@blamejs/exceptd-skills 0.13.93 → 0.13.95

package/data/atlas-ttps.json

@@ -1718,6 +1718,7 @@
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
       "CVE-2024-21576",

package/data/attack-techniques.json

@@ -279,6 +279,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-13059",
       "CVE-2024-21513",
       "CVE-2024-21575",
       "CVE-2024-21576",
@@ -288,6 +289,7 @@
       "CVE-2025-1094",
       "CVE-2025-11837",
       "CVE-2025-1550",
+      "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-30165",
       "CVE-2025-32444",
@@ -857,6 +859,7 @@
       "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2024-12987",
+      "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-1709",
       "CVE-2024-21575",

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.033,
+      "current_rate": 0.032,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -14337,6 +14337,211 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "langchain_experimental's PALChain runs prompt-generated Python and did not block the dunder-import builtin, bypassing the CVE-2023-36258 fix for arbitrary code execution; fixed in 0.0.306."
   },
+  "CVE-2024-13059": {
+    "name": "AnythingLLM Non-ASCII Filename Path Traversal Arbitrary File Write to RCE",
+    "type": "RCE",
+    "cvss_score": 7.2,
+    "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CNA (huntr.dev) CVSS v3.0 base 7.2 (HIGH); NVD has not published its own assessed score for this CVE. Improper handling of non-ASCII filenames in the multer upload library introduces unsanitized ../ sequences (CWE-22), allowing a manager/admin user to write files to arbitrary paths and achieve RCE.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in OffSec and Nox90 research: a manager/admin uploads a file whose non-ASCII filename transforms into a path-traversal sequence, writing attacker content to an arbitrary location (e.g. a startup script / cron path) for remote code execution.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via OffSec / Nox90 research. AnythingLLM is a widely used self-hosted RAG / AI chat application; the abused surface is its document-upload handler.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; path-traversal file write in the AI app's upload handler.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "AnythingLLM (mintplex-labs) before 1.3.1.",
+    "affected_versions": [
+      "AnythingLLM < 1.3.1"
+    ],
+    "vector": "AnythingLLM's upload handler relies on the multer library, which mishandles non-ASCII filenames so that a crafted name decodes to include ../ traversal sequences left unsanitized (CWE-22). A manager/admin user uploads such a file to write attacker-controlled content to an arbitrary path; placing it in a system-executed directory yields remote code execution on the host.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:H — requires a manager or admin account, but no user interaction.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading AnythingLLM to 1.3.1 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade AnythingLLM to 1.3.1 or later, restrict manager/admin roles, run the app as a least-privilege user, and do not expose it to untrusted users."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track self-hosted RAG / AI chat applications as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to uploaded filenames (including non-ASCII transformations) in the AI app's upload handler.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI app's upload/file handling as a path-traversal surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the self-hosted AI app as a privileged surface.",
+      "DORA-Art-9": "ICT protection measures do not model path-traversal file write in a RAG application as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating upload filenames in the AI app.",
+      "AU-ISM-1546": "Patch-application control does not single out self-hosted RAG / AI chat applications.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the AI app's document-upload filename as untrusted input reaching the filesystem; a manager-role upload becomes host RCE."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 25,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 25, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3); requires a manager/admin account (PR:H), which lowers reachability. poc_available=20 + blast_radius=20 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-13059",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "AnythingLLM document uploads with non-ASCII filenames that decode to include ../ traversal sequences.",
+        "Files written by AnythingLLM outside its intended document-storage directory (startup scripts, cron paths, app directories).",
+        "Code execution on the AnythingLLM host following a manager/admin file upload.",
+        "AnythingLLM < 1.3.1 with manager/admin accounts reachable by untrusted users — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-13059 (CWE-22) and the OffSec / Nox90 research (https://www.offsec.com/blog/cve-2024-13059/). The non-ASCII-filename multer traversal is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-13059",
+      "https://www.offsec.com/blog/cve-2024-13059/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "OffSec / Nox90 research",
+        "advisory_id": "CVE-2024-13059",
+        "url": "https://www.offsec.com/blog/cve-2024-13059/",
+        "severity": "high",
+        "published_date": "2025-02-10"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-13059",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13059",
+        "severity": "high",
+        "published_date": "2025-02-10"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22; CNA huntr.dev CVSS 7.2, no NVD-assessed score) + OffSec / Nox90 research. AnythingLLM upload path-traversal to RCE; same path-traversal class as the Ollama API entries (shares NEW-CTRL-094).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "AnythingLLM's upload handler mishandles non-ASCII filenames (multer) so a manager/admin upload path-traverses to an arbitrary write and RCE (CWE-22); fixed in 1.3.1."
