|
|
10301
|
+
"CVE-2026-30617": {
|
|
10302
|
+
"name": "Langchain-Chatchat MCP Management Interface stdio RCE",
|
|
10303
|
+
"type": "RCE",
|
|
10304
|
+
"cvss_score": 8.6,
|
|
10305
|
+
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
|
|
10306
|
+
"cvss_note": "NVD CVSS v3.1 base 8.6 (HIGH). RCE through an exposed MCP management interface that configures malicious stdio server commands.",
|
|
10307
|
+
"cisa_kev": false,
|
|
10308
|
+
"poc_available": true,
|
|
10309
|
+
"poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security) and the NVD record: an attacker who controls the MCP stdio configuration causes the host to execute attacker-influenced commands.",
|
|
10310
|
+
"ai_discovered": false,
|
|
10311
|
+
"ai_discovery_source": "human_researcher",
|
|
10312
|
+
"ai_discovery_notes": "Disclosed via the coordinated 2026 MCP supply-chain advisory; the abused surface is the project's MCP command/transport configuration.",
|
|
10313
|
+
"ai_assisted_weaponization": false,
|
|
10314
|
+
"ai_assisted_notes": "No AI-assisted weaponization; conventional command/argument injection through MCP configuration.",
|
|
10315
|
+
"active_exploitation": "none",
|
|
10316
|
+
"active_exploitation_notes": "Research / advisory disclosure; no confirmed in-the-wild exploitation reported as of curation.",
|
|
10317
|
+
"affected": "Langchain-Chatchat (RAG / knowledge-base assistant) version 0.3.1.",
|
|
10318
|
+
"affected_versions": [
|
|
10319
|
+
"Langchain-Chatchat 0.3.1"
|
|
10320
|
+
],
|
|
10321
|
+
"vector": "Langchain-Chatchat exposes an MCP management interface that lets a caller configure a malicious stdio server command, which the server then executes without neutralizing special elements (CWE-77), yielding remote code execution on the host.",
|
|
10322
|
+
"complexity": "low",
|
|
10323
|
+
"complexity_notes": "NVD AV:N / AC:L: network-reachable, low-complexity command injection through MCP configuration.",
|
|
10324
|
+
"patch_available": false,
|
|
10325
|
+
"patch_required_reboot": false,
|
|
10326
|
+
"live_patch_available": false,
|
|
10327
|
+
"live_patch_tools": [],
|
|
10328
|
+
"live_patch_notes": "No confirmed fixed release at curation; mitigate by restricting who can configure MCP commands and running the service least-privilege.",
|
|
10329
|
+
"vendor_update_paths": [
|
|
10330
|
+
"Track the Langchain-Chatchat project for a fixed release; until then do not expose the MCP management interface to untrusted networks and run the service as a least-privilege user."
|
|
10331
|
+
],
|
|
10332
|
+
"framework_control_gaps": {
|
|
10333
|
+
"NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI agent / RAG frameworks and their MCP command surfaces as managed, RCE-bearing software.",
|
|
10334
|
+
"ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI framework's MCP command/transport configuration as an in-scope command-execution surface.",
|
|
10335
|
+
"NIS2-Art21-patch-management": "Article 21 measures do not reach MCP command configuration as a privileged execution control plane.",
|
|
10336
|
+
"DORA-Art-9": "ICT protection measures do not model command injection via an AI framework's MCP configuration.",
|
|
10337
|
+
"UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI framework's MCP transport.",
|
|
10338
|
+
"AU-ISM-1546": "Patch-application control does not single out AI-framework MCP command surfaces.",
|
|
10339
|
+
"ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP command/args as untrusted input requiring neutralization; the transport's by-design command execution turns injection into direct RCE."
