@blamejs/exceptd-skills 0.13.76 → 0.13.78

package/data/cwe-catalog.json

@@ -148,6 +148,7 @@
       "CVE-2025-59689",
       "CVE-2026-22688",
       "CVE-2026-22719",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -203,6 +204,7 @@
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25108",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30623",
@@ -319,7 +321,8 @@
       "CVE-2025-25257",
       "CVE-2025-57819",
       "CVE-2026-21643",
-      "CVE-2026-42208"
+      "CVE-2026-42208",
+      "CVE-2026-9082"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -1296,10 +1299,13 @@
     ],
     "evidence_cves": [
       "CVE-2023-21529",
+      "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",
+      "CVE-2025-23254",
       "CVE-2025-24016",
       "CVE-2025-26399",
+      "CVE-2025-30165",
       "CVE-2025-40551",
       "CVE-2025-42999",
       "CVE-2025-49113",
@@ -1307,6 +1313,7 @@
       "CVE-2025-53690",
       "CVE-2025-53770",
       "CVE-2025-59287",
+      "CVE-2025-60455",
       "CVE-2025-68664",
       "CVE-2026-20131",
       "CVE-2026-20963"

package/data/framework-control-gaps.json

@@ -34,11 +34,16 @@
     "status": "open",
     "opened_date": "2026-01-01",
     "evidence_cves": [
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -1353,6 +1358,7 @@
       "CVE-2024-37079",
       "CVE-2024-42009",
       "CVE-2024-43468",
+      "CVE-2024-50050",
       "CVE-2024-54085",
       "CVE-2024-56145",
       "CVE-2024-57726",
@@ -1381,6 +1387,7 @@
       "CVE-2025-21043",
       "CVE-2025-21479",
       "CVE-2025-21480",
+      "CVE-2025-23254",
       "CVE-2025-24016",
       "CVE-2025-24201",
       "CVE-2025-24893",
@@ -1396,6 +1403,7 @@
       "CVE-2025-27915",
       "CVE-2025-27920",
       "CVE-2025-29635",
+      "CVE-2025-30165",
       "CVE-2025-30397",
       "CVE-2025-31125",
       "CVE-2025-31277",
@@ -1469,6 +1477,7 @@
       "CVE-2025-59374",
       "CVE-2025-59689",
       "CVE-2025-59718",
+      "CVE-2025-60455",
       "CVE-2025-60710",
       "CVE-2025-61757",
       "CVE-2025-61882",
@@ -1530,6 +1539,7 @@
       "CVE-2026-24858",
       "CVE-2026-25108",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-3055",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -1554,7 +1564,8 @@
       "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
-      "CVE-2026-5281"
+      "CVE-2026-5281",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1735,17 +1746,22 @@
     "status": "open",
     "opened_date": "2026-03-15",
     "evidence_cves": [
+      "CVE-2024-50050",
       "CVE-2025-10585",
       "CVE-2025-1094",
       "CVE-2025-14174",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-38352",
       "CVE-2025-43300",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -1759,6 +1775,7 @@
       "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
+      "CVE-2026-9082",
       "MAL-2026-3083"
     ],
     "atlas_refs": [],
@@ -2151,11 +2168,16 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-50050",
       "CVE-2025-0133",
       "CVE-2025-1094",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
+      "CVE-2025-60455",
       "CVE-2025-6965",
       "CVE-2026-39884",
-      "CVE-2026-42208"
+      "CVE-2026-42208",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [
       "AML.T0053"
@@ -2298,6 +2320,7 @@
       "CVE-2024-37079",
       "CVE-2024-42009",
       "CVE-2024-43468",
+      "CVE-2024-50050",
       "CVE-2024-54085",
       "CVE-2024-56145",
       "CVE-2024-57726",
@@ -2327,6 +2350,7 @@
       "CVE-2025-21043",
       "CVE-2025-21479",
       "CVE-2025-21480",
+      "CVE-2025-23254",
       "CVE-2025-24016",
       "CVE-2025-24201",
       "CVE-2025-24893",
@@ -2342,6 +2366,7 @@
       "CVE-2025-27915",
       "CVE-2025-27920",
       "CVE-2025-29635",
+      "CVE-2025-30165",
       "CVE-2025-30397",
       "CVE-2025-31125",
       "CVE-2025-31277",
@@ -2416,6 +2441,7 @@
       "CVE-2025-59389",
       "CVE-2025-59689",
       "CVE-2025-59718",
+      "CVE-2025-60455",
       "CVE-2025-60710",
       "CVE-2025-61757",
       "CVE-2025-61882",
@@ -2480,6 +2506,7 @@
       "CVE-2026-24858",
       "CVE-2026-25108",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-3055",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -2510,7 +2537,8 @@
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
-      "CVE-2026-6973"
+      "CVE-2026-6973",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -4748,14 +4776,19 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-0300",
       "CVE-2026-20182",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -4767,7 +4800,8 @@
       "CVE-2026-42945",
       "CVE-2026-45498",
       "CVE-2026-46300",
-      "CVE-2026-46333"
+      "CVE-2026-46333",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5254,12 +5288,17 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -5270,6 +5309,7 @@
       "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
+      "CVE-2026-9082",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [],
@@ -5302,12 +5342,17 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
+      "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -5317,7 +5362,8 @@
       "CVE-2026-41091",
       "CVE-2026-45498",
       "CVE-2026-46300",
-      "CVE-2026-46333"
+      "CVE-2026-46333",
+      "CVE-2026-9082"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -6433,6 +6433,306 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-26015": {
+    "name": "DocsGPT MCP stdio Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "DocsGPT executes an MCP server configuration's stdio shell command after a validation step that a crafted payload bypasses, so an unauthenticated attacker runs commands on the host (CWE-77).",
+      "privileges_required": "none (NVD PR:N) — unauthenticated, on hosted and self-hosted instances",
+      "complexity": "low (NVD AC:L); one crafted MCP configuration payload",
