npm - @blamejs/exceptd-skills - Versions diffs - 0.13.77 → 0.13.79 - Mend

@blamejs/exceptd-skills 0.13.77 → 0.13.79

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +8 -8
package/data/_indexes/activity-feed.json +2 -2
package/data/_indexes/catalog-summaries.json +2 -2
package/data/_indexes/chains.json +2276 -0
package/data/attack-techniques.json +8 -0
package/data/cve-catalog.json +603 -1
package/data/cwe-catalog.json +6 -0
package/data/framework-control-gaps.json +52 -3
package/data/zeroday-lessons.json +300 -0
package/manifest.json +44 -44
package/package.json +2 -2
package/sbom.cdx.json +23 -23

package/data/cve-catalog.json CHANGED Viewed

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.036,
+      "current_rate": 0.035,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -10694,6 +10694,608 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Drupal core's database abstraction layer fails to neutralize special elements in a PostgreSQL query condition handler reachable via JSON:API, allowing unauthenticated SQL injection; actively exploited (CISA KEV 2026-05-22, due 2026-05-27); fixed in SA-CORE-2026-004 releases."
   },
+  "CVE-2025-23254": {
+    "name": "NVIDIA TensorRT-LLM Python Executor Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVIDIA/NVD CVSS v3.1 base 8.8 (HIGH, Scope:Changed). Insecure deserialization in the TensorRT-LLM Python executor.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA TensorRT-LLM prior to 0.18.2.",
+    "affected_versions": [
+      "NVIDIA TensorRT-LLM < 0.18.2"
+    ],
+    "vector": "NVIDIA TensorRT-LLM's Python executor deserializes untrusted pickle data received over its ZeroMQ socket without validation (CWE-502). An attacker with local access to the TRT-LLM server can supply a crafted payload that executes code, discloses information, or tampers with data.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: local (per the CVSS vector).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to 0.18.2 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA TensorRT-LLM to 0.18.2 or later. Restrict local access to the TRT-LLM server and isolate its ZeroMQ socket."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (Oligo ShadowMQ technique) + blast_radius=24 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-23254",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "NVIDIA deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: NVIDIA TensorRT-LLM < 0.18.2 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-23254 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-23254",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5648",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5648",
+        "severity": "high",
+        "published_date": "2025-05-01"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-23254",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23254",
+        "severity": "high",
+        "published_date": "2025-05-01"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.8) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA TensorRT-LLM's Python executor deserializes untrusted data over its ZeroMQ socket, letting a local attacker execute code; part of the ShadowMQ code-reuse family; fixed in 0.18.2."
+  },
+  "CVE-2025-30165": {
+    "name": "vLLM V0 Engine ZeroMQ Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 8,
+    "cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.0 (HIGH, AV:Adjacent). Unsafe deserialization over ZeroMQ in multi-node V0-engine deployments.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "vLLM 0.5.2 and later when the legacy V0 engine is used in multi-node deployments. The maintainers did not ship a code patch; the V0 engine is off by default since 0.8.0, which is the recommended mitigation.",
+    "affected_versions": [
+      "vLLM >= 0.5.2 (V0 engine, multi-node)"
+    ],
+    "vector": "vLLM's legacy V0 engine deserializes untrusted pickle data received over a ZeroMQ socket in multi-node deployments (CWE-502). An adjacent-network attacker who can reach the socket executes arbitrary code on the vLLM worker.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: adjacent (per the CVSS vector).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No code patch shipped; mitigate via the project's recommended configuration (see vendor_update_paths) and network isolation of the deserialization channel.",
+    "vendor_update_paths": [
+      "Do not enable the legacy V0 engine; it is off by default since vLLM 0.8.0 and that default is the recommended mitigation. If V0 multi-node is required, isolate the ZeroMQ socket on a trusted network segment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 46,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 46, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, no code patch shipped. poc_available=20 (Oligo ShadowMQ technique) + blast_radius=26.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-30165",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "vLLM deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: vLLM >= 0.5.2 (V0 engine, multi-node) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-30165 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-30165",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-30165",
+        "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-9pcc-gvx5-r5wm",
+        "severity": "high",
+        "published_date": "2025-05-06"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-30165",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30165",
+        "severity": "high",
+        "published_date": "2025-05-06"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "vLLM's legacy V0 engine deserializes untrusted data over ZeroMQ in multi-node deployments, allowing adjacent-network RCE; no code patch shipped — the V0 engine is off by default since 0.8.0; part of the ShadowMQ code-reuse family."