|
|
10340
|
+
},
|
|
10341
|
+
"atlas_refs": [],
|
|
10342
|
+
"attack_refs": [
|
|
10343
|
+
"T1190",
|
|
10344
|
+
"T1059"
|
|
10345
|
+
],
|
|
10346
|
+
"rwep_score": 42,
|
|
10347
|
+
"rwep_factors": {
|
|
10348
|
+
"cisa_kev": 0,
|
|
10349
|
+
"poc_available": 20,
|
|
10350
|
+
"ai_factor": 0,
|
|
10351
|
+
"active_exploitation": 0,
|
|
10352
|
+
"blast_radius": 22,
|
|
10353
|
+
"patch_available": 0,
|
|
10354
|
+
"live_patch_available": 0,
|
|
10355
|
+
"reboot_required": 0
|
|
10356
|
+
},
|
|
10357
|
+
"rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation. poc_available=20 (documented technique) + blast_radius=22.",
|
|
10358
|
+
"epss_score": null,
|
|
10359
|
+
"epss_date": "2026-05-25",
|
|
10360
|
+
"epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
|
|
10361
|
+
"epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-30617",
|
|
10362
|
+
"cwe_refs": [
|
|
10363
|
+
"CWE-77",
|
|
10364
|
+
"CWE-78"
|
|
10365
|
+
],
|
|
10366
|
+
"iocs": {
|
|
10367
|
+
"behavioral": [
|
|
10368
|
+
"Langchain-Chatchat spawning a subprocess whose command/args came from an MCP configuration supplied or influenced by a caller rather than a pinned configuration.",
|
|
10369
|
+
"Shell metacharacters, or allow-listed binaries (npm/npx) carrying execution flags, in MCP command/args values.",
|
|
10370
|
+
"An MCP configuration / management surface reachable by a user who should not control command execution.",
|
|
10371
|
+
"Langchain-Chatchat 0.3.1 - the exposed precondition."
|
|
10372
|
+
],
|
|
10373
|
+
"_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-30617 (CWE-77/CWE-78 command injection via MCP configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) describing the unvalidated-MCP-command class."
|
|
10374
|
+
},
|
|
10375
|
+
"source_verified": "2026-05-25",
|
|
10376
|
+
"verification_sources": [
|
|
10377
|
+
"https://nvd.nist.gov/vuln/detail/CVE-2026-30617",
|
|
10378
|
+
"https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
|
|
10379
|
+
],
|
|
10380
|
+
"vendor_advisories": [
|
|
10381
|
+
{
|
|
10382
|
+
"vendor": "NVD",
|
|
10383
|
+
"advisory_id": "CVE-2026-30617",
|
|
10384
|
+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30617",
|
|
10385
|
+
"severity": "high",
|
|
10386
|
+
"published_date": "2026-04-15"
|
|
10387
|
+
}
|
|
10388
|
+
],
|
|
10389
|
+
"last_updated": "2026-05-25",
|
|
10390
|
+
"discovery_attribution_note": "Imported from NVD (CWE-77/CWE-78; NIST CVSS 8.6) + the 2026 MCP supply-chain advisory family (OX Security). Member of the MCP command-injection class already curated in depth by CVE-2026-22252 and CVE-2026-22688.",
|
|
10391
|
+
"_auto_imported": false,
|
|
10392
|
+
"_intake_method": "manual-verified-curation",
|
|
10393
|
+
"_kev_short_description": "Langchain-Chatchat exposes an MCP management interface that lets a caller configure a malicious stdio command the server then executes, yielding RCE."
