@blamejs/exceptd-skills 0.13.78 → 0.13.79

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.13.79 — 2026-05-25
+
+CVE catalog — NVIDIA Triton Inference Server authentication bypass. Adds the two CWE-288 authentication-bypass CVEs from NVIDIA's May 2026 Triton bulletin: **CVE-2026-24207** and **CVE-2026-24206**, both NIST CVSS 9.8 and reachable unauthenticated over the network against one of the most widely deployed AI inference servers. A successful bypass reaches Triton's model control plane (model load/unload, repository management) without credentials. Fixed in r26.03. NVD enriched CVE-2026-24206 to 9.8 while NVIDIA scored it 7.3 — the entry stores the NVD primary and records the dispute. Their shared zero-day lesson adds a control requiring inference-server authentication to be proven complete across every request path, not assumed from the primary API. CVE count 337 → 339.
+
 ## 0.13.78 — 2026-05-25
 
 CVE catalog — ShadowMQ code-reuse family: adds the four AI-inference-engine CVEs from Oligo Security's ShadowMQ research, where one insecure deserialization-over-ZeroMQ primitive (CWE-502) spread across projects by copy-paste code reuse. **CVE-2025-23254** (NVIDIA TensorRT-LLM, NIST CVSS 8.8) — Python executor deserializes untrusted data over its ZeroMQ socket; fixed in 0.18.2. **CVE-2025-30165** (vLLM, NIST CVSS 8.0) — legacy V0 engine deserializes over ZeroMQ in multi-node deployments; no code patch shipped, the V0 engine is off by default since 0.8.0, so it scores higher (RWEP 46) than its patched siblings. **CVE-2024-50050** (Meta Llama Stack, NIST CVSS 6.3, originally scored 9.3 by the disclosing researchers) — the seed of the family, fixed by migrating socket serialization to JSON. **CVE-2025-60455** (Modular Max Server, NIST CVSS 8.4) — deserialization reachable with the experimental KVCache agent enabled; fixed in 25.6.0. All four converge on one control: AI inference engines must use a safe serializer, authenticate socket peers, and isolate the channel — applied across every engine in the estate, since the flaw propagated by reuse. CVE count 333 → 337.

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-25T16:17:04.291Z",
+  "generated_at": "2026-05-25T16:42:34.062Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "8d4f57898be7e9ba7c09ed4288538a81a742819788e9bffbbea40d404fa79bc6",
+    "manifest.json": "4f7bed02332724fc70706387c682a16111eeba29020f81bdc2ec96e9844ae4fc",
     "data/atlas-ttps.json": "07e28f5fe196d8e16082968ce36e4d33b720a024a9c00afd10ddc076a8ae8935",
-    "data/attack-techniques.json": "14cdcea3dc23d48cdd90b98a71bece0a7bb9d784a69e608fce8adfcf15ca20a6",
-    "data/cve-catalog.json": "53e523ccea943bb1392d9cf275001cd5746150d40c2808bdf6250e4d030dfd61",
-    "data/cwe-catalog.json": "982c40578b66dfc1d4b6bdbc5b347e73112c582f25306ceb43976ce543002f0d",
+    "data/attack-techniques.json": "17d33816b3c5d8266166b2bf13e03d1404df1617e8c6d58f4af53199a1400fe6",
+    "data/cve-catalog.json": "737b00a7f6ec4f47a72c3d018a1661393e869f0e9d667715d71d948d7e92c373",
+    "data/cwe-catalog.json": "56d65a2cb3c5a2f2e354ee9e391c9cd3dbf2b1a8b308777e9ab77694710a3c76",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "e87ea8c4878b91f01133df611aeb3087a2ca4c1cac317731b165bc4d6e7e86cb",
+    "data/framework-control-gaps.json": "c2406c9486687d902a0deee3398cd5efa75a500c89136df5c8a014bf90313c1e",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
-    "data/zeroday-lessons.json": "8f8eb6c7f5ca669b055d362dbc58d66c58b6bb4eada09da67e494d44a02a6b88",
+    "data/zeroday-lessons.json": "b813b3a35fed6214a0eec2f1ff95a8947b3096458c7136ebc1882e6867220823",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
     "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 326,
+    "chains_cve_entries": 328,
     "chains_cwe_entries": 171,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,

package/data/_indexes/activity-feed.json

@@ -149,7 +149,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 337
+      "entry_count": 339
     },
     {
       "date": "2026-05-18",
@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 332
+      "entry_count": 334
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 337,
+      "entry_count": 339,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 332,
+      "entry_count": 334,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",