@blamejs/exceptd-skills 0.13.77 → 0.13.79

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/CHANGELOG.md +8 -0
  2. package/data/_indexes/_meta.json +8 -8
  3. package/data/_indexes/activity-feed.json +2 -2
  4. package/data/_indexes/catalog-summaries.json +2 -2
  5. package/data/_indexes/chains.json +2276 -0
  6. package/data/attack-techniques.json +8 -0
  7. package/data/cve-catalog.json +603 -1
  8. package/data/cwe-catalog.json +6 -0
  9. package/data/framework-control-gaps.json +52 -3
  10. package/data/zeroday-lessons.json +300 -0
  11. package/manifest.json +44 -44
  12. package/package.json +2 -2
  13. package/sbom.cdx.json +23 -23
package/CHANGELOG.md CHANGED
@@ -1,5 +1,13 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.13.79 — 2026-05-25
4
+
5
+ CVE catalog — NVIDIA Triton Inference Server authentication bypass. Adds the two CWE-288 authentication-bypass CVEs from NVIDIA's May 2026 Triton bulletin: **CVE-2026-24207** and **CVE-2026-24206**, both NIST CVSS 9.8 and reachable unauthenticated over the network against one of the most widely deployed AI inference servers. A successful bypass reaches Triton's model control plane (model load/unload, repository management) without credentials. Fixed in r26.03. NVD enriched CVE-2026-24206 to 9.8 while NVIDIA scored it 7.3 — the entry stores the NVD primary and records the dispute. Their shared zero-day lesson adds a control requiring inference-server authentication to be proven complete across every request path, not assumed from the primary API. CVE count 337 → 339.
6
+
7
+ ## 0.13.78 — 2026-05-25
8
+
9
+ CVE catalog — ShadowMQ code-reuse family: adds the four AI-inference-engine CVEs from Oligo Security's ShadowMQ research, where one insecure deserialization-over-ZeroMQ primitive (CWE-502) spread across projects by copy-paste code reuse. **CVE-2025-23254** (NVIDIA TensorRT-LLM, NIST CVSS 8.8) — Python executor deserializes untrusted data over its ZeroMQ socket; fixed in 0.18.2. **CVE-2025-30165** (vLLM, NIST CVSS 8.0) — legacy V0 engine deserializes over ZeroMQ in multi-node deployments; no code patch shipped, the V0 engine is off by default since 0.8.0, so it scores higher (RWEP 46) than its patched siblings. **CVE-2024-50050** (Meta Llama Stack, NIST CVSS 6.3, originally scored 9.3 by the disclosing researchers) — the seed of the family, fixed by migrating socket serialization to JSON. **CVE-2025-60455** (Modular Max Server, NIST CVSS 8.4) — deserialization reachable with the experimental KVCache agent enabled; fixed in 25.6.0. All four converge on one control: AI inference engines must use a safe serializer, authenticate socket peers, and isolate the channel — applied across every engine in the estate, since the flaw propagated by reuse. CVE count 333 → 337.
10
+
3
11
  ## 0.13.77 — 2026-05-25
4
12
 
5
13
  CVE catalog — two current additions. **CVE-2026-9082** (Drupal core, SA-CORE-2026-004, CWE-89, NIST CVSS 9.8) is an unauthenticated SQL injection in the database abstraction layer reachable via JSON:API on PostgreSQL-backed sites; CISA added it to the KEV catalog on 2026-05-22 with a 2026-05-27 remediation due date, so it scores RWEP P1 (78) on confirmed exploitation. Fixed in the SA-CORE-2026-004 releases (10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10). Its zero-day lesson adds a control requiring parameterization to be verified at the database abstraction layer — not assumed from application-layer input validation or a perimeter WAF. **CVE-2026-26015** (DocsGPT, CWE-77, NIST CVSS 9.8 / GitHub 10.0) completes the MCP command-injection family: a crafted payload bypasses the MCP validation step to run shell commands without authentication; fixed in 0.16.0. Both carry CWE + ATT&CK mappings, global-first framework gaps, and behavioral IoCs. CVE count 331 → 333.
