@blamejs/exceptd-skills 0.13.98 → 0.13.99

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (14) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/data/_indexes/_meta.json +9 -9
  3. package/data/_indexes/activity-feed.json +2 -2
  4. package/data/_indexes/catalog-summaries.json +2 -2
  5. package/data/_indexes/chains.json +770 -0
  6. package/data/atlas-ttps.json +6 -0
  7. package/data/attack-techniques.json +6 -0
  8. package/data/cve-catalog.json +212 -0
  9. package/data/cwe-catalog.json +2 -0
  10. package/data/framework-control-gaps.json +16 -0
  11. package/data/zeroday-lessons.json +100 -0
  12. package/manifest.json +44 -44
  13. package/package.json +2 -2
  14. package/sbom.cdx.json +25 -25
package/data/_indexes/chains.json CHANGED
@@ -36811,6 +36811,730 @@
36811
36811
  ]
36812
36812
  }
36813
36813
  },
36814
+ "CVE-2025-33236": {
36815
+ "name": "NVIDIA NeMo Framework Malicious Model Import Code Injection RCE",
36816
+ "rwep": 27,
36817
+ "cvss": 7.8,
36818
+ "cisa_kev": false,
36819
+ "epss_score": null,
36820
+ "referencing_skills": [
36821
+ "kernel-lpe-triage",
36822
+ "ai-attack-surface",
36823
+ "compliance-theater",
36824
+ "attack-surface-pentest",
36825
+ "ot-ics-security",
36826
+ "coordinated-vuln-disclosure",
36827
+ "sector-energy"
36828
+ ],
36829
+ "chain": {
36830
+ "cwes": [
36831
+ {
36832
+ "id": "CWE-1037",
36833
+ "name": "Processor Optimization Removal or Modification of Security-critical Code",
36834
+ "category": "Hardware / Side Channel"
36835
+ },
36836
+ {
36837
+ "id": "CWE-1039",
36838
+ "name": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
36839
+ "category": "AI/ML"
36840
+ },
36841
+ {
36842
+ "id": "CWE-125",
36843
+ "name": "Out-of-bounds Read",
36844
+ "category": "Memory Safety"
36845
+ },
36846
+ {
36847
+ "id": "CWE-1357",
36848
+ "name": "Reliance on Insufficiently Trustworthy Component",
36849
+ "category": "Supply Chain"
36850
+ },
36851
+ {
36852
+ "id": "CWE-1395",
36853
+ "name": "Dependency on Vulnerable Third-Party Component",
36854
+ "category": "Supply Chain"
36855
+ },
36856
+ {
36857
+ "id": "CWE-1426",
36858
+ "name": "Improper Validation of Generative AI Output",
36859
+ "category": "AI/ML"
36860
+ },
36861
+ {
36862
+ "id": "CWE-22",
36863
+ "name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
36864
+ "category": "Path/Resource"
36865
+ },
36866
+ {
36867
+ "id": "CWE-269",
36868
+ "name": "Improper Privilege Management",
36869
+ "category": "Authorization"
36870
+ },
36871
+ {
36872
+ "id": "CWE-287",
36873
+ "name": "Improper Authentication",
36874
+ "category": "Authentication"
36875
+ },
36876
+ {
36877
+ "id": "CWE-306",
36878
+ "name": "Missing Authentication for Critical Function",
36879
+ "category": "Authentication"
36880
+ },
36881
+ {
36882
+ "id": "CWE-352",
36883
+ "name": "Cross-Site Request Forgery (CSRF)",
36884
+ "category": "Session"
36885
+ },
36886
+ {
36887
+ "id": "CWE-362",
36888
+ "name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
36889
+ "category": "Concurrency"
36890
+ },
36891
+ {
36892
+ "id": "CWE-416",
36893
+ "name": "Use After Free",
36894
+ "category": "Memory Safety"
36895
+ },
36896
+ {
36897
+ "id": "CWE-434",
36898
+ "name": "Unrestricted Upload of File with Dangerous Type",
36899
+ "category": "File Handling"
36900
+ },
36901
+ {
36902
+ "id": "CWE-672",
36903
+ "name": "Operation on a Resource after Expiration or Release",
36904
+ "category": "Memory Safety"
36905
+ },
36906
+ {
36907
+ "id": "CWE-732",
36908
+ "name": "Incorrect Permission Assignment for Critical Resource",
36909
+ "category": "Authorization"
36910
+ },
36911
+ {
36912
+ "id": "CWE-78",
36913
+ "name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
36914
+ "category": "Injection"
36915
+ },
36916
+ {
36917
+ "id": "CWE-787",
36918
+ "name": "Out-of-bounds Write",
36919
+ "category": "Memory Safety"
36920
+ },
36921
+ {
36922
+ "id": "CWE-79",
36923
+ "name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
36924
+ "category": "Injection"
36925
+ },
36926
+ {
36927
+ "id": "CWE-798",
36928
+ "name": "Use of Hard-coded Credentials",
36929
+ "category": "Credentials"
36930
+ },
36931
