@blamejs/exceptd-skills 0.13.90 → 0.13.92

package/data/atlas-ttps.json

@@ -1715,6 +1715,9 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-1561",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
+      "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",

package/data/attack-techniques.json

@@ -278,6 +278,8 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
       "CVE-2024-37032",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -384,6 +386,7 @@
     "cve_refs": [
       "CVE-2021-26829",
       "CVE-2024-11182",
+      "CVE-2024-27132",
       "CVE-2024-27443",
       "CVE-2024-42009",
       "CVE-2025-0133",
@@ -852,6 +855,8 @@
       "CVE-2024-12987",
       "CVE-2024-1561",
       "CVE-2024-1709",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
       "CVE-2024-21762",
       "CVE-2024-37032",
       "CVE-2024-37079",
@@ -2481,6 +2486,7 @@
     "name": "Drive-by Compromise",
     "version": "v19",
     "cve_refs": [
+      "CVE-2024-27132",
       "CVE-2025-10585",
       "CVE-2025-14174",
       "CVE-2025-24201",

package/data/cve-catalog.json

@@ -13817,6 +13817,316 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "vLLM binds its multi-node XPUB ZeroMQ socket to all interfaces (CWE-770), exposing broadcast data and enabling DoS; fixed in 0.8.5."
   },
+  "CVE-2024-27132": {
+    "name": "MLflow Recipe Template Injection XSS to Client-Side RCE",
+    "type": "RCE",
+    "cvss_score": 9.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.6 (CRITICAL, Scope:Changed). Insufficient sanitization of template variables when running an untrusted MLflow recipe leads to stored XSS and client-side code execution in the victim's browser/session.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the HiddenLayer security advisory and the MLflow GitHub advisory: running an untrusted MLflow recipe renders attacker-controlled template variables without sanitization, executing JavaScript in the victim's MLflow session (XSS, CWE-79) and enabling client-side remote code execution.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via HiddenLayer / the MLflow project. The abused surface is the recipe-rendering UI of MLflow, a widely used MLOps experiment-tracking platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; template injection / XSS in the MLOps platform UI.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "MLflow up to and including 2.9.2 (fixed in 2.10.0).",
+    "affected_versions": [
+      "MLflow <= 2.9.2"
+    ],
+    "vector": "MLflow does not sufficiently sanitize template variables when rendering a recipe, so an untrusted recipe injects script that executes in the victim's MLflow session (CWE-79 stored XSS, rooted in template injection / CWE-94). Because the MLflow UI is a privileged control surface, the resulting client-side code execution can pivot to tracking-server actions.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R — requires a victim to run/view an untrusted recipe.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading MLflow to 2.10.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade MLflow to 2.10.0 or later. Do not run or render untrusted recipes, and do not expose the MLflow UI / tracking server to untrusted users."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the MLOps experiment-tracking platform as managed, user-facing software.",
+      "NIST-800-53-SI-10": "Output-encoding / input-sanitization control is not applied to recipe template variables rendered in the MLflow UI.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the MLOps platform's recipe-rendering UI as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the MLOps platform UI as a privileged control surface.",
+      "DORA-Art-9": "ICT protection measures do not model XSS-to-RCE in an MLOps platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for output-encoding untrusted content in the MLOps UI.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps experiment-tracking platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an untrusted MLflow recipe's template content as untrusted input requiring sanitization before rendering; the MLOps UI is a privileged surface."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1189",
+      "T1059.007"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=24 (MLflow is a widely used MLOps platform) minus patch 15. Note: NVD rates 9.6 CRITICAL; the client-side-RCE-via-XSS chain requires a victim to run an untrusted recipe (UI:R).",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-27132",
+    "cwe_refs": [
+      "CWE-79",
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "An MLflow recipe containing script / HTML in template-variable fields rendered by the MLflow UI.",
+        "JavaScript executing in an MLflow user's session after viewing/running a recipe from an untrusted source.",
+        "Tracking-server actions (model registration, deletion) originating from a user's session shortly after rendering an untrusted recipe.",
+        "MLflow <= 2.9.2 with the recipe UI reachable by untrusted users — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-27132 (CWE-79) and the HiddenLayer / MLflow GitHub security advisory. The unsanitized recipe template variable rendered in the UI is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-27132",
+      "https://github.com/mlflow/mlflow/security/advisories"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "HiddenLayer / MLflow advisory",
+        "advisory_id": "CVE-2024-27132",
+        "url": "https://github.com/mlflow/mlflow/security/advisories",
+        "severity": "critical",
+        "published_date": "2024-02-23"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-27132",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27132",
+        "severity": "critical",
