@blamejs/exceptd-skills 0.13.76 → 0.13.77

package/data/attack-techniques.json

@@ -281,6 +281,7 @@
       "CVE-2026-22688",
       "CVE-2026-22778",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-30615",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -959,6 +960,7 @@
       "CVE-2026-22778",
       "CVE-2026-23760",
       "CVE-2026-25108",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -980,6 +982,7 @@
       "CVE-2026-42945",
       "CVE-2026-6973",
       "CVE-2026-7482",
+      "CVE-2026-9082",
       "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP"
     ],
     "description_full": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",

package/data/cve-catalog.json

@@ -10486,6 +10486,214 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Upsonic allow-lists npm/npx for MCP tasks, but their argument flags enable arbitrary OS command execution, so an attacker who can create a task achieves RCE."
   },
+  "CVE-2026-26015": {
+    "name": "DocsGPT MCP stdio Unauthenticated Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); the GitHub advisory scores 10.0. Unauthenticated: a crafted payload bypasses the MCP test behavior to execute commands.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the GitHub Security Advisory GHSA-gcrq-f296-2j74 and the 2026 MCP supply-chain advisory: a crafted MCP stdio configuration payload bypasses DocsGPT's MCP test/validation behavior and runs shell commands without authentication, on both hosted and self-hosted instances.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory; DocsGPT is an open-source documentation RAG assistant and the abused surface is its MCP stdio configuration.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; command injection through the MCP stdio configuration, reachable without authentication.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "DocsGPT (arc53) versions 0.15.0 up to (but not including) 0.16.0.",
+    "affected_versions": [
+      "DocsGPT >= 0.15.0, < 0.16.0"
+    ],
+    "vector": "DocsGPT accepts an MCP server configuration with a stdio transport whose shell command it executes. A crafted payload bypasses the MCP test/validation step, so the command runs without authorization or neutralization (CWE-77), giving an unauthenticated attacker remote code execution on the DocsGPT host.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — network-reachable, low-complexity, unauthenticated command injection.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to DocsGPT 0.16.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade DocsGPT (arc53) to 0.16.0 or later. Until then, do not expose DocsGPT to untrusted networks, restrict MCP configuration, and run it as a least-privilege container user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted documentation/RAG assistants and their MCP transports as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI assistant's MCP stdio configuration as an unauthenticated command-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the MCP stdio configuration as a privileged, unauthenticated execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model unauthenticated command injection via an AI assistant's MCP configuration.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating and neutralizing command input handed to an AI assistant's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-assistant MCP transports.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework requires the MCP transport to authenticate callers and neutralize the stdio command; a bypassable validation step is not an authorization boundary."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=22 minus patch 15. Note: unauthenticated reachability raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-26015",
+    "cwe_refs": [
+      "CWE-77",
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "DocsGPT spawning a subprocess whose command came from an MCP stdio configuration rather than a pinned configuration.",
+        "MCP configuration requests to a DocsGPT instance from unauthenticated or untrusted sources.",
+        "Shell metacharacters or unexpected binaries in DocsGPT MCP stdio command values.",
+        "DocsGPT version >= 0.15.0 and < 0.16.0 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from GitHub Security Advisory GHSA-gcrq-f296-2j74 / NVD CVE-2026-26015 (CWE-77 unauthenticated command injection via MCP stdio configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-26015",
+      "https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-26015",
+        "url": "https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74",
+        "severity": "critical",
+        "published_date": "2026-04-29"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-26015",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26015",
+        "severity": "critical",
+        "published_date": "2026-04-29"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-77/CWE-78; NIST CVSS 9.8) + GHSA GHSA-gcrq-f296-2j74 + the 2026 MCP supply-chain advisory family. Unauthenticated member of the MCP command-injection class curated in depth by CVE-2026-22252 and CVE-2026-22688.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "DocsGPT executes an MCP stdio configuration's shell command after a bypassable validation step, giving an unauthenticated attacker remote code execution; fixed in 0.16.0."
+  },
+  "CVE-2026-9082": {
+    "name": "Drupal Core Database API Unauthenticated SQL Injection (SA-CORE-2026-004)",
+    "type": "SQLI",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); Drupal rates SA-CORE-2026-004 Highly Critical. Unauthenticated SQL injection via the database abstraction layer on PostgreSQL-backed sites.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-22",
+    "cisa_kev_due_date": "2026-05-27",
+    "poc_available": true,
