@blamejs/exceptd-skills 0.13.79 → 0.13.81

package/data/atlas-ttps.json

@@ -1525,7 +1525,11 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--f13dede7-12ee-5f0e-985a-4f801aecb681",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022",
+      "CVE-2025-64496"
+    ]
   },
   "AML.T0029": {
     "id": "AML.T0029",
@@ -1573,7 +1577,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--7bbac64e-2b1d-5cb0-a442-bb7573b0a328",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022"
+    ]
   },
   "AML.T0035": {
     "id": "AML.T0035",
@@ -1589,7 +1596,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--801658f2-81cd-5935-93c7-5e6e2d80e669",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022"
+    ]
   },
   "AML.T0036": {
     "id": "AML.T0036",
@@ -1685,7 +1695,12 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--ebeed0c7-c5de-5049-8f27-efcae5f88b00",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022",
+      "CVE-2025-64496",
+      "CVE-2026-0766"
+    ]
   },
   "AML.T0050": {
     "id": "AML.T0050",

package/data/attack-techniques.json

@@ -269,6 +269,7 @@
       "DS0017"
     ],
     "cve_refs": [
+      "CVE-2023-48022",
       "CVE-2024-50050",
       "CVE-2025-1094",
       "CVE-2025-11837",
@@ -280,7 +281,9 @@
       "CVE-2025-54136",
       "CVE-2025-55319",
       "CVE-2025-60455",
+      "CVE-2025-64496",
       "CVE-2025-68664",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-22778",
@@ -825,6 +828,7 @@
       "CVE-2023-33538",
       "CVE-2023-3519",
       "CVE-2023-39780",
+      "CVE-2023-48022",
       "CVE-2023-52163",
       "CVE-2024-12987",
       "CVE-2024-1709",
@@ -928,6 +932,7 @@
       "CVE-2025-62847",
       "CVE-2025-62848",
       "CVE-2025-64328",
+      "CVE-2025-64496",
       "CVE-2025-6554",
       "CVE-2025-6558",
       "CVE-2025-66644",
@@ -940,6 +945,7 @@
       "CVE-2025-9242",
       "CVE-2025-9377",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-1731",
@@ -2458,6 +2464,7 @@
     "name": "Resource Hijacking",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-48022",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
     ],
     "description_full": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking may take a number of different forms. For example, adversaries may: * Leverage compute resources in order to mine cryptocurrency * Sell network bandwidth to proxy networks * Generate SMS traffic for profit * Abuse cloud-based messaging services to send large quantities of spam messages In some cases, adversaries may leverage multiple types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking 2023)",

