@blamejs/exceptd-skills 0.15.20 → 0.15.21

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.21 — 2026-05-29
+
+Draft-curation pass 19 — legacy browser/reader client-side RCEs. Six CISA KEV-listed client-side memory-corruption CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Adobe Acrobat/Reader (CVE-2020-9715 use-after-free, CVE-2009-3459 heap overflow), Internet Explorer (CVE-2010-0249 the Operation Aurora zero-day, CVE-2010-0806 iepeers, CVE-2013-3893 the SetMouseCapture watering-hole flaw), and Mozilla Firefox (CVE-2010-3765). All map T1203 (Exploitation for Client Execution). The lessons frame these as long-tail KEV re-listings — the fixes shipped years ago, but unpatched and end-of-life estates (notably the unsupported Internet Explorer) remain exposed; retiring end-of-life browsers and application hardening (Protected Mode/View, ASR rules) are the load-bearing controls.
+
 ## 0.15.20 — 2026-05-29
 
 Draft-curation pass 18 — internet-facing network devices. Eight CISA KEV-listed unauthenticated CVEs on SOHO routers, a telephony appliance, and a firewall are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: TP-Link routers (CVE-2023-50224 authentication bypass, CVE-2025-9377 and CVE-2023-33538 command injection), DrayTek Vigor command injection (CVE-2024-12987), Sangoma FreePBX (CVE-2025-64328 command injection, CVE-2025-57819 authentication bypass + SQL injection), and WatchGuard Firebox out-of-bounds-write RCE (CVE-2025-14733, CVE-2025-9242). All map T1190, with per-class T1059 (command injection) or T1078 (auth bypass). The lessons account for the realities of edge devices: end-of-life firmware that can only be replaced, recruitment into botnets and operational-relay networks, telephony toll fraud on the PBX, and the requirement to re-flash/rebuild and rotate secrets rather than patch in place.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T22:55:20.691Z",
+  "generated_at": "2026-05-29T23:31:13.024Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "7640dcd9f6dc38db1d06746d3c36ef7e0a6b0a45efcd4f9b142fede7f3f2ba2e",
+    "manifest.json": "5bb0e383ababb4b8232b7bc77737fb09f11f0aebf8fd3f6b06949aa13603fcbc",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "490dfaf830d6a0f56e63389ef8815ea92aed95a35daf043862ffe56c13577ae5",
-    "data/cve-catalog.json": "b338560dddd999310946c1ee58bf8eb69ef732bd01238f104091745a0a682a95",
+    "data/attack-techniques.json": "10d21befa5e9e9f56594d93227d4c8621dcbf6deebe2a10018b8d054aaf51fa3",
+    "data/cve-catalog.json": "c336e8c05685ae3a32c6760d559bc03949c0d1a0a2d8465c0a4cfe5b0dabee5b",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "69c8ac314be428c81c53834d180414f34d3c838c7d09349d1a546742ec305c2f",
+    "data/zeroday-lessons.json": "d76a7223bc4d9d613a397120ae1f3edb7c6640adfdac69100d34c2d5fa18a4fe",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/_indexes/activity-feed.json

@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 422
+      "entry_count": 425
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 422,
+      "entry_count": 425,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/attack-techniques.json

@@ -924,9 +924,7 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2008-0015",
-      "CVE-2010-3765",
       "CVE-2012-1854",
-      "CVE-2013-3893",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2016-7836",
@@ -1328,8 +1326,10 @@
       "CVE-2009-3459",
       "CVE-2010-0249",
       "CVE-2010-0806",
+      "CVE-2010-3765",
       "CVE-2010-3962",
       "CVE-2011-3402",
+      "CVE-2013-3893",
       "CVE-2013-3918",
       "CVE-2014-3931",
       "CVE-2020-9715",

