@blamejs/exceptd-skills 0.13.82 → 0.13.84

package/data/framework-control-gaps.json

@@ -36,7 +36,10 @@
     "evidence_cves": [
       "CVE-2023-48022",
       "CVE-2024-0132",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-50050",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -45,6 +48,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -55,6 +59,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-34159",
       "CVE-2026-40933"
     ],
     "atlas_refs": [
@@ -1366,6 +1371,8 @@
       "CVE-2024-27443",
       "CVE-2024-37079",
       "CVE-2024-42009",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-43468",
       "CVE-2024-50050",
       "CVE-2024-54085",
@@ -1385,6 +1392,7 @@
       "CVE-2025-14174",
       "CVE-2025-14611",
       "CVE-2025-14733",
+      "CVE-2025-1550",
       "CVE-2025-15556",
       "CVE-2025-20281",
       "CVE-2025-20333",
@@ -1511,6 +1519,7 @@
       "CVE-2025-7775",
       "CVE-2025-8088",
       "CVE-2025-8110",
+      "CVE-2025-8747",
       "CVE-2025-8875",
       "CVE-2025-8876",
       "CVE-2025-9242",
@@ -1561,6 +1570,7 @@
       "CVE-2026-32201",
       "CVE-2026-33017",
       "CVE-2026-33634",
+      "CVE-2026-34159",
       "CVE-2026-34197",
       "CVE-2026-34621",
       "CVE-2026-34926",
@@ -1759,10 +1769,13 @@
     "evidence_cves": [
       "CVE-2023-48022",
       "CVE-2024-0132",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-10585",
       "CVE-2025-1094",
       "CVE-2025-14174",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -1773,6 +1786,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -1785,6 +1799,7 @@
       "CVE-2026-30624",
       "CVE-2026-30625",
       "CVE-2026-31431",
+      "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-40933",
@@ -2120,8 +2135,11 @@
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-40635",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2025-23266",
       "CVE-2025-53767",
+      "CVE-2026-34159",
       "CVE-2026-42897"
     ],
     "atlas_refs": [
@@ -2192,11 +2210,13 @@
       "CVE-2024-50050",
       "CVE-2025-0133",
       "CVE-2025-1094",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-30165",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-6965",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-39884",
       "CVE-2026-42208",
@@ -2343,6 +2363,8 @@
       "CVE-2024-27443",
       "CVE-2024-37079",
       "CVE-2024-42009",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-43468",
       "CVE-2024-50050",
       "CVE-2024-54085",
@@ -2363,6 +2385,7 @@
       "CVE-2025-14174",
       "CVE-2025-14611",
       "CVE-2025-14733",
+      "CVE-2025-1550",
       "CVE-2025-15556",
       "CVE-2025-20281",
       "CVE-2025-20333",
@@ -2494,6 +2517,7 @@
       "CVE-2025-7775",
       "CVE-2025-8088",
       "CVE-2025-8110",
+      "CVE-2025-8747",
       "CVE-2025-8875",
       "CVE-2025-8876",
       "CVE-2025-9242",
@@ -2548,6 +2572,7 @@
       "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-33825",
+      "CVE-2026-34159",
       "CVE-2026-34197",
       "CVE-2026-34621",
       "CVE-2026-34926",
@@ -4811,7 +4836,10 @@
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-50050",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -4820,6 +4848,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-8747",
       "CVE-2026-0300",
       "CVE-2026-0766",
       "CVE-2026-20182",
@@ -4833,6 +4862,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
       "CVE-2026-41091",
@@ -5329,7 +5359,10 @@
     "evidence_cves": [
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-50050",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -5338,6 +5371,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -5347,6 +5381,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
       "CVE-2026-41091",
@@ -5388,7 +5423,10 @@
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-50050",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -5397,6 +5435,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -5408,6 +5447,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
       "CVE-2026-41091",

package/data/zeroday-lessons.json

@@ -7083,6 +7083,256 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-1550": {
+    "name": "Keras .keras Model Deserialization Arbitrary Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Keras's .keras model parser uses importlib on names from the model archive, so a crafted model executes arbitrary Python at load time (CWE-94) — no Lambda layer or custom object, no need to call the model.",
