npm - @blamejs/exceptd-skills - Versions diffs - 0.13.76 → 0.13.78 - Mend

@blamejs/exceptd-skills 0.13.76 → 0.13.78

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +8 -8
package/data/_indexes/activity-feed.json +2 -2
package/data/_indexes/catalog-summaries.json +2 -2
package/data/_indexes/chains.json +2199 -0
package/data/attack-techniques.json +9 -0
package/data/cve-catalog.json +610 -0
package/data/cwe-catalog.json +8 -1
package/data/framework-control-gaps.json +51 -5
package/data/zeroday-lessons.json +300 -0
package/manifest.json +44 -44
package/package.json +2 -2
package/sbom.cdx.json +23 -23

package/data/cve-catalog.json CHANGED Viewed

@@ -10486,6 +10486,616 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Upsonic allow-lists npm/npx for MCP tasks, but their argument flags enable arbitrary OS command execution, so an attacker who can create a task achieves RCE."
   },
+  "CVE-2026-26015": {
+    "name": "DocsGPT MCP stdio Unauthenticated Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); the GitHub advisory scores 10.0. Unauthenticated: a crafted payload bypasses the MCP test behavior to execute commands.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the GitHub Security Advisory GHSA-gcrq-f296-2j74 and the 2026 MCP supply-chain advisory: a crafted MCP stdio configuration payload bypasses DocsGPT's MCP test/validation behavior and runs shell commands without authentication, on both hosted and self-hosted instances.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory; DocsGPT is an open-source documentation RAG assistant and the abused surface is its MCP stdio configuration.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; command injection through the MCP stdio configuration, reachable without authentication.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research / advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "DocsGPT (arc53) versions 0.15.0 up to (but not including) 0.16.0.",
+    "affected_versions": [
+      "DocsGPT >= 0.15.0, < 0.16.0"
+    ],
+    "vector": "DocsGPT accepts an MCP server configuration with a stdio transport whose shell command it executes. A crafted payload bypasses the MCP test/validation step, so the command runs without authorization or neutralization (CWE-77), giving an unauthenticated attacker remote code execution on the DocsGPT host.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — network-reachable, low-complexity, unauthenticated command injection.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to DocsGPT 0.16.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade DocsGPT (arc53) to 0.16.0 or later. Until then, do not expose DocsGPT to untrusted networks, restrict MCP configuration, and run it as a least-privilege container user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted documentation/RAG assistants and their MCP transports as managed, RCE-bearing software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI assistant's MCP stdio configuration as an unauthenticated command-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the MCP stdio configuration as a privileged, unauthenticated execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model unauthenticated command injection via an AI assistant's MCP configuration.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating and neutralizing command input handed to an AI assistant's MCP transport.",
+      "AU-ISM-1546": "Patch-application control does not single out AI-assistant MCP transports.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework requires the MCP transport to authenticate callers and neutralize the stdio command; a bypassable validation step is not an authorization boundary."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=22 minus patch 15. Note: unauthenticated reachability raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-26015",
+    "cwe_refs": [
+      "CWE-77",
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "DocsGPT spawning a subprocess whose command came from an MCP stdio configuration rather than a pinned configuration.",
+        "MCP configuration requests to a DocsGPT instance from unauthenticated or untrusted sources.",
+        "Shell metacharacters or unexpected binaries in DocsGPT MCP stdio command values.",
+        "DocsGPT version >= 0.15.0 and < 0.16.0 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from GitHub Security Advisory GHSA-gcrq-f296-2j74 / NVD CVE-2026-26015 (CWE-77 unauthenticated command injection via MCP stdio configuration) and the 2026 MCP supply-chain advisory (https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-26015",
+      "https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74",
+      "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-26015",
+        "url": "https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74",
+        "severity": "critical",
+        "published_date": "2026-04-29"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-26015",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26015",
+        "severity": "critical",
+        "published_date": "2026-04-29"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-77/CWE-78; NIST CVSS 9.8) + GHSA GHSA-gcrq-f296-2j74 + the 2026 MCP supply-chain advisory family. Unauthenticated member of the MCP command-injection class curated in depth by CVE-2026-22252 and CVE-2026-22688.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "DocsGPT executes an MCP stdio configuration's shell command after a bypassable validation step, giving an unauthenticated attacker remote code execution; fixed in 0.16.0."