|
|
10394
|
+
},
|
|
10395
|
+
"CVE-2026-30625": {
|
|
10396
|
+
"name": "Upsonic MCP Task Allowed-Command Argument Injection RCE",
|
|
10397
|
+
"type": "RCE",
|
|
10398
|
+
"cvss_score": 9.8,
|
|
10399
|
+
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
10400
|
+
"cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL). RCE via MCP task creation where allow-listed commands (npm, npx) accept flags that enable arbitrary OS command execution.",
|
|
10401
|
+
"cisa_kev": false,
|
|
10402
|
+
"poc_available": true,
|
|
10403
|
+
"poc_description": "Documented in the 2026 MCP supply-chain advisory family (OX Security) and the NVD record: an attacker who controls the MCP task command allow-list arguments causes the host to execute attacker-influenced commands.",
|
|
10404
|
+
"ai_discovered": false,
|
|
10405
|
+
"ai_discovery_source": "human_researcher",
|
|
10406
|
+
"ai_discovery_notes": "Disclosed via the coordinated 2026 MCP supply-chain advisory; the abused surface is the project's MCP command/transport configuration.",
|
|
10407
|
+
"ai_assisted_weaponization": false,
|
|
10408
|
+
"ai_assisted_notes": "No AI-assisted weaponization; conventional command/argument injection through MCP configuration.",
|
|
10409
|
+
"active_exploitation": "none",
|
|
10410
|
+
"active_exploitation_notes": "Research / advisory disclosure; no confirmed in-the-wild exploitation reported as of curation.",
|
|
10411
|
+
"affected": "Upsonic (agent framework) version 0.71.6; a warning was added in 0.72.0 but a full fix is not confirmed.",
|
|
10412
|
+
"affected_versions": [
|
|
10413
|
+
"Upsonic 0.71.6"
|
|
10414
|
+
],
|
|
10415
|
+
"vector": "Upsonic MCP task creation allows certain commands (npm, npx) whose argument flags can be abused to execute arbitrary OS commands (CWE-77 argument injection). An attacker who can create an MCP task achieves code execution on the host. Version 0.72.0 adds a warning rather than a confirmed fix.",
|
|
10416
|
+
"complexity": "low",
|
|
10417
|
+
"complexity_notes": "NVD AV:N / AC:L: network-reachable, low-complexity command injection through MCP configuration.",
|
|
10418
|
+
"patch_available": false,
|
|
10419
|
+
"patch_required_reboot": false,
|
|
10420
|
+
"live_patch_available": false,
|
|
10421
|
+
"live_patch_tools": [],
|
|
10422
|
+
"live_patch_notes": "No confirmed fixed release at curation; mitigate by restricting who can configure MCP commands and running the service least-privilege.",
|
|
10423
|
+
"vendor_update_paths": [
|
|
10424
|
+
"Upgrade to Upsonic 0.72.0+ for the added warning, but treat the allow-list as insufficient: restrict who can create MCP tasks and run Upsonic as a least-privilege user until a confirmed fix ships."
|
|
10425
|
+
],
|
|
10426
|
+
"framework_control_gaps": {
|
|
10427
|
+
"NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI agent / RAG frameworks and their MCP command surfaces as managed, RCE-bearing software.",
|
|
10428
|
+
"ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI framework's MCP command/transport configuration as an in-scope command-execution surface.",
|
|
10429
|
+
"NIS2-Art21-patch-management": "Article 21 measures do not reach MCP command configuration as a privileged execution control plane.",
|
|
10430
|
+
"DORA-Art-9": "ICT protection measures do not model command injection via an AI framework's MCP configuration.",
|
|
10431
|
+
"UK-CAF-B4": "System Security objective has no objective for neutralizing command input handed to an AI framework's MCP transport.",
|
|
10432
|
+
"AU-ISM-1546": "Patch-application control does not single out AI-framework MCP command surfaces.",
|
|
10433
|
+
"ALL-AI-PIPELINE-INTEGRITY": "No framework treats user-supplied MCP command/args as untrusted input requiring neutralization; the transport's by-design command execution turns injection into direct RCE."
|
|
10434
|
+
},
|
|
10435
|
+
"atlas_refs": [],
|
|
10436
|
+
"attack_refs": [
|
|
10437
|
+
"T1190",
|
|
10438
|
+
"T1059"
|
|
10439
|
+
],
|
|
10440
|
+
"rwep_score": 38,
|
|
10441
|
+
"rwep_factors": {
|
|
10442
|
+
"cisa_kev": 0,
|
|
10443
|
+
"poc_available": 20,
|
|
10444
|
+
"ai_factor": 0,
|
|
10445
|
+
"active_exploitation": 0,
|
|
10446
|
+
"blast_radius": 18,
|
|
10447
|
+
"patch_available": 0,
|
|
10448
|
+
"live_patch_available": 0,
|
|
10449
|
+
"reboot_required": 0
|
|
10450
|
+
},
|
|
10451
|
+
"rwep_notes": "Standard (RWEP 38, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation. poc_available=20 (documented technique) + blast_radius=18.",
|
|
10452
|
+
"epss_score": null,
|
|
10453
|
+
"epss_date": "2026-05-25",
|
|
10454
|
+
"epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
|
|
10455
|
+
"epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-30625",
|
|
10456
|
+
"cwe_refs": [
|
|
10457
|
+
"CWE-77",
|
|
10458
|
+
"CWE-78"
|
|
10459
|
+
],
|
|
10460
|
+
"iocs": {
|
|
10461
|
+
"behavioral": [
|
|
10462
|
+
"Upsonic spawning a subprocess whose command/args came from an MCP configuration supplied or influenced by a caller rather than a pinned configuration.",
|
|
10463
|
+
"Shell metacharacters, or allow-listed binaries (npm/npx) carrying execution flags, in MCP command/args values.",
|
|
10464
|
+
"An MCP configuration / management surface reachable by a user who should not control command execution.",
|
|
10465
|
+
"Upsonic 0.71.6 - the exposed precondition."
