@blamejs/exceptd-skills 0.13.91 → 0.13.92

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.13.92 — 2026-05-25
+
+CVE catalog — ComfyUI custom-node RCE. Adds the two Snyk-disclosed flaws in the ComfyUI custom-node ecosystem, the AI image-generation tool whose nodes auto-load and run code. **CVE-2024-21575** (ComfyUI-Impact-Pack, CWE-35, NIST CVSS 8.6) — missing validation of `image.filename` on `/upload/temp` allows path-traversal arbitrary file write; dropping a `.py` into the auto-loaded `./custom_nodes` directory escalates to remote code execution. **CVE-2024-21576** (ComfyUI-Bmad-Nodes, CWE-94, NIST CVSS 10.0) — several nodes pass a workflow-supplied string to a dynamic-code-evaluation call, so a crafted workflow yields unauthenticated RCE. Both map ATLAS AML.T0049 and ATT&CK T1190 / T1059; their shared zero-day lesson (NEW-CTRL-098) treats auto-loaded AI-tool custom nodes as an untrusted-code supply-chain and execution surface (allow-list before install, validate node inputs, never expose the tool to untrusted networks). The entries note the April 2026 cryptomining-botnet campaign mass-targeting exposed ComfyUI via this surface, without attributing it to these specific CVEs. CVE count 364 → 366.
+
 ## 0.13.91 — 2026-05-25
 
 CVE catalog — MLflow recipe template-injection XSS. Adds **CVE-2024-27132** (CWE-79, NIST CVSS 9.6 CRITICAL): MLflow renders recipe template variables without sufficient sanitization, so running an untrusted recipe executes script in the victim's MLflow session (stored XSS) and pivots to client-side remote code execution against the tracking-server UI; fixed in 2.10.0. Maps ATLAS AML.T0049 and ATT&CK T1189 / T1059.007, with a zero-day lesson (NEW-CTRL-097) requiring the MLOps platform UI to output-encode all user/community-supplied content it renders (recipe variables, run metadata, model cards) and stay off untrusted networks. Complements the existing MLflow path-traversal entry (CVE-2023-43472). CVE count 363 → 364.

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-26T01:37:09.110Z",
+  "generated_at": "2026-05-26T01:59:04.683Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "a4eac1fd8a86e102e599b78383b701c7711dfab4a783ae62a85737babb34fc2f",
-    "data/atlas-ttps.json": "1a6452f10f8919689c664fe01651513bf14041533de01e86521d1fef93a78b84",
-    "data/attack-techniques.json": "cea9e6be34a28b3fd4b8d5d0987f6b1e0579df59944c4a2580577a0255eb209c",
-    "data/cve-catalog.json": "71467957a802aa26762120adecf504d9d15f073e229c996147883348e8888f79",
-    "data/cwe-catalog.json": "6efc5e5d437b3057deda7e2892d758ae602d21bb9db5de99710d27675e12ea54",
+    "manifest.json": "9d6426f67cdfafee9e4833838eaf960ae38ce1e9090357d04f1ee1cd0d296ae9",
+    "data/atlas-ttps.json": "b5d275632c4d178fdc0aecf1e7e87329efd7e14a74178238cc2f0763e633fade",
+    "data/attack-techniques.json": "20659c54554046dd72a862c4581a1cb683546437306444039a990eeabb9e7f65",
+    "data/cve-catalog.json": "77ca00bffb395a5b4ad1e79b799f23c9531cfffad9955d8f08a7a80bd292ac83",
+    "data/cwe-catalog.json": "69f45c04a42109a82f3178319e89b73c63aa19c58e849bb08828149a39865d2b",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "9791a8528960a5443dcb6cdc18fef55d43462cd0550870ed8898107123823df5",
+    "data/framework-control-gaps.json": "56cb069123aef3ebe0eeb04eb841b07458c448ffebe71b67a604f52118e9b06a",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
-    "data/zeroday-lessons.json": "ec7a19887bc372240279f28271010d3c9db18c76c62c9c8fb15b7685a484d5d5",
+    "data/zeroday-lessons.json": "b2aae495b7e30d33635073dc71db6912e79e6b5ddc6a5534dbe4712ad3f8fce1",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
     "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 353,
+    "chains_cve_entries": 355,
     "chains_cwe_entries": 171,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,

package/data/_indexes/activity-feed.json

@@ -149,7 +149,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 364
+      "entry_count": 366
     },
     {
       "date": "2026-05-18",
@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 359
+      "entry_count": 361
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 364,
+      "entry_count": 366,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 359,
+      "entry_count": 361,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",