@blamejs/exceptd-skills 0.13.80 → 0.13.81

package/data/atlas-ttps.json

@@ -1527,7 +1527,8 @@
     "stix_id": "attack-pattern--f13dede7-12ee-5f0e-985a-4f801aecb681",
     "is_subtechnique": false,
     "cve_refs": [
-      "CVE-2023-48022"
+      "CVE-2023-48022",
+      "CVE-2025-64496"
     ]
   },
   "AML.T0029": {
@@ -1696,7 +1697,9 @@
     "stix_id": "attack-pattern--ebeed0c7-c5de-5049-8f27-efcae5f88b00",
     "is_subtechnique": false,
     "cve_refs": [
-      "CVE-2023-48022"
+      "CVE-2023-48022",
+      "CVE-2025-64496",
+      "CVE-2026-0766"
     ]
   },
   "AML.T0050": {

package/data/attack-techniques.json

@@ -281,7 +281,9 @@
       "CVE-2025-54136",
       "CVE-2025-55319",
       "CVE-2025-60455",
+      "CVE-2025-64496",
       "CVE-2025-68664",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-22778",
@@ -930,6 +932,7 @@
       "CVE-2025-62847",
       "CVE-2025-62848",
       "CVE-2025-64328",
+      "CVE-2025-64496",
       "CVE-2025-6554",
       "CVE-2025-6558",
       "CVE-2025-66644",
@@ -942,6 +945,7 @@
       "CVE-2025-9242",
       "CVE-2025-9377",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-1731",