+ {
36932
+ "id": "CWE-89",
36933
+ "name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
36934
+ "category": "Injection"
36935
+ },
36936
+ {
36937
+ "id": "CWE-918",
36938
+ "name": "Server-Side Request Forgery (SSRF)",
36939
+ "category": "Network"
36940
+ },
36941
+ {
36942
+ "id": "CWE-94",
36943
+ "name": "Improper Control of Generation of Code (Code Injection)",
36944
+ "category": "Injection"
36945
+ }
36946
+ ],
36947
+ "atlas": [
36948
+ {
36949
+ "id": "AML.T0010",
36950
+ "name": "ML Supply Chain Compromise",
36951
+ "tactic": "Initial Access"
36952
+ },
36953
+ {
36954
+ "id": "AML.T0016",
36955
+ "name": "Obtain Capabilities: Develop Capabilities",
36956
+ "tactic": "Resource Development"
36957
+ },
36958
+ {
36959
+ "id": "AML.T0017",
36960
+ "name": "Discover ML Model Ontology",
36961
+ "tactic": "Discovery"
36962
+ },
36963
+ {
36964
+ "id": "AML.T0018",
36965
+ "name": "Backdoor ML Model",
36966
+ "tactic": "Persistence"
36967
+ },
36968
+ {
36969
+ "id": "AML.T0020",
36970
+ "name": "Poison Training Data",
36971
+ "tactic": "ML Attack Staging"
36972
+ },
36973
+ {
36974
+ "id": "AML.T0043",
36975
+ "name": "Craft Adversarial Data",
36976
+ "tactic": "ML Attack Staging"
36977
+ },
36978
+ {
36979
+ "id": "AML.T0051",
36980
+ "name": "LLM Prompt Injection",
36981
+ "tactic": "Execution"
36982
+ },
36983
+ {
36984
+ "id": "AML.T0054",
36985
+ "name": "LLM Jailbreak",
36986
+ "tactic": "Defense Evasion"
36987
+ },
36988
+ {
36989
+ "id": "AML.T0096",
36990
+ "name": "AI API as Covert C2 Channel",
36991
+ "tactic": "Command and Control"
36992
+ }
36993
+ ],
36994
+ "d3fend": [
36995
+ {
36996
+ "id": "D3-ASLR",
36997
+ "name": "Address Space Layout Randomization",
36998
+ "tactic": "Harden"
36999
+ },
37000
+ {
37001
+ "id": "D3-CSPP",
37002
+ "name": "Client-server Payload Profiling",
37003
+ "tactic": "Detect"
37004
+ },
37005
+ {
37006
+ "id": "D3-EAL",
37007
+ "name": "Executable Allowlisting",
37008
+ "tactic": "Harden"
37009
+ },
37010
+ {
37011
+ "id": "D3-IOPR",
37012
+ "name": "Input/Output Profiling Resource",
37013
+ "tactic": "Detect"
37014
+ },
37015
+ {
37016
+ "id": "D3-NTA",
37017
+ "name": "Network Traffic Analysis",
37018
+ "tactic": "Detect"
37019
+ },
37020
+ {
37021
+ "id": "D3-PHRA",
37022
+ "name": "Process Hardware Resource Access",
37023
+ "tactic": "Isolate"
37024
+ },
37025
+ {
37026
+ "id": "D3-PSEP",
37027
+ "name": "Process Segment Execution Prevention",
37028
+ "tactic": "Harden"
37029
+ }
37030
+ ],
37031
+ "framework_gaps": [
37032
+ {
37033
+ "id": "ALL-AI-PIPELINE-INTEGRITY",
37034
+ "framework": "ALL",
37035
+ "control_name": "AI Pipeline Integrity"
37036
+ },
37037
+ {
37038
+ "id": "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
37039
+ "framework": "ALL",
37040
+ "control_name": "Prompt Injection as Access Control Failure"
37041
+ },
37042
+ {
37043
+ "id": "CIS-Controls-v8-Control7",
37044
+ "framework": "CIS Controls v8",
37045
+ "control_name": "Continuous Vulnerability Management"
37046
+ },
37047
+ {
37048
+ "id": "CMMC-2.0-Level-2",
37049
+ "framework": "CMMC 2.0 (Cybersecurity Maturity Model Certification) Level 2",
37050
+ "control_name": "Level 2 — Advanced (110 NIST 800-171 Rev 2 controls)"
37051
+ },
37052
+ {
37053
+ "id": "FedRAMP-Rev5-Moderate",
37054
+ "framework": "FedRAMP Rev 5 Moderate",
37055
+ "control_name": "FedRAMP Moderate baseline (NIST 800-53 Rev 5 tailoring)"
37056
+ },
37057
+ {
37058
+ "id": "IEC-62443-3-3",
37059
+ "framework": "IEC 62443-3-3 (Industrial communication networks — security for IACS)",
37060
+ "control_name": "System security requirements and security levels"
37061
+ },
37062
+ {
37063
+ "id": "ISO-27001-2022-A.8.28",
37064
+ "framework": "ISO/IEC 27001:2022",
37065
+ "control_name": "Secure coding"
37066
+ },
37067
+ {
37068
+ "id": "ISO-27001-2022-A.8.8",
37069
+ "framework": "ISO/IEC 27001:2022",
37070
+ "control_name": "Management of technical vulnerabilities"
37071
+ },
37072
+ {
37073
+ "id": "ISO-IEC-23894-2023-clause-7",
37074
+ "framework": "ISO/IEC 23894:2023 (AI Risk Management Guidance)",
37075
+ "control_name": "AI risk management process"
37076
+ },
37077
+ {
37078