+        "published_date": "2024-02-23"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-79; NIST CVSS 9.6) + the HiddenLayer / MLflow security advisory. MLflow recipe template-injection XSS to client-side RCE; complements the existing MLflow path-traversal entry (CVE-2023-43472).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "MLflow renders untrusted recipe template variables without sanitization (CWE-79), executing script in the victim's session for client-side RCE; fixed in 2.10.0."
+  },
+  "CVE-2024-21575": {
+    "name": "ComfyUI-Impact-Pack Path Traversal Arbitrary File Write to RCE",
+    "type": "RCE",
+    "cvss_score": 8.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
+    "cvss_note": "NVD CVSS v3.1 base 8.6 (HIGH, Scope:Changed, integrity-only). Missing validation of image.filename on /upload/temp allows path-traversal arbitrary file write (CWE-35).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (Snyk Labs, 'Don't Get Too Comfortable: Hacking ComfyUI Through Custom Nodes'): an unauthenticated /upload/temp request with a traversal filename writes a .py into ./custom_nodes for RCE on restart.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Snyk Labs research into the ComfyUI custom-node ecosystem. The abused surface is a popular ComfyUI custom node; ComfyUI auto-loads node code, so custom nodes are an execution boundary.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; path-traversal file write in a ComfyUI custom node.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with coordinated fixes. Note the broader context: in April 2026, reporting described a cryptomining botnet mass-targeting internet-exposed ComfyUI instances via the custom-node attack surface (ComfyUI-Manager install endpoint); this specific CVE is not confirmed as that campaign's vector, but it is the same exposed-custom-node class.",
+    "affected": "ComfyUI-Impact-Pack (the /upload/temp handler) prior to the patched release (GHSA-6mx8-m8xp-f2vc).",
+    "affected_versions": [
+      "ComfyUI-Impact-Pack (pre-fix, GHSA-6mx8-m8xp-f2vc)"
+    ],
+    "vector": "ComfyUI-Impact-Pack does not validate the image.filename field in a POST to /upload/temp, so an unauthenticated attacker writes a file to an arbitrary path (CWE-35 path traversal). Dropping a .py file into ComfyUI's ./custom_nodes directory, which is auto-loaded on restart, escalates the write to remote code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated against a reachable ComfyUI instance.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is updating the custom node to its patched version (custom nodes are git-versioned; pull the fix commit) and restarting ComfyUI.",
+    "vendor_update_paths": [
+      "Update the affected ComfyUI custom node to its patched version, never expose ComfyUI to untrusted networks, treat custom nodes as code (review before install), and run ComfyUI as a least-privilege user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track third-party ComfyUI custom nodes as managed, RCE-bearing software.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag internet-exposed ComfyUI instances as a custom-node RCE surface.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates ComfyUI custom nodes (which auto-load and run code) as an in-scope execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach third-party AI-tool plugins as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model custom-node RCE in an AI image-generation tool as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating AI-tool custom nodes / plugins as code requiring review.",
+      "AU-ISM-1546": "Patch-application control does not single out third-party AI-tool extensions.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an AI tool's auto-loaded custom nodes / plugins as an untrusted-code supply-chain and execution surface; a single vulnerable node is unauthenticated RCE."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, patched at/after disclosure (Hard Rule #3); active_exploitation kept 'none' for this specific CVE despite the broader ComfyUI botnet campaign (unconfirmed vector). poc_available=20 + blast_radius=24 (ComfyUI is a widely deployed AI image-generation tool) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-21575",
+    "cwe_refs": [
+      "CWE-35"
+    ],
+    "iocs": {
+      "behavioral": [
+        "POST requests to /upload/temp on a ComfyUI instance with traversal sequences or a .py extension in image.filename.",
+        "New or modified .py files appearing in ComfyUI's ./custom_nodes directory not from a known install.",
+        "Code execution after a ComfyUI restart correlated with a prior file-upload request.",
+        "ComfyUI exposed to untrusted networks with the affected custom node installed — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-21575 (CWE-35) and Snyk Labs' ComfyUI custom-node research (https://labs.snyk.io/resources/hacking-comfyui-through-custom-nodes/) and GHSA-6mx8-m8xp-f2vc."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-21575",
+      "https://labs.snyk.io/resources/hacking-comfyui-through-custom-nodes/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Snyk Labs / GitHub Advisory",
+        "advisory_id": "CVE-2024-21575",
+        "url": "https://github.com/advisories/GHSA-6mx8-m8xp-f2vc",
+        "severity": "high",
+        "published_date": "2024-12-12"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-21575",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21575",
+        "severity": "high",
+        "published_date": "2024-12-12"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-35; NIST CVSS 8.6) + Snyk Labs' ComfyUI custom-node research. Member of the ComfyUI custom-node RCE family (auto-loaded node code as an unauthenticated execution surface).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ComfyUI-Impact-Pack's /upload/temp lacks filename validation (CWE-35), letting an unauthenticated attacker write to ./custom_nodes for auto-loaded RCE."
+  },
+  "CVE-2024-21576": {