package/data/cve-catalog.json

@@ -11408,6 +11408,215 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Anyscale Ray's Job Submission / Dashboard API runs attacker-supplied code without authentication; internet-exposed clusters are mass-exploited (ShadowRay 2.0) for crypto mining and AI-artifact / credential theft. Vendor-disputed, no code patch — mitigate with token auth (2.52.0+) and network isolation."
   },
+  "CVE-2026-0766": {
+    "name": "Open WebUI Tool Module Code Injection RCE",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "ZDI (CNA) CVSS v3.0 base 8.8 (HIGH); NVD enrichment pending at curation. Authenticated code injection in load_tool_module_by_id.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (Zero Day Initiative): an authenticated request drives the server to execute an unvalidated string as code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory against Open WebUI, a widely deployed self-hosted AI chat front end. The abused surface is the tool-module loading path.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; code injection in an AI chat application.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Open WebUI 0.6.32 (the version named in the Zero Day Initiative advisory).",
+    "affected_versions": [
+      "Open WebUI 0.6.32"
+    ],
+    "vector": "Open WebUI's load_tool_module_by_id function does not validate a user-supplied string before using it to execute Python code (CWE-94). An authenticated attacker supplies a crafted value that the server runs, achieving remote code execution on the Open WebUI host.",
+    "complexity": "low",
+    "complexity_notes": "NVD/CNA AC:L. PR:L — requires an authenticated account.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to the fixed Open WebUI release (coordinated ZDI disclosure against 0.6.32); redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Open WebUI to a release that fixes the load_tool_module_by_id validation (the flaw was reported via coordinated ZDI disclosure against 0.6.32); restrict who can configure tools and run Open WebUI least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI chat front ends as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to strings the AI app turns into executable code, nor to content from an external model server.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI chat app's tool-loading / external-model-connection paths as code-execution surfaces.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI chat app's dynamic-code paths as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model code injection via an AI front end's tool or model-connection features.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing strings the AI app executes as code.",
+      "AU-ISM-1546": "Patch-application control does not single out self-hosted AI chat front ends.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats tool-module strings or external-model-server content as untrusted input the AI app must not execute as code."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (Open WebUI is a widely deployed self-hosted AI front end) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-0766",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Open WebUI spawning Python execution from a tool module id that came from user input rather than a pinned tool registry.",
+        "Unexpected processes or imports during Open WebUI tool-module loading.",
+        "Authenticated requests to the tool-loading path carrying code-like or path-like payloads.",
+        "Open WebUI 0.6.32 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-0766 (CWE-94) and the Zero Day Initiative advisory (https://www.zerodayinitiative.com/advisories/published/)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-0766",
+      "https://www.zerodayinitiative.com/advisories/published/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Zero Day Initiative",
+        "advisory_id": "CVE-2026-0766",
+        "url": "https://www.zerodayinitiative.com/advisories/published/",
+        "severity": "high",
+        "published_date": "2026-01-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-0766",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0766",
+        "severity": "high",
+        "published_date": "2026-01-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; CVSS 8.8) + the Zero Day Initiative advisory. Open WebUI code-injection RCE.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Open WebUI's load_tool_module_by_id runs an unvalidated user-supplied string as Python (CWE-94), giving an authenticated attacker remote code execution."
+  },
+  "CVE-2025-64496": {
+    "name": "Open WebUI Malicious Model Server Code Injection (Account Takeover to RCE)",
+    "type": "RCE",
+    "cvss_score": 8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.0 (HIGH). Code injection via server-sent events from a malicious external model server; requires the Direct Connections feature and luring a user to connect (UI:R).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (GitHub Security Advisory): a malicious external model server injects executable content into the Open WebUI client/back end.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via coordinated advisory against Open WebUI, a widely deployed self-hosted AI chat front end. The abused surface is the external-model-server connection path.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; code injection in an AI chat application.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Open WebUI 0.6.34 and prior, when the Direct Connections feature is enabled (patched in 0.6.35 per GHSA-cm35-v4vp-5xvx).",
+    "affected_versions": [
+      "Open WebUI <= 0.6.34 (Direct Connections enabled)"
+    ],
+    "vector": "When Open WebUI's Direct Connections feature is enabled and a user is lured into connecting to a malicious external model server, that server's server-sent events inject and execute JavaScript in the user's browser (CWE-95 / CWE-829), enabling token theft and account takeover, and with extended permissions remote code execution on the backend.",
+    "complexity": "low",
+    "complexity_notes": "NVD/CNA AC:L. UI:R — requires luring a user to connect to a malicious model server.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to Open WebUI 0.6.35 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Open WebUI to 0.6.35 or later. Disable Direct Connections unless required, and treat external model servers as untrusted."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted AI chat front ends as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to strings the AI app turns into executable code, nor to content from an external model server.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI chat app's tool-loading / external-model-connection paths as code-execution surfaces.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI chat app's dynamic-code paths as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model code injection via an AI front end's tool or model-connection features.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing strings the AI app executes as code.",
+      "AU-ISM-1546": "Patch-application control does not single out self-hosted AI chat front ends.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats tool-module strings or external-model-server content as untrusted input the AI app must not execute as code."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0025"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (Open WebUI is a widely deployed self-hosted AI front end) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-64496",
+    "cwe_refs": [
+      "CWE-95",
+      "CWE-501",
+      "CWE-829"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Open WebUI clients connecting to external model servers via the Direct Connections feature from untrusted endpoints.",
+        "Unexpected JavaScript execution / token use in Open WebUI sessions following a Direct Connection to a new model server.",
+        "Account-takeover indicators (session token reuse, privilege changes) after a user connects to an external model server.",
+        "Open WebUI <= 0.6.34 (Direct Connections enabled) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-64496 (CWE-95/CWE-501/CWE-829) and the GitHub Security Advisory advisory (https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-64496",
+      "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-64496",
+        "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx",
+        "severity": "high",
+        "published_date": "2025-11-07"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-64496",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64496",
+        "severity": "high",
+        "published_date": "2025-11-07"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-95/CWE-501/CWE-829; CVSS 8) + the GitHub Security Advisory advisory. Open WebUI code-injection RCE.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Open WebUI's Direct Connections feature lets a malicious external model server inject JavaScript via SSE (CWE-95), leading to account takeover and, with extended permissions, RCE; fixed in 0.6.35."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -382,6 +382,7 @@
       "CVE-2025-62848",
       "CVE-2025-8875",
       "CVE-2025-8876",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-20045",
@@ -1668,6 +1669,7 @@
     "evidence_cves": [
       "CVE-2025-32463",
       "CVE-2025-54136",
+      "CVE-2025-64496",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
@@ -2202,6 +2204,7 @@
     "related_weaknesses": [],
     "evidence_cves": [
       "CVE-2025-24893",
+      "CVE-2025-64496",
       "CVE-2026-33017"
     ],
     "last_verified": "2026-05-18",
@@ -3176,7 +3179,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-64496"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,