+ "id": "NERC-CIP-007-6-R4",
37079
+ "framework": "NERC CIP-007-6 (BES Cyber System Security Management)",
37080
+ "control_name": "Security event monitoring"
37081
+ },
37082
+ {
37083
+ "id": "NIS2-Art21-patch-management",
37084
+ "framework": "EU NIS2 Directive",
37085
+ "control_name": "Vulnerability handling and disclosure"
37086
+ },
37087
+ {
37088
+ "id": "NIST-800-115",
37089
+ "framework": "NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)",
37090
+ "control_name": "Technical Guide to Information Security Testing and Assessment"
37091
+ },
37092
+ {
37093
+ "id": "NIST-800-218-SSDF",
37094
+ "framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
37095
+ "control_name": "Secure Software Development Framework"
37096
+ },
37097
+ {
37098
+ "id": "NIST-800-53-AC-2",
37099
+ "framework": "NIST SP 800-53 Rev 5",
37100
+ "control_name": "Account Management"
37101
+ },
37102
+ {
37103
+ "id": "NIST-800-53-SC-8",
37104
+ "framework": "NIST SP 800-53 Rev 5",
37105
+ "control_name": "Transmission Confidentiality and Integrity"
37106
+ },
37107
+ {
37108
+ "id": "NIST-800-53-SI-2",
37109
+ "framework": "NIST SP 800-53 Rev 5",
37110
+ "control_name": "Flaw Remediation"
37111
+ },
37112
+ {
37113
+ "id": "NIST-800-53-SI-3",
37114
+ "framework": "NIST SP 800-53 Rev 5",
37115
+ "control_name": "Malicious Code Protection"
37116
+ },
37117
+ {
37118
+ "id": "NIST-800-82r3",
37119
+ "framework": "NIST SP 800-82 Rev 3 (Guide to OT Security)",
37120
+ "control_name": "Guide to Operational Technology (OT) Security"
37121
+ },
37122
+ {
37123
+ "id": "OWASP-LLM-Top-10-2025-LLM01",
37124
+ "framework": "OWASP Top 10 for LLM Applications 2025",
37125
+ "control_name": "Prompt Injection"
37126
+ },
37127
+ {
37128
+ "id": "OWASP-LLM-Top-10-2025-LLM02",
37129
+ "framework": "OWASP Top 10 for LLM Applications 2025",
37130
+ "control_name": "Sensitive Information Disclosure"
37131
+ },
37132
+ {
37133
+ "id": "OWASP-Pen-Testing-Guide-v5",
37134
+ "framework": "OWASP Web Security Testing Guide v5 (WSTG)",
37135
+ "control_name": "Web application penetration testing methodology"
37136
+ },
37137
+ {
37138
+ "id": "PCI-DSS-4.0-6.3.3",
37139
+ "framework": "PCI DSS 4.0",
37140
+ "control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
37141
+ },
37142
+ {
37143
+ "id": "PTES-Pre-engagement",
37144
+ "framework": "Penetration Testing Execution Standard (PTES)",
37145
+ "control_name": "Pre-engagement Interactions"
37146
+ },
37147
+ {
37148
+ "id": "SOC2-CC6-logical-access",
37149
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
37150
+ "control_name": "Logical and Physical Access Controls"
37151
+ },
37152
+ {
37153
+ "id": "SOC2-CC9-vendor-management",
37154
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
37155
+ "control_name": "Risk Mitigation — Vendor and Business Partner Risk"
37156
+ }
37157
+ ],
37158
+ "attack_refs": [
37159
+ "T0855",
37160
+ "T0883",
37161
+ "T1059",
37162
+ "T1068",
37163
+ "T1078",
37164
+ "T1133",
37165
+ "T1190",
37166
+ "T1548.001",
37167
+ "T1566"
37168
+ ],
37169
+ "rfc_refs": [
37170
+ "RFC-4301",
37171
+ "RFC-4303",
37172
+ "RFC-7296"
37173
+ ]
37174
+ }
37175
+ },
37176
+ "CVE-2024-0129": {
37177
+ "name": "NVIDIA NeMo SaveRestoreConnector .tar Path Traversal to Code Execution",
37178
+ "rwep": 25,
37179
+ "cvss": 7.8,
37180
+ "cisa_kev": false,
37181
+ "epss_score": null,
37182
+ "referencing_skills": [
37183
+ "kernel-lpe-triage",
37184
+ "ai-attack-surface",
37185
+ "compliance-theater",
37186
+ "attack-surface-pentest",
37187
+ "ot-ics-security",
37188
+ "coordinated-vuln-disclosure",
37189
+ "sector-energy"
37190
+ ],
37191
+ "chain": {
37192
+ "cwes": [
37193
+ {
37194
+ "id": "CWE-1037",
37195
+ "name": "Processor Optimization Removal or Modification of Security-critical Code",
37196
+ "category": "Hardware / Side Channel"
37197
+ },
37198
+ {
37199
+ "id": "CWE-1039",
37200
+ "name": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
37201
+ "category": "AI/ML"
37202
+ },
37203
+ {
37204
+ "id": "CWE-125",
37205
+ "name": "Out-of-bounds Read",
37206
+ "category": "Memory Safety"
37207
+ },
37208
+ {
37209
+ "id": "CWE-1357",
37210