+  },
+  "CVE-2025-1753": {
+    "name": "LlamaIndex CLI --files OS Command Injection",
+    "type": "RCE",
+    "cvss_score": 7.8,
+    "cvss_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CNA (huntr.dev) CVSS v3.0 base 7.8 (HIGH); NVD has not published its own assessed score. The LlamaIndex CLI passes the --files argument directly to a shell-execution call (os.system) without neutralization (CWE-78).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the huntr.dev advisory: the LlamaIndex CLI passes the --files argument into a shell-execution call unsanitized, so shell metacharacters in --files execute arbitrary OS commands. The fix introduces shlex escaping.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev. LlamaIndex is a widely used RAG / LLM data-framework; the abused surface is its command-line interface.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic OS command injection in the framework CLI.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "LlamaIndex CLI (llama-index-cli) at v0.12.20 (fixed by the shlex-escaping patch).",
+    "affected_versions": [
+      "LlamaIndex CLI 0.12.20"
+    ],
+    "vector": "The LlamaIndex CLI builds a shell command from the user-supplied --files argument and runs it through a shell-execution call without neutralizing special elements (CWE-78). A user who can influence the --files value (e.g. via a wrapper, script, or automation that forwards untrusted input) executes arbitrary OS commands. The fix escapes input with shlex.",
+    "complexity": "low",
+    "complexity_notes": "CNA AV:L / AC:L / PR:L — local execution context; the precondition is untrusted input reaching the CLI --files argument.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading llama-index-cli to the release that adds shlex escaping; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade llama-index-cli past 0.12.20 to the shlex-escaped release. Do not forward untrusted input into the CLI's --files argument; prefer argv-array invocation over shell strings in any wrapper."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track LLM data-framework CLIs as managed, command-injection-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to CLI arguments the framework forwards to a shell.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an LLM framework's CLI argument handling as a command-injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach LLM-framework tooling as a managed surface.",
+      "DORA-Art-9": "ICT protection measures do not model command injection in an LLM data-framework CLI as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for neutralizing shell input in AI-framework CLIs.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM data-framework tooling.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an AI tool's CLI arguments as untrusted input that must be neutralized before shell execution; building shell strings from arguments is command injection."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1059"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 23, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3); local execution context (CNA AV:L) lowers reachability. poc_available=20 + blast_radius=18 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-1753",
+    "cwe_refs": [
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "LlamaIndex CLI invocations whose --files value contains shell metacharacters (;, |, $(), backticks).",
+        "Unexpected child processes spawned by the llama-index CLI during a --files operation.",
+        "Wrappers/automation forwarding untrusted input into the llama-index CLI --files argument.",
+        "llama-index-cli at 0.12.20 (pre-shlex-fix) reachable with untrusted --files input — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the primary disclosure: the huntr bounty report (https://huntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22), the GitHub Security Advisory GHSA-g99h-56mw-8263, and the fix commit run-llama/llama_index b57e76738c53ca82d88658b82f2d82d1c7839c7d (which adds shlex.quote escaping to the --files argument). The shell metacharacters in --files reaching the shell-exec call, and child processes spawned during a --files operation, are the indicator anchors; NVD CVE-2025-1753 (CWE-78) corroborates."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-1753",
+      "https://huntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22",
+      "https://github.com/advisories/GHSA-g99h-56mw-8263",
+      "https://github.com/run-llama/llama_index/commit/b57e76738c53ca82d88658b82f2d82d1c7839c7d"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "GHSA-g99h-56mw-8263",
+        "url": "https://github.com/advisories/GHSA-g99h-56mw-8263",
+        "severity": "high",
+        "published_date": "2025-05-28"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-1753",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1753",
+        "severity": "high",
+        "published_date": "2025-05-28"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-78; CNA huntr.dev CVSS 7.8, no NVD-assessed score) + the huntr.dev advisory. LlamaIndex CLI OS command injection (shell-string built from --files).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "LlamaIndex's CLI builds a shell command from the --files argument and runs it unsanitized (CWE-78), executing arbitrary OS commands; fixed by adding shlex escaping."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -96,6 +96,7 @@
       "CVE-2023-43472",
       "CVE-2023-51449",
       "CVE-2024-0769",
+      "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-37032",
@@ -196,6 +197,7 @@
       "CVE-2024-12987",
       "CVE-2025-11953",
       "CVE-2025-12686",
+      "CVE-2025-1753",
       "CVE-2025-48703",
       "CVE-2025-54136",
       "CVE-2025-54948",