package/data/framework-control-gaps.json

@@ -42,6 +42,8 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-24206",
@@ -1493,6 +1495,7 @@
       "CVE-2025-62221",
       "CVE-2025-64328",
       "CVE-2025-64446",
+      "CVE-2025-64496",
       "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
@@ -1509,6 +1512,7 @@
       "CVE-2025-9242",
       "CVE-2025-9377",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-1603",
@@ -1762,6 +1766,8 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-24206",
@@ -2181,7 +2187,9 @@
       "CVE-2025-23254",
       "CVE-2025-30165",
       "CVE-2025-60455",
+      "CVE-2025-64496",
       "CVE-2025-6965",
+      "CVE-2026-0766",
       "CVE-2026-39884",
       "CVE-2026-42208",
       "CVE-2026-9082"
@@ -2464,6 +2472,7 @@
       "CVE-2025-62849",
       "CVE-2025-64328",
       "CVE-2025-64446",
+      "CVE-2025-64496",
       "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
@@ -2480,6 +2489,7 @@
       "CVE-2025-9242",
       "CVE-2025-9377",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-1603",
@@ -4797,7 +4807,9 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-20182",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -5311,6 +5323,8 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
@@ -5366,6 +5380,8 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-24206",

package/data/zeroday-lessons.json

@@ -6883,6 +6883,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-0766": {
+    "name": "Open WebUI Tool Module Code Injection RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Open WebUI's load_tool_module_by_id runs an unvalidated user-supplied string as Python (CWE-94), giving an authenticated attacker remote code execution on the host.",
+      "privileges_required": "authenticated Open WebUI user (PR:L)",
+      "complexity": "low (NVD/CNA AC:L)",
+      "ai_factor": "The abused surface is a widely deployed self-hosted AI chat front end. The lesson: an AI app must never turn a user-supplied string or external-model-server content into executable code; tool-loading and model-connection paths are untrusted input that needs validation, not convenience features that bypass it."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted AI chat front ends as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to the tool-module identifier before it is used to execute Python."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats tool-module strings or external-model-server content as untrusted input the AI app must not execute as code."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 68,
+      "basis": "Self-hosted AI front ends are rarely in the managed vulnerability program, and their tool/model-connection features are trusted by design.",
+      "theater_pattern": "secure_coding_theater"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-089",
+        "name": "AI-APP-DYNAMIC-CODE-EXECUTION-CONTROL",
+        "description": "An AI application must not turn user-supplied strings or external-model-server content into executable code: validate/allow-list tool-module identifiers before loading, treat external model servers as untrusted (no execution of their content), and keep features like Direct Connections disabled unless required. Upgrade Open WebUI to the fixed release (0.6.35+ for CVE-2025-64496; the ZDI-coordinated fix for CVE-2026-0766). The distinguishing test: on a staging instance, attempt to load a tool by an arbitrary id and connect to an attacker-controlled model server, and confirm neither results in code execution.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-0766",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-64496": {
+    "name": "Open WebUI Malicious Model Server Code Injection (Account Takeover to RCE)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "With Direct Connections enabled and a user lured to a malicious external model server, that server's SSE stream injects and executes JavaScript in the client (CWE-95/829), enabling token theft, account takeover, and with extended permissions RCE.",
+      "privileges_required": "authenticated user lured to a malicious model server (PR:L / UI:R)",
+      "complexity": "low (NVD/CNA AC:L)",
+      "ai_factor": "The abused surface is a widely deployed self-hosted AI chat front end. The lesson: an AI app must never turn a user-supplied string or external-model-server content into executable code; tool-loading and model-connection paths are untrusted input that needs validation, not convenience features that bypass it."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted AI chat front ends as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Content received from an external model server is rendered/executed without treating it as untrusted input."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats tool-module strings or external-model-server content as untrusted input the AI app must not execute as code."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Self-hosted AI front ends are rarely in the managed vulnerability program, and their tool/model-connection features are trusted by design.",
+      "theater_pattern": "third_party_model_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-089",
+        "name": "AI-APP-DYNAMIC-CODE-EXECUTION-CONTROL",
+        "description": "An AI application must not turn user-supplied strings or external-model-server content into executable code: validate/allow-list tool-module identifiers before loading, treat external model servers as untrusted (no execution of their content), and keep features like Direct Connections disabled unless required. Upgrade Open WebUI to the fixed release (0.6.35+ for CVE-2025-64496; the ZDI-coordinated fix for CVE-2026-0766). The distinguishing test: on a staging instance, attempt to load a tool by an arbitrary id and connect to an attacker-controlled model server, and confirm neither results in code execution.",
+        "evidence": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",