|
|
10466
|
+
],
|
|
10467
|
+
"_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-30625 (CWE-77/CWE-78 command injection via MCP configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/) describing the unvalidated-MCP-command class."
|
|
10468
|
+
},
|
|
10469
|
+
"source_verified": "2026-05-25",
|
|
10470
|
+
"verification_sources": [
|
|
10471
|
+
"https://nvd.nist.gov/vuln/detail/CVE-2026-30625",
|
|
10472
|
+
"https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
|
|
10473
|
+
],
|
|
10474
|
+
"vendor_advisories": [
|
|
10475
|
+
{
|
|
10476
|
+
"vendor": "NVD",
|
|
10477
|
+
"advisory_id": "CVE-2026-30625",
|
|
10478
|
+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30625",
|
|
10479
|
+
"severity": "critical",
|
|
10480
|
+
"published_date": "2026-04-15"
|
|
10481
|
+
}
|
|
10482
|
+
],
|
|
10483
|
+
"last_updated": "2026-05-25",
|
|
10484
|
+
"discovery_attribution_note": "Imported from NVD (CWE-77/CWE-78; NIST CVSS 9.8) + the 2026 MCP supply-chain advisory family (OX Security). Member of the MCP command-injection class already curated in depth by CVE-2026-22252 and CVE-2026-22688.",
|
|
10485
|
+
"_auto_imported": false,
|
|
10486
|
+
"_intake_method": "manual-verified-curation",
|
|
10487
|
+
"_kev_short_description": "Upsonic allow-lists npm/npx for MCP tasks, but their argument flags enable arbitrary OS command execution, so an attacker who can create a task achieves RCE."
|
|
10488
|
+
},
|
|
10489
|
+
"CVE-2026-26015": {
|
|
10490
|
+
"name": "DocsGPT MCP stdio Unauthenticated Remote Code Execution",
|
|
10491
|
+
"type": "RCE",
|
|
10492
|
+
"cvss_score": 9.8,
|
|
10493
|
+
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
10494
|
+
"cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); the GitHub advisory scores 10.0. Unauthenticated: a crafted payload bypasses the MCP test behavior to execute commands.",
|
|
10495
|
+
"cisa_kev": false,
|
|
10496
|
+
"poc_available": true,
|
|
10497
|
+
"poc_description": "Documented in the GitHub Security Advisory GHSA-gcrq-f296-2j74 and the 2026 MCP supply-chain advisory: a crafted MCP stdio configuration payload bypasses DocsGPT's MCP test/validation behavior and runs shell commands without authentication, on both hosted and self-hosted instances.",
|
|
10498
|
+
"ai_discovered": false,
|
|
10499
|
+
"ai_discovery_source": "human_researcher",
|
|
10500
|
+
"ai_discovery_notes": "Disclosed via coordinated advisory; DocsGPT is an open-source documentation RAG assistant and the abused surface is its MCP stdio configuration.",
|
|
10501
|
+
"ai_assisted_weaponization": false,
|
|
10502
|
+
"ai_assisted_notes": "No AI-assisted weaponization; command injection through the MCP stdio configuration, reachable without authentication.",
|
|
10503
|
+
"active_exploitation": "none",
|
|
10504
|
+
"active_exploitation_notes": "Research / advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
|
|
10505
|
+
"affected": "DocsGPT (arc53) versions 0.15.0 up to (but not including) 0.16.0.",
|
|
10506
|
+
"affected_versions": [
|
|
10507
|
+
"DocsGPT >= 0.15.0, < 0.16.0"
|
|
10508
|
+
],
|
|
10509
|
+
"vector": "DocsGPT accepts an MCP server configuration with a stdio transport whose shell command it executes. A crafted payload bypasses the MCP test/validation step, so the command runs without authorization or neutralization (CWE-77), giving an unauthenticated attacker remote code execution on the DocsGPT host.",
|
|
10510
|
+
"complexity": "low",
|
|
10511
|
+
"complexity_notes": "NVD AV:N / AC:L / PR:N — network-reachable, low-complexity, unauthenticated command injection.",
|
|
10512
|
+
"patch_available": true,
|
|
10513
|
+
"patch_required_reboot": false,
|
|
10514
|
+
"live_patch_available": false,
|
|
10515
|
+
"live_patch_tools": [],
|
|
10516
|
+
"live_patch_notes": "Remediation is an application upgrade to DocsGPT 0.16.0 or later; redeploy, no host reboot.",
|
|
10517
|
+
"vendor_update_paths": [
|
|
10518
|
+
"Upgrade DocsGPT (arc53) to 0.16.0 or later. Until then, do not expose DocsGPT to untrusted networks, restrict MCP configuration, and run it as a least-privilege container user."