package/data/framework-control-gaps.json

@@ -42,6 +42,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
       "CVE-2024-21576",
@@ -52,6 +53,7 @@
       "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1550",
+      "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -1391,6 +1393,7 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-12987",
+      "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-21513",
@@ -1427,6 +1430,7 @@
       "CVE-2025-14733",
       "CVE-2025-1550",
       "CVE-2025-15556",
+      "CVE-2025-1753",
       "CVE-2025-20281",
       "CVE-2025-20333",
       "CVE-2025-20337",
@@ -1814,6 +1818,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
       "CVE-2024-21575",
@@ -1828,6 +1833,7 @@
       "CVE-2025-1094",
       "CVE-2025-14174",
       "CVE-2025-1550",
+      "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -2274,6 +2280,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-13059",
       "CVE-2024-21513",
       "CVE-2024-27132",
       "CVE-2024-37032",
@@ -2282,6 +2289,7 @@
       "CVE-2025-0133",
       "CVE-2025-1094",
       "CVE-2025-1550",
+      "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-30165",
       "CVE-2025-60455",
@@ -2438,6 +2446,7 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-12987",
+      "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-21513",
@@ -2475,6 +2484,7 @@
       "CVE-2025-14733",
       "CVE-2025-1550",
       "CVE-2025-15556",
+      "CVE-2025-1753",
       "CVE-2025-20281",
       "CVE-2025-20333",
       "CVE-2025-20337",
@@ -4937,6 +4947,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
       "CVE-2024-21575",
@@ -4949,6 +4960,7 @@
       "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1550",
+      "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -5477,6 +5489,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
       "CVE-2024-21575",
@@ -5489,6 +5502,7 @@
       "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1550",
+      "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -5560,6 +5574,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
       "CVE-2024-21575",
@@ -5572,6 +5587,7 @@
       "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1550",
+      "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",

package/data/zeroday-lessons.json

@@ -4061,6 +4061,56 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-1753": {
+    "name": "LlamaIndex CLI --files OS Command Injection",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "The LlamaIndex CLI builds a shell command from the user-supplied --files argument and runs it through a shell-execution call without neutralization (CWE-78), so shell metacharacters execute arbitrary OS commands.",
+      "privileges_required": "ability to influence the CLI --files argument (CNA AV:L / PR:L)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the CLI of a widely used RAG / LLM data-framework. The lesson: AI-framework tooling routinely shells out, and any CLI argument or config forwarded into a shell must be neutralized (argv arrays / shlex), never concatenated into a shell string - this is the same root cause as the MCP-stdio command-injection family, applied to a framework CLI."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track LLM data-framework CLIs as managed, command-injection-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to CLI arguments the framework forwards to a shell."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an AI tool's CLI arguments as untrusted input requiring neutralization before shell execution."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 60,
+      "basis": "AI-framework CLIs are run in automation/pipelines with forwarded input; shell-string construction from arguments is common and unaudited.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-100",
+        "name": "AI-FRAMEWORK-CLI-SHELL-INPUT-NEUTRALIZATION",
+        "description": "AI-framework CLIs and tools that invoke external commands must never build a shell string from user-supplied arguments or config: use argv-array execution (no shell), or neutralize input with shlex/equivalent. Upgrade llama-index-cli past 0.12.20 to the shlex-escaped release, and in any wrapper/automation pass arguments as a list rather than a shell string. The distinguishing test: pass a --files value containing shell metacharacters to a staging CLI and confirm no subcommand executes.",
+        "evidence": "https://huntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2023-44467": {
     "name": "LangChain-Experimental PALChain dunder-import Code Execution (CVE-2023-36258 bypass)",
     "lesson_date": "2026-05-25",
@@ -7933,6 +7983,56 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-13059": {
+    "name": "AnythingLLM Non-ASCII Filename Path Traversal Arbitrary File Write to RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "AnythingLLM's multer-based upload handler mishandles non-ASCII filenames so they decode into ../ traversal sequences (CWE-22), letting a manager/admin user write to an arbitrary path and achieve RCE.",
+      "privileges_required": "manager or admin account (NVD PR:H)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the document-upload handler of a self-hosted RAG / AI chat application. The lesson matches the Ollama path-traversal case: AI-app file/path handling must canonicalize and validate names (including non-ASCII / encoding transforms) before touching the filesystem, and privileged roles are not a substitute for input validation."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track self-hosted RAG / AI chat applications as managed, RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to uploaded filenames (including non-ASCII transformations) in the AI app's upload handler."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the AI app's document-upload filename as untrusted input reaching the filesystem."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Self-hosted RAG apps are deployed for internal teams and assumed trusted; upload filename handling (especially non-ASCII) is not audited for traversal.",
+      "theater_pattern": "ai_demo_framework_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "An AI application's file/path-bearing inputs (upload filenames, model digests, API route parameters) must be canonicalized and validated — including non-ASCII / encoding transforms — before touching the filesystem, and the app must not be network-exposed to untrusted users. Upgrade AnythingLLM to 1.3.1 or later. This is the same control that closes the Ollama path-traversal CVEs. The distinguishing test: upload a file with a non-ASCII filename that decodes to ../ traversal on a staging AnythingLLM and confirm it is rejected, not written outside the document store.",
+        "evidence": "https://www.offsec.com/blog/cve-2024-13059/",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-1561": {
     "name": "Gradio /component_server Local File Read (Hugging Face Spaces Secret Theft)",
     "lesson_date": "2026-05-25",