@blamejs/exceptd-skills 0.13.86 → 0.13.87

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (14) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/data/_indexes/_meta.json +9 -9
  3. package/data/_indexes/activity-feed.json +2 -2
  4. package/data/_indexes/catalog-summaries.json +2 -2
  5. package/data/_indexes/chains.json +912 -0
  6. package/data/atlas-ttps.json +4 -0
  7. package/data/attack-techniques.json +6 -0
  8. package/data/cve-catalog.json +213 -0
  9. package/data/cwe-catalog.json +3 -0
  10. package/data/framework-control-gaps.json +16 -0
  11. package/data/zeroday-lessons.json +100 -0
  12. package/manifest.json +44 -44
  13. package/package.json +2 -2
  14. package/sbom.cdx.json +25 -25
package/CHANGELOG.md CHANGED
@@ -1,5 +1,9 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.13.87 — 2026-05-25
4
+
5
+ CVE catalog — Gradio file-access (Hugging Face Spaces secret theft). Adds the two Horizon3.ai-disclosed file-read flaws in Gradio, the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos. **CVE-2024-1561** (CWE-22, NIST CVSS 7.5) — the `/component_server` endpoint invokes arbitrary Component methods with attacker-controlled arguments, abused via `move_resource_to_block_cache()` to read host files (and steal HF Spaces secrets); fixed in 4.13.0. **CVE-2023-51449** (CWE-22 + SSRF, NIST CVSS 7.5) — the `/file` route's directory-containment check was flawed, allowing arbitrary file read (and full-read SSRF) on a publicly reachable app; fixed in 4.11.0. Both map MITRE ATLAS AML.T0049 + AML.T0055 (unsecured credentials) and ATT&CK T1190 / T1083 / T1005; their shared zero-day lesson (NEW-CTRL-095) requires the framework's file-serving routes to enforce directory containment, not expose arbitrary method invocation or SSRF, and keep secret-bearing apps off untrusted networks. CVE count 353 → 355.
6
+
3
7
  ## 0.13.86 — 2026-05-25
4
8
 
5
9
  CVE catalog — Ollama API path traversal. Adds the two path-traversal flaws in Ollama, the most widely used local LLM runtime. **CVE-2024-37032** (Wiz "Probllama", CWE-22, NIST CVSS 8.8) — Ollama does not validate that a model-blob digest is a 64-character hex SHA256, so a manifest from a rogue registry embeds traversal sequences that make a model pull write attacker content to an arbitrary path, achieving remote code execution; fixed in 0.1.34. **CVE-2024-39722** (Oligo "More Models, More ProbLLMs", CWE-22, NIST CVSS 7.5) — the api/push route discloses host file existence via path traversal to an unauthenticated caller; fixed in 0.1.46. Both map ATLAS AML.T0049 (+ AML.T0010 for the rogue-registry RCE) and ATT&CK T1190 (+ T1059 / T1083); their shared zero-day lesson (NEW-CTRL-094) requires the runtime API to validate digests and path parameters before filesystem access, stay off untrusted networks, and pull only from trusted registries. CVE count 351 → 353.
package/data/_indexes/_meta.json CHANGED
@@ -1,21 +1,21 @@
1
1
  {
2
2
  "schema_version": "1.1.0",
3
- "generated_at": "2026-05-25T20:03:36.367Z",
3
+ "generated_at": "2026-05-25T20:20:21.658Z",
4
4
  "generator": "scripts/build-indexes.js",
5
5
  "source_count": 54,
6
6
  "source_hashes": {
7
- "manifest.json": "7c9fdfd1cffc4498b847f777943ec4aa07d98aa8f5aadf77f60c83d93fccc3f2",
8
- "data/atlas-ttps.json": "af3a2274f30e450efb1db2e00f1f328dd512a4d5b4c2ea4a58074621719e800f",
9
- "data/attack-techniques.json": "927e61dab97fc54f798e33dd47649133e3e97c61e1f07661fc6d380e8034532b",
10
- "data/cve-catalog.json": "27489dcdeba658f3c6142f8df1c5eb739f9b4e096ca713321d3ad667a0792db3",
11
- "data/cwe-catalog.json": "af3be094b3273dd7214a792fe4606d74026b42e9e5abf63227b4a57d270dcdf0",
7
+ "manifest.json": "439dedebe750531eb56ca6945a3f21486234d95f6517ac710d111980f358a079",
8
+ "data/atlas-ttps.json": "7e81fb7e2202749c3fc6e68fa437d1f6d79ba3b9a7cba999127143205f366041",
9
+ "data/attack-techniques.json": "490aed27f8f62cbf5f077ff66eaa095598097952fa2a332d0f25027b07c51e1a",
10
+ "data/cve-catalog.json": "31f12e733ac9f24650c62997f72fa476d88ec3cec8fbaad60e43b2cbd9ad3cc9",
11
+ "data/cwe-catalog.json": "219ddfa7e4a2464d9e217fb19f181cf6594edb369604780cbb226bbb31b8f439",
12
12
  "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
13
13
  "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
14
14
  "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
15
- "data/framework-control-gaps.json": "b4155147d2a79b8acb7373445716327163c0714aabaf83229d07f724f6f280ca",
15
+ "data/framework-control-gaps.json": "1194be6f0806b027ed2d6dbdf106e291727ed82da480badb49d3b2779ed70951",
16
16
  "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
17
17
  "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
18
- "data/zeroday-lessons.json": "0f8da4cff30862c76ac0e105ee1e10273fa0e43fffdec4303916b97bb36941d7",
18
+ "data/zeroday-lessons.json": "885bd899b2475cab39d4c1f1a1bf8618750f5492e58d616cd7048e5cb715c294",
19
19
  "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
20
20
  "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
21
21
  "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
72
72
  "dlp_refs": 0
73
73
  },
74
74
  "trigger_table_entries": 538,
75
- "chains_cve_entries": 342,
75
+ "chains_cve_entries": 344,
76
76
  "chains_cwe_entries": 171,
77
77
  "jurisdictions_indexed": 29,
78
78
  "handoff_dag_nodes": 42,
package/data/_indexes/activity-feed.json CHANGED
@@ -149,7 +149,7 @@
149
149
  "artifact": "data/cve-catalog.json",
150
150
  "path": "data/cve-catalog.json",
151
151
  "schema_version": "1.0.0",
152
- "entry_count": 353
152
+ "entry_count": 355
153
153
  },
154
154
  {
155
155
  "date": "2026-05-18",
@@ -165,7 +165,7 @@
165
165
  "artifact": "data/zeroday-lessons.json",
166
166
  "path": "data/zeroday-lessons.json",
167
167
  "schema_version": "1.1.0",
168
- "entry_count": 348
168
+ "entry_count": 350
169
169
  },
170
170
  {
171
171
  "date": "2026-05-17",
package/data/_indexes/catalog-summaries.json CHANGED
@@ -62,7 +62,7 @@
62
62
  "rebuild_after_days": 365,
63
63
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
64
64
  },
65
- "entry_count": 353,
65
+ "entry_count": 355,
66
66
  "sample_keys": [
67
67
  "CVE-2025-53773",
68
68
  "CVE-2026-30615",
@@ -238,7 +238,7 @@
238
238
  "rebuild_after_days": 365,
239
239
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
240
240
  },
241
- "entry_count": 348,
241
+ "entry_count": 350,
242
242
  "sample_keys": [
243
243
  "CVE-2026-31431",
244
244
  "CVE-2025-53773",