@blamejs/exceptd-skills 0.15.1 → 0.15.2

package/data/cve-catalog.json

@@ -2302,7 +2302,15 @@
         "severity": "high",
         "published_date": "2024-04-08"
       }
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "A container process whose working directory or a bind/volume resolves into the host via /proc/self/fd/<N> (the leaked file descriptor), reaching host paths outside the container rootfs.",
+        "runc exec/run where the process cwd is set to /proc/self/fd/* or a WORKDIR that escapes the rootfs.",
+        "Files written by a container to host directories that are not part of any declared mount."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-21626, CISA KEV, and the Snyk 'Leaky Vessels' analysis."
+    }
   },
   "CVE-2024-3094": {
     "ai_assisted_weaponization": false,
@@ -2395,7 +2403,15 @@
         "severity": "critical",
         "published_date": "2024-04-03"
       }
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "liblzma / xz-utils version 5.6.0 or 5.6.1 present on a host where sshd links libsystemd (and thus liblzma).",
+        "An sshd login latency regression (~0.5s) traced to liblzma symbol resolution / IFUNC resolver activity.",
+        "sshd routing specific attacker-supplied RSA public keys to a non-standard code path (the Ed448-gated backdoor trigger)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-3094, the openwall oss-security disclosure, and research.swtch.com/xz-script."
+    }
   },
   "CVE-2024-3154": {
     "ai_assisted_weaponization": false,
@@ -2460,7 +2476,15 @@
       "https://github.com/cri-o/cri-o/security/advisories"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Reported by the OpenShift / CRI-O upstream security team via Red Hat Bugzilla 2272532; no individual researcher byline in the public advisory and no AI-tool credit. Bug class (systemd property injection through pod annotations) is conventional argument-injection. Source: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-3154."
+    "discovery_attribution_note": "Reported by the OpenShift / CRI-O upstream security team via Red Hat Bugzilla 2272532; no individual researcher byline in the public advisory and no AI-tool credit. Bug class (systemd property injection through pod annotations) is conventional argument-injection. Source: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-3154.",
+    "iocs": {
+      "behavioral": [
+        "CRI-O nodes on 1.27.x < 1.27.10 / 1.28.x < 1.28.7 / 1.29.x < 1.29.4 accepting pod-create from non-cluster-admin RBAC subjects.",
+        "modprobe / kernel-module load events on a node correlated with a pod creation whose spec carried module-name attributes.",
+        "newly present kernel modules in /proc/modules on a worker node with no matching node-image or DaemonSet provenance."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-3154 and the cri-o GitHub security advisory cited in verification_sources."
+    }
   },
   "CVE-2023-43472": {
     "ai_assisted_weaponization": false,
@@ -2521,7 +2545,16 @@
       "https://huntr.com/bounties/"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by Joseph Beeton, senior security researcher at Contrast Security, via the Protect AI Huntr bug bounty program. Named human researcher; no AI-tool credited. Source: https://securityonline.info/cve-2023-43472-critical-vulnerability-uncovered-in-mlflow/ and https://github.com/advisories/GHSA-wqxf-447m-6f5f."
+    "discovery_attribution_note": "Discovered by Joseph Beeton, senior security researcher at Contrast Security, via the Protect AI Huntr bug bounty program. Named human researcher; no AI-tool credited. Source: https://securityonline.info/cve-2023-43472-critical-vulnerability-uncovered-in-mlflow/ and https://github.com/advisories/GHSA-wqxf-447m-6f5f.",
+    "iocs": {
+      "behavioral": [
+        "GET requests to the MLflow /model-versions/get-artifact endpoint whose path parameter contains ../ traversal sequences.",
+        "MLflow tracking server below 2.9.0 reachable and serving artifact-fetch requests.",
+        "MLflow artifact reads resolving to files outside the configured artifact root (e.g. /etc/passwd, SSH keys) returned through get-artifact responses.",
+        "Encoded/stacked traversal tokens (%2e%2e%2f, ....//) targeting MLflow artifact endpoints."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-43472 and the Protect AI Huntr report cited in verification_sources."
+    }
   },
   "CVE-2020-10148": {
     "ai_assisted_weaponization": false,
@@ -2598,7 +2631,15 @@
         "severity": "critical",
         "published_date": "2020-12-17"
       }
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "SolarWinds Orion API requests that bypass authentication by including a crafted request path containing the GUID parameter (e.g. paths with 'WebResource.axd', 'ScriptResource.axd', 'i18n.ashx' segments) to reach SolarWinds.Orion.Core.* endpoints unauthenticated.",
+        "The trojanized SolarWinds.Orion.Core.BusinessLayer.dll (SUNBURST) and beaconing to avsvmcloud.com or DGA-derived subdomains.",
+        "Orion server initiating outbound C2 after a dormancy period, with traffic masqueraded as the Orion Improvement Program protocol."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2020-10148 and CISA advisory AA20-352A (SolarWinds SUNBURST)."
+    }
   },
   "CVE-2023-3519": {
     "ai_assisted_weaponization": false,
@@ -2677,7 +2718,15 @@
         "severity": "critical",
         "published_date": "2023-07-18"
       }
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Web shells written under the NetScaler web root (e.g. /var/netscaler/logon/LogonPoint/, /netscaler/ns_gui/) following unauthenticated POSTs to the SAML/GWTest endpoints.",
+        "Crash artifacts in /var/core on the NetScaler ADC/Gateway appliance from the stack overflow.",
+        "An internet-facing NetScaler ADC/Gateway configured as a Gateway/AAA virtual server below the patched build."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-3519 and Citrix advisory CTX561482."