package/data/cve-catalog.json

@@ -9823,7 +9823,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://helpx.adobe.com/security/products/acrobat/apsb20-48.html",
@@ -9852,11 +9852,21 @@
         "published_date": "2026-04-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://helpx.adobe.com/security/products/acrobat/apsb20-48.html ; https://nvd.nist.gov/vuln/detail/CVE-2020-9715",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution"
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution",
+    "iocs": {
+      "behavioral": [
+        "Adobe Acrobat and Reader at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled PDFs.",
+        "Process crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in Adobe Acrobat and Reader on an affected endpoint.",
+        "Inbound delivery of weaponized PDF documents followed by unexpected child-process execution from the Acrobat/Reader process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2020-9715, CISA KEV (added 2026-04-13), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21643": {
     "name": "Fortinet FortiClient EMS SQL Injection Vulnerability",
@@ -20428,7 +20438,7 @@
     "cwe_refs": [
       "CWE-122"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2009-3459"
@@ -20442,11 +20452,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Adobe Acrobat and Reader heap-based buffer overflow allowing remote code execution via a crafted PDF."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adobe Acrobat and Reader heap-based buffer overflow allowing remote code execution via a crafted PDF.",
+    "iocs": {
+      "behavioral": [
+        "Adobe Acrobat and Reader at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled PDFs.",
+        "Process crashes or memory-corruption signatures consistent with heap-based buffer overflow (CWE-122) in Adobe Acrobat and Reader on an affected endpoint.",
+        "Inbound delivery of weaponized PDF documents followed by unexpected child-process execution from the Acrobat/Reader process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2009-3459, CISA KEV (added 2026-05-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-0249": {
     "name": "Microsoft Internet Explorer Use-After-Free (Operation Aurora)",
@@ -20509,7 +20529,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2010-0249"
@@ -20523,11 +20543,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE (Operation Aurora) re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Microsoft Internet Explorer use-after-free allowing remote code execution via a crafted web page (Operation Aurora)."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer use-after-free allowing remote code execution via a crafted web page (Operation Aurora).",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in Internet Explorer (the 'Operation Aurora' zero-day) on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-0249, CISA KEV (added 2026-05-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-0806": {
     "name": "Microsoft Internet Explorer Use-After-Free (iepeers)",
@@ -20590,7 +20620,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2010-0806"
@@ -20604,11 +20634,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Microsoft Internet Explorer iepeers.dll use-after-free allowing remote code execution via a crafted web page."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer iepeers.dll use-after-free allowing remote code execution via a crafted web page.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in the Internet Explorer iepeers component on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-0806, CISA KEV (added 2026-05-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
@@ -32789,7 +32829,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32810,7 +32850,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.mozilla.org/en-US/security/advisories/mfsa2010-73",
@@ -32839,11 +32879,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://www.mozilla.org/en-US/security/advisories/mfsa2010-73 ; https://nvd.nist.gov/vuln/detail/CVE-2010-3765",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.",
+    "iocs": {
+      "behavioral": [
+        "Mozilla Firefox and related products at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with memory-corruption code-execution flaw (CWE-94) in Mozilla Firefox and related products on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Firefox process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-3765, CISA KEV (added 2025-10-06), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-61882": {
     "name": "Oracle E-Business Suite Unspecified Vulnerability",
@@ -35904,7 +35954,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35925,7 +35975,7 @@
     "cwe_refs": [
       "CWE-399"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080",
@@ -35954,11 +36004,21 @@
         "published_date": "2025-08-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-12; due date 2025-09-02. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080 ; https://nvd.nist.gov/vuln/detail/CVE-2013-3893",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with resource-management memory-corruption use-after-free (CWE-399) in Internet Explorer (the SetMouseCapture flaw used in watering-hole attacks) on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2013-3893, CISA KEV (added 2025-08-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2020-25078": {
     "name": "D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability",

package/data/zeroday-lessons.json

@@ -17,7 +17,7 @@
       "rebuild_after_days": 365,
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     },
-    "entry_count": 422
+    "entry_count": 425
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",
@@ -7860,35 +7860,58 @@
   },
   "CVE-2020-9715": {
     "name": "Adobe Acrobat Use-After-Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free (CWE-416) in Adobe Acrobat and Reader, exploitable by an attacker-controlled PDF for code execution in the reader process. CISA KEV-listed 2026-04-13 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Adobe Acrobat and Reader; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Acrobat/Reader after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Adobe Acrobat and Reader is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-21643": {
     "name": "Fortinet FortiClient EMS SQL Injection Vulnerability",
@@ -16347,35 +16370,58 @@
   },
   "CVE-2010-3765": {
     "name": "Mozilla Multiple Products Remote Code Execution Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a memory-corruption code-execution flaw (CWE-94) in Mozilla Firefox and related products, exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Mozilla Firefox and related products; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Firefox after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Mozilla Firefox and related products is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-61882": {
     "name": "Oracle E-Business Suite Unspecified Vulnerability",
@@ -17642,35 +17688,58 @@
   },
   "CVE-2013-3893": {
     "name": "Microsoft Internet Explorer Resource Management Errors Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a resource-management memory-corruption use-after-free (CWE-399) in Internet Explorer (the SetMouseCapture flaw used in watering-hole attacks), exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2025-08-12 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Microsoft Internet Explorer; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Internet Explorer after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Microsoft Internet Explorer is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2020-25078": {
     "name": "D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability",
@@ -21491,5 +21560,170 @@
     "ai_discovered_zeroday": false,
     "ai_discovery_source": "vendor_research",
     "ai_assist_factor": "none"
+  },
+  "CVE-2009-3459": {
+    "name": "Adobe Acrobat and Reader Heap-Based Buffer Overflow",
+    "lesson_date": "2026-05-29",
+    "attack_vector": {
+      "description": "a heap-based buffer overflow (CWE-122) in Adobe Acrobat and Reader, exploitable by an attacker-controlled PDF for code execution in the reader process. CISA KEV-listed 2026-05-20 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Adobe Acrobat and Reader; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Acrobat/Reader after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Adobe Acrobat and Reader is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2010-0249": {
+    "name": "Microsoft Internet Explorer Use-After-Free (Operation Aurora)",
+    "lesson_date": "2026-05-29",
+    "attack_vector": {
+      "description": "a use-after-free (CWE-416) in Internet Explorer (the 'Operation Aurora' zero-day), exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2026-05-20 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Microsoft Internet Explorer; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Internet Explorer after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Microsoft Internet Explorer is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2010-0806": {
+    "name": "Microsoft Internet Explorer Use-After-Free (iepeers)",
+    "lesson_date": "2026-05-29",
+    "attack_vector": {
+      "description": "a use-after-free (CWE-416) in the Internet Explorer iepeers component, exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2026-05-20 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Microsoft Internet Explorer; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Internet Explorer after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Microsoft Internet Explorer is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   }
 }

