@blamejs/exceptd-skills 0.13.86 → 0.13.88

package/data/atlas-ttps.json

@@ -144,6 +144,9 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-43654",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-37032",
       "CVE-2025-1550",
       "CVE-2025-8747",
@@ -669,6 +672,8 @@
     "maturity": "moderate",
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2023-51449",
+      "CVE-2024-1561",
       "CVE-2026-42208",
       "MAL-2026-3083"
     ],
@@ -1263,6 +1268,9 @@
     "exceptd_skills": [],
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2025-1550",
       "CVE-2025-8747",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
@@ -1705,6 +1713,8 @@
     "cve_refs": [
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
+      "CVE-2024-1561",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -2799,6 +2809,9 @@
     "is_subtechnique": true,
     "cve_refs": [
       "CVE-2022-1471",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2025-1550",
       "CVE-2025-8747"
     ]

package/data/attack-techniques.json

@@ -272,6 +272,9 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-37032",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -838,8 +841,10 @@
       "CVE-2023-39780",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2024-12987",
+      "CVE-2024-1561",
       "CVE-2024-1709",
       "CVE-2024-21762",
       "CVE-2024-37032",
@@ -1082,6 +1087,9 @@
     "name": "Supply Chain Compromise: Software Supply Chain",
     "version": "v19",
     "cve_refs": [
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-3094",
       "CVE-2025-1550",
       "CVE-2025-8747",
@@ -2429,6 +2437,8 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2023-36424",
+      "CVE-2023-51449",
+      "CVE-2024-1561",
       "CVE-2025-14847",
       "CVE-2025-22226",
       "CVE-2025-47813",
@@ -3512,6 +3522,8 @@
     "stix_id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
     "is_subtechnique": false,
     "cve_refs": [
+      "CVE-2023-51449",
+      "CVE-2024-1561",
       "CVE-2024-39722",
       "CVE-2026-34926"
     ]
@@ -4253,6 +4265,9 @@
     "stix_id": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
     "is_subtechnique": false,
     "cve_refs": [
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2025-1550",
       "CVE-2025-8747"
     ]

package/data/cve-catalog.json

@@ -12766,6 +12766,540 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Ollama's api/push route path traversal (CWE-22) lets an unauthenticated attacker disclose file existence on the host; fixed in 0.1.46."
   },
+  "CVE-2024-1561": {
+    "name": "Gradio /component_server Local File Read (Hugging Face Spaces Secret Theft)",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NVD CVSS v3.0 base 7.5 (HIGH). NVD assigns CWE-29 (a path-traversal variant); the parent class is CWE-22. The /component_server endpoint invokes any Component method with attacker-controlled arguments, abused via move_resource_to_block_cache() to read host files.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (Horizon3.ai 'Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces'): an unauthenticated request to a public Gradio app reads arbitrary host files, including HF Spaces secrets.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Horizon3.ai. The abused surface is Gradio, the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; file-read / SSRF in the ML web framework.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Gradio 4.12.0 up to but excluding 4.13.0 (fixed in 4.13.0).",
+    "affected_versions": [
+      "Gradio >= 4.12.0, < 4.13.0"
+    ],
+    "vector": "Gradio's /component_server endpoint permits invoking arbitrary methods on a Component class with attacker-controlled arguments. An unauthenticated request invokes move_resource_to_block_cache() to copy an arbitrary host file into the served cache and read it (path traversal, CWE-22). On Hugging Face Spaces this reads secrets/tokens from the host. Disclosed by Horizon3.ai.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated, against a publicly reachable Gradio app.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Gradio to 4.13.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Gradio to 4.13.0 or later. Do not expose Gradio apps with sensitive host secrets to untrusted networks, run them least-privilege, and avoid storing secrets readable by the app process (relevant for Hugging Face Spaces)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the ML demo/UI framework (Gradio) as managed, network-exposed software.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag publicly reachable Gradio apps as a file-read / SSRF surface to host secrets.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML demo framework's file-serving routes as an access-control surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the ML demo framework as a privileged, internet-exposed surface.",
+      "DORA-Art-9": "ICT protection measures do not model file-read / SSRF in an ML demo framework leaking host secrets as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for directory containment on the ML framework's file routes.",
+      "AU-ISM-1546": "Patch-application control does not single out ML demo/UI frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the ML demo framework's file-serving / component routes as an untrusted-input access-control surface; a public Gradio app leaks host secrets (HF Spaces tokens)."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083",
+      "T1005"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Gradio underpins Hugging Face Spaces and countless public ML demos) minus patch 15. Note: secret theft from internet-exposed apps raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-1561",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Requests to a public Gradio app's /component_server endpoint invoking move_resource_to_block_cache with attacker-controlled paths.",
+        "Gradio serving files from outside its temp/cache directory (e.g. /proc, app secrets, .env, HF Spaces secret mounts).",
+        "Anomalous reads of credential/secret files by the Gradio app process following inbound requests.",