+    }
   },
   "CVE-2024-1709": {
     "ai_assisted_weaponization": false,
@@ -2760,7 +2809,15 @@
         "severity": "critical",
         "published_date": "2024-02-22"
       }
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated requests to SetupWizard.aspx with an appended path segment (e.g. /SetupWizard.aspx/anything) on a ScreenConnect server, re-triggering the initial setup flow.",
+        "A new administrative user created on the ScreenConnect instance with no corresponding operator action.",
+        "ScreenConnect deploying unexpected extensions or remote-control tooling immediately after the setup-wizard access."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-1709 and the ConnectWise ScreenConnect 23.9.8 security bulletin."
+    }
   },
   "CVE-2026-20182": {
     "ai_assisted_weaponization": false,
@@ -2845,7 +2902,15 @@
         "severity": "critical",
         "published_date": "2026-05-14"
       }
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated requests reaching administrative functions on the Cisco SD-WAN manager/controller (admin actions without a preceding authenticated session).",
+        "New administrative accounts or unexpected configuration/template changes on the SD-WAN management plane.",
+        "An internet-facing Cisco SD-WAN management interface running a release below the fixed version."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20182, CISA KEV, and the Cisco security advisory."
+    }
   },
   "CVE-2024-40635": {
     "ai_assisted_weaponization": false,
@@ -2905,7 +2970,16 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Reported via the containerd security team (GO-2025-3528, Snyk SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987); no individual researcher byline in the advisory and no AI-tool credited. Bug class is straight integer overflow in WithUser() UID handling. Source: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0.",
+    "iocs": {
+      "behavioral": [
+        "containerd 1.6.x < 1.6.34 or 1.7.x < 1.7.21 with CNI IP allocation in scope.",
+        "Containers receiving an IP mask inconsistent with their assigned CNI subnet (spurious/oversized mask from the 32-bit overflow).",
+        "CNI IPAM configs or pod network requests specifying CIDR values large enough to overflow the mask conversion path.",
+        "Cross-namespace network reachability or address-mask leakage between containers that should be CNI-isolated."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-40635 and the containerd GitHub security advisory / Snyk Labs PoC cited in verification_sources."
+    }
   },
   "MAL-2026-TANSTACK-MINI": {
     "ai_assisted_weaponization": false,
@@ -2979,7 +3053,16 @@
     "related_threats": [
       "MAL-2026-SHAI-HULUD-OSS"
     ],
-    "related_threats_note": "MAL-2026-TANSTACK-MINI is a Mini-Shai-Hulud-wave incident (Microsoft Security Research, 2026-05-11). The framework was open-sourced 2026-05-12 (MAL-2026-SHAI-HULUD-OSS) — TanStack predates the public release by ~24h. Same threat-actor authorship class; same registry-pivot tradecraft."
+    "related_threats_note": "MAL-2026-TANSTACK-MINI is a Mini-Shai-Hulud-wave incident (Microsoft Security Research, 2026-05-11). The framework was open-sourced 2026-05-12 (MAL-2026-SHAI-HULUD-OSS) — TanStack predates the public release by ~24h. Same threat-actor authorship class; same registry-pivot tradecraft.",
+    "iocs": {
+      "behavioral": [
+        "Installation of any @tanstack/* package version flagged in the 2026-05-11 advisory (84 malicious versions across 42 packages).",
+        "Postinstall lifecycle hooks executing during @tanstack/* installs that read ~/.npmrc, ~/.aws/credentials, or GitHub PAT files.",
+        "Outbound network activity or npm publish/republication attempts originating from a postinstall script during @tanstack/* installation.",
+        "Credential-file reads (~/.npmrc, ~/.aws/credentials, GitHub token files) by a node/npm child process spawned from an @tanstack/* install."
+      ],
+      "_ioc_source_note": "Anchored to the TanStack security advisory 2026-05-11 and the npm advisories cited in verification_sources."
+    }
   },
   "CVE-2026-30623": {
     "ai_assisted_weaponization": false,
@@ -3044,7 +3127,16 @@
       "https://github.com/anthropics/anthropic-sdk-python/security/advisories"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "OX Security advisory 2026-04-15; researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok. Same disclosure cluster as CVE-2026-30615. Named-human research; no AI-tool credit. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/."
+    "discovery_attribution_note": "OX Security advisory 2026-04-15; researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok. Same disclosure cluster as CVE-2026-30615. Named-human research; no AI-tool credit. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/.",
+    "iocs": {
+      "behavioral": [
+        "Anthropic MCP SDK stdio transport at a pre-fix version spawning MCP servers from an operator-supplied command string.",
+        "MCP server-spawn command strings containing shell metacharacters (;, |, &, $(), backticks) reaching subprocess exec without argv-array separation.",
+        "Child processes spawned by the MCP-client stdio transport whose command line differs from the configured server binary.",
+        "Unexpected subprocess execution (shells, downloaders) parented to the MCP client process at server-launch time."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-30623 and the anthropic MCP SDK GitHub security advisory cited in verification_sources."