+  },
+  "CVE-2026-9082": {
+    "name": "Drupal Core Database API Unauthenticated SQL Injection (SA-CORE-2026-004)",
+    "type": "SQLI",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); Drupal rates SA-CORE-2026-004 Highly Critical. Unauthenticated SQL injection via the database abstraction layer on PostgreSQL-backed sites.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-22",
+    "cisa_kev_due_date": "2026-05-27",
+    "poc_available": true,
+    "poc_description": "Public proof-of-concept and scanners exist for the unauthenticated SQL injection in Drupal's PostgreSQL EntityQuery condition handler reachable via JSON:API (e.g. github.com/ridhinva/CVE-2026-9082). Drupal published SA-CORE-2026-004 with fixes across all supported branches.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Conventional SQL injection in Drupal core's database abstraction layer; no AI-discovery attribution. Reported through Drupal's security advisory process (SA-CORE-2026-004).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported; classic unauthenticated SQL injection.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA added CVE-2026-9082 to the KEV catalog (catalog version 2026.05.22) on 2026-05-22 with a 2026-05-27 remediation due date, indicating confirmed active exploitation in the wild. Public reporting describes exploitation of PostgreSQL-backed Drupal sites within days of disclosure.",
+    "affected": "Drupal core 8.9.0 to <10.4.10, 10.5.0 to <10.5.10, 10.6.0 to <10.6.9, 11.0.0 to <11.1.10, 11.2.0 to <11.2.12, and 11.3.0 to <11.3.10; the SQL injection is reachable on PostgreSQL-backed sites via JSON:API.",
+    "affected_versions": [
+      "Drupal core >= 8.9.0, < 10.4.10",
+      "Drupal core >= 10.5.0, < 10.5.10",
+      "Drupal core >= 10.6.0, < 10.6.9",
+      "Drupal core >= 11.0.0, < 11.1.10",
+      "Drupal core >= 11.2.0, < 11.2.12",
+      "Drupal core >= 11.3.0, < 11.3.10"
+    ],
+    "vector": "Drupal core's database abstraction layer fails to neutralize special elements in a query condition handler used by the PostgreSQL driver and reachable through JSON:API, allowing an unauthenticated attacker to inject SQL (CWE-89). Exploitation can lead to information disclosure, data modification, and in some configurations privilege escalation toward code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — network-reachable, low-complexity, unauthenticated SQL injection.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is a Drupal core upgrade to 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 per SA-CORE-2026-004; clear caches, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Drupal core to 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10 (the fixed release on your branch) per SA-CORE-2026-004. PostgreSQL-backed sites are the exploited configuration; prioritize them. Meet the CISA KEV due date of 2026-05-27."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence frequently misses CMS-core SQL injection in the window between KEV listing (2026-05-22) and the 2026-05-27 due date.",
+      "NIST-800-53-SI-10": "Input-validation control is asserted at the application layer but not verified at the database abstraction layer where the query condition handler builds SQL.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely treats the CMS database driver's query builder as an unauthenticated injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not enforce the sub-week remediation cadence an actively-exploited unauthenticated CMS SQLi demands.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated SQL injection in a third-party CMS core as an ICT-risk event with a regulator clock.",
+      "UK-CAF-B4": "System Security objective has no objective for verifying parameterization in the CMS database abstraction layer.",
+      "AU-ISM-1546": "Patch-application control does not single out actively-exploited CMS-core injection for accelerated remediation."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 78,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P1 (RWEP 78, >= 75 \"patch or compensating controls within 24 hours\" band per lib/scoring.js timeline). CISA KEV 25 + poc 20 + active_exploitation confirmed 20 + blast_radius 28 (Drupal core install base) minus patch 15. Meet the CISA due date 2026-05-27.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-9082",