+      "ai_factor": "The abused surface is the MCP stdio configuration of a documentation/RAG assistant. The lesson sharpens the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) cases: a bypassable validation step is not an authorization boundary — the MCP transport must authenticate the caller AND neutralize the command, because its by-design command execution turns injection into unauthenticated RCE. Surfaced via the 2026 MCP supply-chain advisory + GHSA feeds."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted documentation/RAG assistants and their MCP transports as managed, RCE-bearing software."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not enumerate the MCP stdio configuration as an unauthenticated command-execution surface, nor recognize a bypassable validation step as a non-boundary."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the MCP transport to authenticate callers and neutralize the stdio command; a validation step that can be bypassed is not authorization."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "Documentation/RAG assistants are rarely in the managed vulnerability program, and an MCP 'test' step is mistaken for an authorization control.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-084",
+        "name": "MCP-STDIO-CONFIG-INPUT-NEUTRALIZATION",
+        "description": "MCP stdio configuration command/args must be authenticated and neutralized before execution; a 'test'/validation step that can be bypassed is not an authorization boundary. Upgrade DocsGPT to 0.16.0+, do not expose it to untrusted networks, and run least-privilege. Same governance as the LibreChat (CVE-2026-22252) and WeKnora (CVE-2026-22688) MCP transport flaws, here reachable without authentication.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-26015",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-9082": {
+    "name": "Drupal Core Database API Unauthenticated SQL Injection (SA-CORE-2026-004)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Drupal core's database abstraction layer fails to neutralize special elements in a PostgreSQL query condition handler reachable via JSON:API, allowing an unauthenticated attacker to inject SQL (CWE-89). Actively exploited; CISA KEV 2026-05-22, due 2026-05-27.",
+      "privileges_required": "none (NVD PR:N) — unauthenticated, on PostgreSQL-backed sites",
+      "complexity": "low (NVD AC:L); JSON:API request with crafted condition",
+      "ai_factor": "Not an AI-specific flaw, but a current actively-exploited CMS-core SQLi the catalog tracks for KEV currency. The lesson: input validation asserted at the application layer is not the same as parameterization verified at the database abstraction layer where the query is built — the two must be separately evidenced."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw-remediation cadence frequently misses the sub-week window between KEV listing and the due date for an actively-exploited CMS-core SQLi."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is asserted at the application layer but not verified at the database abstraction layer where the query condition handler builds SQL."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not treat the CMS database driver's query builder as an unauthenticated injection surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 65,
+      "basis": "Organizations assert WAF/input-validation coverage at the edge while the injection is in the database abstraction layer's PostgreSQL query builder, reachable via JSON:API.",
+      "theater_pattern": "perimeter_control_substitution"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-085",
+        "name": "DB-ABSTRACTION-LAYER-PARAMETERIZATION-VERIFICATION",
+        "description": "Parameterization must be verified at the database abstraction layer / query builder, not assumed from application-layer input validation or a perimeter WAF. For Drupal, apply SA-CORE-2026-004 (10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10), prioritize PostgreSQL-backed sites, and meet the CISA KEV due date 2026-05-27. The distinguishing test: send a JSON:API request with a SQL metacharacter in a filter condition against a staging instance and confirm the query builder parameterizes rather than concatenates it.",
+        "evidence": "https://www.drupal.org/sa-core-2026-004",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-23254": {
+    "name": "NVIDIA TensorRT-LLM Python Executor Deserialization RCE (ShadowMQ)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA TensorRT-LLM deserializes untrusted pickle data received over a ZeroMQ / IPC socket without validation (CWE-502), so an attacker who reaches the channel executes code. The same insecure pattern spread across AI inference engines by copy-paste code reuse (Oligo ShadowMQ).",
+      "privileges_required": "local access to the TRT-LLM server (NVD AV:L/PR:L)",
+      "complexity": "low (NVD AC:L); a crafted serialized payload on the deserialization channel",
+      "ai_factor": "The abused surface is the IPC/socket layer of an AI inference engine. The lesson is the supply-chain one: an insecure deserialization primitive was reused across vLLM, NVIDIA TensorRT-LLM, Meta Llama Stack and Modular Max, so one root cause became an ecosystem-wide exposure. Inference-engine sockets must use a safe serializer and be treated as untrusted input."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI inference engines and their socket serialization layers as managed, RCE-bearing software, nor flag a flaw recurring across projects via code reuse."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the serializer is treated as trusted."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires an AI inference engine's socket serialization to use a safe format and validate peers; the unsafe primitive propagated by code reuse."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 68,
+      "basis": "AI inference engines are rarely in the managed vulnerability program, and their internal serialization sockets are assumed trusted; a reused insecure primitive is not tracked across the projects that copied it.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. Apply the project fix (NVIDIA TensorRT-LLM), and for vLLM keep the legacy V0 engine disabled. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5648",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-30165": {