+    }
   },
   "CVE-2025-12686": {
     "ai_assisted_weaponization": false,
@@ -3102,7 +3194,15 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Pwn2Own Ireland 2025 (Cork, 2025-10-21) — exploited by @Tek_7987 and @_Anyfun of Synacktiv's offensive security team. Disclosure methodology: attack-surface enumeration + manual code auditing + exploit development per Synacktiv's published writeup; no AI-tool credit. Source: https://www.synacktiv.com/en/publications/breaking-the-beestation-inside-our-pwn2own-2025-exploit-journey.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (50 -> 45)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (50 -> 45).",
+    "iocs": {
+      "behavioral": [
+        "Synology BeeStation Manager below 1.4.0-65374 exposing its web management interface.",
+        "Unauthenticated requests to the BeeStation web management surface resulting in OS-command execution (CWE-78).",
+        "Command-shell or unexpected child processes spawned by the BeeStation web management service without a preceding authenticated session."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-12686 and the Zero Day Initiative Pwn2Own Ireland 2025 disclosure cited in verification_sources."
+    }
   },
   "CVE-2025-62847": {
     "ai_assisted_weaponization": false,
@@ -3162,7 +3262,15 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Pwn2Own Ireland 2025 — exploited by DEVCORE Research Team (chained injection + format-string bug, $40,000 + 4 Master of Pwn points). Named-human team via ZDI live-blog credit; no AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (45 -> 40)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (45 -> 40).",
+    "iocs": {
+      "behavioral": [
+        "QNAP QTS < 5.2.4.2950 or QuTS hero < h5.2.4.2950 with the web management interface reachable.",
+        "Requests to QTS/QuTS hero management endpoints carrying OS-command metacharacters (CWE-78), consistent with the first component of the Pwn2Own chain.",
+        "Unexpected command-shell or child processes spawned by QTS/QuTS hero web services without a corresponding administrative action."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-62847 and the QNAP security advisory cited in verification_sources."
+    }
   },
   "CVE-2025-62848": {
     "ai_assisted_weaponization": false,
@@ -3222,7 +3330,15 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Pwn2Own Ireland 2025 — chain 2/3 of the DEVCORE Research Team QNAP TS-453E exploit. Same researcher attribution as CVE-2025-62847; ZDI live-blog credit. No AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (45 -> 40)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (45 -> 40).",
+    "iocs": {
+      "behavioral": [
+        "QNAP QTS < 5.2.4.2950 or QuTS hero < h5.2.4.2950 with management services reachable.",
+        "Input reaching a QTS/QuTS hero code-evaluation path (CWE-94), the second component of the Pwn2Own chain — injected code executing within a QNAP management process.",
+        "QTS/QuTS hero management processes evaluating attacker-supplied script/code fragments not present in stock firmware."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-62848 and the QNAP security advisory cited in verification_sources."
+    }
   },
   "CVE-2025-62849": {
     "ai_assisted_weaponization": false,
@@ -3282,7 +3398,15 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Pwn2Own Ireland 2025 — chain 3/3 of the DEVCORE Research Team QNAP TS-453E exploit (post-auth elevation). Same attribution as CVE-2025-62847/62848; ZDI credit. No AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (40 -> 35)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (40 -> 35).",
+    "iocs": {
+      "behavioral": [
+        "QNAP QTS < 5.2.4.2950 or QuTS hero < h5.2.4.2950 where a low-privilege session escalates privilege.",
+        "A QTS/QuTS hero process or session gaining privileges beyond its authenticated account (CWE-269), the post-auth elevation component of the Pwn2Own chain.",
+        "Post-authentication privilege transitions on the appliance not initiated through a legitimate admin role assignment."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-62849 and the QNAP security advisory cited in verification_sources."
+    }
   },
   "CVE-2025-59389": {
     "ai_assisted_weaponization": false,
@@ -3341,7 +3465,15 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Pwn2Own Ireland 2025 — Sina Kheirkhah of Summoning Team chained a hardcoded-credential issue with an injection flaw against QNAP Hyper Data Protector ($20,000 award). Named-human researcher; no AI-tool credit. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results and https://www.qnap.com/en/security-advisory/qsa-25-48.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0.",
+    "iocs": {
+      "behavioral": [
+        "QNAP Hyper Data Protector below 2.1.4.0420 exposing its management surface.",
+        "Unauthenticated requests to the Hyper Data Protector management interface resulting in OS-command execution (CWE-78).",
+        "Command-shell or unexpected child processes spawned by the Hyper Data Protector backup-orchestration service without a preceding authenticated session."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59389 and the QNAP / Pwn2Own Ireland 2025 advisory cited in verification_sources."
+    }
   },
   "CVE-2025-11837": {
     "ai_assisted_weaponization": false,
@@ -3401,7 +3533,15 @@
       "https://www.qnap.com/en/security-advisory/"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Pwn2Own Ireland 2025 — Chumy Tsai of CyCraft Technology demonstrated the code-injection on QNAP TS-453E ($20,000 award). Named-human researcher via ZDI credit; no AI-tool attribution. Source: https://www.qnap.com/en/security-advisory/qsa-25-47 and https://cybersecuritynews.com/qnap-zero-day-vulnerabilities-exploited/."
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — Chumy Tsai of CyCraft Technology demonstrated the code-injection on QNAP TS-453E ($20,000 award). Named-human researcher via ZDI credit; no AI-tool attribution. Source: https://www.qnap.com/en/security-advisory/qsa-25-47 and https://cybersecuritynews.com/qnap-zero-day-vulnerabilities-exploited/.",
+    "iocs": {
+      "behavioral": [
+        "QNAP Malware Remover below 6.6.8.20251023 fetching or applying malware-definition updates.",
+        "The definition-handling path processing a crafted/tampered definition update, leading to code execution within the security tool's process (CWE-94).",
+        "The malware-definition-fetch channel redirected/hijacked (download from an unexpected host or over a tampered channel) supplying attacker-controlled content."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-11837 and the QNAP security advisory cited in verification_sources."
