@blamejs/exceptd-skills 0.15.16 → 0.15.18

package/data/cve-catalog.json

@@ -22837,7 +22837,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22858,7 +22858,7 @@
     "cwe_refs": [
       "CWE-190"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://source.android.com/docs/security/bulletin/2026/2026-03-01",
@@ -22887,11 +22887,21 @@
         "published_date": "2026-03-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-03; due date 2026-03-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://source.android.com/docs/security/bulletin/2026/2026-03-01 ; https://nvd.nist.go",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. ",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with integer-overflow memory-corruption flaw (CWE-190) in Qualcomm chipset firmware/driver code, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21385, CISA KEV (added 2026-03-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2022-20775": {
     "name": "Cisco SD-WAN Path Traversal Vulnerability",
@@ -23986,7 +23996,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html",
@@ -24015,11 +24025,21 @@
         "published_date": "2026-02-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-17; due date 2026-03-10. Notes reference: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-2441",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "iocs": {
+      "behavioral": [
+        "Google Chromium below the patched build named in the Chrome/Chromium advisory on an endpoint exposed to web content.",
+        "Renderer/GPU process crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in Chromium's CSS handling on an affected endpoint.",
+        "Inbound navigation to attacker-controlled web content followed by unexpected child-process execution or sandbox-escape behavior from the browser process (KEV-confirmed in-the-wild exploitation; browser zero-days of this class are used in targeted-spyware and watering-hole chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-2441, CISA KEV (added 2026-02-17), and the Google Chrome/Chromium security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-1731": {
     "name": "BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability",
@@ -25973,7 +25993,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25994,7 +26014,7 @@
     "cwe_refs": [
       "CWE-190"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/about/",
@@ -26026,11 +26046,21 @@
         "published_date": "2026-01-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For mor",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system.",
+    "iocs": {
+      "behavioral": [
+        "Linux kernel at a patch level below the fixed version named in the distribution kernel advisory on a device with any local foothold.",
+        "Kernel crashes or memory-corruption signatures consistent with integer-overflow flaw (CWE-190) in the Linux kernel create_elf_tables() path ('Mutagen Astronomy'), often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining root privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2018-14634, CISA KEV (added 2026-01-26), and the kernel/distribution advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-52691": {
     "name": "SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -29337,7 +29367,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29358,7 +29388,7 @@
     "cwe_refs": [
       "CWE-843"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html",
@@ -29387,11 +29417,21 @@
         "published_date": "2025-11-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-19; due date 2025-12-10. Notes reference: https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-13223",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.",
+    "iocs": {
+      "behavioral": [
+        "Google Chromium below the patched build named in the Chrome/Chromium advisory on an endpoint exposed to web content.",
+        "Renderer/GPU process crashes or memory-corruption signatures consistent with type confusion (CWE-843) in the V8 JavaScript engine on an affected endpoint.",
+        "Inbound navigation to attacker-controlled web content followed by unexpected child-process execution or sandbox-escape behavior from the browser process (KEV-confirmed in-the-wild exploitation; browser zero-days of this class are used in targeted-spyware and watering-hole chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-13223, CISA KEV (added 2025-11-19), and the Google Chrome/Chromium security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-58034": {
     "name": "Fortinet FortiWeb OS Command Injection Vulnerability",
@@ -32119,7 +32159,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32140,7 +32180,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21",
@@ -32172,11 +32212,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21 ; https://git.kernel.org/pub/scm/linux/kernel/git/torvald",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.",
+    "iocs": {
+      "behavioral": [
+        "Linux kernel at a patch level below the fixed version named in the distribution kernel advisory on a device with any local foothold.",
+        "Kernel crashes or memory-corruption signatures consistent with heap out-of-bounds write (CWE-787) in the Linux kernel netfilter x_tables, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining root privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-22555, CISA KEV (added 2025-10-06), and the kernel/distribution advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-3962": {
     "name": "Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability",
@@ -36632,7 +36682,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -36653,7 +36704,7 @@
     "cwe_refs": [
       "CWE-20"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html",
@@ -36682,11 +36733,21 @@
         "published_date": "2025-07-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-22; due date 2025-08-12. Notes reference: https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-6558",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "iocs": {
+      "behavioral": [
+        "Google Chromium below the patched build named in the Chrome/Chromium advisory on an endpoint exposed to web content.",
