@blamejs/exceptd-skills 0.13.80 → 0.13.82

package/data/framework-control-gaps.json

@@ -35,13 +35,17 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2024-0132",
       "CVE-2024-50050",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-24206",
@@ -1183,7 +1187,9 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
-      "CVE-2024-21626"
+      "CVE-2024-0132",
+      "CVE-2024-21626",
+      "CVE-2025-23266"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1493,6 +1499,7 @@
       "CVE-2025-62221",
       "CVE-2025-64328",
       "CVE-2025-64446",
+      "CVE-2025-64496",
       "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
@@ -1509,6 +1516,7 @@
       "CVE-2025-9242",
       "CVE-2025-9377",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-1603",
@@ -1750,11 +1758,13 @@
     "opened_date": "2026-03-15",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2024-0132",
       "CVE-2024-50050",
       "CVE-2025-10585",
       "CVE-2025-1094",
       "CVE-2025-14174",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-38352",
@@ -1762,6 +1772,8 @@
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-24206",
@@ -2106,7 +2118,9 @@
     "opened_date": "2026-05-01",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2024-0132",
       "CVE-2024-40635",
+      "CVE-2025-23266",
       "CVE-2025-53767",
       "CVE-2026-42897"
     ],
@@ -2181,7 +2195,9 @@
       "CVE-2025-23254",
       "CVE-2025-30165",
       "CVE-2025-60455",
+      "CVE-2025-64496",
       "CVE-2025-6965",
+      "CVE-2026-0766",
       "CVE-2026-39884",
       "CVE-2026-42208",
       "CVE-2026-9082"
@@ -2317,6 +2333,7 @@
       "CVE-2023-43000",
       "CVE-2023-50224",
       "CVE-2023-52163",
+      "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
       "CVE-2024-12987",
@@ -2358,6 +2375,7 @@
       "CVE-2025-21479",
       "CVE-2025-21480",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-24016",
       "CVE-2025-24201",
       "CVE-2025-24893",
@@ -2464,6 +2482,7 @@
       "CVE-2025-62849",
       "CVE-2025-64328",
       "CVE-2025-64446",
+      "CVE-2025-64496",
       "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
@@ -2480,6 +2499,7 @@
       "CVE-2025-9242",
       "CVE-2025-9377",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-1603",
@@ -4789,15 +4809,19 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2024-0132",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
       "CVE-2026-0300",
+      "CVE-2026-0766",
       "CVE-2026-20182",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -5303,14 +5327,18 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2024-0132",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
@@ -5358,14 +5386,18 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2024-0132",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
+      "CVE-2025-23266",
       "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
       "CVE-2025-60455",
+      "CVE-2025-64496",
+      "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-24206",

