@blamejs/exceptd-skills 0.13.92 → 0.13.93

package/data/atlas-ttps.json

@@ -545,6 +545,8 @@
     "maturity": "high",
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2023-44467",
+      "CVE-2024-21513",
       "CVE-2025-53773",
       "CVE-2025-55319",
       "CVE-2025-68664",
@@ -1268,9 +1270,11 @@
     "exceptd_skills": [],
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2023-44467",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-21513",
       "CVE-2025-1550",
       "CVE-2025-8747",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"

package/data/attack-techniques.json

@@ -274,10 +274,12 @@
     "cve_refs": [
       "CVE-2022-1471",
       "CVE-2023-43654",
+      "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-21513",
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-37032",
@@ -361,6 +363,8 @@
     "name": "Command and Scripting Interpreter: Python",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-44467",
+      "CVE-2024-21513",
       "CVE-2025-49844",
       "MAL-2026-3083"
     ],

package/data/cve-catalog.json

@@ -14127,6 +14127,216 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "ComfyUI-Bmad-Nodes passes a workflow-supplied string to a dynamic-code-evaluation call (CWE-94), so a crafted workflow yields unauthenticated RCE."
   },
+  "CVE-2024-21513": {
+    "name": "LangChain-Experimental VectorSQLDatabaseChain Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.5 (HIGH). VectorSQLDatabaseChain runs a dynamic-code-evaluation call (eval()) on values retrieved from the database (CWE-94); an attacker controlling the input prompt executes Python.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the Snyk / GitHub advisory and Unit 42 LangChain research: a prompt-injection payload steers the chain into executing attacker-controlled Python.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via Snyk / the LangChain advisories (Unit 42 also analyzed the class). The abused surface is LangChain's experimental chains that execute LLM-generated or prompt-influenced code.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Prompt-injection-mediated: the LLM-app input prompt is the attack vector that steers code generation/evaluation. Not AI-assisted exploit development, but an AI-native attack surface.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "langchain-experimental 0.0.15 through 0.0.20 (fixed 0.0.21).",
+    "affected_versions": [
+      "langchain-experimental >= 0.0.15, <= 0.0.20"
+    ],
+    "vector": "With VectorSQLDatabaseChain configured, langchain-experimental passes database-retrieved values to a dynamic-code-evaluation call without sanitization (CWE-94). An attacker who controls the input prompt steers what is retrieved/evaluated, achieving arbitrary Python code execution in the application.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N. The precondition is an LLM application exposing the affected experimental chain to attacker-influenced prompts.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to langchain-experimental 0.0.21 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade to langchain-experimental 0.0.21 or later. Do not expose chains that execute generated code (PALChain, VectorSQLDatabaseChain, LLMMathChain) to untrusted prompts; sandbox or disable code execution and treat all prompt-derived code as untrusted."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track LLM-orchestration libraries' code-executing chains as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control does not cover prompt-influenced strings that an LLM chain turns into executable code.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates LLM chains that execute generated code as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach LLM-orchestration code-execution chains as a privileged surface.",
+      "DORA-Art-9": "ICT protection measures do not model prompt-injection-to-code-execution in an LLM app as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for sandboxing code an LLM chain generates or evaluates.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM-orchestration libraries.",
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": "No framework treats prompt-influenced input to a code-executing LLM chain as untrusted code; prompt injection becomes arbitrary code execution."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0011"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=22 (langchain-experimental is widely used in LLM apps) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-21513",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "An LLM chain (PALChain / VectorSQLDatabaseChain / LLMMathChain) executing or evaluating code derived from a user-supplied prompt.",
+        "Prompt payloads containing Python constructs (the dunder-import builtin, OS command invocations, code embedded in math/SQL fields) reaching a LangChain experimental chain.",
+        "Python subprocess / import activity in an LLM application correlated with a chain invocation.",
+        "langchain-experimental at an affected version (langchain-experimental >= 0.0.15, <= 0.0.20) exposing a code-executing chain to untrusted prompts - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-21513 (CWE-94) and the Snyk / LangChain advisory + Unit 42 LangChain research (https://unit42.paloaltonetworks.com/langchain-vulnerabilities/)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-21513",
+      "https://github.com/advisories/GHSA-cgcg-p68q-3w7v",
+      "https://unit42.paloaltonetworks.com/langchain-vulnerabilities/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Snyk / GitHub Advisory",
+        "advisory_id": "CVE-2024-21513",
+        "url": "https://github.com/advisories/GHSA-cgcg-p68q-3w7v",
+        "severity": "high",
+        "published_date": "2024-07-15"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-21513",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21513",
+        "severity": "high",