package/data/cve-catalog.json

@@ -11296,6 +11296,327 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "NVIDIA Triton Inference Server has a second authentication bypass (CWE-288) reachable unauthenticated over the network, enabling privilege escalation and information disclosure; fixed in r26.03. NVD scores 9.8; NVIDIA scores 7.3."
   },
+  "CVE-2023-48022": {
+    "name": "Anyscale Ray Job Submission API Unauthenticated RCE (ShadowRay)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); NVD marks the record DISPUTED. NVD assigns CWE-918; the operational root cause is missing authorization (CWE-862) on the Ray Job Submission / Dashboard API, which accepts and runs attacker-supplied code without authentication.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit and detection content exist (e.g. github.com/jakabakos/ShadowRay-RCE-PoC-CVE-2023-48022 and a ProjectDiscovery nuclei template): an unauthenticated request to an internet-exposed Ray Dashboard / Job Submission API submits a Python payload that runs on worker nodes.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Bishop Fox and tracked at scale by Oligo Security (ShadowRay / ShadowRay 2.0). The abused surface is the Job Submission API of a widely deployed AI/ML compute framework.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the significance is that the exposed compute is AI/ML infrastructure (model weights, training data, cloud credentials) and the impact includes AI artifact theft.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Confirmed mass exploitation in the wild. Oligo's ShadowRay 2.0 campaign (active since September 2024, reported through 2026) turned exposed Ray clusters into crypto-mining botnets and exfiltrated model weights and cloud credentials; reporting counts on the order of 230,000 internet-exposed Ray environments. Not on the CISA KEV catalog because NVD lists the CVE as disputed.",
+    "affected": "Anyscale Ray (open-source distributed AI/ML compute framework). NVD records 2.6.3 and 2.8.0; the unauthenticated Job Submission / Dashboard API behavior persists across releases until network controls or token authentication (added in 2.52.0) are applied.",
+    "affected_versions": [
+      "Anyscale Ray 2.6.3",
+      "Anyscale Ray 2.8.0",
+      "Anyscale Ray (Job Submission API exposed without token auth, < 2.52.0)"
+    ],
+    "vector": "Ray's Dashboard / Job Submission API accepts a job specification containing Python code and runs it on cluster worker nodes without requiring authentication (missing authorization). An unauthenticated attacker who can reach an exposed Ray dashboard achieves remote code execution across the cluster, then harvests AI artifacts and cloud credentials and hijacks compute for crypto mining.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N — network-reachable, unauthenticated, low-complexity. The precondition is an internet-exposed Ray dashboard.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No code patch — the vendor disputes this is a vulnerability and treats the open Job API as intended for trusted networks. Mitigation: never expose the Ray dashboard / Job Submission API to untrusted networks, enable token authentication (Ray 2.52.0+), and place the cluster behind network controls.",
+    "vendor_update_paths": [
+      "Do not expose the Ray dashboard / Job Submission API to untrusted networks. Enable token authentication (Ray 2.52.0 or later). Restrict the dashboard to a controlled network segment and put an authenticating proxy in front. Treat any internet-exposed Ray cluster as compromised and rotate cloud credentials and model artifacts."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is treated as out-of-scope for the Ray Job API because the vendor frames the cluster as a controlled-network deployment; in practice the API is internet-exposed and unauthenticated.",
+      "NIST-800-53-SC-7": "Boundary-protection control assumes the AI compute cluster is network-isolated; reality is hundreds of thousands of internet-exposed dashboards.",
+      "ISO-27001-2022-A.5.15": "Access-control policy does not require authentication on the AI compute framework's job API, relying on an assumed controlled network.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not address a disputed, no-patch vulnerability whose only remediation is configuration and network control.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated, actively-exploited AI compute control plane as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no requirement to authenticate the AI compute framework's job submission API.",
+      "AU-ISM-1546": "Patch-application control offers nothing for a disputed, no-patch flaw remediated only by configuration.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework rejects the 'controlled network is the security control' assumption for AI compute; an exposed, unauthenticated Job API is RCE plus AI-artifact and credential theft."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0034",
+      "AML.T0035",
+      "AML.T0025"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1496"
+    ],
+    "rwep_score": 68,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P1/High (RWEP 68, >= 60 \"patch within 72 hours\" band per lib/scoring.js timeline). poc_available=20 + active_exploitation confirmed=20 (ShadowRay 2.0 mass exploitation) + blast_radius=28 (≈230k exposed Ray environments) with no patch credit (disputed, configuration-only mitigation). Not on CISA KEV because NVD lists the CVE as disputed — a case where RWEP, not KEV or CVSS alone, captures the real-world priority.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-48022",
+    "cwe_refs": [
+      "CWE-862",
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Internet-reachable Ray dashboard (default port 8265) or Job Submission API responding without authentication.",
+        "Ray job specifications submitted from unexpected source IPs that spawn shell commands, miners, or reverse shells on worker nodes.",
+        "Outbound connections from Ray workers to mining pools or attacker infrastructure; cloud credential or model-weight egress following job submission.",
+        "Ray clusters exposed without token authentication (pre-2.52.0 default, or token auth not enabled) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2023-48022 (disputed; operational root cause missing authorization on the Ray Job Submission API), the Bishop Fox advisory (https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0), and Oligo Security's ShadowRay / ShadowRay 2.0 in-the-wild reporting. MITRE ATLAS case study AML.CS0023."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
+      "https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0",
+      "https://atlas.mitre.org/studies/AML.CS0023",
+      "https://www.darkreading.com/cyber-risk/shadowray-20-ai-clusters-crypto-botnets"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Anyscale (Ray Security)",
+        "advisory_id": "ray-security-docs",
+        "url": "https://docs.ray.io/en/latest/ray-security/index.html",
+        "severity": "critical",
+        "published_date": "2023-11-28"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-48022",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
+        "severity": "critical",
+        "published_date": "2023-11-28"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (disputed; NVD CWE-918, operational root cause CWE-862; NIST CVSS 9.8) + the Bishop Fox advisory + Oligo Security ShadowRay reporting + MITRE ATLAS case study AML.CS0023. A landmark actively-exploited AI-compute exposure that no patch addresses.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Anyscale Ray's Job Submission / Dashboard API runs attacker-supplied code without authentication; internet-exposed clusters are mass-exploited (ShadowRay 2.0) for crypto mining and AI-artifact / credential theft. Vendor-disputed, no code patch — mitigate with token auth (2.52.0+) and network isolation."
+  },
+  "CVE-2026-0766": {
+    "name": "Open WebUI Tool Module Code Injection RCE",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "ZDI (CNA) CVSS v3.0 base 8.8 (HIGH); NVD enrichment pending at curation. Authenticated code injection in load_tool_module_by_id.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (Zero Day Initiative): an authenticated request drives the server to execute an unvalidated string as code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory against Open WebUI, a widely deployed self-hosted AI chat front end. The abused surface is the tool-module loading path.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; code injection in an AI chat application.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Open WebUI 0.6.32 (the version named in the Zero Day Initiative advisory).",
+    "affected_versions": [
+      "Open WebUI 0.6.32"
+    ],