|
|
10519
|
+
],
|
|
10520
|
+
"framework_control_gaps": {
|
|
10521
|
+
"NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted documentation/RAG assistants and their MCP transports as managed, RCE-bearing software.",
|
|
10522
|
+
"ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI assistant's MCP stdio configuration as an unauthenticated command-execution surface.",
|
|
10523
|
+
"NIS2-Art21-patch-management": "Article 21 measures do not reach the MCP stdio configuration as a privileged, unauthenticated execution control plane.",
|
|
10524
|
+
"DORA-Art-9": "ICT protection measures do not model unauthenticated command injection via an AI assistant's MCP configuration.",
|
|
10525
|
+
"UK-CAF-B4": "System Security objective has no objective for authenticating and neutralizing command input handed to an AI assistant's MCP transport.",
|
|
10526
|
+
"AU-ISM-1546": "Patch-application control does not single out AI-assistant MCP transports.",
|
|
10527
|
+
"ALL-AI-PIPELINE-INTEGRITY": "No framework requires the MCP transport to authenticate callers and neutralize the stdio command; a bypassable validation step is not an authorization boundary."
|
|
10528
|
+
},
|
|
10529
|
+
"atlas_refs": [],
|
|
10530
|
+
"attack_refs": [
|
|
10531
|
+
"T1190",
|
|
10532
|
+
"T1059"
|
|
10533
|
+
],
|
|
10534
|
+
"rwep_score": 27,
|
|
10535
|
+
"rwep_factors": {
|
|
10536
|
+
"cisa_kev": 0,
|
|
10537
|
+
"poc_available": 20,
|
|
10538
|
+
"ai_factor": 0,
|
|
10539
|
+
"active_exploitation": 0,
|
|
10540
|
+
"blast_radius": 22,
|
|
10541
|
+
"patch_available": -15,
|
|
10542
|
+
"live_patch_available": 0,
|
|
10543
|
+
"reboot_required": 0
|
|
10544
|
+
},
|
|
10545
|
+
"rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=22 minus patch 15. Note: unauthenticated reachability raises operational urgency beyond the RWEP number.",
|
|
10546
|
+
"epss_score": null,
|
|
10547
|
+
"epss_date": "2026-05-25",
|
|
10548
|
+
"epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
|
|
10549
|
+
"epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-26015",
|
|
10550
|
+
"cwe_refs": [
|
|
10551
|
+
"CWE-77",
|
|
10552
|
+
"CWE-78"
|
|
10553
|
+
],
|
|
10554
|
+
"iocs": {
|
|
10555
|
+
"behavioral": [
|
|
10556
|
+
"DocsGPT spawning a subprocess whose command came from an MCP stdio configuration rather than a pinned configuration.",
|
|
10557
|
+
"MCP configuration requests to a DocsGPT instance from unauthenticated or untrusted sources.",
|
|
10558
|
+
"Shell metacharacters or unexpected binaries in DocsGPT MCP stdio command values.",
|
|
10559
|
+
"DocsGPT version >= 0.15.0 and < 0.16.0 — the exposed precondition."
