@blamejs/exceptd-skills 0.13.88 → 0.13.89

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.13.89 — 2026-05-25
+
+CVE catalog — NVIDIA Triton DALI backend memory safety. Completes the May 2026 Triton bulletin coverage with the three DALI (data-augmentation) backend flaws disclosed by researcher Navtej Kathuria, all fixed in r26.03: **CVE-2026-24213** (CWE-125 out-of-bounds read, NIST CVSS 9.8), **CVE-2026-24214** (CWE-190 integer overflow, NIST CVSS 9.8), and **CVE-2026-24215** (CWE-400 uncontrolled resource consumption / DoS, NIST CVSS 7.5). All process attacker-supplied inference input on a network-reachable backend. These are deliberate CVSS-versus-RWEP cases: NVD rates two of them CRITICAL, but with no CISA KEV listing, no confirmed in-the-wild exploitation, no public proof-of-concept, and a patch available, the Real-World Exploit Priority is P4 — the catalog scores priority on exploitation reality, not CVSS alone. Their shared zero-day lesson (NEW-CTRL-096) requires inference backends to bound and validate untrusted input size/shape and enforce resource limits, with the inference endpoint off untrusted networks. CVE count 358 → 361.
+
 ## 0.13.88 — 2026-05-25
 
 CVE catalog — Hugging Face Transformers model-loader deserialization RCE. Adds the three ZDI-coordinated deserialization flaws in the foundational ML library's model loaders, all CWE-502 and fixed in 4.48.0: **CVE-2024-11392** (MobileViTV2 configuration files), **CVE-2024-11393** (MaskFormer model files), and **CVE-2024-11394** (Trax model files), each NIST CVSS 8.8 — loading a malicious model/config of the affected type executes attacker code in the user's process. All map MITRE ATLAS AML.T0010 / AML.T0011 / AML.T0011.000 and ATT&CK T1204 / T1059 / T1195.002, and they reuse the existing untrusted-model-artifact control (NEW-CTRL-091) — the same control that closes the Keras model-deserialization CVEs, because the class is "a model file is executable code", not a single loader. CVE count 355 → 358.

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-25T20:41:49.355Z",
+  "generated_at": "2026-05-26T00:55:52.645Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "4d074cf22843f7c2ddb7fd2f333dc9428f96a71af9cff2092e4452bbb893ef18",
-    "data/atlas-ttps.json": "e4c1ad94999ba94dc90991000b4174a8d64f5de2ca7b679a3462f639fd92b2d8",
-    "data/attack-techniques.json": "27cda2490c20678be9c2d918cfc68217a2e92d3a393b73c7ac9b8345c7ac56e1",
-    "data/cve-catalog.json": "c12aa304e7e1803a867693c45cad86bbd4740aa601a2ce21c798b956b7a434a6",
-    "data/cwe-catalog.json": "bad9276482e74c0ce05e4b8843f6130d077ca698a6bc1121586a897a70cc40a7",
+    "manifest.json": "4696ac730af56b3d1e3792f13011dbe9df415fa6ed6db039f3d5831f98dfd4d7",
+    "data/atlas-ttps.json": "35db40b134ee32ed429a62970c2b05c8937cd8c3df64f5f84e5d725df7cbb5a5",
+    "data/attack-techniques.json": "fef078610c1533ffc17da09a0720ad86cd1a86baadecac9776501059d9ab99b9",
+    "data/cve-catalog.json": "6574013902f68e32cb3b495eef64ca62a7441ef1b0f904a14065a5d08dfa96a5",
+    "data/cwe-catalog.json": "253af97e89506cf61de0e455f1d42a25c8b04594b0e8795737cbe9dc696d09b1",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "15c8f700c9fd14e956e53a29cfc20dececd8a4d8df665f2e357bd3ad3c50fd10",
+    "data/framework-control-gaps.json": "9cf7fce07276c1049f7cd28e20becedf981a18709f094cae9686d452031213e5",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
-    "data/zeroday-lessons.json": "b2233cf8f47dc59f609f356576c240d0638340cd5eb249881ce77b1b50b20f11",
+    "data/zeroday-lessons.json": "a153d695e8f088e1da3c6fbc63285f5eff330fca192df2f7a9a5eac70abf4017",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
     "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 347,
+    "chains_cve_entries": 350,
     "chains_cwe_entries": 171,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,

package/data/_indexes/activity-feed.json

@@ -149,7 +149,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 358
+      "entry_count": 361
     },
     {
       "date": "2026-05-18",
@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 353
+      "entry_count": 356
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 358,
+      "entry_count": 361,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 353,
+      "entry_count": 356,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",