+      "privileges_required": "none beyond getting a victim to load an untrusted .keras model",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the ML model file format itself — the canonical AI supply-chain risk: an untrusted model artifact is executable code at load time. The lesson, sharpened by the CVE-2025-1550 -> CVE-2025-8747 sequence, is that model artifacts must be treated as untrusted code (provenance, scanning, safe formats like safetensors), and a partial mitigation such as safe_mode is necessary-but-insufficient when it can be bypassed."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track ML frameworks' model-loading paths as RCE-bearing, nor that the first fix (safe_mode) was bypassable."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Model artifacts are treated as data, but Keras executes code while parsing them; no validation is applied to the artifact."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model file as untrusted executable input; loading one from an untrusted source is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "ML pipelines pull models from hubs and user uploads and treat them as data; safe_mode is assumed sufficient despite the documented bypass.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-8747": {
+    "name": "Keras safe_mode Bypass Model Deserialization Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "The safe_mode mitigation added for CVE-2025-1550 is bypassable through Keras 3.10.0: Model.load_model still lets a crafted .keras archive execute code via arguments to built-in modules (CWE-502), even with safe_mode enabled.",
+      "privileges_required": "none beyond getting a victim to load an untrusted .keras model",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the ML model file format itself — the canonical AI supply-chain risk: an untrusted model artifact is executable code at load time. The lesson, sharpened by the CVE-2025-1550 -> CVE-2025-8747 sequence, is that model artifacts must be treated as untrusted code (provenance, scanning, safe formats like safetensors), and a partial mitigation such as safe_mode is necessary-but-insufficient when it can be bypassed."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track ML frameworks' model-loading paths as RCE-bearing, nor that the first fix (safe_mode) was bypassable."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "A mitigation (safe_mode) is asserted as the control, but it is bypassable; the artifact is still deserialized unsafely."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model file as untrusted executable input; loading one from an untrusted source is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "ML pipelines pull models from hubs and user uploads and treat them as data; safe_mode is assumed sufficient despite the documented bypass.",
+      "theater_pattern": "incomplete_fix_assumed_complete"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://github.com/advisories/GHSA-c9rc-mg46-23w3",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-42479": {
+    "name": "llama.cpp RPC Backend SET_TENSOR Out-of-Bounds Write RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "llama.cpp's RPC backend deserializes attacker-controlled tensor pointers without bounds validation (CWE-787/CWE-123 write-what-where via SET_TENSOR), so an unauthenticated TCP client to the RPC server (default port 50052) reads/writes arbitrary memory and achieves code execution.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated TCP access to the RPC server",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime. The lesson: the inference RPC backend is an unauthenticated execution boundary that must validate all deserialized tensor bounds on every command path and never be network-exposed. The CVE-2024-42478/42479 -> CVE-2026-34159 sequence shows per-command patching (GET/SET) left GRAPH_COMPUTE exploitable — the fix belongs in deserialize_tensor itself."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the local-LLM runtime's RPC backend as RCE-bearing, nor that the first fix left the GRAPH_COMPUTE path unpatched."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the inference RPC backend to validate deserialized tensor bounds on every command path."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Local-LLM RPC servers are run on trusted-network assumptions and rarely tracked; per-command patches are assumed complete despite the GRAPH_COMPUTE bypass.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-092",
+        "name": "AI-INFERENCE-RPC-BACKEND-HARDENING",
+        "description": "The inference RPC backend (llama.cpp / ggml) must validate all deserialized tensor bounds inside deserialize_tensor itself — every command path (GET_TENSOR, SET_TENSOR, GRAPH_COMPUTE), not per-handler — and must never be exposed to untrusted networks (the RPC server on port 50052 has no authentication; bind to localhost or a trusted segment). Upgrade llama.cpp to b8492 or later — b3561 fixed only GET_TENSOR / SET_TENSOR (CVE-2024-42478 / CVE-2024-42479), and builds b3561 through b8491 remain exploitable via the GRAPH_COMPUTE buffer=0 path (CVE-2026-34159), which b8492 closes. The distinguishing test: send a crafted rpc_tensor with buffer=0 / out-of-range data pointer via GRAPH_COMPUTE to a staging RPC server and confirm it is rejected, not dereferenced.",