+ "name": "Reliance on Insufficiently Trustworthy Component",
37211
+ "category": "Supply Chain"
37212
+ },
37213
+ {
37214
+ "id": "CWE-1395",
37215
+ "name": "Dependency on Vulnerable Third-Party Component",
37216
+ "category": "Supply Chain"
37217
+ },
37218
+ {
37219
+ "id": "CWE-1426",
37220
+ "name": "Improper Validation of Generative AI Output",
37221
+ "category": "AI/ML"
37222
+ },
37223
+ {
37224
+ "id": "CWE-22",
37225
+ "name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
37226
+ "category": "Path/Resource"
37227
+ },
37228
+ {
37229
+ "id": "CWE-269",
37230
+ "name": "Improper Privilege Management",
37231
+ "category": "Authorization"
37232
+ },
37233
+ {
37234
+ "id": "CWE-287",
37235
+ "name": "Improper Authentication",
37236
+ "category": "Authentication"
37237
+ },
37238
+ {
37239
+ "id": "CWE-306",
37240
+ "name": "Missing Authentication for Critical Function",
37241
+ "category": "Authentication"
37242
+ },
37243
+ {
37244
+ "id": "CWE-352",
37245
+ "name": "Cross-Site Request Forgery (CSRF)",
37246
+ "category": "Session"
37247
+ },
37248
+ {
37249
+ "id": "CWE-362",
37250
+ "name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
37251
+ "category": "Concurrency"
37252
+ },
37253
+ {
37254
+ "id": "CWE-416",
37255
+ "name": "Use After Free",
37256
+ "category": "Memory Safety"
37257
+ },
37258
+ {
37259
+ "id": "CWE-434",
37260
+ "name": "Unrestricted Upload of File with Dangerous Type",
37261
+ "category": "File Handling"
37262
+ },
37263
+ {
37264
+ "id": "CWE-672",
37265
+ "name": "Operation on a Resource after Expiration or Release",
37266
+ "category": "Memory Safety"
37267
+ },
37268
+ {
37269
+ "id": "CWE-732",
37270
+ "name": "Incorrect Permission Assignment for Critical Resource",
37271
+ "category": "Authorization"
37272
+ },
37273
+ {
37274
+ "id": "CWE-78",
37275
+ "name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
37276
+ "category": "Injection"
37277
+ },
37278
+ {
37279
+ "id": "CWE-787",
37280
+ "name": "Out-of-bounds Write",
37281
+ "category": "Memory Safety"
37282
+ },
37283
+ {
37284
+ "id": "CWE-79",
37285
+ "name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
37286
+ "category": "Injection"
37287
+ },
37288
+ {
37289
+ "id": "CWE-798",
37290
+ "name": "Use of Hard-coded Credentials",
37291
+ "category": "Credentials"
37292
+ },
37293
+ {
37294
+ "id": "CWE-89",
37295
+ "name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
37296
+ "category": "Injection"
37297
+ },
37298
+ {
37299
+ "id": "CWE-918",
37300
+ "name": "Server-Side Request Forgery (SSRF)",
37301
+ "category": "Network"
37302
+ },
37303
+ {
37304
+ "id": "CWE-94",
37305
+ "name": "Improper Control of Generation of Code (Code Injection)",
37306
+ "category": "Injection"
37307
+ }
37308
+ ],
37309
+ "atlas": [
37310
+ {
37311
+ "id": "AML.T0010",
37312
+ "name": "ML Supply Chain Compromise",
37313
+ "tactic": "Initial Access"
37314
+ },
37315
+ {
37316
+ "id": "AML.T0016",
37317
+ "name": "Obtain Capabilities: Develop Capabilities",
37318
+ "tactic": "Resource Development"
37319
+ },
37320
+ {
37321
+ "id": "AML.T0017",
37322
+ "name": "Discover ML Model Ontology",
37323
+ "tactic": "Discovery"
37324
+ },
37325
+ {
37326
+ "id": "AML.T0018",
37327
+ "name": "Backdoor ML Model",
37328
+ "tactic": "Persistence"
37329
+ },
37330
+ {
37331
+ "id": "AML.T0020",
37332
+ "name": "Poison Training Data",
37333
+ "tactic": "ML Attack Staging"
37334
+ },
37335
+ {
37336
+ "id": "AML.T0043",
37337
+ "name": "Craft Adversarial Data",
37338
+ "tactic": "ML Attack Staging"
37339
+ },
37340
+ {
37341
+ "id": "AML.T0051",
37342
+ "name": "LLM Prompt Injection",
37343
+ "tactic": "Execution"
37344
+ },
37345
+ {
37346
+ "id": "AML.T0054",
37347
+ "name": "LLM Jailbreak",
37348
+ "tactic": "Defense Evasion"
37349
+ },
37350
+ {
37351
+ "id": "AML.T0096",
37352
+ "name": "AI API as Covert C2 Channel",
37353
+ "tactic": "Command and Control"
37354
+ }
37355
+ ],
37356
+ "d3fend": [
37357
+ {
37358
+ "id": "D3-ASLR",
37359
+ "name": "Address Space Layout Randomization",
37360
+ "tactic": "Harden"
37361
+ },
37362
+ {
37363
+ "id": "D3-CSPP",
37364
+ "name": "Client-server Payload Profiling",