+    "name": "ComfyUI-Bmad-Nodes Workflow Code Injection RCE",
+    "type": "RCE",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 10.0 (CRITICAL, Scope:Changed). A validation bypass in the BuildColorRangeHSVAdvanced / FilterContour / FindContour custom nodes reaches a dynamic-code-evaluation call on a crafted workflow string (CWE-94 code injection).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (Snyk Labs, 'Don't Get Too Comfortable: Hacking ComfyUI Through Custom Nodes'): a crafted workflow reaches the node's dynamic-code-evaluation path to execute arbitrary code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Snyk Labs research into the ComfyUI custom-node ecosystem. The abused surface is a popular ComfyUI custom node; ComfyUI auto-loads node code, so custom nodes are an execution boundary.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; code injection via dynamic evaluation in a ComfyUI custom node.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with coordinated fixes. Note the broader context: in April 2026, reporting described a cryptomining botnet mass-targeting internet-exposed ComfyUI instances via the custom-node attack surface (ComfyUI-Manager install endpoint); this specific CVE is not confirmed as that campaign's vector, but it is the same exposed-custom-node class.",
+    "affected": "ComfyUI-Bmad-Nodes prior to the patched release.",
+    "affected_versions": [
+      "ComfyUI-Bmad-Nodes (pre-fix)"
+    ],
+    "vector": "ComfyUI-Bmad-Nodes' BuildColorRangeHSVAdvanced, FilterContour and FindContour nodes bypass validation and pass a workflow-supplied string to a dynamic-code-evaluation call (eval(), CWE-94). A crafted ComfyUI workflow therefore executes arbitrary Python on the host with no authentication.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated against a reachable ComfyUI instance.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is updating the custom node to its patched version (custom nodes are git-versioned; pull the fix commit) and restarting ComfyUI.",
+    "vendor_update_paths": [
+      "Update the affected ComfyUI custom node to its patched version, never expose ComfyUI to untrusted networks, treat custom nodes as code (review before install), and run ComfyUI as a least-privilege user."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track third-party ComfyUI custom nodes as managed, RCE-bearing software.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag internet-exposed ComfyUI instances as a custom-node RCE surface.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates ComfyUI custom nodes (which auto-load and run code) as an in-scope execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach third-party AI-tool plugins as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model custom-node RCE in an AI image-generation tool as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating AI-tool custom nodes / plugins as code requiring review.",
+      "AU-ISM-1546": "Patch-application control does not single out third-party AI-tool extensions.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an AI tool's auto-loaded custom nodes / plugins as an untrusted-code supply-chain and execution surface; a single vulnerable node is unauthenticated RCE."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, patched at/after disclosure (Hard Rule #3); active_exploitation kept 'none' for this specific CVE despite the broader ComfyUI botnet campaign (unconfirmed vector). poc_available=20 + blast_radius=24 (ComfyUI is a widely deployed AI image-generation tool) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-21576",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ComfyUI workflows invoking BuildColorRangeHSVAdvanced / FilterContour / FindContour nodes with code-like string parameters.",
+        "Python interpreter / subprocess activity triggered during ComfyUI workflow execution.",
+        "Crafted workflow JSON submitted to a ComfyUI instance from an untrusted source.",
+        "ComfyUI exposed to untrusted networks with the affected custom node installed — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-21576 (CWE-94) and Snyk Labs' ComfyUI custom-node research (https://labs.snyk.io/resources/hacking-comfyui-through-custom-nodes/)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-21576",
+      "https://labs.snyk.io/resources/hacking-comfyui-through-custom-nodes/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Snyk Labs / GitHub Advisory",
+        "advisory_id": "CVE-2024-21576",
+        "url": "https://labs.snyk.io/resources/hacking-comfyui-through-custom-nodes/",
+        "severity": "critical",
+        "published_date": "2024-12-13"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-21576",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21576",
+        "severity": "critical",
+        "published_date": "2024-12-13"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; NIST CVSS 10) + Snyk Labs' ComfyUI custom-node research. Member of the ComfyUI custom-node RCE family (auto-loaded node code as an unauthenticated execution surface).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ComfyUI-Bmad-Nodes passes a workflow-supplied string to a dynamic-code-evaluation call (CWE-94), so a crafted workflow yields unauthenticated RCE."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -252,6 +252,7 @@
     "evidence_cves": [
       "CVE-2021-26829",
       "CVE-2024-11182",
+      "CVE-2024-27132",
       "CVE-2024-27443",
       "CVE-2024-42009",
       "CVE-2025-27915",
@@ -372,6 +373,8 @@
       "CVE-2017-1000353",
       "CVE-2020-25078",
       "CVE-2022-48503",
+      "CVE-2024-21576",
+      "CVE-2024-27132",
       "CVE-2024-56145",
       "CVE-2025-11837",
       "CVE-2025-1550",
@@ -2716,6 +2719,7 @@
     ],
     "related_weaknesses": [],
     "evidence_cves": [
+      "CVE-2024-21575",
       "CVE-2025-8088"
     ],
     "last_verified": "2026-05-18",

