@blamejs/exceptd-skills 0.13.75 → 0.13.77

package/data/cwe-catalog.json

@@ -148,6 +148,11 @@
       "CVE-2025-59689",
       "CVE-2026-22688",
       "CVE-2026-22719",
+      "CVE-2026-26015",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "MAL-2026-3083"
     ],
     "framework_controls_partially_addressing": [
@@ -199,8 +204,14 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25108",
+      "CVE-2026-26015",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
       "CVE-2026-30623",
-      "CVE-2026-39987"
+      "CVE-2026-30624",
+      "CVE-2026-30625",
+      "CVE-2026-39987",
+      "CVE-2026-40933"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -310,7 +321,8 @@
       "CVE-2025-25257",
       "CVE-2025-57819",
       "CVE-2026-21643",
-      "CVE-2026-42208"
+      "CVE-2026-42208",
+      "CVE-2026-9082"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",

package/data/framework-control-gaps.json

@@ -38,7 +38,13 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2026-22252",
-      "CVE-2026-22688"
+      "CVE-2026-22688",
+      "CVE-2026-26015",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
+      "CVE-2026-40933"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -1525,7 +1531,12 @@
       "CVE-2026-24858",
       "CVE-2026-25108",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-3055",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-32201",
@@ -1538,13 +1549,15 @@
       "CVE-2026-35616",
       "CVE-2026-3909",
       "CVE-2026-3910",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-41940",
       "CVE-2026-42945",
       "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
-      "CVE-2026-5281"
+      "CVE-2026-5281",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1736,14 +1749,21 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-31431",
       "CVE-2026-34926",
       "CVE-2026-39884",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-45321",
       "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
+      "CVE-2026-9082",
       "MAL-2026-3083"
     ],
     "atlas_refs": [],
@@ -2140,7 +2160,8 @@
       "CVE-2025-1094",
       "CVE-2025-6965",
       "CVE-2026-39884",
-      "CVE-2026-42208"
+      "CVE-2026-42208",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [
       "AML.T0053"
@@ -2465,7 +2486,12 @@
       "CVE-2026-24858",
       "CVE-2026-25108",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-3055",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-32201",
@@ -2480,6 +2506,7 @@
       "CVE-2026-35616",
       "CVE-2026-3909",
       "CVE-2026-3910",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-41940",
       "CVE-2026-42897",
@@ -2490,7 +2517,8 @@
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
-      "CVE-2026-6973"
+      "CVE-2026-6973",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -4736,13 +4764,20 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-34926",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-42897",
       "CVE-2026-42945",
       "CVE-2026-45498",
       "CVE-2026-46300",
-      "CVE-2026-46333"
+      "CVE-2026-46333",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5235,11 +5270,18 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-34926",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
+      "CVE-2026-9082",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [],
@@ -5278,11 +5320,18 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
+      "CVE-2026-30616",
+      "CVE-2026-30617",
+      "CVE-2026-30624",
+      "CVE-2026-30625",
       "CVE-2026-34926",
+      "CVE-2026-40933",
       "CVE-2026-41091",
       "CVE-2026-45498",
       "CVE-2026-46300",
-      "CVE-2026-46333"
+      "CVE-2026-46333",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -6183,6 +6183,356 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-40933": {
+    "name": "FlowiseAI Flowise MCP Custom Config Command Injection",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Flowise lets an authenticated user define a Custom MCP server configuration whose command/args the server executes; sanitization is bypassed by pairing an allow-listed binary (npx) with execution flags (CWE-78), yielding arbitrary OS command execution on the host.",
+      "privileges_required": "authenticated Flowise user (PR:L)",
+      "complexity": "low (NVD AC:L); allow-list bypass via execution flags",
+      "ai_factor": "The abused surface is the MCP command/transport configuration of an AI framework. The lesson matches the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: user-supplied or attacker-influenced MCP command/args are untrusted input the transport must neutralize, because the transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted low-code LLM builders and their Custom-MCP command surfaces as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate the Custom MCP configuration as an authorization-critical command-execution surface, nor recognize allow-list bypass via argument flags."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the MCP transport to neutralize allow-listed binaries' execution flags; an allow-list alone is not a command boundary."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI agent / RAG frameworks are rarely in the managed vulnerability program, and their MCP command surfaces are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-084",
+        "name": "MCP-STDIO-CONFIG-INPUT-NEUTRALIZATION",
+        "description": "MCP command configuration must neutralize untrusted command/args, and command allow-lists (npm/npx) must also block argument flags that re-enable arbitrary execution. Upgrade Flowise to 3.1.0+, restrict who may author Custom MCP configurations, and run least-privilege. Same governance as the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) MCP transport flaws.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-40933",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-30625": {
+    "name": "Upsonic MCP Task Allowed-Command Argument Injection RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Upsonic MCP task creation allow-lists npm/npx whose argument flags can be abused to execute arbitrary OS commands (CWE-77 argument injection). An attacker who can create an MCP task achieves code execution; 0.72.0 adds a warning rather than a confirmed fix.",
