@blamejs/exceptd-skills 0.13.97 → 0.13.98

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.13.98 — 2026-05-25
+
+CVE catalog — Anyscale Ray dashboard. Adds the Ray dashboard CVE pair (fixed in Ray 2.8.1), complementing the disputed ShadowRay Job-API entry. **CVE-2023-6019** (CWE-78, NIST CVSS 9.8) — the dashboard's `cpu_profile` URL parameter is injected into a system command, giving unauthenticated remote code execution on the dashboard host. **CVE-2023-6021** (CWE-22, NIST CVSS 7.5) — the dashboard log API allows path traversal to read any file on the host without authentication. Both map ATLAS AML.T0049 and ATT&CK T1190 (+ T1059 / T1083), and reuse the AI-compute control-plane authentication control (NEW-CTRL-088) shared with ShadowRay — the AI compute dashboard/control plane must authenticate every caller and never be network-exposed. Unlike the disputed ShadowRay Job-API issue, these were patched in 2.8.1. CVE count 374 → 376.
+
 ## 0.13.97 — 2026-05-25
 
 CVE catalog — Milvus vector-database authentication bypass. Adds the vector-DB / RAG-persistence surface with two Milvus auth-bypass flaws. **CVE-2025-64513** (CWE-287, CNA GitHub CVSS v4.0 9.3; NVD unscored) — the Milvus Proxy trusts forged HTTP headers, letting an unauthenticated attacker bypass all authentication; fixed in 2.4.24 / 2.5.21 / 2.6.5. **CVE-2026-26190** (CWE-306, NIST CVSS 9.8) — TCP port 9091 is exposed with weak default tokens and unauthenticated API access, enabling arbitrary expression evaluation and full unauthenticated control; fixed in 2.5.27 / 2.6.10. Both map ATLAS AML.T0049 / AML.T0035 and ATT&CK T1190 (+ T1078 / T1059), with a zero-day lesson (NEW-CTRL-101) treating the vector database as a sensitive RAG data store whose every API/management port (including metrics ports) must authenticate, with default tokens replaced and no untrusted-network exposure. CVE count 372 → 374.

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-26T04:34:39.040Z",
+  "generated_at": "2026-05-26T04:51:38.614Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "39bdc34295a0b69ab99fa3d5728be5c0949722cee01aeb564d83328eb6c0175b",
-    "data/atlas-ttps.json": "53ee907ca896977bb32a4a96fe47df71c1ba8e308424524b7753c17a3eed0771",
-    "data/attack-techniques.json": "e63c2c74dca7be7403007849aff6e2cd3816c6af0a74b2ae60ed74e8b6dd567f",
-    "data/cve-catalog.json": "0a59345736d92144319aa9993f214176b77d8d334fe0bc946393fb950eb6032d",
-    "data/cwe-catalog.json": "779f617a5b6b8ee513b285f5e0aca2ab6bc0b7a1a57a1f640523a81daaf9d15c",
+    "manifest.json": "b31130eeee1fe94d86e670af47cf3e97731dd6bcb43c7532710a0637204f87ad",
+    "data/atlas-ttps.json": "c9fccac02543c9f7a56506afecff8bc8f55676ccf25cc4f29da5782eed588911",
+    "data/attack-techniques.json": "fdb50ee41944dc8960eee08f9a47eaa302cf281478e305ab106011f7b77a2e27",
+    "data/cve-catalog.json": "f61a3a9e2d2d33fc04525675e30a135b338c45912b50c96f0fa5624d3c06c528",
+    "data/cwe-catalog.json": "0a9e011a43deda10c3e9b36182cd7f8bdfdf55634491ee25911b7ca460ff6c45",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "cf37f9969a0ca2b363247b80a5cdbdcc0fe56502374e90aca726fadc7725a2cd",
+    "data/framework-control-gaps.json": "f89921805bc4637fa897270eab7f7de4f0fae50d27ee3177d0a9d977bec28ec6",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
-    "data/zeroday-lessons.json": "3ee40096a702fd4277be4ce40af7a37fce7a5a59b104522892c61300bf867072",
+    "data/zeroday-lessons.json": "c9666a2f303ac8919faf43bf73cdfbb1966d532abfd3c14c130d44f6cd117c2e",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
     "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
@@ -72,7 +72,7 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 363,
+    "chains_cve_entries": 365,
     "chains_cwe_entries": 171,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,

package/data/_indexes/activity-feed.json

@@ -149,7 +149,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 374
+      "entry_count": 376
     },
     {
       "date": "2026-05-18",
@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 369
+      "entry_count": 371
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 374,
+      "entry_count": 376,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 369,
+      "entry_count": 371,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",