+        "Gradio at an affected version (Gradio >= 4.12.0, < 4.13.0) reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from Horizon3.ai's research (https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/), the Gradio GitHub security advisory (https://github.com/advisories/GHSA-g9cj-cfpp-4g2x), and NVD CVE-2024-1561 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-1561",
+      "https://github.com/advisories/GHSA-g9cj-cfpp-4g2x",
+      "https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-1561",
+        "url": "https://github.com/advisories/GHSA-g9cj-cfpp-4g2x",
+        "severity": "high",
+        "published_date": "2024-04-15"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-1561",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1561",
+        "severity": "high",
+        "published_date": "2024-04-15"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22; NIST CVSS 7.5) + Horizon3.ai research + the gradio-app GitHub advisory. Member of the Gradio file-access family (Hugging Face Spaces secret theft).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Gradio's /component_server lets an unauthenticated caller invoke move_resource_to_block_cache() to read arbitrary host files (CWE-22), stealing Hugging Face Spaces secrets; fixed in 4.13.0."
+  },
+  "CVE-2023-51449": {
+    "name": "Gradio /file Route Path Traversal and SSRF Arbitrary File Read",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NVD CVSS v3.1 base 7.5 (HIGH). A flawed containment check on the /file route allows path traversal outside the Gradio temp directory, and the route was also abusable for server-side request forgery (CWE-22 + SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (Horizon3.ai 'Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces'): an unauthenticated request to a public Gradio app reads arbitrary host files, including HF Spaces secrets.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Horizon3.ai. The abused surface is Gradio, the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; file-read / SSRF in the ML web framework.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Gradio before 4.11.0 (the /file route containment check; SSRF via download_temp_copy_if_needed affects 3.47–3.50.2). Fixed in 4.11.0.",
+    "affected_versions": [
+      "Gradio < 4.11.0"
+    ],
+    "vector": "Gradio's /file route was meant to serve only files under the temp directory, but the containment check was flawed, allowing path traversal to read arbitrary files on a publicly reachable Gradio app (CWE-22). The same route could be abused for full-read SSRF. Disclosed by Horizon3.ai.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated, against a publicly reachable Gradio app.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Gradio to 4.11.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Gradio to 4.11.0 or later. Do not expose Gradio apps with sensitive host secrets to untrusted networks, run them least-privilege, and avoid storing secrets readable by the app process (relevant for Hugging Face Spaces)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the ML demo/UI framework (Gradio) as managed, network-exposed software.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag publicly reachable Gradio apps as a file-read / SSRF surface to host secrets.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML demo framework's file-serving routes as an access-control surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the ML demo framework as a privileged, internet-exposed surface.",
+      "DORA-Art-9": "ICT protection measures do not model file-read / SSRF in an ML demo framework leaking host secrets as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for directory containment on the ML framework's file routes.",
+      "AU-ISM-1546": "Patch-application control does not single out ML demo/UI frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the ML demo framework's file-serving / component routes as an untrusted-input access-control surface; a public Gradio app leaks host secrets (HF Spaces tokens)."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083",
+      "T1005"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Gradio underpins Hugging Face Spaces and countless public ML demos) minus patch 15. Note: secret theft from internet-exposed apps raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-51449",
+    "cwe_refs": [
+      "CWE-22",
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Requests to a public Gradio app's /file route containing path-traversal sequences or external URLs (SSRF).",
+        "Gradio serving files from outside its temp/cache directory (e.g. /proc, app secrets, .env, HF Spaces secret mounts).",
+        "Anomalous reads of credential/secret files by the Gradio app process following inbound requests.",
+        "Gradio at an affected version (Gradio < 4.11.0) reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from Horizon3.ai's research (https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/), the Gradio GitHub security advisory (https://github.com/advisories/GHSA-6qm2-wpxq-7qh2), and NVD CVE-2023-51449 (CWE-22/CWE-918)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-51449",
+      "https://github.com/advisories/GHSA-6qm2-wpxq-7qh2",
+      "https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-51449",
+        "url": "https://github.com/advisories/GHSA-6qm2-wpxq-7qh2",
+        "severity": "high",
+        "published_date": "2023-12-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-51449",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51449",
+        "severity": "high",
+        "published_date": "2023-12-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22/CWE-918; NIST CVSS 7.5) + Horizon3.ai research + the gradio-app GitHub advisory. Member of the Gradio file-access family (Hugging Face Spaces secret theft).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Gradio's /file route containment check was flawed, allowing path traversal arbitrary file read (and SSRF) on a public Gradio app (CWE-22); fixed in 4.11.0."