37365
+ "tactic": "Detect"
37366
+ },
37367
+ {
37368
+ "id": "D3-EAL",
37369
+ "name": "Executable Allowlisting",
37370
+ "tactic": "Harden"
37371
+ },
37372
+ {
37373
+ "id": "D3-IOPR",
37374
+ "name": "Input/Output Profiling Resource",
37375
+ "tactic": "Detect"
37376
+ },
37377
+ {
37378
+ "id": "D3-NTA",
37379
+ "name": "Network Traffic Analysis",
37380
+ "tactic": "Detect"
37381
+ },
37382
+ {
37383
+ "id": "D3-PHRA",
37384
+ "name": "Process Hardware Resource Access",
37385
+ "tactic": "Isolate"
37386
+ },
37387
+ {
37388
+ "id": "D3-PSEP",
37389
+ "name": "Process Segment Execution Prevention",
37390
+ "tactic": "Harden"
37391
+ }
37392
+ ],
37393
+ "framework_gaps": [
37394
+ {
37395
+ "id": "ALL-AI-PIPELINE-INTEGRITY",
37396
+ "framework": "ALL",
37397
+ "control_name": "AI Pipeline Integrity"
37398
+ },
37399
+ {
37400
+ "id": "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
37401
+ "framework": "ALL",
37402
+ "control_name": "Prompt Injection as Access Control Failure"
37403
+ },
37404
+ {
37405
+ "id": "CIS-Controls-v8-Control7",
37406
+ "framework": "CIS Controls v8",
37407
+ "control_name": "Continuous Vulnerability Management"
37408
+ },
37409
+ {
37410
+ "id": "CMMC-2.0-Level-2",
37411
+ "framework": "CMMC 2.0 (Cybersecurity Maturity Model Certification) Level 2",
37412
+ "control_name": "Level 2 — Advanced (110 NIST 800-171 Rev 2 controls)"
37413
+ },
37414
+ {
37415
+ "id": "FedRAMP-Rev5-Moderate",
37416
+ "framework": "FedRAMP Rev 5 Moderate",
37417
+ "control_name": "FedRAMP Moderate baseline (NIST 800-53 Rev 5 tailoring)"
37418
+ },
37419
+ {
37420
+ "id": "IEC-62443-3-3",
37421
+ "framework": "IEC 62443-3-3 (Industrial communication networks — security for IACS)",
37422
+ "control_name": "System security requirements and security levels"
37423
+ },
37424
+ {
37425
+ "id": "ISO-27001-2022-A.8.28",
37426
+ "framework": "ISO/IEC 27001:2022",
37427
+ "control_name": "Secure coding"
37428
+ },
37429
+ {
37430
+ "id": "ISO-27001-2022-A.8.8",
37431
+ "framework": "ISO/IEC 27001:2022",
37432
+ "control_name": "Management of technical vulnerabilities"
37433
+ },
37434
+ {
37435
+ "id": "ISO-IEC-23894-2023-clause-7",
37436
+ "framework": "ISO/IEC 23894:2023 (AI Risk Management Guidance)",
37437
+ "control_name": "AI risk management process"
37438
+ },
37439
+ {
37440
+ "id": "NERC-CIP-007-6-R4",
37441
+ "framework": "NERC CIP-007-6 (BES Cyber System Security Management)",
37442
+ "control_name": "Security event monitoring"
37443
+ },
37444
+ {
37445
+ "id": "NIS2-Art21-patch-management",
37446
+ "framework": "EU NIS2 Directive",
37447
+ "control_name": "Vulnerability handling and disclosure"
37448
+ },
37449
+ {
37450
+ "id": "NIST-800-115",
37451
+ "framework": "NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)",
37452
+ "control_name": "Technical Guide to Information Security Testing and Assessment"
37453
+ },
37454
+ {
37455
+ "id": "NIST-800-218-SSDF",
37456
+ "framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
37457
+ "control_name": "Secure Software Development Framework"
37458
+ },
37459
+ {
37460
+ "id": "NIST-800-53-AC-2",
37461
+ "framework": "NIST SP 800-53 Rev 5",
37462
+ "control_name": "Account Management"
37463
+ },
37464
+ {
37465
+ "id": "NIST-800-53-SC-8",
37466
+ "framework": "NIST SP 800-53 Rev 5",
37467
+ "control_name": "Transmission Confidentiality and Integrity"
37468
+ },
37469
+ {
37470
+ "id": "NIST-800-53-SI-2",
37471
+ "framework": "NIST SP 800-53 Rev 5",
37472
+ "control_name": "Flaw Remediation"
37473
+ },
37474
+ {
37475
+ "id": "NIST-800-53-SI-3",
37476
+ "framework": "NIST SP 800-53 Rev 5",
37477
+ "control_name": "Malicious Code Protection"
37478
+ },
37479
+ {
37480
+ "id": "NIST-800-82r3",
37481
+ "framework": "NIST SP 800-82 Rev 3 (Guide to OT Security)",
37482
+ "control_name": "Guide to Operational Technology (OT) Security"
37483
+ },
37484
+ {
37485
+ "id": "OWASP-LLM-Top-10-2025-LLM01",
37486
+ "framework": "OWASP Top 10 for LLM Applications 2025",
37487
+ "control_name": "Prompt Injection"
37488
+ },
37489
+ {
37490
+ "id": "OWASP-LLM-Top-10-2025-LLM02",
37491
+ "framework": "OWASP Top 10 for LLM Applications 2025",