package/data/_indexes/_meta.json CHANGED
@@ -1,21 +1,21 @@
1
1
  {
2
2
  "schema_version": "1.1.0",
3
- "generated_at": "2026-05-25T15:37:01.228Z",
3
+ "generated_at": "2026-05-25T16:42:34.062Z",
4
4
  "generator": "scripts/build-indexes.js",
5
5
  "source_count": 54,
6
6
  "source_hashes": {
7
- "manifest.json": "5eb494e992f4b9efdd66160b6f86bac028df90ff0d1d82fb12c94d82a66f10bc",
7
+ "manifest.json": "4f7bed02332724fc70706387c682a16111eeba29020f81bdc2ec96e9844ae4fc",
8
8
  "data/atlas-ttps.json": "07e28f5fe196d8e16082968ce36e4d33b720a024a9c00afd10ddc076a8ae8935",
9
- "data/attack-techniques.json": "bd0a3543c975d7454401acdee260b00685f0e54010878144daa5dd7fcd5335de",
10
- "data/cve-catalog.json": "7b12779c6a459dbcf303c46bba7d05cc4b54e697741b4cfddf2732e7e3c334b2",
11
- "data/cwe-catalog.json": "3f9c1c34914b5947378f6449bc4977e68472209def736b98fe2b0a310d545d65",
9
+ "data/attack-techniques.json": "17d33816b3c5d8266166b2bf13e03d1404df1617e8c6d58f4af53199a1400fe6",
10
+ "data/cve-catalog.json": "737b00a7f6ec4f47a72c3d018a1661393e869f0e9d667715d71d948d7e92c373",
11
+ "data/cwe-catalog.json": "56d65a2cb3c5a2f2e354ee9e391c9cd3dbf2b1a8b308777e9ab77694710a3c76",
12
12
  "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
13
13
  "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
14
14
  "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
15
- "data/framework-control-gaps.json": "2dad9eda3c8470436d9c6df7aabfeb751d924651b407c3877e80a652f51b44fc",
15
+ "data/framework-control-gaps.json": "c2406c9486687d902a0deee3398cd5efa75a500c89136df5c8a014bf90313c1e",
16
16
  "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
17
17
  "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
18
- "data/zeroday-lessons.json": "a68ba34b20d287d70fc4b19e7cb181a22567dd9ea5b3f8bb154084ade826a857",
18
+ "data/zeroday-lessons.json": "b813b3a35fed6214a0eec2f1ff95a8947b3096458c7136ebc1882e6867220823",
19
19
  "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
20
20
  "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
21
21
  "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
72
72
  "dlp_refs": 0
73
73
  },
74
74
  "trigger_table_entries": 538,
75
- "chains_cve_entries": 322,
75
+ "chains_cve_entries": 328,
76
76
  "chains_cwe_entries": 171,
77
77
  "jurisdictions_indexed": 29,
78
78
  "handoff_dag_nodes": 42,
package/data/_indexes/activity-feed.json CHANGED
@@ -149,7 +149,7 @@
149
149
  "artifact": "data/cve-catalog.json",
150
150
  "path": "data/cve-catalog.json",
151
151
  "schema_version": "1.0.0",
152
- "entry_count": 333
152
+ "entry_count": 339
153
153
  },
154
154
  {
155
155
  "date": "2026-05-18",
@@ -165,7 +165,7 @@
165
165
  "artifact": "data/zeroday-lessons.json",
166
166
  "path": "data/zeroday-lessons.json",
167
167
  "schema_version": "1.1.0",
168
- "entry_count": 328
168
+ "entry_count": 334
169
169
  },
170
170
  {
171
171
  "date": "2026-05-17",
package/data/_indexes/catalog-summaries.json CHANGED
@@ -62,7 +62,7 @@
62
62
  "rebuild_after_days": 365,
63
63
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
64
64
  },
65
- "entry_count": 333,
65
+ "entry_count": 339,
66
66
  "sample_keys": [
67
67
  "CVE-2025-53773",
68
68
  "CVE-2026-30615",
@@ -238,7 +238,7 @@
238
238
  "rebuild_after_days": 365,
239
239
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
240
240
  },
241
- "entry_count": 328,
241
+ "entry_count": 334,
242
242
  "sample_keys": [
243
243
  "CVE-2026-31431",
244
244
  "CVE-2025-53773",