@blamejs/exceptd-skills 0.13.76 → 0.13.77

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/data/_indexes/_meta.json +8 -8
  3. package/data/_indexes/activity-feed.json +2 -2
  4. package/data/_indexes/catalog-summaries.json +2 -2
  5. package/data/_indexes/chains.json +659 -0
  6. package/data/attack-techniques.json +3 -0
  7. package/data/cve-catalog.json +208 -0
  8. package/data/cwe-catalog.json +4 -1
  9. package/data/framework-control-gaps.json +19 -5
  10. package/data/zeroday-lessons.json +100 -0
  11. package/manifest.json +44 -44
  12. package/package.json +2 -2
  13. package/sbom.cdx.json +23 -23
package/CHANGELOG.md CHANGED
@@ -1,5 +1,9 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.13.77 — 2026-05-25
4
+
5
+ CVE catalog — two current additions. **CVE-2026-9082** (Drupal core, SA-CORE-2026-004, CWE-89, NIST CVSS 9.8) is an unauthenticated SQL injection in the database abstraction layer reachable via JSON:API on PostgreSQL-backed sites; CISA added it to the KEV catalog on 2026-05-22 with a 2026-05-27 remediation due date, so it scores RWEP P1 (78) on confirmed exploitation. Fixed in the SA-CORE-2026-004 releases (10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10). Its zero-day lesson adds a control requiring parameterization to be verified at the database abstraction layer — not assumed from application-layer input validation or a perimeter WAF. **CVE-2026-26015** (DocsGPT, CWE-77, NIST CVSS 9.8 / GitHub 10.0) completes the MCP command-injection family: a crafted payload bypasses the MCP validation step to run shell commands without authentication; fixed in 0.16.0. Both carry CWE + ATT&CK mappings, global-first framework gaps, and behavioral IoCs. CVE count 331 → 333.
6
+
3
7
  ## 0.13.76 — 2026-05-25
4
8
 
5
9
  CVE catalog — MCP command-injection family expansion: adds five more verified entries from the 2026 MCP supply-chain advisory, all variations of the same root cause where an AI framework hands caller-supplied command/args to its MCP transport and executes them. **CVE-2026-40933** (FlowiseAI Flowise, CWE-78, NIST CVSS 9.9) — an authenticated user bypasses Custom-MCP command sanitization by pairing an allow-listed binary (npx) with execution flags; fixed in 3.1.0. **CVE-2026-30625** (Upsonic, CWE-77, NIST CVSS 9.8) — MCP task creation allow-lists npm/npx whose argument flags re-enable arbitrary command execution; 0.72.0 adds a warning, not a confirmed fix. **CVE-2026-30617** (Langchain-Chatchat, CWE-77, NIST CVSS 8.6) — an exposed MCP management interface lets a caller configure a malicious stdio command. **CVE-2026-30624** (Agent Zero, CWE-77, NIST CVSS 8.6) — MCP server configurations execute without adequate validation. **CVE-2026-30616** (Jaaz, CWE-77, NIST CVSS 7.3) — MCP stdio command-execution handling runs configured commands unsanitized. Each carries CWE + ATT&CK T1190/T1059 mappings, global-first framework gaps, behavioral IoCs, and RWEP scoring; all map to the MCP-transport command-governance controls already established for this class. CVE count 326 → 331.
package/data/_indexes/_meta.json CHANGED
@@ -1,21 +1,21 @@
1
1
  {
2
2
  "schema_version": "1.1.0",
3
- "generated_at": "2026-05-25T15:12:29.287Z",
3
+ "generated_at": "2026-05-25T15:37:01.228Z",
4
4
  "generator": "scripts/build-indexes.js",
5
5
  "source_count": 54,
6
6
  "source_hashes": {
7
- "manifest.json": "ad78e35ee920926594ace90c6a4b750b0c21a9282fbd517813eca88f12ac4ef0",
7
+ "manifest.json": "5eb494e992f4b9efdd66160b6f86bac028df90ff0d1d82fb12c94d82a66f10bc",
8
8
  "data/atlas-ttps.json": "07e28f5fe196d8e16082968ce36e4d33b720a024a9c00afd10ddc076a8ae8935",
9
- "data/attack-techniques.json": "1dd41a2dc19e4cf4a02df0bf84362f418355ba988f19491775352d57c8c61c66",
10
- "data/cve-catalog.json": "fac45afb6141b754647bf88b67b99da2470e5680c1b0a5b41c0105cf7418fe5f",
11
- "data/cwe-catalog.json": "4bfc842cb748608d5e9c4f725824101e3beb242ad7e82802a0dbf25991a089fa",
9
+ "data/attack-techniques.json": "bd0a3543c975d7454401acdee260b00685f0e54010878144daa5dd7fcd5335de",
10
+ "data/cve-catalog.json": "7b12779c6a459dbcf303c46bba7d05cc4b54e697741b4cfddf2732e7e3c334b2",
11
+ "data/cwe-catalog.json": "3f9c1c34914b5947378f6449bc4977e68472209def736b98fe2b0a310d545d65",
12
12
  "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
13
13
  "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
14
14
  "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
15
- "data/framework-control-gaps.json": "71c44c3715f7306096399ff8e4acfad3f5a287c6b802c1ddb721b7d9725161d6",
15
+ "data/framework-control-gaps.json": "2dad9eda3c8470436d9c6df7aabfeb751d924651b407c3877e80a652f51b44fc",
16
16
  "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
17
17
  "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
18
- "data/zeroday-lessons.json": "2268eb4c037bd71743b63b4f5b0a032895a911aafe961763c49d5861c3c066cc",
18
+ "data/zeroday-lessons.json": "a68ba34b20d287d70fc4b19e7cb181a22567dd9ea5b3f8bb154084ade826a857",
19
19
  "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
20
20
  "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
21
21
  "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
72
72
  "dlp_refs": 0
73
73
  },
74
74
  "trigger_table_entries": 538,
75
- "chains_cve_entries": 320,
75
+ "chains_cve_entries": 322,
76
76
  "chains_cwe_entries": 171,
77
77
  "jurisdictions_indexed": 29,
78
78
  "handoff_dag_nodes": 42,
package/data/_indexes/activity-feed.json CHANGED
@@ -149,7 +149,7 @@
149
149
  "artifact": "data/cve-catalog.json",
150
150
  "path": "data/cve-catalog.json",
151
151
  "schema_version": "1.0.0",
152
- "entry_count": 331
152
+ "entry_count": 333
153
153
  },
154
154
  {
155
155
  "date": "2026-05-18",
@@ -165,7 +165,7 @@
165
165
  "artifact": "data/zeroday-lessons.json",
166
166
  "path": "data/zeroday-lessons.json",
167
167
  "schema_version": "1.1.0",
168
- "entry_count": 326
168
+ "entry_count": 328
169
169
  },
170
170
  {
171
171
  "date": "2026-05-17",
package/data/_indexes/catalog-summaries.json CHANGED
@@ -62,7 +62,7 @@
62
62
  "rebuild_after_days": 365,
63
63
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
64
64
  },
65
- "entry_count": 331,
65
+ "entry_count": 333,
66
66
  "sample_keys": [
67
67
  "CVE-2025-53773",
68
68
  "CVE-2026-30615",
@@ -238,7 +238,7 @@
238
238
  "rebuild_after_days": 365,
239
239
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
240
240
  },
241
- "entry_count": 326,
241
+ "entry_count": 328,
242
242
  "sample_keys": [
243
243
  "CVE-2026-31431",
244
244
  "CVE-2025-53773",