37492
+ "control_name": "Sensitive Information Disclosure"
37493
+ },
37494
+ {
37495
+ "id": "OWASP-Pen-Testing-Guide-v5",
37496
+ "framework": "OWASP Web Security Testing Guide v5 (WSTG)",
37497
+ "control_name": "Web application penetration testing methodology"
37498
+ },
37499
+ {
37500
+ "id": "PCI-DSS-4.0-6.3.3",
37501
+ "framework": "PCI DSS 4.0",
37502
+ "control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
37503
+ },
37504
+ {
37505
+ "id": "PTES-Pre-engagement",
37506
+ "framework": "Penetration Testing Execution Standard (PTES)",
37507
+ "control_name": "Pre-engagement Interactions"
37508
+ },
37509
+ {
37510
+ "id": "SOC2-CC6-logical-access",
37511
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
37512
+ "control_name": "Logical and Physical Access Controls"
37513
+ },
37514
+ {
37515
+ "id": "SOC2-CC9-vendor-management",
37516
+ "framework": "SOC 2 (AICPA Trust Services Criteria)",
37517
+ "control_name": "Risk Mitigation — Vendor and Business Partner Risk"
37518
+ }
37519
+ ],
37520
+ "attack_refs": [
37521
+ "T0855",
37522
+ "T0883",
37523
+ "T1059",
37524
+ "T1068",
37525
+ "T1078",
37526
+ "T1133",
37527
+ "T1190",
37528
+ "T1548.001",
37529
+ "T1566"
37530
+ ],
37531
+ "rfc_refs": [
37532
+ "RFC-4301",
37533
+ "RFC-4303",
37534
+ "RFC-7296"
37535
+ ]
37536
+ }
37537
+ },
36814
37538
  "CVE-2026-41091": {
36815
37539
  "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
36816
37540
  "rwep": 45,
@@ -63194,6 +63918,7 @@
63194
63918
  "CVE-2023-51449",
63195
63919
  "CVE-2023-6019",
63196
63920
  "CVE-2023-6021",
63921
+ "CVE-2024-0129",
63197
63922
  "CVE-2024-0132",
63198
63923
  "CVE-2024-11392",
63199
63924
  "CVE-2024-11393",
@@ -63224,6 +63949,7 @@
63224
63949
  "CVE-2025-30165",
63225
63950
  "CVE-2025-30202",
63226
63951
  "CVE-2025-32444",
63952
+ "CVE-2025-33236",
63227
63953
  "CVE-2025-34291",
63228
63954
  "CVE-2025-38352",
63229
63955
  "CVE-2025-43300",
@@ -63597,6 +64323,7 @@
63597
64323
  "CVE-2023-51449",
63598
64324
  "CVE-2023-6019",
63599
64325
  "CVE-2023-6021",
64326
+ "CVE-2024-0129",
63600
64327
  "CVE-2024-0132",
63601
64328
  "CVE-2024-11392",
63602
64329
  "CVE-2024-11393",
@@ -63625,6 +64352,7 @@
63625
64352
  "CVE-2025-30165",
63626
64353
  "CVE-2025-30202",
63627
64354
  "CVE-2025-32444",
64355
+ "CVE-2025-33236",
63628
64356
  "CVE-2025-34291",
63629
64357
  "CVE-2025-38352",
63630
64358
  "CVE-2025-43300",
@@ -63791,6 +64519,7 @@
63791
64519
  "CVE-2023-51449",
63792
64520
  "CVE-2023-6019",
63793
64521
  "CVE-2023-6021",
64522
+ "CVE-2024-0129",
63794
64523
  "CVE-2024-0132",
63795
64524
  "CVE-2024-11392",
63796
64525
  "CVE-2024-11393",
@@ -63819,6 +64548,7 @@
63819
64548
  "CVE-2025-30165",
63820
64549
  "CVE-2025-30202",
63821
64550
  "CVE-2025-32444",
64551
+ "CVE-2025-33236",
63822
64552
  "CVE-2025-34291",
63823
64553
  "CVE-2025-38352",
63824
64554
  "CVE-2025-43300",
@@ -63999,6 +64729,7 @@
63999
64729
  "CVE-2023-51449",
64000
64730
  "CVE-2023-6019",
64001
64731
  "CVE-2023-6021",
64732
+ "CVE-2024-0129",
64002
64733
  "CVE-2024-0132",
64003
64734
  "CVE-2024-11392",
64004
64735
  "CVE-2024-11393",
@@ -64027,6 +64758,7 @@
64027
64758
  "CVE-2025-30165",
64028
64759
  "CVE-2025-30202",
64029
64760
  "CVE-2025-32444",
64761
+ "CVE-2025-33236",
64030
64762
  "CVE-2025-34291",
64031
64763
  "CVE-2025-38352",
64032
64764
  "CVE-2025-43300",
@@ -64311,6 +65043,7 @@
64311
65043
  "CVE-2023-51449",
64312
65044
  "CVE-2023-6019",
64313
65045
  "CVE-2023-6021",
65046
+ "CVE-2024-0129",
64314
65047
  "CVE-2024-0132",
64315
65048
  "CVE-2024-11392",
64316
65049
  "CVE-2024-11393",
@@ -64340,6 +65073,7 @@
64340
65073
  "CVE-2025-30165",
64341
65074
  "CVE-2025-30202",
64342
65075
  "CVE-2025-32444",
65076
+ "CVE-2025-33236",
64343
65077
  "CVE-2025-34291",
64344
65078
  "CVE-2025-49596",
64345
65079
  "CVE-2025-49844",
@@ -64579,6 +65313,7 @@
64579
65313
  "CVE-2023-52163",
64580
65314
  "CVE-2023-6019",
64581
65315
  "CVE-2023-6021",
65316
+ "CVE-2024-0129",
64582
65317
  "CVE-2024-0132",
64583
65318
  "CVE-2024-0769",
64584
65319
  "CVE-2024-11182",
@@ -64671,6 +65406,7 @@
64671
65406
  "CVE-2025-32975",
64672
65407