+        "Renderer/GPU process crashes or memory-corruption signatures consistent with improper-input-validation flaw (CWE-20) in ANGLE and the GPU process on an affected endpoint.",
+        "Inbound navigation to attacker-controlled web content followed by unexpected child-process execution or sandbox-escape behavior from the browser process (KEV-confirmed in-the-wild exploitation; browser zero-days of this class are used in targeted-spyware and watering-hole chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-6558, CISA KEV (added 2025-07-22), and the Google Chrome/Chromium security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution + T1068 sandbox escape) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-54309": {
     "name": " CrushFTP Unprotected Alternate Channel Vulnerability",
@@ -37865,7 +37926,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -37886,7 +37947,7 @@
     "cwe_refs": [
       "CWE-843"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html?m=1",
@@ -37915,11 +37976,21 @@
         "published_date": "2025-07-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-02; due date 2025-07-23. Notes reference: https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html?m=1 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6554",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "iocs": {
+      "behavioral": [
+        "Google Chromium below the patched build named in the Chrome/Chromium advisory on an endpoint exposed to web content.",
+        "Renderer/GPU process crashes or memory-corruption signatures consistent with type confusion (CWE-843) in the V8 JavaScript engine (a variant of the recurring V8 type-confusion class) on an affected endpoint.",
+        "Inbound navigation to attacker-controlled web content followed by unexpected child-process execution or sandbox-escape behavior from the browser process (KEV-confirmed in-the-wild exploitation; browser zero-days of this class are used in targeted-spyware and watering-hole chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-6554, CISA KEV (added 2025-07-02), and the Google Chrome/Chromium security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48928": {
     "name": "TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability",
@@ -38545,7 +38616,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -38566,7 +38637,7 @@
     "cwe_refs": [
       "CWE-282"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a",
@@ -38597,11 +38668,21 @@
         "published_date": "2025-06-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-17; due date 2025-07-08. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://git.kernel.org/pub/scm/linux/kernel/",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.",
+    "iocs": {
+      "behavioral": [
+        "Linux kernel at a patch level below the fixed version named in the distribution kernel advisory on a device with any local foothold.",
+        "Kernel crashes or memory-corruption signatures consistent with improper-ownership-management flaw (CWE-282) in the Linux kernel OverlayFS, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining root privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-0386, CISA KEV (added 2025-06-17), and the kernel/distribution advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-33538": {
     "name": "TP-Link Multiple Routers Command Injection Vulnerability",
@@ -39235,7 +39316,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39257,7 +39339,7 @@
       "CWE-125",
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html",
@@ -39286,11 +39368,21 @@
         "published_date": "2025-06-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-05; due date 2025-06-26. Notes reference: https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html;   https://nvd.nist.gov/vuln/detail/CVE-2025-5419\",",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "iocs": {
+      "behavioral": [
+        "Google Chromium below the patched build named in the Chrome/Chromium advisory on an endpoint exposed to web content.",
+        "Renderer/GPU process crashes or memory-corruption signatures consistent with out-of-bounds read and write (CWE-125/CWE-787) in the V8 JavaScript engine on an affected endpoint.",
+        "Inbound navigation to attacker-controlled web content followed by unexpected child-process execution or sandbox-escape behavior from the browser process (KEV-confirmed in-the-wild exploitation; browser zero-days of this class are used in targeted-spyware and watering-hole chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-5419, CISA KEV (added 2025-06-05), and the Google Chrome/Chromium security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-21479": {
     "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability",
@@ -39331,7 +39423,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39352,7 +39444,7 @@
     "cwe_refs": [
       "CWE-863"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html",
@@ -39381,11 +39473,21 @@
         "published_date": "2025-06-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21479, CISA KEV (added 2025-06-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-21480": {
     "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability (variant: CVE-2025-21480)",
@@ -39426,7 +39528,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39447,7 +39549,7 @@
     "cwe_refs": [
       "CWE-863"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html",
@@ -39476,11 +39578,21 @@
         "published_date": "2025-06-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver (a related variant), often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21480, CISA KEV (added 2025-06-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-27038": {
     "name": "Qualcomm Multiple Chipsets Use-After-Free Vulnerability",
@@ -39521,7 +39633,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39542,7 +39654,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html",
@@ -39571,11 +39683,21 @@
         "published_date": "2025-06-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in the Qualcomm Adreno GPU driver, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-27038, CISA KEV (added 2025-06-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-32030": {
     "name": "ASUS Routers Improper Authentication Vulnerability",