+  },
+  "CVE-2024-11392": {
+    "name": "Hugging Face Transformers MobileViTV2 Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). Deserialization of untrusted data in the MobileViTV2 loader's configuration files (CWE-502); requires a user to load a malicious model/config (UI:R).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Disclosed via the Trend Micro Zero Day Initiative and tracked in the Hugging Face Transformers advisory issue (#34840): a crafted MobileViTV2 configuration file contains a serialized object that executes code when Hugging Face Transformers loads it.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed through the Trend Micro Zero Day Initiative. The abused surface is a model loader in Hugging Face Transformers, the foundational ML library; an untrusted model artifact is executable code at load time.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "ZDI coordinated disclosure with a fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Hugging Face Transformers before 4.48.0 (the MobileViTV2 loader). Fixed in 4.48.0.",
+    "affected_versions": [
+      "Hugging Face Transformers < 4.48.0"
+    ],
+    "vector": "Hugging Face Transformers' MobileViTV2 loader deserializes untrusted data from configuration files without validation (CWE-502). A user who loads a malicious MobileViTV2 model/config from an untrusted source (e.g. a model hub) executes attacker-controlled code in their process.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R — requires a user to load the malicious model/config.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Hugging Face Transformers to 4.48.0 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Hugging Face Transformers to 4.48.0 or later. Only load models/configs from trusted sources, verify provenance, and load untrusted models in a sandboxed, least-privilege environment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the foundational ML library's model loaders as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to model artifacts/configs the library deserializes at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML library's model-loading path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML-library model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading in the core ML library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out the foundational ML library's model loaders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 33,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 33, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=28 (Hugging Face Transformers is the foundational ML library) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-11392",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python subprocess / interpreter activity during Hugging Face Transformers loading of a MobileViTV2 model or config from an external source.",
+        "A MobileViTV2 model artifact / config from a model hub or user upload whose serialized content resolves to code execution.",
+        "Loading models without provenance verification through Transformers < 4.48.0.",
+        "Hugging Face Transformers < 4.48.0 loading untrusted MobileViTV2 artifacts — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Hugging Face Transformers advisory issue (https://github.com/huggingface/transformers/issues/34840, ZDI-coordinated) and NVD CVE-2024-11392 (CWE-502). The MobileViTV2 loader deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-11392",
+      "https://github.com/huggingface/transformers/issues/34840",
+      "https://github.com/huggingface/transformers/issues/34840"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Hugging Face Transformers advisory (ZDI-coordinated)",
+        "advisory_id": "CVE-2024-11392",
+        "url": "https://github.com/huggingface/transformers/issues/34840",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-11392",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11392",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.8) + the Trend Micro Zero Day Initiative advisory. Member of the Hugging Face Transformers model-loader deserialization family (untrusted model artifact equals executable code); same class as the Keras model-deserialization entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Hugging Face Transformers' MobileViTV2 loader deserializes untrusted configuration files (CWE-502), so loading a malicious model/config executes code; fixed in 4.48.0."