package/data/framework-control-gaps.json

@@ -43,6 +43,9 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-1561",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
+      "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -1387,7 +1390,10 @@
       "CVE-2024-12987",
       "CVE-2024-1561",
       "CVE-2024-1708",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-27132",
       "CVE-2024-27199",
       "CVE-2024-27443",
       "CVE-2024-37032",
@@ -1804,6 +1810,9 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-1561",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
+      "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -2178,6 +2187,8 @@
       "CVE-2023-51449",
       "CVE-2024-0132",
       "CVE-2024-1561",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
       "CVE-2024-40635",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -2256,6 +2267,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-50050",
@@ -2419,7 +2431,10 @@
       "CVE-2024-12987",
       "CVE-2024-1561",
       "CVE-2024-1708",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-27132",
       "CVE-2024-27199",
       "CVE-2024-27443",
       "CVE-2024-37032",
@@ -4912,7 +4927,10 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-1561",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -5447,7 +5465,10 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-1561",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -5525,7 +5546,10 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-1561",
+      "CVE-2024-21575",
+      "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",

package/data/zeroday-lessons.json

@@ -2142,6 +2142,156 @@
     "ai_discovery_source": "human_researcher",
     "ai_assist_factor": "low"
   },
+  "CVE-2024-27132": {
+    "name": "MLflow Recipe Template Injection XSS to Client-Side RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "MLflow renders recipe template variables without sufficient sanitization (CWE-79, rooted in template injection), so an untrusted recipe executes script in the victim's MLflow session and can pivot to privileged tracking-server actions.",
+      "privileges_required": "none beyond getting a victim to run/view an untrusted recipe (NVD UI:R)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the recipe-rendering UI of MLflow, a widely used MLOps experiment-tracking platform. The lesson: MLOps platform UIs render user/community-supplied content (recipes, run metadata, model cards) and must output-encode it — the MLOps UI is a privileged control surface, not a passive viewer."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the MLOps experiment-tracking platform as managed, user-facing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Output-encoding is not applied to recipe template variables rendered in the MLflow UI."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats untrusted MLOps content (recipes, run metadata) as requiring sanitization before rendering."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "MLOps platforms are deployed for internal teams and assumed trusted; untrusted recipes/run metadata are rendered without output encoding.",
+      "theater_pattern": "ai_demo_framework_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-097",
+        "name": "MLOPS-PLATFORM-UNTRUSTED-CONTENT-ENCODING",
+        "description": "An MLOps platform UI must output-encode and sanitize all user/community-supplied content it renders (recipe template variables, run metadata, model cards, artifact names) and must not expose its UI / tracking server to untrusted users. Upgrade MLflow to 2.10.0 or later. The distinguishing test: load a recipe whose template variables contain script payloads into a staging MLflow and confirm the UI renders them inert, not executed.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-27132",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-21575": {