+    }
   },
   "CVE-2026-42945": {
     "name": "NGINX Rift",
@@ -3478,7 +3618,16 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Discovered by depthfirst's autonomous vulnerability-analysis platform; flagged the heap-buffer-overflow in nginx ngx_http_rewrite_module (present since nginx 0.6.27, 2008) within six hours of scan time. First publicly-attributed AI-discovered nginx CVE; jointly disclosed by F5 + depthfirst on 2026-05-13. Source: https://depthfirst.com/nginx-rift and https://github.com/depthfirstdisclosures/nginx-rift.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields.",
+    "iocs": {
+      "behavioral": [
+        "nginx 0.6.27 through 1.30.0 or nginx Plus R32-R36 with a rewrite directive using unnamed PCRE captures in its configuration.",
+        "Single HTTP requests whose URI matches a rewrite rule using unnamed captures, triggering the out-of-bounds heap write (CWE-787) in PCRE handling.",
+        "nginx worker process crashes/segfaults/restarts correlated with requests matching unnamed-capture rewrite rules.",
+        "Crafted URIs designed to match unnamed-capture rewrite patterns reaching nginx instances on the affected version range."
+      ],
+      "_ioc_source_note": "Anchored to the F5 advisory K000150420 and the nginx.org security advisories cited in verification_sources."
+    }
   },
   "CVE-2026-0300": {
     "name": "PAN-UID — Palo Alto Networks PAN-OS User-ID Authentication Portal RCE",
@@ -4363,7 +4512,16 @@
     ],
     "_draft": false,
     "last_updated": "2026-05-17",
-    "discovery_attribution_note": "Qualys Threat Research Unit human research, publicly disclosed 2026-05-14. The underlying logic flaw was originally surfaced in a 2020 patch proposal by Jann Horn that was never merged; Qualys identified the exploitable consequence six years later. No AI involvement on either the discovery or weaponization side."
+    "discovery_attribution_note": "Qualys Threat Research Unit human research, publicly disclosed 2026-05-14. The underlying logic flaw was originally surfaced in a 2020 patch proposal by Jann Horn that was never merged; Qualys identified the exploitable consequence six years later. No AI involvement on either the discovery or weaponization side.",
+    "iocs": {
+      "behavioral": [
+        "A Linux host on a kernel built without the 2020 ptrace exit-race fix, running the setuid ssh-keysign helper.",
+        "A process ptrace-attaching to a privileged helper (ssh-keysign) during its shutdown window to exploit the exit_mm()/exit_files() race (CWE-362/CWE-672).",
+        "An unprivileged local user obtaining access to privileged file descriptors / key material via the ssh-keysign exit race.",
+        "Kernel/audit signatures of ptrace attach to a setuid binary immediately before its exit on an affected kernel."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-46333 and the public analysis cited in verification_sources."
+    }
   },
   "MAL-2026-SHAI-HULUD-OSS": {
     "name": "Shai-Hulud worm framework (TeamPCP open-source release)",
@@ -4447,7 +4605,16 @@
       "https://snyk.io/blog/tanstack-npm-packages-compromised/"
     ],
     "last_updated": "2026-05-17",
-    "discovery_attribution_note": "TeamPCP threat-actor framework, not a vulnerability discovery. The framework was open-sourced 2026-05-12 on GitHub under MIT license by the same actor group responsible for the September 2025 / November 2025 / May 2026 Shai-Hulud npm-worm waves. TeamPCP self-describes the framework as \"vibe coded\" — AI-coding-assistant-mediated authoring. Adoption-side weaponization is accelerated by AI coding assistants + the BreachForums-hosted $1,000 USD bounty contest."
+    "discovery_attribution_note": "TeamPCP threat-actor framework, not a vulnerability discovery. The framework was open-sourced 2026-05-12 on GitHub under MIT license by the same actor group responsible for the September 2025 / November 2025 / May 2026 Shai-Hulud npm-worm waves. TeamPCP self-describes the framework as \"vibe coded\" — AI-coding-assistant-mediated authoring. Adoption-side weaponization is accelerated by AI coding assistants + the BreachForums-hosted $1,000 USD bounty contest.",
+    "iocs": {
+      "behavioral": [
+        "Any of the 170+ confirmed npm packages (May 2026 wave), the 2 confirmed PyPI packages, or the affected GitHub Action present in a lockfile/install.",
+        "Package postinstall OR require-time code reading cloud credentials, AI-assistant configs, and version-control tokens (the worm's credential-harvest phase).",
+        "Self-republication attempts from a package-install context and creation of attacker-controlled public repositories for exfiltration (worm propagation via maintainer-account pivot).",
+        "Outbound exfiltration of harvested secrets from a CI runner or developer host shortly after an affected dependency install."
+      ],
+      "_ioc_source_note": "Anchored to NVD/advisory references and the public Shai-Hulud worm analyses cited in verification_sources."