|
|
10560
|
+
],
|
|
10561
|
+
"_ioc_source_note": "Behavioral signatures derived from GitHub Security Advisory GHSA-gcrq-f296-2j74 / NVD CVE-2026-26015 (CWE-77 unauthenticated command injection via MCP stdio configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/)."
|
|
10562
|
+
},
|
|
10563
|
+
"source_verified": "2026-05-25",
|
|
10564
|
+
"verification_sources": [
|
|
10565
|
+
"https://nvd.nist.gov/vuln/detail/CVE-2026-26015",
|
|
10566
|
+
"https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74",
|
|
10567
|
+
"https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
|
|
10568
|
+
],
|
|
10569
|
+
"vendor_advisories": [
|
|
10570
|
+
{
|
|
10571
|
+
"vendor": "GitHub Security Advisory",
|
|
10572
|
+
"advisory_id": "CVE-2026-26015",
|
|
10573
|
+
"url": "https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74",
|
|
10574
|
+
"severity": "critical",
|
|
10575
|
+
"published_date": "2026-04-29"
|
|
10576
|
+
},
|
|
10577
|
+
{
|
|
10578
|
+
"vendor": "NVD",
|
|
10579
|
+
"advisory_id": "CVE-2026-26015",
|
|
10580
|
+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26015",
|
|
10581
|
+
"severity": "critical",
|
|
10582
|
+
"published_date": "2026-04-29"
|
|
10583
|
+
}
|
|
10584
|
+
],
|
|
10585
|
+
"last_updated": "2026-05-25",
|
|
10586
|
+
"discovery_attribution_note": "Manually curated from NVD (CWE-77/CWE-78; NIST CVSS 9.8) + GHSA GHSA-gcrq-f296-2j74 + the 2026 MCP supply-chain advisory family. Unauthenticated member of the MCP command-injection class curated in depth by CVE-2026-22252 and CVE-2026-22688.",
|
|
10587
|
+
"_auto_imported": false,
|
|
10588
|
+
"_intake_method": "manual-verified-curation",
|
|
10589
|
+
"_kev_short_description": "DocsGPT executes an MCP stdio configuration's shell command after a bypassable validation step, giving an unauthenticated attacker remote code execution; fixed in 0.16.0."
|
|
10590
|
+
},
|
|
10591
|
+
"CVE-2026-9082": {
|
|
10592
|
+
"name": "Drupal Core Database API Unauthenticated SQL Injection (SA-CORE-2026-004)",
|
|
10593
|
+
"type": "SQLI",
|
|
10594
|
+
"cvss_score": 9.8,
|
|
10595
|
+
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
10596
|
+
"cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); Drupal rates SA-CORE-2026-004 Highly Critical. Unauthenticated SQL injection via the database abstraction layer on PostgreSQL-backed sites.",
|
|
10597
|
+
"cisa_kev": true,
|
|
10598
|
+
"cisa_kev_date": "2026-05-22",
|
|
10599
|
+
"cisa_kev_due_date": "2026-05-27",
|
|
10600
|
+
"poc_available": true,
|
|
10601
|
+
"poc_description": "Public proof-of-concept and scanners exist for the unauthenticated SQL injection in Drupal's PostgreSQL EntityQuery condition handler reachable via JSON:API (e.g. github.com/ridhinva/CVE-2026-9082). Drupal published SA-CORE-2026-004 with fixes across all supported branches.",
|
|
10602
|
+
"ai_discovered": false,
|
|
10603
|
+
"ai_discovery_source": "human_researcher",
|
|
10604
|
+
"ai_discovery_notes": "Conventional SQL injection in Drupal core's database abstraction layer; no AI-discovery attribution. Reported through Drupal's security advisory process (SA-CORE-2026-004).",
|
|
10605
|
+
"ai_assisted_weaponization": false,
|
|
10606
|
+
"ai_assisted_notes": "No AI-assisted weaponization reported; classic unauthenticated SQL injection.",
|
|
10607
|
+
"active_exploitation": "confirmed",