+  },
+  "CVE-2024-50050": {
+    "name": "Meta Llama Stack Socket Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 6.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
+    "cvss_note": "NVD CISA-ADP CVSS v3.1 base 6.3 (MEDIUM); Oligo and Snyk originally scored the same flaw 9.3 (CRITICAL) — a documented CVSS dispute. The serialization format was replaced with JSON in the fix.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Meta Llama Stack prior to the JSON-migration revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 (released as 0.0.41).",
+    "affected_versions": [
+      "Meta Llama Stack < 0.0.41"
+    ],
+    "vector": "Meta Llama Stack used pickle as the serialization format for socket communication and deserialized untrusted data without validation (CWE-502), allowing a network attacker who reaches the socket to execute code. The fix replaced the unsafe format with JSON.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: network (per the CVSS vector).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to 0.0.41 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Meta Llama Stack to 0.0.41 or later (serialization migrated to JSON). Isolate the inference socket on a trusted network segment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (Oligo ShadowMQ technique) + blast_radius=22 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-50050",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Meta deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: Meta Llama Stack < 0.0.41 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-50050 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-50050",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-50050",
+        "url": "https://github.com/meta-llama/llama-stack/security/advisories",
+        "severity": "medium",
+        "published_date": "2024-10-23"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-50050",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50050",
+        "severity": "medium",
+        "published_date": "2024-10-23"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 6.3) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Meta Llama Stack used an unsafe socket serialization format and deserialized untrusted data, allowing network RCE; fixed by migrating to JSON in 0.0.41; the seed of the ShadowMQ code-reuse family."
+  },
+  "CVE-2025-60455": {
+    "name": "Modular Max Server KVCache-Agent Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 8.4,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.4 (HIGH). Unsafe deserialization reachable when --experimental-enable-kvcache-agent is enabled.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Modular Max Server before 25.6.0 when the --experimental-enable-kvcache-agent feature is enabled.",
+    "affected_versions": [
+      "Modular Max Server < 25.6.0 (kvcache-agent enabled)"
+    ],
+    "vector": "Modular Max Server deserializes untrusted pickle data over its inter-process channel when the experimental KVCache agent is enabled (CWE-502), allowing arbitrary code execution on the server.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: local (per the CVSS vector).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to 25.6.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Modular Max Server to 25.6.0 or later. Until then, do not run with --experimental-enable-kvcache-agent."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1059"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 23, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (Oligo ShadowMQ technique) + blast_radius=18 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-60455",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Modular deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: Modular Max Server < 25.6.0 (kvcache-agent enabled) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-60455 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-60455",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-60455",
+        "url": "https://github.com/modular/modular/security/advisories",
+        "severity": "high",
+        "published_date": "2025-11-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-60455",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60455",
+        "severity": "high",
+        "published_date": "2025-11-18"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.4) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Modular Max Server deserializes untrusted data when the experimental KVCache agent is enabled, allowing code execution; part of the ShadowMQ code-reuse family; fixed in 25.6.0."
+  },
+  "CVE-2026-24207": {
+    "name": "NVIDIA Triton Inference Server Authentication Bypass (Alternate Path) RCE",
+    "type": "AUTH-BYPASS",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD/NIST CVSS v3.1 base 9.8 (CRITICAL). Unauthenticated, network-reachable authentication bypass via an alternate path or channel (CWE-288); a successful bypass can lead to code execution, privilege escalation, data tampering, DoS, or information disclosure.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in NVIDIA's May 2026 Triton Inference Server security bulletin and follow-on security reporting: an unauthenticated network request reaches Triton's control plane via an alternate path/channel that the authentication layer does not cover (CWE-288).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed through NVIDIA's coordinated security bulletin (May 2026). The abused surface is the authentication layer of a widely deployed AI inference server.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported; an authentication-bypass design flaw in the inference server control plane.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor bulletin disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA Triton Inference Server versions prior to r26.03.",
+    "affected_versions": [
+      "NVIDIA Triton Inference Server < 26.03"
+    ],
+    "vector": "NVIDIA Triton Inference Server exposes a control-plane path that bypasses the authentication layer (CWE-288, authentication bypass using an alternate path or channel). An unauthenticated network attacker reaches privileged functionality without credentials.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N — network-reachable, unauthenticated, low-complexity.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to Triton Inference Server r26.03 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA Triton Inference Server to r26.03 or later. Until then, do not expose Triton's HTTP/gRPC endpoints to untrusted networks and place it behind an authenticating reverse proxy."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Identification-and-authentication control is asserted for the application but not verified to cover every control-plane path of the AI inference server; an alternate path bypasses it.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference servers as managed, network-exposed control planes requiring rapid patching.",
+      "ISO-27001-2022-A.5.15": "Access-control policy does not enumerate the inference server's alternate request paths as in-scope, so an alternate path bypasses authentication.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI inference server's authentication layer as a privileged control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated bypass of an AI inference server's control plane as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for proving authentication covers every path into the inference server.",
+      "AU-ISM-1546": "Patch-application control does not single out network-exposed AI inference servers.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework requires the AI inference server's authentication to be proven complete across all request paths; an alternate-path bypass exposes the model control plane unauthenticated."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Triton is among the most widely deployed inference servers) minus patch 15. Note: unauthenticated network reachability on a critical AI control plane raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-24207",
+    "cwe_refs": [
+      "CWE-288"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Triton HTTP/gRPC requests reaching privileged control-plane endpoints (model load/unload, repository management) without a valid authentication context.",
+        "Model repository changes or inference-config changes not attributable to an authenticated operator.",
+        "Triton Inference Server below r26.03 exposed to a network reachable by untrusted clients — the exposed precondition.",
+        "Unexpected processes or model artifacts appearing on the Triton host following anomalous control-plane traffic."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-24207 (CWE-288 authentication bypass) and NVIDIA's May 2026 Triton Inference Server security bulletin (https://nvidia.custhelp.com/app/answers/detail/a_id/5828)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-24207",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5828"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5828",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5828",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-24207",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24207",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-288; NIST CVSS 9.8) + NVIDIA's May 2026 Triton Inference Server security bulletin. One of two authentication-bypass CVEs (with CVE-2026-24206) patched in r26.03.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA Triton Inference Server lets an unauthenticated network attacker bypass authentication via an alternate path (CWE-288), enabling code execution and full compromise; fixed in r26.03."