  "CVE-2025-33053",
64673
65408
  "CVE-2025-33073",
65409
+ "CVE-2025-33236",
64674
65410
  "CVE-2025-34026",
64675
65411
  "CVE-2025-34291",
64676
65412
  "CVE-2025-35939",
@@ -65435,6 +66171,7 @@
65435
66171
  "CVE-2023-51449",
65436
66172
  "CVE-2023-6019",
65437
66173
  "CVE-2023-6021",
66174
+ "CVE-2024-0129",
65438
66175
  "CVE-2024-0132",
65439
66176
  "CVE-2024-11392",
65440
66177
  "CVE-2024-11393",
@@ -65465,6 +66202,7 @@
65465
66202
  "CVE-2025-30165",
65466
66203
  "CVE-2025-30202",
65467
66204
  "CVE-2025-32444",
66205
+ "CVE-2025-33236",
65468
66206
  "CVE-2025-34291",
65469
66207
  "CVE-2025-38352",
65470
66208
  "CVE-2025-43300",
@@ -66068,6 +66806,7 @@
66068
66806
  "CVE-2023-51449",
66069
66807
  "CVE-2023-6019",
66070
66808
  "CVE-2023-6021",
66809
+ "CVE-2024-0129",
66071
66810
  "CVE-2024-0132",
66072
66811
  "CVE-2024-11392",
66073
66812
  "CVE-2024-11393",
@@ -66098,6 +66837,7 @@
66098
66837
  "CVE-2025-30165",
66099
66838
  "CVE-2025-30202",
66100
66839
  "CVE-2025-32444",
66840
+ "CVE-2025-33236",
66101
66841
  "CVE-2025-34291",
66102
66842
  "CVE-2025-38352",
66103
66843
  "CVE-2025-43300",
@@ -66339,6 +67079,7 @@
66339
67079
  "CVE-2023-51449",
66340
67080
  "CVE-2023-6019",
66341
67081
  "CVE-2023-6021",
67082
+ "CVE-2024-0129",
66342
67083
  "CVE-2024-0132",
66343
67084
  "CVE-2024-11392",
66344
67085
  "CVE-2024-11393",
@@ -66367,6 +67108,7 @@
66367
67108
  "CVE-2025-30165",
66368
67109
  "CVE-2025-30202",
66369
67110
  "CVE-2025-32444",
67111
+ "CVE-2025-33236",
66370
67112
  "CVE-2025-34291",
66371
67113
  "CVE-2025-38352",
66372
67114
  "CVE-2025-43300",
@@ -67036,6 +67778,7 @@
67036
67778
  "CVE-2023-51449",
67037
67779
  "CVE-2023-6019",
67038
67780
  "CVE-2023-6021",
67781
+ "CVE-2024-0129",
67039
67782
  "CVE-2024-0132",
67040
67783
  "CVE-2024-11392",
67041
67784
  "CVE-2024-11393",
@@ -67066,6 +67809,7 @@
67066
67809
  "CVE-2025-30165",
67067
67810
  "CVE-2025-30202",
67068
67811
  "CVE-2025-32444",
67812
+ "CVE-2025-33236",
67069
67813
  "CVE-2025-34291",
67070
67814
  "CVE-2025-38352",
67071
67815
  "CVE-2025-43300",
@@ -67311,6 +68055,7 @@
67311
68055
  "CVE-2023-52163",
67312
68056
  "CVE-2023-6019",
67313
68057
  "CVE-2023-6021",
68058
+ "CVE-2024-0129",
67314
68059
  "CVE-2024-0132",
67315
68060
  "CVE-2024-0769",
67316
68061
  "CVE-2024-11182",
@@ -67403,6 +68148,7 @@
67403
68148
  "CVE-2025-32975",
67404
68149
  "CVE-2025-33053",
67405
68150
  "CVE-2025-33073",
68151
+ "CVE-2025-33236",
67406
68152
  "CVE-2025-34026",
67407
68153
  "CVE-2025-34291",
67408
68154
  "CVE-2025-35939",
@@ -67765,6 +68511,7 @@
67765
68511
  "CVE-2023-52163",
67766
68512
  "CVE-2023-6019",
67767
68513
  "CVE-2023-6021",
68514
+ "CVE-2024-0129",
67768
68515
  "CVE-2024-0132",
67769
68516
  "CVE-2024-0769",
67770
68517
  "CVE-2024-11182",
@@ -67857,6 +68604,7 @@
67857
68604
  "CVE-2025-32975",
67858
68605
  "CVE-2025-33053",
67859
68606
  "CVE-2025-33073",
68607
+ "CVE-2025-33236",
67860
68608
  "CVE-2025-34026",
67861
68609
  "CVE-2025-34291",
67862
68610
  "CVE-2025-35939",
@@ -68250,6 +68998,7 @@
68250
68998
  "CVE-2023-51449",
68251
68999
  "CVE-2023-6019",
68252
69000
  "CVE-2023-6021",
69001
+ "CVE-2024-0129",
68253
69002
  "CVE-2024-0132",
68254
69003
  "CVE-2024-11392",
68255
69004
  "CVE-2024-11393",
@@ -68280,6 +69029,7 @@
68280
69029
  "CVE-2025-30165",
68281
69030
  "CVE-2025-30202",
68282
69031
  "CVE-2025-32444",
69032
+ "CVE-2025-33236",
68283
69033
  "CVE-2025-34291",
68284
69034
  "CVE-2025-38352",
68285
69035
  "CVE-2025-43300",
@@ -69077,6 +69827,7 @@
69077
69827
  "CVE-2023-52163",
69078
69828
  "CVE-2023-6019",
69079
69829
  "CVE-2023-6021",
69830
+ "CVE-2024-0129",
69080
69831
  "CVE-2024-0132",
69081
69832
  "CVE-2024-0769",
69082
69833
  "CVE-2024-11182",
@@ -69169,6 +69920,7 @@
69169
69920
  "CVE-2025-32975",
69170
69921
  "CVE-2025-33053",
69171
69922
  "CVE-2025-33073",
69923
+ "CVE-2025-33236",
69172
69924
  "CVE-2025-34026",
69173
69925
  "CVE-2025-34291",
69174
69926
  "CVE-2025-35939",
@@ -69626,6 +70378,7 @@
69626
70378
  "CVE-2023-51449",
69627
70379
  "CVE-2023-6019",
69628
70380
  "CVE-2023-6021",
70381
+ "CVE-2024-0129",
69629
70382