|
|
10608
|
+
"active_exploitation_notes": "CISA added CVE-2026-9082 to the KEV catalog (catalog version 2026.05.22) on 2026-05-22 with a 2026-05-27 remediation due date, indicating confirmed active exploitation in the wild. Public reporting describes exploitation of PostgreSQL-backed Drupal sites within days of disclosure.",
|
|
10609
|
+
"affected": "Drupal core 8.9.0 to <10.4.10, 10.5.0 to <10.5.10, 10.6.0 to <10.6.9, 11.0.0 to <11.1.10, 11.2.0 to <11.2.12, and 11.3.0 to <11.3.10; the SQL injection is reachable on PostgreSQL-backed sites via JSON:API.",
|
|
10610
|
+
"affected_versions": [
|
|
10611
|
+
"Drupal core >= 8.9.0, < 10.4.10",
|
|
10612
|
+
"Drupal core >= 10.5.0, < 10.5.10",
|
|
10613
|
+
"Drupal core >= 10.6.0, < 10.6.9",
|
|
10614
|
+
"Drupal core >= 11.0.0, < 11.1.10",
|
|
10615
|
+
"Drupal core >= 11.2.0, < 11.2.12",
|
|
10616
|
+
"Drupal core >= 11.3.0, < 11.3.10"
|
|
10617
|
+
],
|
|
10618
|
+
"vector": "Drupal core's database abstraction layer fails to neutralize special elements in a query condition handler used by the PostgreSQL driver and reachable through JSON:API, allowing an unauthenticated attacker to inject SQL (CWE-89). Exploitation can lead to information disclosure, data modification, and in some configurations privilege escalation toward code execution.",
|
|
10619
|
+
"complexity": "low",
|
|
10620
|
+
"complexity_notes": "NVD AV:N / AC:L / PR:N — network-reachable, low-complexity, unauthenticated SQL injection.",
|
|
10621
|
+
"patch_available": true,
|
|
10622
|
+
"patch_required_reboot": false,
|
|
10623
|
+
"live_patch_available": false,
|
|
10624
|
+
"live_patch_tools": [],
|
|
10625
|
+
"live_patch_notes": "Remediation is a Drupal core upgrade to 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 per SA-CORE-2026-004; clear caches, no host reboot.",
|
|
10626
|
+
"vendor_update_paths": [
|
|
10627
|
+
"Upgrade Drupal core to 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10 (the fixed release on your branch) per SA-CORE-2026-004. PostgreSQL-backed sites are the exploited configuration; prioritize them. Meet the CISA KEV due date of 2026-05-27."
|
|
10628
|
+
],
|
|
10629
|
+
"framework_control_gaps": {
|
|
10630
|
+
"NIST-800-53-SI-2": "Flaw-remediation cadence frequently misses CMS-core SQL injection in the window between KEV listing (2026-05-22) and the 2026-05-27 due date.",
|
|
10631
|
+
"NIST-800-53-SI-10": "Input-validation control is asserted at the application layer but not verified at the database abstraction layer where the query condition handler builds SQL.",
|
|
10632
|
+
"ISO-27001-2022-A.8.8": "Vulnerability management rarely treats the CMS database driver's query builder as an unauthenticated injection surface.",
|
|
10633
|
+
"NIS2-Art21-patch-management": "Article 21 measures do not enforce the sub-week remediation cadence an actively-exploited unauthenticated CMS SQLi demands.",
|
|
10634
|
+
"DORA-Art-9": "ICT protection measures do not model an unauthenticated SQL injection in a third-party CMS core as an ICT-risk event with a regulator clock.",
|
|
10635
|
+
"UK-CAF-B4": "System Security objective has no objective for verifying parameterization in the CMS database abstraction layer.",
|
|
10636
|
+
"AU-ISM-1546": "Patch-application control does not single out actively-exploited CMS-core injection for accelerated remediation."