+        "evidence": "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-42478": {
+    "name": "llama.cpp RPC Backend GET_TENSOR Out-of-Bounds Read",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "llama.cpp's RPC backend deserializes attacker-controlled tensor pointers without bounds validation (CWE-125 arbitrary read via GET_TENSOR), so an unauthenticated TCP client to the RPC server (default port 50052) reads/writes arbitrary memory and achieves code execution.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated TCP access to the RPC server",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime. The lesson: the inference RPC backend is an unauthenticated execution boundary that must validate all deserialized tensor bounds on every command path and never be network-exposed. The CVE-2024-42478/42479 -> CVE-2026-34159 sequence shows per-command patching (GET/SET) left GRAPH_COMPUTE exploitable — the fix belongs in deserialize_tensor itself."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the local-LLM runtime's RPC backend as RCE-bearing, nor that the first fix left the GRAPH_COMPUTE path unpatched."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the inference RPC backend to validate deserialized tensor bounds on every command path."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Local-LLM RPC servers are run on trusted-network assumptions and rarely tracked; per-command patches are assumed complete despite the GRAPH_COMPUTE bypass.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-092",
+        "name": "AI-INFERENCE-RPC-BACKEND-HARDENING",
+        "description": "The inference RPC backend (llama.cpp / ggml) must validate all deserialized tensor bounds inside deserialize_tensor itself — every command path (GET_TENSOR, SET_TENSOR, GRAPH_COMPUTE), not per-handler — and must never be exposed to untrusted networks (the RPC server on port 50052 has no authentication; bind to localhost or a trusted segment). Upgrade llama.cpp to b8492 or later — b3561 fixed only GET_TENSOR / SET_TENSOR (CVE-2024-42478 / CVE-2024-42479), and builds b3561 through b8491 remain exploitable via the GRAPH_COMPUTE buffer=0 path (CVE-2026-34159), which b8492 closes. The distinguishing test: send a crafted rpc_tensor with buffer=0 / out-of-range data pointer via GRAPH_COMPUTE to a staging RPC server and confirm it is rejected, not dereferenced.",
+        "evidence": "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-5vm9-p64x-gqw9",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-34159": {
+    "name": "llama.cpp RPC Backend GRAPH_COMPUTE deserialize_tensor Bounds Bypass RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "llama.cpp's RPC backend deserializes attacker-controlled tensor pointers without bounds validation (CWE-119 bounds bypass via GRAPH_COMPUTE (buffer=0)), so an unauthenticated TCP client to the RPC server (default port 50052) reads/writes arbitrary memory and achieves code execution.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated TCP access to the RPC server",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime. The lesson: the inference RPC backend is an unauthenticated execution boundary that must validate all deserialized tensor bounds on every command path and never be network-exposed. The CVE-2024-42478/42479 -> CVE-2026-34159 sequence shows per-command patching (GET/SET) left GRAPH_COMPUTE exploitable — the fix belongs in deserialize_tensor itself."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the local-LLM runtime's RPC backend as RCE-bearing, nor that the first fix left the GRAPH_COMPUTE path unpatched."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the inference RPC backend to validate deserialized tensor bounds on every command path."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Local-LLM RPC servers are run on trusted-network assumptions and rarely tracked; per-command patches are assumed complete despite the GRAPH_COMPUTE bypass.",
+      "theater_pattern": "incomplete_fix_assumed_complete"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-092",
+        "name": "AI-INFERENCE-RPC-BACKEND-HARDENING",
+        "description": "The inference RPC backend (llama.cpp / ggml) must validate all deserialized tensor bounds inside deserialize_tensor itself — every command path (GET_TENSOR, SET_TENSOR, GRAPH_COMPUTE), not per-handler — and must never be exposed to untrusted networks (the RPC server on port 50052 has no authentication; bind to localhost or a trusted segment). Upgrade llama.cpp to b8492 or later. The distinguishing test: send a crafted rpc_tensor with buffer=0 / out-of-range data pointer via GRAPH_COMPUTE to a staging RPC server and confirm it is rejected, not dereferenced.",
+        "evidence": "https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-j8rj-fmpv-wcxw",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",