@blamejs/exceptd-skills 0.13.87 → 0.13.88

package/data/atlas-ttps.json

@@ -144,6 +144,9 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-43654",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-37032",
       "CVE-2025-1550",
       "CVE-2025-8747",
@@ -1265,6 +1268,9 @@
     "exceptd_skills": [],
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2025-1550",
       "CVE-2025-8747",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
@@ -2803,6 +2809,9 @@
     "is_subtechnique": true,
     "cve_refs": [
       "CVE-2022-1471",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2025-1550",
       "CVE-2025-8747"
     ]

package/data/attack-techniques.json

@@ -272,6 +272,9 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-37032",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -1084,6 +1087,9 @@
     "name": "Supply Chain Compromise: Software Supply Chain",
     "version": "v19",
     "cve_refs": [
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-3094",
       "CVE-2025-1550",
       "CVE-2025-8747",
@@ -4259,6 +4265,9 @@
     "stix_id": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
     "is_subtechnique": false,
     "cve_refs": [
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2025-1550",
       "CVE-2025-8747"
     ]

package/data/cve-catalog.json

@@ -12979,6 +12979,327 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Gradio's /file route containment check was flawed, allowing path traversal arbitrary file read (and SSRF) on a public Gradio app (CWE-22); fixed in 4.11.0."
   },
+  "CVE-2024-11392": {
+    "name": "Hugging Face Transformers MobileViTV2 Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). Deserialization of untrusted data in the MobileViTV2 loader's configuration files (CWE-502); requires a user to load a malicious model/config (UI:R).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Disclosed via the Trend Micro Zero Day Initiative and tracked in the Hugging Face Transformers advisory issue (#34840): a crafted MobileViTV2 configuration file contains a serialized object that executes code when Hugging Face Transformers loads it.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed through the Trend Micro Zero Day Initiative. The abused surface is a model loader in Hugging Face Transformers, the foundational ML library; an untrusted model artifact is executable code at load time.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "ZDI coordinated disclosure with a fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Hugging Face Transformers before 4.48.0 (the MobileViTV2 loader). Fixed in 4.48.0.",
+    "affected_versions": [
+      "Hugging Face Transformers < 4.48.0"
+    ],
+    "vector": "Hugging Face Transformers' MobileViTV2 loader deserializes untrusted data from configuration files without validation (CWE-502). A user who loads a malicious MobileViTV2 model/config from an untrusted source (e.g. a model hub) executes attacker-controlled code in their process.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R — requires a user to load the malicious model/config.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Hugging Face Transformers to 4.48.0 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Hugging Face Transformers to 4.48.0 or later. Only load models/configs from trusted sources, verify provenance, and load untrusted models in a sandboxed, least-privilege environment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the foundational ML library's model loaders as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to model artifacts/configs the library deserializes at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML library's model-loading path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML-library model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading in the core ML library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out the foundational ML library's model loaders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 33,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 33, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=28 (Hugging Face Transformers is the foundational ML library) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-11392",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python subprocess / interpreter activity during Hugging Face Transformers loading of a MobileViTV2 model or config from an external source.",
+        "A MobileViTV2 model artifact / config from a model hub or user upload whose serialized content resolves to code execution.",
+        "Loading models without provenance verification through Transformers < 4.48.0.",
+        "Hugging Face Transformers < 4.48.0 loading untrusted MobileViTV2 artifacts — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Hugging Face Transformers advisory issue (https://github.com/huggingface/transformers/issues/34840, ZDI-coordinated) and NVD CVE-2024-11392 (CWE-502). The MobileViTV2 loader deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-11392",
+      "https://github.com/huggingface/transformers/issues/34840",
+      "https://github.com/huggingface/transformers/issues/34840"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Hugging Face Transformers advisory (ZDI-coordinated)",
+        "advisory_id": "CVE-2024-11392",
+        "url": "https://github.com/huggingface/transformers/issues/34840",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-11392",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11392",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.8) + the Trend Micro Zero Day Initiative advisory. Member of the Hugging Face Transformers model-loader deserialization family (untrusted model artifact equals executable code); same class as the Keras model-deserialization entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Hugging Face Transformers' MobileViTV2 loader deserializes untrusted configuration files (CWE-502), so loading a malicious model/config executes code; fixed in 4.48.0."
+  },
+  "CVE-2024-11393": {
+    "name": "Hugging Face Transformers MaskFormer Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). Deserialization of untrusted data in the MaskFormer loader's model files (CWE-502); requires a user to load a malicious model/config (UI:R).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Disclosed via the Trend Micro Zero Day Initiative and tracked in the Hugging Face Transformers advisory issue (#34840): a crafted MaskFormer model file contains a serialized object that executes code when Hugging Face Transformers loads it.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed through the Trend Micro Zero Day Initiative. The abused surface is a model loader in Hugging Face Transformers, the foundational ML library; an untrusted model artifact is executable code at load time.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "ZDI coordinated disclosure with a fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Hugging Face Transformers before 4.48.0 (the MaskFormer loader). Fixed in 4.48.0.",
+    "affected_versions": [
+      "Hugging Face Transformers < 4.48.0"
+    ],