+  },
+  "CVE-2024-11393": {
+    "name": "Hugging Face Transformers MaskFormer Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). Deserialization of untrusted data in the MaskFormer loader's model files (CWE-502); requires a user to load a malicious model/config (UI:R).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Disclosed via the Trend Micro Zero Day Initiative and tracked in the Hugging Face Transformers advisory issue (#34840): a crafted MaskFormer model file contains a serialized object that executes code when Hugging Face Transformers loads it.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed through the Trend Micro Zero Day Initiative. The abused surface is a model loader in Hugging Face Transformers, the foundational ML library; an untrusted model artifact is executable code at load time.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "ZDI coordinated disclosure with a fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Hugging Face Transformers before 4.48.0 (the MaskFormer loader). Fixed in 4.48.0.",
+    "affected_versions": [
+      "Hugging Face Transformers < 4.48.0"
+    ],
+    "vector": "Hugging Face Transformers' MaskFormer loader deserializes untrusted data from model files without validation (CWE-502). A user who loads a malicious MaskFormer model/config from an untrusted source (e.g. a model hub) executes attacker-controlled code in their process.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R — requires a user to load the malicious model/config.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Hugging Face Transformers to 4.48.0 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Hugging Face Transformers to 4.48.0 or later. Only load models/configs from trusted sources, verify provenance, and load untrusted models in a sandboxed, least-privilege environment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the foundational ML library's model loaders as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to model artifacts/configs the library deserializes at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML library's model-loading path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML-library model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading in the core ML library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out the foundational ML library's model loaders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 33,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 33, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=28 (Hugging Face Transformers is the foundational ML library) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-11393",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python subprocess / interpreter activity during Hugging Face Transformers loading of a MaskFormer model or config from an external source.",
+        "A MaskFormer model artifact / config from a model hub or user upload whose serialized content resolves to code execution.",
+        "Loading models without provenance verification through Transformers < 4.48.0.",
+        "Hugging Face Transformers < 4.48.0 loading untrusted MaskFormer artifacts — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Hugging Face Transformers advisory issue (https://github.com/huggingface/transformers/issues/34840, ZDI-coordinated) and NVD CVE-2024-11393 (CWE-502). The MaskFormer loader deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-11393",
+      "https://github.com/huggingface/transformers/issues/34840",
+      "https://github.com/huggingface/transformers/issues/34840"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Hugging Face Transformers advisory (ZDI-coordinated)",
+        "advisory_id": "CVE-2024-11393",
+        "url": "https://github.com/huggingface/transformers/issues/34840",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-11393",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11393",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.8) + the Trend Micro Zero Day Initiative advisory. Member of the Hugging Face Transformers model-loader deserialization family (untrusted model artifact equals executable code); same class as the Keras model-deserialization entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Hugging Face Transformers' MaskFormer loader deserializes untrusted model files (CWE-502), so loading a malicious model/config executes code; fixed in 4.48.0."
+  },
+  "CVE-2024-11394": {
+    "name": "Hugging Face Transformers Trax Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). Deserialization of untrusted data in the Trax loader's model files (CWE-502); requires a user to load a malicious model/config (UI:R).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Disclosed via the Trend Micro Zero Day Initiative and tracked in the Hugging Face Transformers advisory issue (#34840): a crafted Trax model file contains a serialized object that executes code when Hugging Face Transformers loads it.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed through the Trend Micro Zero Day Initiative. The abused surface is a model loader in Hugging Face Transformers, the foundational ML library; an untrusted model artifact is executable code at load time.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "ZDI coordinated disclosure with a fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Hugging Face Transformers before 4.48.0 (the Trax loader). Fixed in 4.48.0.",
+    "affected_versions": [
+      "Hugging Face Transformers < 4.48.0"
+    ],
+    "vector": "Hugging Face Transformers' Trax loader deserializes untrusted data from model files without validation (CWE-502). A user who loads a malicious Trax model/config from an untrusted source (e.g. a model hub) executes attacker-controlled code in their process.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R — requires a user to load the malicious model/config.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Hugging Face Transformers to 4.48.0 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Hugging Face Transformers to 4.48.0 or later. Only load models/configs from trusted sources, verify provenance, and load untrusted models in a sandboxed, least-privilege environment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the foundational ML library's model loaders as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to model artifacts/configs the library deserializes at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML library's model-loading path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML-library model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading in the core ML library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out the foundational ML library's model loaders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 33,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 33, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=28 (Hugging Face Transformers is the foundational ML library) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-11394",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python subprocess / interpreter activity during Hugging Face Transformers loading of a Trax model or config from an external source.",
+        "A Trax model artifact / config from a model hub or user upload whose serialized content resolves to code execution.",
+        "Loading models without provenance verification through Transformers < 4.48.0.",
+        "Hugging Face Transformers < 4.48.0 loading untrusted Trax artifacts — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Hugging Face Transformers advisory issue (https://github.com/huggingface/transformers/issues/34840, ZDI-coordinated) and NVD CVE-2024-11394 (CWE-502). The Trax loader deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-11394",
+      "https://github.com/huggingface/transformers/issues/34840",
+      "https://github.com/huggingface/transformers/issues/34840"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Hugging Face Transformers advisory (ZDI-coordinated)",
+        "advisory_id": "CVE-2024-11394",
+        "url": "https://github.com/huggingface/transformers/issues/34840",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-11394",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11394",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.8) + the Trend Micro Zero Day Initiative advisory. Member of the Hugging Face Transformers model-loader deserialization family (untrusted model artifact equals executable code); same class as the Keras model-deserialization entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Hugging Face Transformers' Trax loader deserializes untrusted model files (CWE-502), so loading a malicious model/config executes code; fixed in 4.48.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",