+    }
   },
   "CVE-2024-21762": {
     "ai_assisted_weaponization": false,
@@ -4565,7 +4732,15 @@
         "severity": "critical",
         "published_date": "2024-02-09"
       }
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "sslvpnd process crashes or segfaults on a FortiGate, and crafted unauthenticated HTTP requests to the SSL-VPN web surface (/remote/* endpoints).",
+        "Read-only symlinks left in the SSL-VPN language-file directory (the documented post-exploitation persistence that survives a firmware update).",
+        "An internet-facing FortiGate with SSL-VPN enabled on a FortiOS/FortiProxy build below the fixed version."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-21762, Fortinet FG-IR-24-015, and the CISA 2025-04 post-exploitation advisory."
+    }
   },
   "CVE-2025-10585": {
     "id": "CVE-2025-10585",
@@ -4633,7 +4808,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-843"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Google Chrome (and Chromium-based browsers) on a build below the emergency-patched version, exposed to attacker-controlled web content.",
+        "Renderer-process crashes consistent with a V8 type-confusion trigger, followed by anomalous child-process spawning from the browser.",
+        "Drive-by navigation to a malicious page delivering the V8 exploit as part of a sandbox-escape chain."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-10585 and the Google TAG / Chrome stable-channel security advisory."
+    }
   },
   "CVE-2025-14174": {
     "id": "CVE-2025-14174",
@@ -4706,7 +4889,15 @@
     "cwe_refs": [
       "CWE-787",
       "CWE-119"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Apple WebKit on an OS build below the patched version processing attacker-controlled web content (1-click delivery via message/link).",
+        "WebContent (WebKit) process memory-corruption crashes on targeted devices, consistent with a commercial-spyware delivery chain.",
+        "Indicators of targeted-spyware staging following web content rendering on a high-risk-user device (Lockdown Mode relevant)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-14174 and the Apple security update notes for the targeted-exploitation fix."
+    }
   },
   "CVE-2025-43529": {
     "id": "CVE-2025-43529",
@@ -4774,7 +4965,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-416"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "WebKit use-after-free crashes on an Apple device below the patched build, triggered by crafted web content in a 1-click chain.",
+        "Anomalous process activity following a WebKit crash on a targeted device (spyware sandbox-escape follow-on).",
+        "Delivery of a malicious link/page to a high-risk user as the chain's entry point."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-43529 and the Apple security update notes."
+    }
   },
   "CVE-2025-4919": {
     "id": "CVE-2025-4919",
@@ -4839,7 +5038,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-843"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Mozilla Firefox < 138.0.4, Firefox ESR < 128.10.1 / < 115.23.1, or Thunderbird < 138.0.2 exposed to attacker-controlled web content.",
+        "Renderer-process crashes consistent with a SpiderMonkey JIT type-confusion trigger (CWE-843).",
+        "Crafted JavaScript / WebAssembly compiled through the SpiderMonkey JIT granting renderer read/write primitives.",
+        "Drive-by navigation to a malicious page delivering the type-confusion exploit."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-4919 and the Mozilla security advisory (Pwn2Own Berlin) cited in verification_sources."
+    }
   },
   "CVE-2025-24201": {
     "id": "CVE-2025-24201",
@@ -4910,7 +5118,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "WebKit out-of-bounds write on an Apple device below the patched build, used to break out of the Web Content sandbox.",
+        "Web Content process crashes followed by privilege/sandbox-boundary anomalies on iOS/macOS.",
+        "Targeted delivery of malicious web content as part of a multi-stage exploit chain."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-24201 and the Apple security update notes (supplementary fix for a previously-mitigated attack)."
+    }
   },
   "CVE-2025-43300": {
     "id": "CVE-2025-43300",
@@ -4981,7 +5197,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "ImageIO processing a malformed DNG / JPEG-lossless image triggering an out-of-bounds write (zero-click delivery via a received image).",
+        "imagent / Messages / preview pipelines crashing on image decode on a device below the patched build.",
+        "Indicators of a zero-click spyware chain on a targeted device following inbound media."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-43300 and the Apple security update notes for the in-the-wild ImageIO fix."
+    }
   },
   "CVE-2025-38352": {
     "id": "CVE-2025-38352",
@@ -5053,7 +5277,15 @@
     "discovery_attribution_note": "Google Android Security Bulletin September 2025 attribution; no AI-tool credit. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-38352",
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "A Linux/Android host below the patched kernel exhibiting a race on POSIX CPU timers (posix_cpu_timer teardown vs. expiry) leading to a use-after-free.",
+        "A sandboxed Android app or low-privileged process escalating to kernel context via the timer race.",
+        "Kernel crash/oops signatures referencing posix_cpu_timer on an affected build."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-38352 and the Android Security Bulletin / upstream kernel fix."
+    }
   },
   "CVE-2025-55241": {
     "id": "CVE-2025-55241",
@@ -5122,7 +5354,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Requests presenting an undocumented 'Actor' token to the legacy Azure AD Graph endpoint in a target Entra ID tenant.",
+        "Cross-tenant access where the originating-tenant claim is not validated by the legacy Azure AD Graph API.",
+        "Entra ID sign-in / audit-log entries showing cross-tenant impersonation via Azure AD Graph (observable in historical logs; Microsoft fixed server-side).",
+        "Tenants still exposing the legacy Azure AD Graph endpoint as the precondition."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-55241 and the Microsoft / researcher analysis cited in verification_sources."