|
|
10637
|
+
},
|
|
10638
|
+
"atlas_refs": [],
|
|
10639
|
+
"attack_refs": [
|
|
10640
|
+
"T1190"
|
|
10641
|
+
],
|
|
10642
|
+
"rwep_score": 78,
|
|
10643
|
+
"rwep_factors": {
|
|
10644
|
+
"cisa_kev": 25,
|
|
10645
|
+
"poc_available": 20,
|
|
10646
|
+
"ai_factor": 0,
|
|
10647
|
+
"active_exploitation": 20,
|
|
10648
|
+
"blast_radius": 28,
|
|
10649
|
+
"patch_available": -15,
|
|
10650
|
+
"live_patch_available": 0,
|
|
10651
|
+
"reboot_required": 0
|
|
10652
|
+
},
|
|
10653
|
+
"rwep_notes": "P1 (RWEP 78, >= 75 \"patch or compensating controls within 24 hours\" band per lib/scoring.js timeline). CISA KEV 25 + poc 20 + active_exploitation confirmed 20 + blast_radius 28 (Drupal core install base) minus patch 15. Meet the CISA due date 2026-05-27.",
|
|
10654
|
+
"epss_score": null,
|
|
10655
|
+
"epss_date": "2026-05-25",
|
|
10656
|
+
"epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
|
|
10657
|
+
"epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-9082",
|
|
10658
|
+
"cwe_refs": [
|
|
10659
|
+
"CWE-89"
|
|
10660
|
+
],
|
|
10661
|
+
"iocs": {
|
|
10662
|
+
"behavioral": [
|
|
10663
|
+
"Anomalous JSON:API requests to a PostgreSQL-backed Drupal site carrying SQL metacharacters in filter/condition parameters.",
|
|
10664
|
+
"Unexpected database errors or query-shape changes originating from the EntityQuery condition handler.",
|
|
10665
|
+
"Drupal core version below the SA-CORE-2026-004 fixed release on its branch (e.g. < 10.4.10 / < 10.5.10 / < 10.6.9 / < 11.1.10 / < 11.2.12 / < 11.3.10) on PostgreSQL — the exposed precondition.",
|
|
10666
|
+
"Outbound data egress or new admin accounts following anomalous JSON:API traffic."
|
|
10667
|
+
],
|
|
10668
|
+
"_ioc_source_note": "Behavioral signatures derived from Drupal SA-CORE-2026-004 (https://www.drupal.org/sa-core-2026-004), NVD CVE-2026-9082 (CWE-89 SQL injection via the PostgreSQL EntityQuery condition handler reachable through JSON:API), and the CISA KEV listing (catalog version 2026.05.22)."
|
|
10669
|
+
},
|
|
10670
|
+
"source_verified": "2026-05-25",
|
|
10671
|
+
"verification_sources": [
|
|
10672
|
+
"https://www.drupal.org/sa-core-2026-004",
|
|
10673
|
+
"https://nvd.nist.gov/vuln/detail/CVE-2026-9082"
|
|
10674
|
+
],
|
|
10675
|
+
"vendor_advisories": [
|
|
10676
|
+
{
|
|
10677
|
+
"vendor": "Drupal Security Team",
|
|
10678
|
+
"advisory_id": "SA-CORE-2026-004",
|
|
10679
|
+
"url": "https://www.drupal.org/sa-core-2026-004",
|
|
10680
|
+
"severity": "critical",
|
|
10681
|
+
"published_date": "2026-05-20"
|
|
10682
|
+
},
|
|
10683
|
+
{
|
|
10684
|
+
"vendor": "NVD",
|
|
10685
|
+
"advisory_id": "CVE-2026-9082",
|
|
10686
|
+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9082",
|
|
10687
|
+
"severity": "critical",
|
|
10688
|
+
"published_date": "2026-05-20"
|
|
10689
|
+
}
|
|
10690
|
+
],
|
|
10691
|
+
"last_updated": "2026-05-25",
|
|
10692
|
+
"discovery_attribution_note": "Manually curated from NVD (CWE-89; NIST CVSS 9.8) + Drupal SA-CORE-2026-004 + the CISA KEV listing (catalog version 2026.05.22, added 2026-05-22, due 2026-05-27). Conventional unauthenticated SQL injection, no AI-discovery attribution.",
|
|
10693
|
+
"_auto_imported": false,
|
|
10694
|
+
"_intake_method": "manual-verified-curation",
|
|
10695
|
+
"_kev_short_description": "Drupal core's database abstraction layer fails to neutralize special elements in a PostgreSQL query condition handler reachable via JSON:API, allowing unauthenticated SQL injection; actively exploited (CISA KEV 2026-05-22, due 2026-05-27); fixed in SA-CORE-2026-004 releases."
|
|
10696
|
+
},
|
|
10013
10697
|
"CVE-2026-41091": {
|
|
10014
10698
|
"name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
|
|
10015
10699
|
"type": "LPE",
|