+  },
+  "CVE-2026-24206": {
+    "name": "NVIDIA Triton Inference Server Authentication Bypass (Alternate Channel)",
+    "type": "AUTH-BYPASS",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD/NIST CVSS v3.1 base 9.8 (CRITICAL); NVIDIA as CNA scored it 7.3 (HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) — a documented scoring dispute. Unauthenticated, network-reachable authentication bypass via an alternate path or channel (CWE-288).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in NVIDIA's May 2026 Triton Inference Server security bulletin and follow-on security reporting: an unauthenticated network request reaches Triton's control plane via an alternate path/channel that the authentication layer does not cover (CWE-288).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed through NVIDIA's coordinated security bulletin (May 2026). The abused surface is the authentication layer of a widely deployed AI inference server.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported; an authentication-bypass design flaw in the inference server control plane.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor bulletin disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA Triton Inference Server versions prior to r26.03.",
+    "affected_versions": [
+      "NVIDIA Triton Inference Server < 26.03"
+    ],
+    "vector": "NVIDIA Triton Inference Server exposes a control-plane path that bypasses the authentication layer (CWE-288, authentication bypass using an alternate path or channel). An unauthenticated network attacker reaches privileged functionality without credentials.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N — network-reachable, unauthenticated, low-complexity.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to Triton Inference Server r26.03 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA Triton Inference Server to r26.03 or later. Until then, do not expose Triton's HTTP/gRPC endpoints to untrusted networks and place it behind an authenticating reverse proxy."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Identification-and-authentication control is asserted for the application but not verified to cover every control-plane path of the AI inference server; an alternate path bypasses it.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference servers as managed, network-exposed control planes requiring rapid patching.",
+      "ISO-27001-2022-A.5.15": "Access-control policy does not enumerate the inference server's alternate request paths as in-scope, so an alternate path bypasses authentication.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI inference server's authentication layer as a privileged control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated bypass of an AI inference server's control plane as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for proving authentication covers every path into the inference server.",
+      "AU-ISM-1546": "Patch-application control does not single out network-exposed AI inference servers.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework requires the AI inference server's authentication to be proven complete across all request paths; an alternate-path bypass exposes the model control plane unauthenticated."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Triton is among the most widely deployed inference servers) minus patch 15. Note: unauthenticated network reachability on a critical AI control plane raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-24206",
+    "cwe_refs": [
+      "CWE-288"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Triton HTTP/gRPC requests reaching privileged control-plane endpoints (model load/unload, repository management) without a valid authentication context.",
+        "Model repository changes or inference-config changes not attributable to an authenticated operator.",
+        "Triton Inference Server below r26.03 exposed to a network reachable by untrusted clients — the exposed precondition.",
+        "Unexpected processes or model artifacts appearing on the Triton host following anomalous control-plane traffic."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-24206 (CWE-288 authentication bypass) and NVIDIA's May 2026 Triton Inference Server security bulletin (https://nvidia.custhelp.com/app/answers/detail/a_id/5828)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-24206",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5828"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5828",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5828",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-24206",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24206",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-288; NIST CVSS 9.8) + NVIDIA's May 2026 Triton Inference Server security bulletin. One of two authentication-bypass CVEs (with CVE-2026-24207) patched in r26.03.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA Triton Inference Server has a second authentication bypass (CWE-288) reachable unauthenticated over the network, enabling privilege escalation and information disclosure; fixed in r26.03. NVD scores 9.8; NVIDIA scores 7.3."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",