+    "vector": "Hugging Face Transformers' MaskFormer loader deserializes untrusted data from model files without validation (CWE-502). A user who loads a malicious MaskFormer model/config from an untrusted source (e.g. a model hub) executes attacker-controlled code in their process.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R — requires a user to load the malicious model/config.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Hugging Face Transformers to 4.48.0 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Hugging Face Transformers to 4.48.0 or later. Only load models/configs from trusted sources, verify provenance, and load untrusted models in a sandboxed, least-privilege environment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the foundational ML library's model loaders as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to model artifacts/configs the library deserializes at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML library's model-loading path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML-library model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading in the core ML library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out the foundational ML library's model loaders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 33,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 33, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=28 (Hugging Face Transformers is the foundational ML library) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-11393",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python subprocess / interpreter activity during Hugging Face Transformers loading of a MaskFormer model or config from an external source.",
+        "A MaskFormer model artifact / config from a model hub or user upload whose serialized content resolves to code execution.",
+        "Loading models without provenance verification through Transformers < 4.48.0.",
+        "Hugging Face Transformers < 4.48.0 loading untrusted MaskFormer artifacts — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Hugging Face Transformers advisory issue (https://github.com/huggingface/transformers/issues/34840, ZDI-coordinated) and NVD CVE-2024-11393 (CWE-502). The MaskFormer loader deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-11393",
+      "https://github.com/huggingface/transformers/issues/34840",
+      "https://github.com/huggingface/transformers/issues/34840"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Hugging Face Transformers advisory (ZDI-coordinated)",
+        "advisory_id": "CVE-2024-11393",
+        "url": "https://github.com/huggingface/transformers/issues/34840",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-11393",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11393",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.8) + the Trend Micro Zero Day Initiative advisory. Member of the Hugging Face Transformers model-loader deserialization family (untrusted model artifact equals executable code); same class as the Keras model-deserialization entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Hugging Face Transformers' MaskFormer loader deserializes untrusted model files (CWE-502), so loading a malicious model/config executes code; fixed in 4.48.0."
+  },
+  "CVE-2024-11394": {
+    "name": "Hugging Face Transformers Trax Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). Deserialization of untrusted data in the Trax loader's model files (CWE-502); requires a user to load a malicious model/config (UI:R).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Disclosed via the Trend Micro Zero Day Initiative and tracked in the Hugging Face Transformers advisory issue (#34840): a crafted Trax model file contains a serialized object that executes code when Hugging Face Transformers loads it.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed through the Trend Micro Zero Day Initiative. The abused surface is a model loader in Hugging Face Transformers, the foundational ML library; an untrusted model artifact is executable code at load time.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "ZDI coordinated disclosure with a fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Hugging Face Transformers before 4.48.0 (the Trax loader). Fixed in 4.48.0.",
+    "affected_versions": [
+      "Hugging Face Transformers < 4.48.0"
+    ],
+    "vector": "Hugging Face Transformers' Trax loader deserializes untrusted data from model files without validation (CWE-502). A user who loads a malicious Trax model/config from an untrusted source (e.g. a model hub) executes attacker-controlled code in their process.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R — requires a user to load the malicious model/config.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Hugging Face Transformers to 4.48.0 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Hugging Face Transformers to 4.48.0 or later. Only load models/configs from trusted sources, verify provenance, and load untrusted models in a sandboxed, least-privilege environment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the foundational ML library's model loaders as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to model artifacts/configs the library deserializes at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML library's model-loading path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML-library model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading in the core ML library as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out the foundational ML library's model loaders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 33,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 33, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=28 (Hugging Face Transformers is the foundational ML library) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-11394",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python subprocess / interpreter activity during Hugging Face Transformers loading of a Trax model or config from an external source.",
+        "A Trax model artifact / config from a model hub or user upload whose serialized content resolves to code execution.",
+        "Loading models without provenance verification through Transformers < 4.48.0.",
+        "Hugging Face Transformers < 4.48.0 loading untrusted Trax artifacts — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Hugging Face Transformers advisory issue (https://github.com/huggingface/transformers/issues/34840, ZDI-coordinated) and NVD CVE-2024-11394 (CWE-502). The Trax loader deserialization is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-11394",
+      "https://github.com/huggingface/transformers/issues/34840",
+      "https://github.com/huggingface/transformers/issues/34840"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Hugging Face Transformers advisory (ZDI-coordinated)",
+        "advisory_id": "CVE-2024-11394",
+        "url": "https://github.com/huggingface/transformers/issues/34840",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-11394",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11394",
+        "severity": "high",
+        "published_date": "2024-11-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.8) + the Trend Micro Zero Day Initiative advisory. Member of the Hugging Face Transformers model-loader deserialization family (untrusted model artifact equals executable code); same class as the Keras model-deserialization entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Hugging Face Transformers' Trax loader deserializes untrusted model files (CWE-502), so loading a malicious model/config executes code; fixed in 4.48.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -1310,6 +1310,9 @@
     "evidence_cves": [
       "CVE-2022-1471",
       "CVE-2023-21529",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",