+    "name": "vLLM V0 Engine ZeroMQ Deserialization RCE (ShadowMQ)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "vLLM deserializes untrusted pickle data received over a ZeroMQ / IPC socket without validation (CWE-502), so an attacker who reaches the channel executes code. The same insecure pattern spread across AI inference engines by copy-paste code reuse (Oligo ShadowMQ).",
+      "privileges_required": "adjacent-network reach to the ZeroMQ socket (NVD AV:A/PR:L)",
+      "complexity": "low (NVD AC:L); a crafted serialized payload on the deserialization channel",
+      "ai_factor": "The abused surface is the IPC/socket layer of an AI inference engine. The lesson is the supply-chain one: an insecure deserialization primitive was reused across vLLM, NVIDIA TensorRT-LLM, Meta Llama Stack and Modular Max, so one root cause became an ecosystem-wide exposure. Inference-engine sockets must use a safe serializer and be treated as untrusted input."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI inference engines and their socket serialization layers as managed, RCE-bearing software, nor flag a flaw recurring across projects via code reuse."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the serializer is treated as trusted."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires an AI inference engine's socket serialization to use a safe format and validate peers; the unsafe primitive propagated by code reuse."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI inference engines are rarely in the managed vulnerability program, and their internal serialization sockets are assumed trusted; a reused insecure primitive is not tracked across the projects that copied it.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. No code patch shipped for vLLM CVE-2025-30165; the mitigation is to keep the legacy V0 engine disabled (its default since 0.8.0) and isolate the ZeroMQ socket on a trusted network segment. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://github.com/vllm-project/vllm/security/advisories/GHSA-9pcc-gvx5-r5wm",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-50050": {
+    "name": "Meta Llama Stack Socket Deserialization RCE (ShadowMQ)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Meta Llama Stack deserializes untrusted pickle data received over a ZeroMQ / IPC socket without validation (CWE-502), so an attacker who reaches the channel executes code. The same insecure pattern spread across AI inference engines by copy-paste code reuse (Oligo ShadowMQ).",
+      "privileges_required": "network reach to the inference socket (NVD AV:N/PR:L)",
+      "complexity": "low (NVD AC:L); a crafted serialized payload on the deserialization channel",
+      "ai_factor": "The abused surface is the IPC/socket layer of an AI inference engine. The lesson is the supply-chain one: an insecure deserialization primitive was reused across vLLM, NVIDIA TensorRT-LLM, Meta Llama Stack and Modular Max, so one root cause became an ecosystem-wide exposure. Inference-engine sockets must use a safe serializer and be treated as untrusted input."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI inference engines and their socket serialization layers as managed, RCE-bearing software, nor flag a flaw recurring across projects via code reuse."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the serializer is treated as trusted."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires an AI inference engine's socket serialization to use a safe format and validate peers; the unsafe primitive propagated by code reuse."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI inference engines are rarely in the managed vulnerability program, and their internal serialization sockets are assumed trusted; a reused insecure primitive is not tracked across the projects that copied it.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. Apply the project fix (Meta Llama Stack), and for vLLM keep the legacy V0 engine disabled. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-50050",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-60455": {
+    "name": "Modular Max Server KVCache-Agent Deserialization RCE (ShadowMQ)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Modular Max Server deserializes untrusted pickle data received over a ZeroMQ / IPC socket without validation (CWE-502), so an attacker who reaches the channel executes code. The same insecure pattern spread across AI inference engines by copy-paste code reuse (Oligo ShadowMQ).",
+      "privileges_required": "local reach with the experimental KVCache agent enabled (NVD AV:L/PR:N)",
+      "complexity": "low (NVD AC:L); a crafted serialized payload on the deserialization channel",
+      "ai_factor": "The abused surface is the IPC/socket layer of an AI inference engine. The lesson is the supply-chain one: an insecure deserialization primitive was reused across vLLM, NVIDIA TensorRT-LLM, Meta Llama Stack and Modular Max, so one root cause became an ecosystem-wide exposure. Inference-engine sockets must use a safe serializer and be treated as untrusted input."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI inference engines and their socket serialization layers as managed, RCE-bearing software, nor flag a flaw recurring across projects via code reuse."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the serializer is treated as trusted."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires an AI inference engine's socket serialization to use a safe format and validate peers; the unsafe primitive propagated by code reuse."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "AI inference engines are rarely in the managed vulnerability program, and their internal serialization sockets are assumed trusted; a reused insecure primitive is not tracked across the projects that copied it.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. Apply the project fix (Modular Max Server), and for vLLM keep the legacy V0 engine disabled. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-60455",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",