+        "published_date": "2024-07-15"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; NIST CVSS 8.5) + Snyk / LangChain advisory + Unit 42 research. Member of the LangChain experimental-chain code-execution family (prompt injection to RCE); distinct from the LangGrinch serialization (CVE-2025-68664) and Chatchat MCP (CVE-2026-30617) entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "langchain-experimental's VectorSQLDatabaseChain evaluates prompt-influenced database values as code (CWE-94), giving arbitrary code execution; fixed in 0.0.21."
+  },
+  "CVE-2023-44467": {
+    "name": "LangChain-Experimental PALChain dunder-import Code Execution (CVE-2023-36258 bypass)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); NVD assigned no CWE - the operational class is CWE-94 (code injection). PALChain executes generated Python; the dunder-import builtin was not prohibited, bypassing the CVE-2023-36258 fix.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the Snyk / GitHub advisory and Unit 42 LangChain research: a prompt-injection payload steers the chain into executing attacker-controlled Python.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via Snyk / the LangChain advisories (Unit 42 also analyzed the class). The abused surface is LangChain's experimental chains that execute LLM-generated or prompt-influenced code.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Prompt-injection-mediated: the LLM-app input prompt is the attack vector that steers code generation/evaluation. Not AI-assisted exploit development, but an AI-native attack surface.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "langchain_experimental before 0.0.306 (PALChain).",
+    "affected_versions": [
+      "langchain_experimental < 0.0.306"
+    ],
+    "vector": "PALChain (program-aided language model) executes Python generated from the prompt. The CVE-2023-36258 fix did not prohibit the dunder-import builtin, so a prompt-injection payload using it in the generated code bypasses the restriction and executes arbitrary code (CWE-94).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N. The precondition is an LLM application exposing the affected experimental chain to attacker-influenced prompts.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to langchain-experimental 0.0.306 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade to langchain-experimental 0.0.306 or later. Do not expose chains that execute generated code (PALChain, VectorSQLDatabaseChain, LLMMathChain) to untrusted prompts; sandbox or disable code execution and treat all prompt-derived code as untrusted."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track LLM-orchestration libraries' code-executing chains as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control does not cover prompt-influenced strings that an LLM chain turns into executable code.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates LLM chains that execute generated code as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach LLM-orchestration code-execution chains as a privileged surface.",
+      "DORA-Art-9": "ICT protection measures do not model prompt-injection-to-code-execution in an LLM app as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for sandboxing code an LLM chain generates or evaluates.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM-orchestration libraries.",
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": "No framework treats prompt-influenced input to a code-executing LLM chain as untrusted code; prompt injection becomes arbitrary code execution."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0011"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=22 (langchain-experimental is widely used in LLM apps) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-44467",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "An LLM chain (PALChain / VectorSQLDatabaseChain / LLMMathChain) executing or evaluating code derived from a user-supplied prompt.",
+        "Prompt payloads containing Python constructs (the dunder-import builtin, OS command invocations, code embedded in math/SQL fields) reaching a LangChain experimental chain.",
+        "Python subprocess / import activity in an LLM application correlated with a chain invocation.",
+        "langchain-experimental at an affected version (langchain_experimental < 0.0.306) exposing a code-executing chain to untrusted prompts - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2023-44467 (CWE-94) and the Snyk / LangChain advisory + Unit 42 LangChain research (https://unit42.paloaltonetworks.com/langchain-vulnerabilities/)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-44467",
+      "https://github.com/advisories/GHSA-gjjr-63x4-v8cq",
+      "https://unit42.paloaltonetworks.com/langchain-vulnerabilities/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "GHSA-gjjr-63x4-v8cq",
+        "url": "https://github.com/advisories/GHSA-gjjr-63x4-v8cq",
+        "severity": "critical",
+        "published_date": "2023-10-09"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-44467",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44467",
+        "severity": "critical",
+        "published_date": "2023-10-09"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; NIST CVSS 9.8) + Snyk / LangChain advisory + Unit 42 research. Member of the LangChain experimental-chain code-execution family (prompt injection to RCE); distinct from the LangGrinch serialization (CVE-2025-68664) and Chatchat MCP (CVE-2026-30617) entries.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "langchain_experimental's PALChain runs prompt-generated Python and did not block the dunder-import builtin, bypassing the CVE-2023-36258 fix for arbitrary code execution; fixed in 0.0.306."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -373,6 +373,8 @@
       "CVE-2017-1000353",
       "CVE-2020-25078",
       "CVE-2022-48503",
+      "CVE-2023-44467",
+      "CVE-2024-21513",
       "CVE-2024-21576",
       "CVE-2024-27132",
       "CVE-2024-56145",