+      "privileges_required": "attacker able to create an Upsonic MCP task (PR:N per NVD)",
+      "complexity": "low (NVD AC:L); allow-list argument-flag abuse",
+      "ai_factor": "The abused surface is the MCP command/transport configuration of an AI framework. The lesson matches the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: user-supplied or attacker-influenced MCP command/args are untrusted input the transport must neutralize, because the transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track agent frameworks and their MCP task command allow-lists as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats an allow-list of binaries as a control without accounting for argument-flag abuse of those binaries."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires an MCP command allow-list to also constrain the arguments those commands accept; npm/npx flags re-enable execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "AI agent / RAG frameworks are rarely in the managed vulnerability program, and their MCP command surfaces are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-084",
+        "name": "MCP-STDIO-CONFIG-INPUT-NEUTRALIZATION",
+        "description": "An MCP command allow-list must also constrain arguments — npm/npx execution flags must be blocked, not just the binary name allow-listed. Treat 0.72.0's warning as insufficient; restrict who may create MCP tasks and run Upsonic least-privilege until a confirmed fix ships.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-30625",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-30617": {
+    "name": "Langchain-Chatchat MCP Management Interface stdio RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Langchain-Chatchat exposes an MCP management interface that lets a caller configure a malicious stdio server command, which the server executes without neutralizing special elements (CWE-77), yielding remote code execution on the host.",
+      "privileges_required": "caller reaching the exposed MCP management interface (PR:N per NVD)",
+      "complexity": "low (NVD AC:L); exposed management interface",
+      "ai_factor": "The abused surface is the MCP command/transport configuration of an AI framework. The lesson matches the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: user-supplied or attacker-influenced MCP command/args are untrusted input the transport must neutralize, because the transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track RAG / knowledge-base assistants and their MCP management interfaces as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate an exposed MCP management interface as an authorization-critical command-execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the MCP management interface to be authenticated and the configured stdio command to be neutralized before execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI agent / RAG frameworks are rarely in the managed vulnerability program, and their MCP command surfaces are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-083",
+        "name": "MCP-STDIO-TRANSPORT-COMMAND-GOVERNANCE",
+        "description": "The MCP management/transport surface must authorize callers and neutralize the stdio command it is handed before execution. Do not expose the MCP management interface to untrusted networks; run least-privilege. Same governance as the LibreChat (CVE-2026-22252) MCP transport flaw, applied to an exposed management interface.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-30617",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-30624": {
+    "name": "Agent Zero MCP Server Config Command Injection",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Agent Zero executes MCP server configurations without adequately validating the command/args before spawning the subprocess (CWE-77). An attacker who can supply or influence an MCP server configuration achieves remote code execution on the host.",
+      "privileges_required": "attacker able to supply or influence an MCP server configuration (PR:N per NVD)",
+      "complexity": "low (NVD AC:L); unvalidated server configuration",
+      "ai_factor": "The abused surface is the MCP command/transport configuration of an AI framework. The lesson matches the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: user-supplied or attacker-influenced MCP command/args are untrusted input the transport must neutralize, because the transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track autonomous agent frameworks and their MCP server-configuration surfaces as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate MCP server configuration as an authorization-critical command-execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires MCP server configurations to be validated and authorized before the configured command is executed."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI agent / RAG frameworks are rarely in the managed vulnerability program, and their MCP command surfaces are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-083",
+        "name": "MCP-STDIO-TRANSPORT-COMMAND-GOVERNANCE",
+        "description": "MCP server configurations must be validated and the caller authorized before the configured command is spawned. Treat MCP server configuration as a privileged surface, restrict who can edit it, and run Agent Zero least-privilege. Same governance as the LibreChat (CVE-2026-22252) MCP transport flaw.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-30624",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-30616": {
+    "name": "Jaaz MCP stdio Command Execution RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Jaaz mishandles MCP stdio command execution, running command/args from an MCP configuration without neutralizing special elements (CWE-77). An attacker able to set the stdio command achieves code execution on the Jaaz host.",
+      "privileges_required": "attacker able to set the Jaaz MCP stdio command (PR:N per CISA-ADP)",