+    }
   },
   "CVE-2025-21085": {
     "id": "CVE-2025-21085",
@@ -5187,7 +5428,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Cisco Duo Authentication Proxy below 6.5.3 with debug-level logging enabled.",
+        "Cleartext credentials present in authproxy.log emitted during LDAP/AD password-change operations (CWE-1395).",
+        "A local authenticated user or post-compromise lateral mover reading authproxy.log to recover credentials.",
+        "Debug-level Auth Proxy logging retained on disk where lower-privilege accounts can read it."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21085 and the Cisco security advisory cited in verification_sources."
+    }
   },
   "CVE-2025-1094": {
     "id": "CVE-2025-1094",
@@ -5260,7 +5510,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "psql (or libpq client) processing input containing invalid UTF-8 byte sequences that survive quoting and enable SQL injection.",
+        "SQL injection escalating to arbitrary code execution via psql meta-commands (e.g. \\! shell execution) on the client host.",
+        "PostgreSQL/psql client below the patched version in a chain following an application-layer injection (the BeyondTrust RS exploitation pattern)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-1094 and the PostgreSQL project security advisory."
+    }
   },
   "CVE-2025-49844": {
     "id": "CVE-2025-49844",
@@ -5329,7 +5587,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-416"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "A network-reachable Redis instance (below the fixed 7.x/8.x builds) accepting EVAL/EVALSHA of attacker-supplied Lua from untrusted clients.",
+        "redis-server crashes or native code execution consistent with a use-after-free escape from the Lua sandbox (CWE-416).",
+        "Crafted Lua scripts submitted to a Redis instance exposed without authentication or network isolation.",
+        "Unexpected child processes or outbound connections originating from the redis-server process after a Lua EVAL."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-49844 and the Redis 'RediShell' advisory cited in verification_sources."
+    }
   },
   "CVE-2025-14847": {
     "id": "CVE-2025-14847",
@@ -5396,7 +5663,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "A MongoDB Server on an affected branch reachable to unauthenticated clients.",
+        "Crafted compressed wire-protocol messages with mismatched length fields sent to the server.",
+        "Server responses containing uninitialized heap memory (potentially prior request data) returned to an unauthenticated client (the 'MongoBleed' over-read).",
+        "Anomalous compressed-message traffic to MongoDB preceding memory-disclosure responses."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-14847 and the Bitsight 'MongoBleed' analysis cited in verification_sources."
+    }
   },
   "CVE-2025-8671": {
     "id": "CVE-2025-8671",
@@ -5467,7 +5743,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "An affected HTTP/2 server (e.g. Apache Tomcat, Netty, Varnish, and other enumerated implementations) reachable over HTTP/2.",
+        "Malformed HTTP/2 control frames over a single connection causing server-emitted stream resets while backend work stays in flight, bypassing the concurrency limit ('MadeYouReset').",
+        "Stream-reset storms and elevated backend resource consumption disproportionate to the visible request count on one connection.",
+        "Resource exhaustion / denial of service under crafted HTTP/2 control-frame load."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-8671 and the 'MadeYouReset' HTTP/2 advisory cited in verification_sources."
+    }
   },
   "CVE-2025-6965": {
     "id": "CVE-2025-6965",
@@ -5537,7 +5822,16 @@
     "cwe_refs": [
       "CWE-787",
       "CWE-119"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "An application embedding SQLite below 3.50.2 that processes attacker-influenced SQL.",
+        "Injected SQL causing an integer overflow that yields an out-of-bounds array read (CWE-787/CWE-119).",
+        "Memory disclosure or corruption in a SQLite-backed component following injected SQL statements.",
+        "SQLite-backed services accepting untrusted SQL on an unpatched library version (broad embedded/downstream footprint)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-6965 and the SQLite / Big Sleep disclosure cited in verification_sources."
+    }
   },
   "CVE-2026-22778": {
     "id": "CVE-2026-22778",
@@ -5608,7 +5902,16 @@
     "cwe_refs": [
       "CWE-122",
       "CWE-787"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "A vLLM multimodal endpoint below 0.14.1 reachable to unauthenticated clients.",
+        "Submission of a malicious video URL to the vLLM multimodal API triggering the bundled FFmpeg JPEG2000 decoder heap overflow (CWE-122/CWE-787).",
+        "Code execution as the vLLM service user, or vLLM service crashes / unexpected child processes on multimodal decode.",
+        "vLLM (with bundled FFmpeg 5.1.x via OpenCV) processing untrusted media URLs."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-22778 and the vLLM security advisory cited in verification_sources."
+    }
   },
   "CVE-2026-7482": {
     "id": "CVE-2026-7482",
@@ -5676,7 +5979,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Ollama below 0.17.1 (Linux/macOS/Windows) reachable to unauthenticated clients.",
+        "Unauthenticated upload of a crafted file to the Ollama API where the quantization pipeline reads beyond allocated bounds.",
+        "Ollama API responses returning heap contents (the 'Bleeding Llama' over-read disclosure).",
+        "Anomalous crafted-file uploads to Ollama preceding memory-disclosure responses."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-7482 and the Ollama security advisory cited in verification_sources."
+    }
   },
   "CVE-2025-68664": {
     "id": "CVE-2025-68664",
@@ -5750,7 +6062,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-502"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "langchain-core below 1.2.5 (1.x) or below 0.3.81 (0.x) on a pipeline that serializes LLM responses with dumps()/dumpd().",
+        "Deserialization (loads/load) of LLM response content where attacker-controlled fields (additional_kwargs / response_metadata) carry the internal 'lc' key marker, rehydrating a free-form dict as a LangChain object.",
+        "Secret/credential values appearing in objects reconstructed from a dumps->loads round-trip of model output.",
+        "Prompt-injection-bearing model responses whose serialized form survives the dumps/loads cycle with the 'lc' marker unescaped."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-68664 and the Cyata 'LangGrinch' analysis cited in verification_sources."