package/data/framework-control-gaps.json

@@ -145,6 +145,8 @@
     "status": "open",
     "opened_date": "2026-01-01",
     "evidence_cves": [
+      "CVE-2023-44467",
+      "CVE-2024-21513",
       "CVE-2026-25592"
     ],
     "atlas_refs": [
@@ -1379,6 +1381,7 @@
       "CVE-2023-41974",
       "CVE-2023-43000",
       "CVE-2023-43654",
+      "CVE-2023-44467",
       "CVE-2023-50224",
       "CVE-2023-51449",
       "CVE-2023-52163",
@@ -1390,6 +1393,7 @@
       "CVE-2024-12987",
       "CVE-2024-1561",
       "CVE-2024-1708",
+      "CVE-2024-21513",
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
@@ -1803,6 +1807,7 @@
     "evidence_cves": [
       "CVE-2022-1471",
       "CVE-2023-43654",
+      "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
@@ -1810,6 +1815,7 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-1561",
+      "CVE-2024-21513",
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-27132",
@@ -2264,9 +2270,11 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2023-44467",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-21513",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -2419,6 +2427,7 @@
       "CVE-2023-41974",
       "CVE-2023-43000",
       "CVE-2023-43654",
+      "CVE-2023-44467",
       "CVE-2023-50224",
       "CVE-2023-51449",
       "CVE-2023-52163",
@@ -2431,6 +2440,7 @@
       "CVE-2024-12987",
       "CVE-2024-1561",
       "CVE-2024-1708",
+      "CVE-2024-21513",
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
@@ -4920,6 +4930,7 @@
     "evidence_cves": [
       "CVE-2022-1471",
       "CVE-2023-43654",
+      "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
@@ -4927,6 +4938,7 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-1561",
+      "CVE-2024-21513",
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
@@ -5459,12 +5471,14 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2023-44467",
       "CVE-2023-51449",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-1561",
+      "CVE-2024-21513",
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
@@ -5539,6 +5553,7 @@
     "evidence_cves": [
       "CVE-2022-1471",
       "CVE-2023-43654",
+      "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-0132",
@@ -5546,6 +5561,7 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-1561",
+      "CVE-2024-21513",
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",