+    "poc_description": "Public proof-of-concept and scanners exist for the unauthenticated SQL injection in Drupal's PostgreSQL EntityQuery condition handler reachable via JSON:API (e.g. github.com/ridhinva/CVE-2026-9082). Drupal published SA-CORE-2026-004 with fixes across all supported branches.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Conventional SQL injection in Drupal core's database abstraction layer; no AI-discovery attribution. Reported through Drupal's security advisory process (SA-CORE-2026-004).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported; classic unauthenticated SQL injection.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA added CVE-2026-9082 to the KEV catalog (catalog version 2026.05.22) on 2026-05-22 with a 2026-05-27 remediation due date, indicating confirmed active exploitation in the wild. Public reporting describes exploitation of PostgreSQL-backed Drupal sites within days of disclosure.",
+    "affected": "Drupal core 8.9.0 to <10.4.10, 10.5.0 to <10.5.10, 10.6.0 to <10.6.9, 11.0.0 to <11.1.10, 11.2.0 to <11.2.12, and 11.3.0 to <11.3.10; the SQL injection is reachable on PostgreSQL-backed sites via JSON:API.",
+    "affected_versions": [
+      "Drupal core >= 8.9.0, < 10.4.10",
+      "Drupal core >= 10.5.0, < 10.5.10",
+      "Drupal core >= 10.6.0, < 10.6.9",
+      "Drupal core >= 11.0.0, < 11.1.10",
+      "Drupal core >= 11.2.0, < 11.2.12",
+      "Drupal core >= 11.3.0, < 11.3.10"
+    ],
+    "vector": "Drupal core's database abstraction layer fails to neutralize special elements in a query condition handler used by the PostgreSQL driver and reachable through JSON:API, allowing an unauthenticated attacker to inject SQL (CWE-89). Exploitation can lead to information disclosure, data modification, and in some configurations privilege escalation toward code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — network-reachable, low-complexity, unauthenticated SQL injection.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is a Drupal core upgrade to 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 per SA-CORE-2026-004; clear caches, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Drupal core to 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10 (the fixed release on your branch) per SA-CORE-2026-004. PostgreSQL-backed sites are the exploited configuration; prioritize them. Meet the CISA KEV due date of 2026-05-27."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence frequently misses CMS-core SQL injection in the window between KEV listing (2026-05-22) and the 2026-05-27 due date.",
+      "NIST-800-53-SI-10": "Input-validation control is asserted at the application layer but not verified at the database abstraction layer where the query condition handler builds SQL.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely treats the CMS database driver's query builder as an unauthenticated injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not enforce the sub-week remediation cadence an actively-exploited unauthenticated CMS SQLi demands.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated SQL injection in a third-party CMS core as an ICT-risk event with a regulator clock.",
+      "UK-CAF-B4": "System Security objective has no objective for verifying parameterization in the CMS database abstraction layer.",
+      "AU-ISM-1546": "Patch-application control does not single out actively-exploited CMS-core injection for accelerated remediation."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 78,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P1 (RWEP 78, >= 75 \"patch or compensating controls within 24 hours\" band per lib/scoring.js timeline). CISA KEV 25 + poc 20 + active_exploitation confirmed 20 + blast_radius 28 (Drupal core install base) minus patch 15. Meet the CISA due date 2026-05-27.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-9082",
+    "cwe_refs": [
+      "CWE-89"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Anomalous JSON:API requests to a PostgreSQL-backed Drupal site carrying SQL metacharacters in filter/condition parameters.",
+        "Unexpected database errors or query-shape changes originating from the EntityQuery condition handler.",
+        "Drupal core version below the SA-CORE-2026-004 fixed release on its branch (e.g. < 10.4.10 / < 10.5.10 / < 10.6.9 / < 11.1.10 / < 11.2.12 / < 11.3.10) on PostgreSQL — the exposed precondition.",
+        "Outbound data egress or new admin accounts following anomalous JSON:API traffic."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from Drupal SA-CORE-2026-004 (https://www.drupal.org/sa-core-2026-004), NVD CVE-2026-9082 (CWE-89 SQL injection via the PostgreSQL EntityQuery condition handler reachable through JSON:API), and the CISA KEV listing (catalog version 2026.05.22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://www.drupal.org/sa-core-2026-004",
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-9082"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Drupal Security Team",
+        "advisory_id": "SA-CORE-2026-004",
+        "url": "https://www.drupal.org/sa-core-2026-004",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-9082",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9082",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-89; NIST CVSS 9.8) + Drupal SA-CORE-2026-004 + the CISA KEV listing (catalog version 2026.05.22, added 2026-05-22, due 2026-05-27). Conventional unauthenticated SQL injection, no AI-discovery attribution.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Drupal core's database abstraction layer fails to neutralize special elements in a PostgreSQL query condition handler reachable via JSON:API, allowing unauthenticated SQL injection; actively exploited (CISA KEV 2026-05-22, due 2026-05-27); fixed in SA-CORE-2026-004 releases."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -148,6 +148,7 @@
       "CVE-2025-59689",
       "CVE-2026-22688",
       "CVE-2026-22719",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -203,6 +204,7 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25108",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30623",
@@ -319,7 +321,8 @@
       "CVE-2025-25257",
       "CVE-2025-57819",
       "CVE-2026-21643",
-      "CVE-2026-42208"
+      "CVE-2026-42208",
+      "CVE-2026-9082"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",

