@blamejs/exceptd-skills 0.13.87 → 0.13.89

package/data/cwe-catalog.json

@@ -463,6 +463,7 @@
       "CVE-2025-48633",
       "CVE-2025-5419",
       "CVE-2025-5777",
+      "CVE-2026-24213",
       "CVE-2026-3055"
     ],
     "framework_controls_partially_addressing": [
@@ -1310,6 +1311,9 @@
     "evidence_cves": [
       "CVE-2022-1471",
       "CVE-2023-21529",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",
@@ -2329,7 +2333,8 @@
     "evidence_cves": [
       "CVE-2018-14634",
       "CVE-2021-30952",
-      "CVE-2026-21385"
+      "CVE-2026-21385",
+      "CVE-2026-24214"
     ],
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 KEV bulk-import."
@@ -2942,6 +2947,7 @@
     ],
     "related_weaknesses": [],
     "evidence_cves": [
+      "CVE-2026-24215",
       "CVE-2026-45498"
     ],
     "last_verified": "2026-05-19",

package/data/framework-control-gaps.json

@@ -39,6 +39,9 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-1561",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -60,6 +63,9 @@
       "CVE-2026-22688",
       "CVE-2026-24206",
       "CVE-2026-24207",
+      "CVE-2026-24213",
+      "CVE-2026-24214",
+      "CVE-2026-24215",
       "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -1373,6 +1379,9 @@
       "CVE-2023-52163",
       "CVE-2024-0769",
       "CVE-2024-11182",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-12987",
       "CVE-2024-1561",
       "CVE-2024-1708",
@@ -1566,6 +1575,9 @@
       "CVE-2026-22769",
       "CVE-2026-23760",
       "CVE-2026-24061",
+      "CVE-2026-24213",
+      "CVE-2026-24214",
+      "CVE-2026-24215",
       "CVE-2026-2441",
       "CVE-2026-24423",
       "CVE-2026-24858",
@@ -1784,6 +1796,9 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-1561",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -1810,6 +1825,9 @@
       "CVE-2026-22688",
       "CVE-2026-24206",
       "CVE-2026-24207",
+      "CVE-2026-24213",
+      "CVE-2026-24214",
+      "CVE-2026-24215",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-30616",
@@ -2227,6 +2245,9 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-50050",
@@ -2240,6 +2261,9 @@
       "CVE-2025-6965",
       "CVE-2025-8747",
       "CVE-2026-0766",
+      "CVE-2026-24213",
+      "CVE-2026-24214",
+      "CVE-2026-24215",
       "CVE-2026-39884",
       "CVE-2026-42208",
       "CVE-2026-9082"
@@ -2381,6 +2405,9 @@
       "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-12987",
       "CVE-2024-1561",
       "CVE-2024-1708",
@@ -2582,6 +2609,9 @@
       "CVE-2026-24061",
       "CVE-2026-24206",
       "CVE-2026-24207",
+      "CVE-2026-24213",
+      "CVE-2026-24214",
+      "CVE-2026-24215",
       "CVE-2026-2441",
       "CVE-2026-24423",
       "CVE-2026-24858",
@@ -4868,6 +4898,9 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
@@ -4892,6 +4925,9 @@
       "CVE-2026-22688",
       "CVE-2026-24206",
       "CVE-2026-24207",
+      "CVE-2026-24213",
+      "CVE-2026-24214",
+      "CVE-2026-24215",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-30616",
@@ -5395,6 +5431,9 @@
     "evidence_cves": [
       "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
@@ -5415,6 +5454,9 @@
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-24213",
+      "CVE-2026-24214",
+      "CVE-2026-24215",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-30616",
@@ -5465,6 +5507,9 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
@@ -5487,6 +5532,9 @@
       "CVE-2026-22688",
       "CVE-2026-24206",
       "CVE-2026-24207",
+      "CVE-2026-24213",
+      "CVE-2026-24214",
+      "CVE-2026-24215",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-30616",