package/data/zeroday-lessons.json

@@ -4011,6 +4011,106 @@
     "ai_discovery_date": "2025-12-09",
     "ai_assist_factor": "medium"
   },
+  "CVE-2024-21513": {
+    "name": "LangChain-Experimental VectorSQLDatabaseChain Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "A LangChain experimental chain (CWE-94 dynamic evaluation of prompt-influenced database values) turns prompt-influenced input into executed Python, so prompt injection becomes arbitrary code execution in the LLM application.",
+      "privileges_required": "control of the input prompt to the LLM application (NVD AV:N)",
+      "complexity": "low-to-moderate (steer the chain's generated/evaluated code via the prompt)",
+      "ai_factor": "This is an AI-native attack surface: the LLM-application prompt is the injection vector, and chains that execute generated code (PALChain, VectorSQLDatabaseChain, LLMMathChain) convert prompt injection into RCE. The CVE-2023-36258 -> CVE-2023-44467 sequence shows denylisting builtins is an incomplete fix; code generated under attacker influence must be sandboxed or not executed at all."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track LLM-orchestration libraries' code-executing chains as RCE-bearing software, nor that builtin denylists are an incomplete fix."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation does not cover prompt-influenced strings an LLM chain turns into executable code."
+      },
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats prompt-influenced input to a code-executing LLM chain as untrusted code; prompt injection becomes arbitrary code execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "LLM apps wire in code-executing chains for convenience and trust the prompt; denylist-based mitigations are assumed sufficient despite documented bypasses.",
+      "theater_pattern": "incomplete_fix_assumed_complete"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "prompt_injection_vector",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-099",
+        "name": "LLM-CHAIN-GENERATED-CODE-EXECUTION-CONTROL",
+        "description": "LLM chains/agents that execute generated or prompt-influenced code (PALChain, VectorSQLDatabaseChain, LLMMathChain, Python/Pandas agents) must sandbox execution in an isolated, least-privilege, network-restricted environment or disable code execution entirely; builtin/function denylists are insufficient (the CVE-2023-36258 fix was bypassed via the dunder-import builtin in CVE-2023-44467). Upgrade langchain-experimental to 0.0.21 or later, and never expose a code-executing chain to untrusted prompts. The distinguishing test: send a prompt-injection payload that requests code execution to a staging chain and confirm it is sandboxed/refused, not run in-process.",
+        "evidence": "https://github.com/advisories/GHSA-cgcg-p68q-3w7v",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-44467": {
+    "name": "LangChain-Experimental PALChain dunder-import Code Execution (CVE-2023-36258 bypass)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "A LangChain experimental chain (CWE-94 prompt-generated Python with an incomplete builtin denylist) turns prompt-influenced input into executed Python, so prompt injection becomes arbitrary code execution in the LLM application.",
+      "privileges_required": "control of the input prompt to the LLM application (NVD AV:N)",
+      "complexity": "low-to-moderate (steer the chain's generated/evaluated code via the prompt)",
+      "ai_factor": "This is an AI-native attack surface: the LLM-application prompt is the injection vector, and chains that execute generated code (PALChain, VectorSQLDatabaseChain, LLMMathChain) convert prompt injection into RCE. The CVE-2023-36258 -> CVE-2023-44467 sequence shows denylisting builtins is an incomplete fix; code generated under attacker influence must be sandboxed or not executed at all."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track LLM-orchestration libraries' code-executing chains as RCE-bearing software, nor that builtin denylists are an incomplete fix."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation does not cover prompt-influenced strings an LLM chain turns into executable code."
+      },
+      "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats prompt-influenced input to a code-executing LLM chain as untrusted code; prompt injection becomes arbitrary code execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "LLM apps wire in code-executing chains for convenience and trust the prompt; denylist-based mitigations are assumed sufficient despite documented bypasses.",
+      "theater_pattern": "incomplete_fix_assumed_complete"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "prompt_injection_vector",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-099",
+        "name": "LLM-CHAIN-GENERATED-CODE-EXECUTION-CONTROL",
+        "description": "LLM chains/agents that execute generated or prompt-influenced code (PALChain, VectorSQLDatabaseChain, LLMMathChain, Python/Pandas agents) must sandbox execution in an isolated, least-privilege, network-restricted environment or disable code execution entirely; builtin/function denylists are insufficient (the CVE-2023-36258 fix was bypassed via the dunder-import builtin in CVE-2023-44467). Upgrade langchain-experimental to 0.0.306 or later, and never expose a code-executing chain to untrusted prompts. The distinguishing test: send a prompt-injection payload that requests code execution to a staging chain and confirm it is sandboxed/refused, not run in-process.",
+        "evidence": "https://github.com/advisories/GHSA-gjjr-63x4-v8cq",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-22224": {
     "name": "VMware ESXi/Workstation VMCI TOCTOU → VMX Host Code Execution",
     "lesson_date": "2026-05-18",