package/data/zeroday-lessons.json

@@ -6883,6 +6883,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-0766": {
+    "name": "Open WebUI Tool Module Code Injection RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Open WebUI's load_tool_module_by_id runs an unvalidated user-supplied string as Python (CWE-94), giving an authenticated attacker remote code execution on the host.",
+      "privileges_required": "authenticated Open WebUI user (PR:L)",
+      "complexity": "low (NVD/CNA AC:L)",
+      "ai_factor": "The abused surface is a widely deployed self-hosted AI chat front end. The lesson: an AI app must never turn a user-supplied string or external-model-server content into executable code; tool-loading and model-connection paths are untrusted input that needs validation, not convenience features that bypass it."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted AI chat front ends as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to the tool-module identifier before it is used to execute Python."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats tool-module strings or external-model-server content as untrusted input the AI app must not execute as code."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 68,
+      "basis": "Self-hosted AI front ends are rarely in the managed vulnerability program, and their tool/model-connection features are trusted by design.",
+      "theater_pattern": "secure_coding_theater"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-089",
+        "name": "AI-APP-DYNAMIC-CODE-EXECUTION-CONTROL",
+        "description": "An AI application must not turn user-supplied strings or external-model-server content into executable code: validate/allow-list tool-module identifiers before loading, treat external model servers as untrusted (no execution of their content), and keep features like Direct Connections disabled unless required. Upgrade Open WebUI to the fixed release (0.6.35+ for CVE-2025-64496; the ZDI-coordinated fix for CVE-2026-0766). The distinguishing test: on a staging instance, attempt to load a tool by an arbitrary id and connect to an attacker-controlled model server, and confirm neither results in code execution.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-0766",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-64496": {
+    "name": "Open WebUI Malicious Model Server Code Injection (Account Takeover to RCE)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "With Direct Connections enabled and a user lured to a malicious external model server, that server's SSE stream injects and executes JavaScript in the client (CWE-95/829), enabling token theft, account takeover, and with extended permissions RCE.",
+      "privileges_required": "authenticated user lured to a malicious model server (PR:L / UI:R)",
+      "complexity": "low (NVD/CNA AC:L)",
+      "ai_factor": "The abused surface is a widely deployed self-hosted AI chat front end. The lesson: an AI app must never turn a user-supplied string or external-model-server content into executable code; tool-loading and model-connection paths are untrusted input that needs validation, not convenience features that bypass it."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted AI chat front ends as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Content received from an external model server is rendered/executed without treating it as untrusted input."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats tool-module strings or external-model-server content as untrusted input the AI app must not execute as code."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Self-hosted AI front ends are rarely in the managed vulnerability program, and their tool/model-connection features are trusted by design.",
+      "theater_pattern": "third_party_model_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-089",
+        "name": "AI-APP-DYNAMIC-CODE-EXECUTION-CONTROL",
+        "description": "An AI application must not turn user-supplied strings or external-model-server content into executable code: validate/allow-list tool-module identifiers before loading, treat external model servers as untrusted (no execution of their content), and keep features like Direct Connections disabled unless required. Upgrade Open WebUI to the fixed release (0.6.35+ for CVE-2025-64496; the ZDI-coordinated fix for CVE-2026-0766). The distinguishing test: on a staging instance, attempt to load a tool by an arbitrary id and connect to an attacker-controlled model server, and confirm neither results in code execution.",
+        "evidence": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-0132": {
+    "name": "NVIDIA Container Toolkit TOCTOU Container Escape",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA Container Toolkit (CWE-367 TOCTOU race) lets a crafted container image escape its container and execute code on the host, crossing the tenant boundary on shared GPU infrastructure. Disclosed by Wiz Research.",
+      "privileges_required": "ability to run or schedule a crafted container image on a GPU node",
+      "complexity": "low (a crafted image / short Dockerfile is sufficient)",
+      "ai_factor": "The GPU container runtime underpins essentially all containerized AI/ML GPU workloads. A single escape on a shared GPU host crosses the tenant boundary and exposes co-tenant models, training data, and cloud credentials. The lesson: the GPU container runtime is an AI-pipeline trust boundary that must be patched and hardened like any isolation control, not assumed safe."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the GPU container runtime as managed, escape-bearing software under every AI/ML GPU workload."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection assumes the container is the tenant boundary; a runtime escape crosses it on shared GPU infrastructure."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the GPU container runtime as an AI-pipeline trust boundary whose escape exposes co-tenant AI assets."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Organizations treat container isolation as a given and do not track the GPU container runtime version; shared GPU clouds run mixed-tenant workloads on the same hosts.",
+      "theater_pattern": "container_isolation_assumed"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-090",
+        "name": "AI-GPU-CONTAINER-RUNTIME-ISOLATION",
+        "description": "Treat the GPU container runtime (NVIDIA Container Toolkit / GPU Operator) as a patch-prioritized isolation boundary: keep it current (upgrade to 1.16.2+), do not run untrusted or mixed-tenant container images on the same GPU host, restrict who can schedule GPU workloads, and run workloads least-privilege. The distinguishing test: on a staging GPU node, run a crafted image that manipulates init hooks / mounts and confirm it cannot read host paths or load host-side code outside its container.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5582",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-23266": {
+    "name": "NVIDIA Container Toolkit Init-Hook Untrusted Search Path Container Escape (NVIDIAScape)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA Container Toolkit (CWE-426 untrusted search path in init hooks) lets a crafted container image escape its container and execute code on the host, crossing the tenant boundary on shared GPU infrastructure. Disclosed by Wiz Research.",
+      "privileges_required": "ability to run or schedule a crafted container image on a GPU node",
+      "complexity": "low (a crafted image / short Dockerfile is sufficient)",
+      "ai_factor": "The GPU container runtime underpins essentially all containerized AI/ML GPU workloads. A single escape on a shared GPU host crosses the tenant boundary and exposes co-tenant models, training data, and cloud credentials. The lesson: the GPU container runtime is an AI-pipeline trust boundary that must be patched and hardened like any isolation control, not assumed safe."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the GPU container runtime as managed, escape-bearing software under every AI/ML GPU workload."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection assumes the container is the tenant boundary; a runtime escape crosses it on shared GPU infrastructure."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the GPU container runtime as an AI-pipeline trust boundary whose escape exposes co-tenant AI assets."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Organizations treat container isolation as a given and do not track the GPU container runtime version; shared GPU clouds run mixed-tenant workloads on the same hosts.",
+      "theater_pattern": "container_isolation_assumed"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-090",
+        "name": "AI-GPU-CONTAINER-RUNTIME-ISOLATION",
+        "description": "Treat the GPU container runtime (NVIDIA Container Toolkit / GPU Operator) as a patch-prioritized isolation boundary: keep it current (Container Toolkit 1.17.8+ / GPU Operator 25.3.1+), do not run untrusted or mixed-tenant container images on the same GPU host, restrict who can schedule GPU workloads, and run workloads least-privilege. The distinguishing test: on a staging GPU node, run a crafted image that manipulates init hooks / mounts and confirm it cannot read host paths or load host-side code outside its container.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5659",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",