+    }
   },
   "CVE-2025-22224": {
     "id": "CVE-2025-22224",
@@ -5823,7 +6144,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "VMX process crashes on an ESXi/Workstation host consistent with a VMCI TOCTOU heap overflow exploited from a guest VM.",
+        "Guest-to-host code execution as the VMX process (VM escape) on an unpatched ESXi build.",
+        "An attacker with administrative/root access inside a guest VM as the precondition for the escape (often post-initial-compromise, ransomware operators)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-22224 and the Broadcom/VMware VMSA security advisory (in-the-wild ESXi escape chain)."
+    }
   },
   "CVE-2025-22225": {
     "id": "CVE-2025-22225",
@@ -5893,7 +6222,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Arbitrary kernel writes on an ESXi host enabling a sandbox/VM escape, chained with the VMCI overflow.",
+        "Unexpected VMkernel modifications or crashes on an unpatched ESXi build following guest compromise.",
+        "Ransomware-operator activity pivoting from a guest VM to the hypervisor."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-22225 and the Broadcom/VMware VMSA security advisory."
+    }
   },
   "CVE-2025-22226": {
     "id": "CVE-2025-22226",
@@ -5963,7 +6300,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "HGFS (host-guest file system) memory-leak/out-of-bounds-read activity on an ESXi/Workstation host, used as an information-leak helper in the VM-escape chain.",
+        "VMX memory disclosure preceding the VMCI escape on an unpatched build.",
+        "Guest VM with admin access reading host memory via the HGFS path."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-22226 and the Broadcom/VMware VMSA security advisory."
+    }
   },
   "MAL-2024-PYPI-ULTRALYTICS-XMRIG": {
     "id": "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -6038,7 +6383,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "ultralytics resolving to exactly 8.3.41 or 8.3.42 in a lockfile/requirements/site-packages (8.3.43 is clean).",
+        "Post-install / import-time download of an XMRig binary from attacker infrastructure following an ultralytics install.",
+        "Sustained high CPU and Monero-mining stratum/pool network traffic from a host or CI runner shortly after an ultralytics install step.",
+        "Injected downloader code in the installed wheel not present in the 8.3.43 source (GitHub Actions build-time tampering)."
+      ],
+      "_ioc_source_note": "Anchored to the ReversingLabs, Wiz, HiddenLayer analyses and the ultralytics advisory cited in verification_sources."
+    }
   },
   "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER": {
     "id": "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
@@ -6116,7 +6470,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Any BufferZoneCorp-published gem/module impersonating activesupport-logger, devise-jwt, go-retryablehttp, grpc-client, or config-loader in a Gemfile.lock / go.mod / go.sum.",
+        "A newly-published-then-silently-updated package (clean at first publish, malicious payload in a later version) pulled into CI — the sleeper-to-payload pattern.",
+        "Install/CI-time reads of env vars, ~/.ssh keys, AWS credentials, .npmrc, .netrc, GitHub CLI config, and RubyGems credentials followed by exfiltration.",
+        "Go-build tampering: writes to GITHUB_ENV, a poisoned GOPROXY, weakened go.sum checksums, or a fake `go` wrapper on the workflow PATH."
+      ],
+      "_ioc_source_note": "Anchored to the Socket and The Hacker News analyses cited in verification_sources."
+    }
   },
   "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER": {
     "id": "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
@@ -6193,7 +6556,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Any colorama typosquat (coloramapkgsw, coloramapkgsdow, coloramashowtemp, coloramapkgs, readmecolorama, colorizator, coloraiz) resolving where the intended dependency was the legitimate colorama.",
+        "Install-time code reading browser-stored credentials/cookies and Solana wallet artifacts, then exfiltrating them.",
+        "Access at install time to Facebook / Telegram / Roblox session material and crypto-wallet files by the Python install process.",
+        "PyPI packages from the 2025-05-04 to 2025-05-24 window matching the colorama-typosquat naming pattern in resolved dependencies."
+      ],
+      "_ioc_source_note": "Anchored to the Imperva, Checkmarx, Check Point, and The Hacker News analyses cited in verification_sources."
+    }
   },
   "CVE-2025-0133": {
     "id": "CVE-2025-0133",
@@ -6264,7 +6636,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "PAN-OS GlobalProtect portal/gateway on an affected build (11.2 < 11.2.7, 11.1 < 11.1.11, 10.2 < 10.2.17, any 10.1 EoL, or Cloud NGFW).",
+        "Crafted captive-portal links containing reflected XSS payloads in request parameters echoed back unescaped into the portal response.",
+        "JavaScript executing inside the GlobalProtect portal origin driving session-token theft or credential-phishing prompts that appear to originate from the legitimate VPN portal."
+      ],
+      "_ioc_source_note": "Anchored to the Palo Alto Networks advisory for CVE-2025-0133 and the XBOW writeup cited in verification_sources."
+    }
   },
   "CVE-2025-59529": {
     "id": "CVE-2025-59529",
@@ -6331,7 +6711,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "avahi-daemon with the Simple Protocol Server enabled (pre-fix) on a Linux/IoT/embedded host.",
+        "A client opening repeated Simple Protocol connections to avahi-daemon beyond the configured connection cap without the cap engaging.",
+        "Growing avahi-daemon file-descriptor count and memory footprint correlated with repeated Simple Protocol connection bursts, leading to mDNS/DNS-SD service-discovery denial."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59529, the ZeroPath writeup, and the Avahi security advisory cited in verification_sources."