+    "vector": "Open WebUI's load_tool_module_by_id function does not validate a user-supplied string before using it to execute Python code (CWE-94). An authenticated attacker supplies a crafted value that the server runs, achieving remote code execution on the Open WebUI host.",
+    "complexity": "low",
+    "complexity_notes": "NVD/CNA AC:L. PR:L — requires an authenticated account.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to the fixed Open WebUI release (coordinated ZDI disclosure against 0.6.32); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Open WebUI to a release that fixes the load_tool_module_by_id validation (the flaw was reported via coordinated ZDI disclosure against 0.6.32); restrict who can configure tools and run Open WebUI least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI chat front ends as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to strings the AI app turns into executable code, nor to content from an external model server.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI chat app's tool-loading / external-model-connection paths as code-execution surfaces.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI chat app's dynamic-code paths as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model code injection via an AI front end's tool or model-connection features.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing strings the AI app executes as code.",
+      "AU-ISM-1546": "Patch-application control does not single out self-hosted AI chat front ends.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats tool-module strings or external-model-server content as untrusted input the AI app must not execute as code."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (Open WebUI is a widely deployed self-hosted AI front end) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-0766",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Open WebUI spawning Python execution from a tool module id that came from user input rather than a pinned tool registry.",
+        "Unexpected processes or imports during Open WebUI tool-module loading.",
+        "Authenticated requests to the tool-loading path carrying code-like or path-like payloads.",
+        "Open WebUI 0.6.32 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-0766 (CWE-94) and the Zero Day Initiative advisory (https://www.zerodayinitiative.com/advisories/published/)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-0766",
+      "https://www.zerodayinitiative.com/advisories/published/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Zero Day Initiative",
+        "advisory_id": "CVE-2026-0766",
+        "url": "https://www.zerodayinitiative.com/advisories/published/",
+        "severity": "high",
+        "published_date": "2026-01-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-0766",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0766",
+        "severity": "high",
+        "published_date": "2026-01-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; CVSS 8.8) + the Zero Day Initiative advisory. Open WebUI code-injection RCE.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Open WebUI's load_tool_module_by_id runs an unvalidated user-supplied string as Python (CWE-94), giving an authenticated attacker remote code execution."
+  },
+  "CVE-2025-64496": {
+    "name": "Open WebUI Malicious Model Server Code Injection (Account Takeover to RCE)",
+    "type": "RCE",
+    "cvss_score": 8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.0 (HIGH). Code injection via server-sent events from a malicious external model server; requires the Direct Connections feature and luring a user to connect (UI:R).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (GitHub Security Advisory): a malicious external model server injects executable content into the Open WebUI client/back end.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory against Open WebUI, a widely deployed self-hosted AI chat front end. The abused surface is the external-model-server connection path.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; code injection in an AI chat application.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Open WebUI 0.6.34 and prior, when the Direct Connections feature is enabled (patched in 0.6.35 per GHSA-cm35-v4vp-5xvx).",
+    "affected_versions": [
+      "Open WebUI <= 0.6.34 (Direct Connections enabled)"
+    ],
+    "vector": "When Open WebUI's Direct Connections feature is enabled and a user is lured into connecting to a malicious external model server, that server's server-sent events inject and execute JavaScript in the user's browser (CWE-95 / CWE-829), enabling token theft and account takeover, and with extended permissions remote code execution on the backend.",
+    "complexity": "low",
+    "complexity_notes": "NVD/CNA AC:L. UI:R — requires luring a user to connect to a malicious model server.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to Open WebUI 0.6.35 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Open WebUI to 0.6.35 or later. Disable Direct Connections unless required, and treat external model servers as untrusted."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI chat front ends as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to strings the AI app turns into executable code, nor to content from an external model server.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI chat app's tool-loading / external-model-connection paths as code-execution surfaces.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI chat app's dynamic-code paths as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model code injection via an AI front end's tool or model-connection features.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing strings the AI app executes as code.",
+      "AU-ISM-1546": "Patch-application control does not single out self-hosted AI chat front ends.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats tool-module strings or external-model-server content as untrusted input the AI app must not execute as code."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0025"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (Open WebUI is a widely deployed self-hosted AI front end) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-64496",
+    "cwe_refs": [
+      "CWE-95",
+      "CWE-501",
+      "CWE-829"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Open WebUI clients connecting to external model servers via the Direct Connections feature from untrusted endpoints.",
+        "Unexpected JavaScript execution / token use in Open WebUI sessions following a Direct Connection to a new model server.",
+        "Account-takeover indicators (session token reuse, privilege changes) after a user connects to an external model server.",
+        "Open WebUI <= 0.6.34 (Direct Connections enabled) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-64496 (CWE-95/CWE-501/CWE-829) and the GitHub Security Advisory advisory (https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-64496",
+      "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-64496",
+        "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx",
+        "severity": "high",
+        "published_date": "2025-11-07"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-64496",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64496",
+        "severity": "high",
+        "published_date": "2025-11-07"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-95/CWE-501/CWE-829; CVSS 8) + the GitHub Security Advisory advisory. Open WebUI code-injection RCE.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Open WebUI's Direct Connections feature lets a malicious external model server inject JavaScript via SSE (CWE-95), leading to account takeover and, with extended permissions, RCE; fixed in 0.6.35."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -382,6 +382,7 @@
       "CVE-2025-62848",
       "CVE-2025-8875",
       "CVE-2025-8876",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-20045",
@@ -1668,6 +1669,7 @@
     "evidence_cves": [
       "CVE-2025-32463",
       "CVE-2025-54136",
+      "CVE-2025-64496",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
@@ -1706,6 +1708,7 @@
       "webapp-security"
     ],
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2023-52163",
       "CVE-2024-57726",
       "CVE-2025-20362",
@@ -1819,6 +1822,7 @@
       "CVE-2021-22054",
       "CVE-2021-22175",
       "CVE-2021-39935",
+      "CVE-2023-48022",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [
@@ -2200,6 +2204,7 @@
     "related_weaknesses": [],
     "evidence_cves": [
       "CVE-2025-24893",
+      "CVE-2025-64496",
       "CVE-2026-33017"
     ],
     "last_verified": "2026-05-18",
@@ -3174,7 +3179,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-64496"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,