package/data/framework-control-gaps.json

@@ -39,6 +39,7 @@
       "CVE-2025-54136",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -1530,6 +1531,7 @@
       "CVE-2026-24858",
       "CVE-2026-25108",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-3055",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -1554,7 +1556,8 @@
       "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
-      "CVE-2026-5281"
+      "CVE-2026-5281",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1746,6 +1749,7 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -1759,6 +1763,7 @@
       "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
+      "CVE-2026-9082",
       "MAL-2026-3083"
     ],
     "atlas_refs": [],
@@ -2155,7 +2160,8 @@
       "CVE-2025-1094",
       "CVE-2025-6965",
       "CVE-2026-39884",
-      "CVE-2026-42208"
+      "CVE-2026-42208",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [
       "AML.T0053"
@@ -2480,6 +2486,7 @@
       "CVE-2026-24858",
       "CVE-2026-25108",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-3055",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -2510,7 +2517,8 @@
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
-      "CVE-2026-6973"
+      "CVE-2026-6973",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -4756,6 +4764,7 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -4767,7 +4776,8 @@
       "CVE-2026-42945",
       "CVE-2026-45498",
       "CVE-2026-46300",
-      "CVE-2026-46333"
+      "CVE-2026-46333",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5260,6 +5270,7 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -5270,6 +5281,7 @@
       "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
+      "CVE-2026-9082",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [],
@@ -5308,6 +5320,7 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -5317,7 +5330,8 @@
       "CVE-2026-41091",
       "CVE-2026-45498",
       "CVE-2026-46300",
-      "CVE-2026-46333"
+      "CVE-2026-46333",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -6433,6 +6433,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-26015": {
+    "name": "DocsGPT MCP stdio Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "DocsGPT executes an MCP server configuration's stdio shell command after a validation step that a crafted payload bypasses, so an unauthenticated attacker runs commands on the host (CWE-77).",
+      "privileges_required": "none (NVD PR:N) — unauthenticated, on hosted and self-hosted instances",
+      "complexity": "low (NVD AC:L); one crafted MCP configuration payload",
+      "ai_factor": "The abused surface is the MCP stdio configuration of a documentation/RAG assistant. The lesson sharpens the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: a bypassable validation step is not an authorization boundary — the MCP transport must authenticate the caller AND neutralize the command, because its by-design command execution turns injection into unauthenticated RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted documentation/RAG assistants and their MCP transports as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate the MCP stdio configuration as an unauthenticated command-execution surface, nor recognize a bypassable validation step as a non-boundary."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the MCP transport to authenticate callers and neutralize the stdio command; a validation step that can be bypassed is not authorization."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "Documentation/RAG assistants are rarely in the managed vulnerability program, and an MCP 'test' step is mistaken for an authorization control.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-084",
+        "name": "MCP-STDIO-CONFIG-INPUT-NEUTRALIZATION",
+        "description": "MCP stdio configuration command/args must be authenticated and neutralized before execution; a 'test'/validation step that can be bypassed is not an authorization boundary. Upgrade DocsGPT to 0.16.0+, do not expose it to untrusted networks, and run least-privilege. Same governance as the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) MCP transport flaws, here reachable without authentication.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-26015",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-9082": {
+    "name": "Drupal Core Database API Unauthenticated SQL Injection (SA-CORE-2026-004)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Drupal core's database abstraction layer fails to neutralize special elements in a PostgreSQL query condition handler reachable via JSON:API, allowing an unauthenticated attacker to inject SQL (CWE-89). Actively exploited; CISA KEV 2026-05-22, due 2026-05-27.",
+      "privileges_required": "none (NVD PR:N) — unauthenticated, on PostgreSQL-backed sites",
+      "complexity": "low (NVD AC:L); JSON:API request with crafted condition",
+      "ai_factor": "Not an AI-specific flaw, but a current actively-exploited CMS-core SQLi the catalog tracks for KEV currency. The lesson: input validation asserted at the application layer is not the same as parameterization verified at the database abstraction layer where the query is built — the two must be separately evidenced."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw-remediation cadence frequently misses the sub-week window between KEV listing and the due date for an actively-exploited CMS-core SQLi."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is asserted at the application layer but not verified at the database abstraction layer where the query condition handler builds SQL."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not treat the CMS database driver's query builder as an unauthenticated injection surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 65,
+      "basis": "Organizations assert WAF/input-validation coverage at the edge while the injection is in the database abstraction layer's PostgreSQL query builder, reachable via JSON:API.",
+      "theater_pattern": "perimeter_control_substitution"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-085",
+        "name": "DB-ABSTRACTION-LAYER-PARAMETERIZATION-VERIFICATION",
+        "description": "Parameterization must be verified at the database abstraction layer / query builder, not assumed from application-layer input validation or a perimeter WAF. For Drupal, apply SA-CORE-2026-004 (10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10), prioritize PostgreSQL-backed sites, and meet the CISA KEV due date 2026-05-27. The distinguishing test: send a JSON:API request with a SQL metacharacter in a filter condition against a staging instance and confirm the query builder parameterizes rather than concatenates it.",
+        "evidence": "https://www.drupal.org/sa-core-2026-004",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",