package/data/framework-control-gaps.json

@@ -39,6 +39,9 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-1561",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -1373,6 +1376,9 @@
       "CVE-2023-52163",
       "CVE-2024-0769",
       "CVE-2024-11182",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-12987",
       "CVE-2024-1561",
       "CVE-2024-1708",
@@ -1784,6 +1790,9 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-1561",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -2227,6 +2236,9 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-50050",
@@ -2381,6 +2393,9 @@
       "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-12987",
       "CVE-2024-1561",
       "CVE-2024-1708",
@@ -4868,6 +4883,9 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
@@ -5395,6 +5413,9 @@
     "evidence_cves": [
       "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
@@ -5465,6 +5486,9 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",

package/data/zeroday-lessons.json

@@ -7483,6 +7483,156 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-11392": {
+    "name": "Hugging Face Transformers MobileViTV2 Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Hugging Face Transformers' MobileViTV2 loader deserializes untrusted configuration files without validation (CWE-502), so loading a malicious MobileViTV2 model/config executes attacker code in the user's process.",
+      "privileges_required": "none beyond getting a user to load an untrusted MobileViTV2 model/config (NVD UI:R)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is a model loader in the foundational ML library (Hugging Face Transformers). The lesson is the same one the Keras CVEs teach at ecosystem scale: a model artifact is executable code at load time, so artifacts must be treated as untrusted (provenance, safe formats, sandboxed loading) — pulling from a model hub is a supply-chain trust decision, not a data fetch."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the foundational ML library's model loaders as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model artifacts/configs the library deserializes at load time."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "ML pipelines pull models from hubs and treat them as data; the foundational library's loaders are assumed safe despite per-loader deserialization RCEs.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/configs from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Hugging Face Transformers to 4.48.0 or later (which fixes the MobileViTV2 loader deserialization, CVE-2024-11392). The control is the same one that closes the Keras model-deserialization CVEs — the class is 'model file equals executable code', not a single loader. The distinguishing test: load an attacker-crafted MobileViTV2 artifact on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-11392",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-11393": {
+    "name": "Hugging Face Transformers MaskFormer Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Hugging Face Transformers' MaskFormer loader deserializes untrusted model files without validation (CWE-502), so loading a malicious MaskFormer model/config executes attacker code in the user's process.",
+      "privileges_required": "none beyond getting a user to load an untrusted MaskFormer model/config (NVD UI:R)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is a model loader in the foundational ML library (Hugging Face Transformers). The lesson is the same one the Keras CVEs teach at ecosystem scale: a model artifact is executable code at load time, so artifacts must be treated as untrusted (provenance, safe formats, sandboxed loading) — pulling from a model hub is a supply-chain trust decision, not a data fetch."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the foundational ML library's model loaders as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model artifacts/configs the library deserializes at load time."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "ML pipelines pull models from hubs and treat them as data; the foundational library's loaders are assumed safe despite per-loader deserialization RCEs.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/configs from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Hugging Face Transformers to 4.48.0 or later (which fixes the MaskFormer loader deserialization, CVE-2024-11393). The control is the same one that closes the Keras model-deserialization CVEs — the class is 'model file equals executable code', not a single loader. The distinguishing test: load an attacker-crafted MaskFormer artifact on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-11393",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-11394": {
+    "name": "Hugging Face Transformers Trax Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Hugging Face Transformers' Trax loader deserializes untrusted model files without validation (CWE-502), so loading a malicious Trax model/config executes attacker code in the user's process.",
+      "privileges_required": "none beyond getting a user to load an untrusted Trax model/config (NVD UI:R)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is a model loader in the foundational ML library (Hugging Face Transformers). The lesson is the same one the Keras CVEs teach at ecosystem scale: a model artifact is executable code at load time, so artifacts must be treated as untrusted (provenance, safe formats, sandboxed loading) — pulling from a model hub is a supply-chain trust decision, not a data fetch."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the foundational ML library's model loaders as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model artifacts/configs the library deserializes at load time."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "ML pipelines pull models from hubs and treat them as data; the foundational library's loaders are assumed safe despite per-loader deserialization RCEs.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/configs from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Hugging Face Transformers to 4.48.0 or later (which fixes the Trax loader deserialization, CVE-2024-11394). The control is the same one that closes the Keras model-deserialization CVEs — the class is 'model file equals executable code', not a single loader. The distinguishing test: load an attacker-crafted Trax artifact on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-11394",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2023-51449": {
     "name": "Gradio /file Route Path Traversal and SSRF Arbitrary File Read",
     "lesson_date": "2026-05-25",