package/data/framework-control-gaps.json

@@ -34,6 +34,7 @@
     "status": "open",
     "opened_date": "2026-01-01",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-50050",
       "CVE-2025-23254",
       "CVE-2025-30165",
@@ -41,6 +42,8 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-24206",
@@ -1492,6 +1495,7 @@
       "CVE-2025-62221",
       "CVE-2025-64328",
       "CVE-2025-64446",
+      "CVE-2025-64496",
       "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
@@ -1508,6 +1512,7 @@
       "CVE-2025-9242",
       "CVE-2025-9377",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-1603",
@@ -1748,6 +1753,7 @@
     "status": "open",
     "opened_date": "2026-03-15",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-50050",
       "CVE-2025-10585",
       "CVE-2025-1094",
@@ -1760,6 +1766,8 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-24206",
@@ -2103,6 +2111,7 @@
     "status": "open",
     "opened_date": "2026-05-01",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-40635",
       "CVE-2025-53767",
       "CVE-2026-42897"
@@ -2178,7 +2187,9 @@
       "CVE-2025-23254",
       "CVE-2025-30165",
       "CVE-2025-60455",
+      "CVE-2025-64496",
       "CVE-2025-6965",
+      "CVE-2026-0766",
       "CVE-2026-39884",
       "CVE-2026-42208",
       "CVE-2026-9082"
@@ -2461,6 +2472,7 @@
       "CVE-2025-62849",
       "CVE-2025-64328",
       "CVE-2025-64446",
+      "CVE-2025-64496",
       "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
@@ -2477,6 +2489,7 @@
       "CVE-2025-9242",
       "CVE-2025-9377",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-1603",
@@ -3575,6 +3588,7 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2026-24206",
       "CVE-2026-24207"
     ],
@@ -4784,6 +4798,7 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
@@ -4792,7 +4807,9 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-20182",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -5306,6 +5323,8 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
@@ -5352,6 +5371,7 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
@@ -5360,6 +5380,8 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-24206",
@@ -5579,6 +5601,7 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
+      "CVE-2023-48022",
       "CVE-2025-55241",
       "CVE-2026-24206",
       "CVE-2026-24207"
@@ -5646,6 +5669,7 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
+      "CVE-2023-48022",
       "CVE-2024-1709",
       "CVE-2026-20182",
       "CVE-2026-24206",