package/data/zeroday-lessons.json

@@ -6783,6 +6783,156 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-24213": {
+    "name": "NVIDIA Triton DALI Backend Out-of-Bounds Read",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA Triton's DALI data-augmentation backend mishandles attacker-supplied inference input (CWE-125 out-of-bounds read), which can corrupt memory and lead to code execution or information disclosure.",
+      "privileges_required": "none (NVD AV:N / PR:N) — network-reachable inference input",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the media/data-augmentation backend of a widely deployed AI inference server, which processes untrusted inference input. The lesson: inference backends that decode or transform attacker-supplied data are memory-safety and availability surfaces that must bounds-check and resource-limit, and the inference endpoint must not be network-exposed to untrusted clients. This is also a clean CVSS-vs-RWEP case (NVD CRITICAL, but patched + no exploitation = low real-world priority)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the inference server's media-processing backends as managed, memory-unsafe software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to the size/shape of inference inputs reaching the DALI backend."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the inference data-augmentation backend's handling of untrusted input as a memory-safety / availability surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 60,
+      "basis": "Inference servers' media backends are not tracked as memory-unsafe attack surface; input size/shape limits on inference requests are rarely enforced.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-096",
+        "name": "AI-INFERENCE-BACKEND-INPUT-HARDENING",
+        "description": "An AI inference server's media/data-augmentation backends (e.g. NVIDIA Triton DALI) must validate and bound the size and shape of untrusted inference input, enforce resource limits, and run with memory-safety mitigations; the inference endpoint must not be exposed to untrusted networks. Upgrade Triton to r26.03 or later. The distinguishing test: send crafted inference inputs (oversized dimensions, malformed media headers) to a staging DALI model and confirm they are rejected/bounded rather than causing crashes or resource exhaustion.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5828",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-24214": {
+    "name": "NVIDIA Triton DALI Backend Integer Overflow",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA Triton's DALI data-augmentation backend mishandles attacker-supplied inference input (CWE-190 integer overflow), which can corrupt memory and lead to code execution or information disclosure.",
+      "privileges_required": "none (NVD AV:N / PR:N) — network-reachable inference input",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the media/data-augmentation backend of a widely deployed AI inference server, which processes untrusted inference input. The lesson: inference backends that decode or transform attacker-supplied data are memory-safety and availability surfaces that must bounds-check and resource-limit, and the inference endpoint must not be network-exposed to untrusted clients. This is also a clean CVSS-vs-RWEP case (NVD CRITICAL, but patched + no exploitation = low real-world priority)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the inference server's media-processing backends as managed, memory-unsafe software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to the size/shape of inference inputs reaching the DALI backend."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the inference data-augmentation backend's handling of untrusted input as a memory-safety / availability surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 60,
+      "basis": "Inference servers' media backends are not tracked as memory-unsafe attack surface; input size/shape limits on inference requests are rarely enforced.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-096",
+        "name": "AI-INFERENCE-BACKEND-INPUT-HARDENING",
+        "description": "An AI inference server's media/data-augmentation backends (e.g. NVIDIA Triton DALI) must validate and bound the size and shape of untrusted inference input, enforce resource limits, and run with memory-safety mitigations; the inference endpoint must not be exposed to untrusted networks. Upgrade Triton to r26.03 or later. The distinguishing test: send crafted inference inputs (oversized dimensions, malformed media headers) to a staging DALI model and confirm they are rejected/bounded rather than causing crashes or resource exhaustion.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5828",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-24215": {
+    "name": "NVIDIA Triton DALI Backend Uncontrolled Resource Consumption (DoS)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA Triton's DALI data-augmentation backend mishandles attacker-supplied inference input (CWE-400 uncontrolled resource consumption), letting an unauthenticated attacker exhaust resources and deny service.",
+      "privileges_required": "none (NVD AV:N / PR:N) — network-reachable inference input",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the media/data-augmentation backend of a widely deployed AI inference server, which processes untrusted inference input. The lesson: inference backends that decode or transform attacker-supplied data are memory-safety and availability surfaces that must bounds-check and resource-limit, and the inference endpoint must not be network-exposed to untrusted clients. This is also a clean CVSS-vs-RWEP case (NVD rates it HIGH, but patched + no exploitation = low real-world priority)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the inference server's media-processing backends as managed, memory-unsafe software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to the size/shape of inference inputs reaching the DALI backend."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the inference data-augmentation backend's handling of untrusted input as a memory-safety / availability surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 58,
+      "basis": "Inference servers' media backends are not tracked as memory-unsafe attack surface; input size/shape limits on inference requests are rarely enforced.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-096",