+    }
   },
   "CVE-2025-55319": {
     "id": "CVE-2025-55319",
@@ -6403,7 +6791,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-77"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "VS Code agentic-AI surface (Copilot Chat / MCP-integrated agents) on a pre-fix build on a developer workstation.",
+        "Adversarial content embedded in an AI tool response or external MCP server message reaching a shell-execution primitive inside the agentic integration.",
+        "Shell commands spawned by the VS Code agentic/Copilot process whose argument content traces to model/tool/MCP response text rather than explicit developer input.",
+        "Connection to an untrusted/external MCP server immediately followed by unexpected command execution under the developer's user context."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-55319 and the MSRC advisory / ZeroPath writeup cited in verification_sources."
+    }
   },
   "CVE-2025-53767": {
     "id": "CVE-2025-53767",
@@ -6475,7 +6872,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Azure OpenAI in its pre-2025-08-19 state (Microsoft fixed server-side before this date).",
+        "An authenticated low-privilege tenant user issuing requests that induce server-side SSRF crossing the cloud-tenant boundary in the Azure OpenAI control plane.",
+        "Outbound fetches initiated by the Azure OpenAI control plane toward internal/metadata or other-tenant endpoints on behalf of a low-privilege caller (observable in historical logs only; server-side patched)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-53767 and the MSRC advisory / ZeroPath writeup cited in verification_sources."
+    }
   },
   "CVE-2025-10725": {
     "id": "CVE-2025-10725",
@@ -6545,7 +6950,15 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "Red Hat OpenShift AI on a pre-fix release in a managed-Kubernetes environment.",
+        "Kubernetes RBAC/audit events showing a low-privilege OpenShift AI tenant principal gaining cluster/control-plane-scoped permissions it was not granted.",
+        "Privilege transitions in the OpenShift AI control plane originating from a tenant-scoped service account or user rather than a cluster-admin."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-10725 and the Red Hat advisory / ZeroPath writeup cited in verification_sources."
+    }
   },
   "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP": {
     "id": "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP",
@@ -6617,7 +7030,16 @@
     "live_patch_tools": [],
     "cwe_refs": [
       "CWE-1395"
-    ]
+    ],
+    "iocs": {
+      "behavioral": [
+        "FFmpeg or ImageMagick on a pre-tranche-fix build (the August 2025 Big Sleep disclosure set) processing untrusted media files.",
+        "Crafted media files passed through a vulnerable decoder/library API triggering memory corruption.",
+        "Crashes / abnormal termination of FFmpeg/ImageMagick (or processes embedding them) when decoding specific attacker-supplied inputs prior to the upstream tranche patches.",
+        "An unpatched library version from the enumerated Big Sleep tranche in a media-processing service's dependency inventory."
+      ],
+      "_ioc_source_note": "Anchored to the Google Project Zero / Big Sleep disclosure posts cited in verification_sources."
+    }
   },
   "CVE-2026-31635": {
     "name": "DirtyDecrypt (rxgk page-cache write)",
@@ -6709,7 +7131,16 @@
       }
     ],
     "last_updated": "2026-05-18",
-    "intake_gap_note": "Catalog entry added 2026-05-18 via manual operator triage AFTER public PoC. The daily exceptd-threat-intake routine missed this CVE — kernel.org Atom feed window had rolled past the 2026-04-25 silent-patch commit by the time the PoC published on 2026-05-17, and the V12 rediscovery report went to maintainers privately rather than to oss-security@openwall. The v0.13.14 release adds a vendor-security-blog source (Microsoft / Sysdig / Trail of Bits) to close this class of gap. See feeds_into supply-chain-recovery + framework playbooks for the chained handling."
+    "intake_gap_note": "Catalog entry added 2026-05-18 via manual operator triage AFTER public PoC. The daily exceptd-threat-intake routine missed this CVE — kernel.org Atom feed window had rolled past the 2026-04-25 silent-patch commit by the time the PoC published on 2026-05-17, and the V12 rediscovery report went to maintainers privately rather than to oss-security@openwall. The v0.13.14 release adds a vendor-security-blog source (Microsoft / Sysdig / Trail of Bits) to close this class of gap. See feeds_into supply-chain-recovery + framework playbooks for the chained handling.",
+    "iocs": {
+      "behavioral": [
+        "A Linux kernel >= 6.13 (when rxgk landed) and pre-2026-04-24 with CONFIG_RXGK enabled (distros tracking upstream master; older LTS kernels without rxgk are not affected).",
+        "An unprivileged local process driving the rxgk_decrypt_skb page-cache write primitive to corrupt page-cache pages backing privileged binaries (missing copy-on-write guard).",
+        "Page-cache contents of privileged/setuid binaries diverging from their on-disk backing without a legitimate write (the Dirty-COW-bypass primitive class).",
+        "An unprivileged user gaining root on an rxgk-enabled host (matching the published PoC)."
+      ],
+      "_ioc_source_note": "Anchored to the public reporting and PoC cited in verification_sources."
+    }
   },
   "CVE-2020-17103-REREGRESSION-2026": {
     "name": "MiniPlasma — Windows cldflt.sys Cloud Files Mini Filter SYSTEM EoP (re-regression of CVE-2020-17103)",