+    "cwe_refs": [
+      "CWE-89"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Anomalous JSON:API requests to a PostgreSQL-backed Drupal site carrying SQL metacharacters in filter/condition parameters.",
+        "Unexpected database errors or query-shape changes originating from the EntityQuery condition handler.",
+        "Drupal core version below the SA-CORE-2026-004 fixed release on its branch (e.g. < 10.4.10 / < 10.5.10 / < 10.6.9 / < 11.1.10 / < 11.2.12 / < 11.3.10) on PostgreSQL — the exposed precondition.",
+        "Outbound data egress or new admin accounts following anomalous JSON:API traffic."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from Drupal SA-CORE-2026-004 (https://www.drupal.org/sa-core-2026-004), NVD CVE-2026-9082 (CWE-89 SQL injection via the PostgreSQL EntityQuery condition handler reachable through JSON:API), and the CISA KEV listing (catalog version 2026.05.22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://www.drupal.org/sa-core-2026-004",
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-9082"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Drupal Security Team",
+        "advisory_id": "SA-CORE-2026-004",
+        "url": "https://www.drupal.org/sa-core-2026-004",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-9082",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9082",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-89; NIST CVSS 9.8) + Drupal SA-CORE-2026-004 + the CISA KEV listing (catalog version 2026.05.22, added 2026-05-22, due 2026-05-27). Conventional unauthenticated SQL injection, no AI-discovery attribution.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Drupal core's database abstraction layer fails to neutralize special elements in a PostgreSQL query condition handler reachable via JSON:API, allowing unauthenticated SQL injection; actively exploited (CISA KEV 2026-05-22, due 2026-05-27); fixed in SA-CORE-2026-004 releases."
+  },
+  "CVE-2025-23254": {
+    "name": "NVIDIA TensorRT-LLM Python Executor Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVIDIA/NVD CVSS v3.1 base 8.8 (HIGH, Scope:Changed). Insecure deserialization in the TensorRT-LLM Python executor.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA TensorRT-LLM prior to 0.18.2.",
+    "affected_versions": [
+      "NVIDIA TensorRT-LLM < 0.18.2"
+    ],
+    "vector": "NVIDIA TensorRT-LLM's Python executor deserializes untrusted pickle data received over its ZeroMQ socket without validation (CWE-502). An attacker with local access to the TRT-LLM server can supply a crafted payload that executes code, discloses information, or tampers with data.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: local (per the CVSS vector).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to 0.18.2 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA TensorRT-LLM to 0.18.2 or later. Restrict local access to the TRT-LLM server and isolate its ZeroMQ socket."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (Oligo ShadowMQ technique) + blast_radius=24 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-23254",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "NVIDIA deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: NVIDIA TensorRT-LLM < 0.18.2 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-23254 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-23254",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5648",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5648",
+        "severity": "high",
+        "published_date": "2025-05-01"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-23254",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23254",
+        "severity": "high",
+        "published_date": "2025-05-01"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.8) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA TensorRT-LLM's Python executor deserializes untrusted data over its ZeroMQ socket, letting a local attacker execute code; part of the ShadowMQ code-reuse family; fixed in 0.18.2."