+        "name": "AI-INFERENCE-BACKEND-INPUT-HARDENING",
+        "description": "An AI inference server's media/data-augmentation backends (e.g. NVIDIA Triton DALI) must validate and bound the size and shape of untrusted inference input, enforce resource limits, and run with memory-safety mitigations; the inference endpoint must not be exposed to untrusted networks. Upgrade Triton to r26.03 or later. The distinguishing test: send crafted inference inputs (oversized dimensions, malformed media headers) to a staging DALI model and confirm they are rejected/bounded rather than causing crashes or resource exhaustion.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5828",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2026-24206": {
     "name": "NVIDIA Triton Inference Server Authentication Bypass (Alternate Channel)",
     "lesson_date": "2026-05-25",
@@ -7483,6 +7633,156 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-11392": {
+    "name": "Hugging Face Transformers MobileViTV2 Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Hugging Face Transformers' MobileViTV2 loader deserializes untrusted configuration files without validation (CWE-502), so loading a malicious MobileViTV2 model/config executes attacker code in the user's process.",
+      "privileges_required": "none beyond getting a user to load an untrusted MobileViTV2 model/config (NVD UI:R)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is a model loader in the foundational ML library (Hugging Face Transformers). The lesson is the same one the Keras CVEs teach at ecosystem scale: a model artifact is executable code at load time, so artifacts must be treated as untrusted (provenance, safe formats, sandboxed loading) — pulling from a model hub is a supply-chain trust decision, not a data fetch."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the foundational ML library's model loaders as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model artifacts/configs the library deserializes at load time."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "ML pipelines pull models from hubs and treat them as data; the foundational library's loaders are assumed safe despite per-loader deserialization RCEs.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/configs from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Hugging Face Transformers to 4.48.0 or later (which fixes the MobileViTV2 loader deserialization, CVE-2024-11392). The control is the same one that closes the Keras model-deserialization CVEs — the class is 'model file equals executable code', not a single loader. The distinguishing test: load an attacker-crafted MobileViTV2 artifact on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-11392",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-11393": {
+    "name": "Hugging Face Transformers MaskFormer Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Hugging Face Transformers' MaskFormer loader deserializes untrusted model files without validation (CWE-502), so loading a malicious MaskFormer model/config executes attacker code in the user's process.",
+      "privileges_required": "none beyond getting a user to load an untrusted MaskFormer model/config (NVD UI:R)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is a model loader in the foundational ML library (Hugging Face Transformers). The lesson is the same one the Keras CVEs teach at ecosystem scale: a model artifact is executable code at load time, so artifacts must be treated as untrusted (provenance, safe formats, sandboxed loading) — pulling from a model hub is a supply-chain trust decision, not a data fetch."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the foundational ML library's model loaders as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model artifacts/configs the library deserializes at load time."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "ML pipelines pull models from hubs and treat them as data; the foundational library's loaders are assumed safe despite per-loader deserialization RCEs.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/configs from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Hugging Face Transformers to 4.48.0 or later (which fixes the MaskFormer loader deserialization, CVE-2024-11393). The control is the same one that closes the Keras model-deserialization CVEs — the class is 'model file equals executable code', not a single loader. The distinguishing test: load an attacker-crafted MaskFormer artifact on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-11393",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-11394": {
+    "name": "Hugging Face Transformers Trax Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Hugging Face Transformers' Trax loader deserializes untrusted model files without validation (CWE-502), so loading a malicious Trax model/config executes attacker code in the user's process.",
+      "privileges_required": "none beyond getting a user to load an untrusted Trax model/config (NVD UI:R)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is a model loader in the foundational ML library (Hugging Face Transformers). The lesson is the same one the Keras CVEs teach at ecosystem scale: a model artifact is executable code at load time, so artifacts must be treated as untrusted (provenance, safe formats, sandboxed loading) — pulling from a model hub is a supply-chain trust decision, not a data fetch."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the foundational ML library's model loaders as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model artifacts/configs the library deserializes at load time."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "ML pipelines pull models from hubs and treat them as data; the foundational library's loaders are assumed safe despite per-loader deserialization RCEs.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/configs from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Hugging Face Transformers to 4.48.0 or later (which fixes the Trax loader deserialization, CVE-2024-11394). The control is the same one that closes the Keras model-deserialization CVEs — the class is 'model file equals executable code', not a single loader. The distinguishing test: load an attacker-crafted Trax artifact on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-11394",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2023-51449": {
     "name": "Gradio /file Route Path Traversal and SSRF Arbitrary File Read",
     "lesson_date": "2026-05-25",