  "CVE-2024-0132",
69630
70383
  "CVE-2024-11392",
69631
70384
  "CVE-2024-11393",
@@ -69656,6 +70409,7 @@
69656
70409
  "CVE-2025-30165",
69657
70410
  "CVE-2025-30202",
69658
70411
  "CVE-2025-32444",
70412
+ "CVE-2025-33236",
69659
70413
  "CVE-2025-34291",
69660
70414
  "CVE-2025-38352",
69661
70415
  "CVE-2025-43300",
@@ -69979,6 +70733,7 @@
69979
70733
  "CVE-2023-52163",
69980
70734
  "CVE-2023-6019",
69981
70735
  "CVE-2023-6021",
70736
+ "CVE-2024-0129",
69982
70737
  "CVE-2024-0132",
69983
70738
  "CVE-2024-0769",
69984
70739
  "CVE-2024-11182",
@@ -70074,6 +70829,7 @@
70074
70829
  "CVE-2025-32975",
70075
70830
  "CVE-2025-33053",
70076
70831
  "CVE-2025-33073",
70832
+ "CVE-2025-33236",
70077
70833
  "CVE-2025-34026",
70078
70834
  "CVE-2025-34291",
70079
70835
  "CVE-2025-35939",
@@ -70547,6 +71303,7 @@
70547
71303
  "CVE-2023-51449",
70548
71304
  "CVE-2023-6019",
70549
71305
  "CVE-2023-6021",
71306
+ "CVE-2024-0129",
70550
71307
  "CVE-2024-0132",
70551
71308
  "CVE-2024-11392",
70552
71309
  "CVE-2024-11393",
@@ -70576,6 +71333,7 @@
70576
71333
  "CVE-2025-30165",
70577
71334
  "CVE-2025-30202",
70578
71335
  "CVE-2025-32444",
71336
+ "CVE-2025-33236",
70579
71337
  "CVE-2025-34291",
70580
71338
  "CVE-2025-38352",
70581
71339
  "CVE-2025-43300",
@@ -71515,6 +72273,7 @@
71515
72273
  "CVE-2023-51449",
71516
72274
  "CVE-2023-6019",
71517
72275
  "CVE-2023-6021",
72276
+ "CVE-2024-0129",
71518
72277
  "CVE-2024-0132",
71519
72278
  "CVE-2024-11392",
71520
72279
  "CVE-2024-11393",
@@ -71545,6 +72304,7 @@
71545
72304
  "CVE-2025-30165",
71546
72305
  "CVE-2025-30202",
71547
72306
  "CVE-2025-32444",
72307
+ "CVE-2025-33236",
71548
72308
  "CVE-2025-34291",
71549
72309
  "CVE-2025-38352",
71550
72310
  "CVE-2025-43300",
@@ -71647,6 +72407,7 @@
71647
72407
  "CVE-2023-51449",
71648
72408
  "CVE-2023-6019",
71649
72409
  "CVE-2023-6021",
72410
+ "CVE-2024-0129",
71650
72411
  "CVE-2024-0132",
71651
72412
  "CVE-2024-11392",
71652
72413
  "CVE-2024-11393",
@@ -71674,6 +72435,7 @@
71674
72435
  "CVE-2025-30165",
71675
72436
  "CVE-2025-30202",
71676
72437
  "CVE-2025-32444",
72438
+ "CVE-2025-33236",
71677
72439
  "CVE-2025-34291",
71678
72440
  "CVE-2025-38352",
71679
72441
  "CVE-2025-43300",
@@ -71849,6 +72611,7 @@
71849
72611
  "CVE-2023-51449",
71850
72612
  "CVE-2023-6019",
71851
72613
  "CVE-2023-6021",
72614
+ "CVE-2024-0129",
71852
72615
  "CVE-2024-0132",
71853
72616
  "CVE-2024-11392",
71854
72617
  "CVE-2024-11393",
@@ -71876,6 +72639,7 @@
71876
72639
  "CVE-2025-30165",
71877
72640
  "CVE-2025-30202",
71878
72641
  "CVE-2025-32444",
72642
+ "CVE-2025-33236",
71879
72643
  "CVE-2025-34291",
71880
72644
  "CVE-2025-49596",
71881
72645
  "CVE-2025-53773",
@@ -72301,6 +73065,7 @@
72301
73065
  "CVE-2023-52163",
72302
73066
  "CVE-2023-6019",
72303
73067
  "CVE-2023-6021",
73068
+ "CVE-2024-0129",
72304
73069
  "CVE-2024-0769",
72305
73070
  "CVE-2024-11182",
72306
73071
  "CVE-2024-11392",
@@ -72390,6 +73155,7 @@
72390
73155
  "CVE-2025-32975",
72391
73156
  "CVE-2025-33053",
72392
73157
  "CVE-2025-33073",
73158
+ "CVE-2025-33236",
72393
73159
  "CVE-2025-34026",
72394
73160
  "CVE-2025-34291",
72395
73161
  "CVE-2025-35939",
@@ -72775,6 +73541,7 @@
72775
73541
  "CVE-2023-51449",
72776
73542
  "CVE-2023-6019",
72777
73543
  "CVE-2023-6021",
73544
+ "CVE-2024-0129",
72778
73545
  "CVE-2024-0132",
72779
73546
  "CVE-2024-11392",
72780
73547
  "CVE-2024-11393",
@@ -72805,6 +73572,7 @@
72805
73572
  "CVE-2025-30165",
72806
73573
  "CVE-2025-30202",
72807
73574
  "CVE-2025-32444",
73575
+ "CVE-2025-33236",
72808
73576
  "CVE-2025-34291",
72809
73577
  "CVE-2025-38352",
72810
73578
  "CVE-2025-43300",
@@ -73100,6 +73868,7 @@
73100
73868
  "CVE-2023-51449",
73101
73869
  "CVE-2023-6019",
73102
73870
  "CVE-2023-6021",
73871
+ "CVE-2024-0129",
73103
73872
  "CVE-2024-0132",
73104
73873
  "CVE-2024-11392",
73105
73874
  "CVE-2024-11393",
@@ -73131,6 +73900,7 @@
73131
73900
  "CVE-2025-30165",
73132
73901
  "CVE-2025-30202",
73133
73902
  "CVE-2025-32444",
73903
+ "CVE-2025-33236",
73134
73904
  "CVE-2025-34291",
73135
73905
  "CVE-2025-49596",
73136
73906
  "CVE-2025-53767",