+  },
+  "CVE-2025-30165": {
+    "name": "vLLM V0 Engine ZeroMQ Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 8,
+    "cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.0 (HIGH, AV:Adjacent). Unsafe deserialization over ZeroMQ in multi-node V0-engine deployments.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "vLLM 0.5.2 and later when the legacy V0 engine is used in multi-node deployments. The maintainers did not ship a code patch; the V0 engine is off by default since 0.8.0, which is the recommended mitigation.",
+    "affected_versions": [
+      "vLLM >= 0.5.2 (V0 engine, multi-node)"
+    ],
+    "vector": "vLLM's legacy V0 engine deserializes untrusted pickle data received over a ZeroMQ socket in multi-node deployments (CWE-502). An adjacent-network attacker who can reach the socket executes arbitrary code on the vLLM worker.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: adjacent (per the CVSS vector).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No code patch shipped; mitigate via the project's recommended configuration (see vendor_update_paths) and network isolation of the deserialization channel.",
+    "vendor_update_paths": [
+      "Do not enable the legacy V0 engine; it is off by default since vLLM 0.8.0 and that default is the recommended mitigation. If V0 multi-node is required, isolate the ZeroMQ socket on a trusted network segment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 46,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 46, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, no code patch shipped. poc_available=20 (Oligo ShadowMQ technique) + blast_radius=26.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-30165",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "vLLM deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: vLLM >= 0.5.2 (V0 engine, multi-node) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-30165 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-30165",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-30165",
+        "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-9pcc-gvx5-r5wm",
+        "severity": "high",
+        "published_date": "2025-05-06"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-30165",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30165",
+        "severity": "high",
+        "published_date": "2025-05-06"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "vLLM's legacy V0 engine deserializes untrusted data over ZeroMQ in multi-node deployments, allowing adjacent-network RCE; no code patch shipped — the V0 engine is off by default since 0.8.0; part of the ShadowMQ code-reuse family."
+  },
+  "CVE-2024-50050": {
+    "name": "Meta Llama Stack Socket Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 6.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
+    "cvss_note": "NVD CISA-ADP CVSS v3.1 base 6.3 (MEDIUM); Oligo and Snyk originally scored the same flaw 9.3 (CRITICAL) — a documented CVSS dispute. The serialization format was replaced with JSON in the fix.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Meta Llama Stack prior to the JSON-migration revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 (released as 0.0.41).",
+    "affected_versions": [
+      "Meta Llama Stack < 0.0.41"
+    ],
+    "vector": "Meta Llama Stack used pickle as the serialization format for socket communication and deserialized untrusted data without validation (CWE-502), allowing a network attacker who reaches the socket to execute code. The fix replaced the unsafe format with JSON.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: network (per the CVSS vector).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to 0.0.41 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Meta Llama Stack to 0.0.41 or later (serialization migrated to JSON). Isolate the inference socket on a trusted network segment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (Oligo ShadowMQ technique) + blast_radius=22 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-50050",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Meta deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: Meta Llama Stack < 0.0.41 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-50050 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-50050",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-50050",
+        "url": "https://github.com/meta-llama/llama-stack/security/advisories",
+        "severity": "medium",
+        "published_date": "2024-10-23"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-50050",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50050",
+        "severity": "medium",
+        "published_date": "2024-10-23"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 6.3) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Meta Llama Stack used an unsafe socket serialization format and deserialized untrusted data, allowing network RCE; fixed by migrating to JSON in 0.0.41; the seed of the ShadowMQ code-reuse family."
+  },
+  "CVE-2025-60455": {
+    "name": "Modular Max Server KVCache-Agent Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 8.4,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.4 (HIGH). Unsafe deserialization reachable when --experimental-enable-kvcache-agent is enabled.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Modular Max Server before 25.6.0 when the --experimental-enable-kvcache-agent feature is enabled.",
+    "affected_versions": [
+      "Modular Max Server < 25.6.0 (kvcache-agent enabled)"
+    ],
+    "vector": "Modular Max Server deserializes untrusted pickle data over its inter-process channel when the experimental KVCache agent is enabled (CWE-502), allowing arbitrary code execution on the server.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: local (per the CVSS vector).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to 25.6.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Modular Max Server to 25.6.0 or later. Until then, do not run with --experimental-enable-kvcache-agent."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1059"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 23, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (Oligo ShadowMQ technique) + blast_radius=18 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-60455",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Modular deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: Modular Max Server < 25.6.0 (kvcache-agent enabled) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-60455 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-60455",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-60455",
+        "url": "https://github.com/modular/modular/security/advisories",
+        "severity": "high",
+        "published_date": "2025-11-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-60455",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60455",
+        "severity": "high",
+        "published_date": "2025-11-18"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.4) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Modular Max Server deserializes untrusted data when the experimental KVCache agent is enabled, allowing code execution; part of the ShadowMQ code-reuse family; fixed in 25.6.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",