+      "complexity": "low (CISA-ADP AC:L)",
+      "ai_factor": "The abused surface is the MCP command/transport configuration of an AI framework. The lesson matches the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: user-supplied or attacker-influenced MCP command/args are untrusted input the transport must neutralize, because the transport's by-design command execution turns injection into RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI design / agent applications and their MCP stdio handling as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate MCP stdio command handling as an authorization-critical command-execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the MCP stdio handler to neutralize the configured command before execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI agent / RAG frameworks are rarely in the managed vulnerability program, and their MCP command surfaces are not treated as command-injection-prone input.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-084",
+        "name": "MCP-STDIO-CONFIG-INPUT-NEUTRALIZATION",
+        "description": "The MCP stdio handler must neutralize the configured command/args before execution and restrict who can configure stdio servers. Run Jaaz least-privilege. Same governance as the WeKnora (CVE-2026-22688) MCP stdio flaw.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-30616",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-26015": {
+    "name": "DocsGPT MCP stdio Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "DocsGPT executes an MCP server configuration's stdio shell command after a validation step that a crafted payload bypasses, so an unauthenticated attacker runs commands on the host (CWE-77).",
+      "privileges_required": "none (NVD PR:N) — unauthenticated, on hosted and self-hosted instances",
+      "complexity": "low (NVD AC:L); one crafted MCP configuration payload",
+      "ai_factor": "The abused surface is the MCP stdio configuration of a documentation/RAG assistant. The lesson sharpens the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: a bypassable validation step is not an authorization boundary — the MCP transport must authenticate the caller AND neutralize the command, because its by-design command execution turns injection into unauthenticated RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted documentation/RAG assistants and their MCP transports as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate the MCP stdio configuration as an unauthenticated command-execution surface, nor recognize a bypassable validation step as a non-boundary."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the MCP transport to authenticate callers and neutralize the stdio command; a validation step that can be bypassed is not authorization."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "Documentation/RAG assistants are rarely in the managed vulnerability program, and an MCP 'test' step is mistaken for an authorization control.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-084",
+        "name": "MCP-STDIO-CONFIG-INPUT-NEUTRALIZATION",
+        "description": "MCP stdio configuration command/args must be authenticated and neutralized before execution; a 'test'/validation step that can be bypassed is not an authorization boundary. Upgrade DocsGPT to 0.16.0+, do not expose it to untrusted networks, and run least-privilege. Same governance as the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) MCP transport flaws, here reachable without authentication.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-26015",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-9082": {
+    "name": "Drupal Core Database API Unauthenticated SQL Injection (SA-CORE-2026-004)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Drupal core's database abstraction layer fails to neutralize special elements in a PostgreSQL query condition handler reachable via JSON:API, allowing an unauthenticated attacker to inject SQL (CWE-89). Actively exploited; CISA KEV 2026-05-22, due 2026-05-27.",
+      "privileges_required": "none (NVD PR:N) — unauthenticated, on PostgreSQL-backed sites",
+      "complexity": "low (NVD AC:L); JSON:API request with crafted condition",
+      "ai_factor": "Not an AI-specific flaw, but a current actively-exploited CMS-core SQLi the catalog tracks for KEV currency. The lesson: input validation asserted at the application layer is not the same as parameterization verified at the database abstraction layer where the query is built — the two must be separately evidenced."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw-remediation cadence frequently misses the sub-week window between KEV listing and the due date for an actively-exploited CMS-core SQLi."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is asserted at the application layer but not verified at the database abstraction layer where the query condition handler builds SQL."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not treat the CMS database driver's query builder as an unauthenticated injection surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 65,
+      "basis": "Organizations assert WAF/input-validation coverage at the edge while the injection is in the database abstraction layer's PostgreSQL query builder, reachable via JSON:API.",
+      "theater_pattern": "perimeter_control_substitution"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-085",
+        "name": "DB-ABSTRACTION-LAYER-PARAMETERIZATION-VERIFICATION",
+        "description": "Parameterization must be verified at the database abstraction layer / query builder, not assumed from application-layer input validation or a perimeter WAF. For Drupal, apply SA-CORE-2026-004 (10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10), prioritize PostgreSQL-backed sites, and meet the CISA KEV due date 2026-05-27. The distinguishing test: send a JSON:API request with a SQL metacharacter in a filter condition against a staging instance and confirm the query builder parameterizes rather than concatenates it.",
+        "evidence": "https://www.drupal.org/sa-core-2026-004",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",