+    "name": "ComfyUI-Impact-Pack Path Traversal Arbitrary File Write to RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "A ComfyUI custom node (CWE-35 path traversal on /upload/temp -> write into ./custom_nodes) gives an unauthenticated attacker code execution on a reachable ComfyUI instance. ComfyUI auto-loads node code, so a single vulnerable or malicious custom node is an execution boundary.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated against a reachable ComfyUI instance",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the custom-node ecosystem of ComfyUI, a widely deployed AI image-generation tool. The lesson: AI tools with auto-loaded plugin/custom-node systems treat extension code as trusted, so a single vulnerable node is unauthenticated RCE and the node registry is a supply-chain surface. In April 2026 a cryptomining botnet mass-targeted exposed ComfyUI via this surface."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track third-party ComfyUI custom nodes as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag internet-exposed ComfyUI instances as a custom-node RCE surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an AI tool's auto-loaded custom nodes as an untrusted-code supply-chain and execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI image-gen tools are deployed with community custom nodes installed and often internet-exposed; the node ecosystem is trusted by default and not in the vulnerability program.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-098",
+        "name": "AI-TOOL-CUSTOM-NODE-EXTENSION-TRUST",
+        "description": "An AI tool that auto-loads custom nodes / plugins must treat them as code: review/allow-list before install, validate any file paths or workflow strings the nodes consume, never expose the tool (or its node-install endpoint) to untrusted networks, and run least-privilege. Update affected ComfyUI custom nodes to their patched versions. The distinguishing test: from an unauthenticated client, attempt the path-traversal upload and the crafted-workflow code-injection against a staging ComfyUI and confirm neither writes outside the temp dir nor executes node-supplied strings.",
+        "evidence": "https://github.com/advisories/GHSA-6mx8-m8xp-f2vc",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-21576": {
+    "name": "ComfyUI-Bmad-Nodes Workflow Code Injection RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "A ComfyUI custom node (CWE-94 code injection via dynamic evaluation of a workflow string) gives an unauthenticated attacker code execution on a reachable ComfyUI instance. ComfyUI auto-loads node code, so a single vulnerable or malicious custom node is an execution boundary.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated against a reachable ComfyUI instance",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the custom-node ecosystem of ComfyUI, a widely deployed AI image-generation tool. The lesson: AI tools with auto-loaded plugin/custom-node systems treat extension code as trusted, so a single vulnerable node is unauthenticated RCE and the node registry is a supply-chain surface. In April 2026 a cryptomining botnet mass-targeted exposed ComfyUI via this surface."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track third-party ComfyUI custom nodes as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag internet-exposed ComfyUI instances as a custom-node RCE surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an AI tool's auto-loaded custom nodes as an untrusted-code supply-chain and execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI image-gen tools are deployed with community custom nodes installed and often internet-exposed; the node ecosystem is trusted by default and not in the vulnerability program.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-098",
+        "name": "AI-TOOL-CUSTOM-NODE-EXTENSION-TRUST",
+        "description": "An AI tool that auto-loads custom nodes / plugins must treat them as code: review/allow-list before install, validate any file paths or workflow strings the nodes consume, never expose the tool (or its node-install endpoint) to untrusted networks, and run least-privilege. Update affected ComfyUI custom nodes to their patched versions. The distinguishing test: from an unauthenticated client, attempt the path-traversal upload and the crafted-workflow code-injection against a staging ComfyUI and confirm neither writes outside the temp dir nor executes node-supplied strings.",
+        "evidence": "https://labs.snyk.io/resources/hacking-comfyui-through-custom-nodes/",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2020-10148": {
     "name": "SolarWinds Orion API authentication bypass (SUNBURST chain component)",
     "lesson_date": "2026-05-19",