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.15.20",
+  "version": "0.15.21",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
-      "signed_at": "2026-05-29T22:52:05.022Z",
+      "signed_at": "2026-05-29T23:12:39.999Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "PHwHEsoy7ctBYOtlAfAdCDVfsq2Bpk9+qESSF+5dVkDcez2zp2v9Ihsv2vqMEs3QxMndyQ+t7NVezyt5VamSCg==",
-      "signed_at": "2026-05-29T22:52:05.023Z",
+      "signed_at": "2026-05-29T23:12:40.001Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "dD4p7lcRtMyfITOncqLkpOeMy6x6gM0V7UlWHgLEdcxqODb1s75ar1cBtTqDWPbMv6ZAzVo2HJLDK1hVjjU2AQ==",
-      "signed_at": "2026-05-29T22:52:05.023Z",
+      "signed_at": "2026-05-29T23:12:40.001Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "wsw8Mlr/gyw6S7Iaao9BVHdU5LFPWl8WVymW17Lkq9J1Mui0+fCrTg6UbrsaeE3s7EW3TVgzBuK+8EFd1+H5AA==",
-      "signed_at": "2026-05-29T22:52:05.024Z"
+      "signed_at": "2026-05-29T23:12:40.001Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "uVTc1QRKOKcIVDajBz+q2egjiEAyOQaDNsvVI2ghj5FD0VvquoUBBE5Naca2FkaZa790EHWCsVZ4hhdaSQs2DQ==",
-      "signed_at": "2026-05-29T22:52:05.024Z"
+      "signed_at": "2026-05-29T23:12:40.002Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "QuNpwnZ6HkCEAXTPC/jLbXSmMIc1JnBczqZAAIZmZj8OcEMVnw9mJYAnU3CxaEI7rvbcMkN2uS5E8yUCm/NiAg==",
-      "signed_at": "2026-05-29T22:52:05.025Z"
+      "signed_at": "2026-05-29T23:12:40.002Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "5rw2i39SxY2WphBbDLEP28wufnbPPE9+PWt54hmaGdwHXr9RLiVt5liL/5xp14sehlVgFsfpR/bg9vy//xV0DA==",
-      "signed_at": "2026-05-29T22:52:05.025Z",
+      "signed_at": "2026-05-29T23:12:40.003Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "Vqu49nzntFWjn9A/QeJzm7q/2xk/cZJ6HFQKtiNi1zgcxzXKm+MlFdkaLgYHWj5/9HJohxyIDyBJQTvcJ20eDQ==",
-      "signed_at": "2026-05-29T22:52:05.026Z",
+      "signed_at": "2026-05-29T23:12:40.003Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "W87VdyVdAxAdcRI6P/8StaV+MS8ZSPKM9HOCK9n/bBO6BM3ZSE3uImVoyJVpAXQlUpUGN+A3lCJZXv64LuxwDg==",
-      "signed_at": "2026-05-29T22:52:05.026Z",
+      "signed_at": "2026-05-29T23:12:40.003Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "wdVX+edeNekpaIldqkhvtraV6DquLvIsKAjuZVwPQYn3l1vS99HXuFxmNsD7UeMlO3qgC6Dysfsto9EnuH0RBg==",
-      "signed_at": "2026-05-29T22:52:05.026Z",
+      "signed_at": "2026-05-29T23:12:40.004Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
-      "signed_at": "2026-05-29T22:52:05.027Z"
+      "signed_at": "2026-05-29T23:12:40.004Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xbkip0AQtWQKAu+O6r/gYECNjezS6O9k9xkkJsYbMlr+j8CdqH3p5/0l+GZmDidImRC/DL07GCnKrk9HRR/yDQ==",
-      "signed_at": "2026-05-29T22:52:05.027Z",
+      "signed_at": "2026-05-29T23:12:40.004Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "li2NnC1oeVIr22ComP5QbcQoh5xpWITuaKpza1s2SsUkH6kGnnt4wFfFAzaC1ORmH9x2cr8hN8kaNANG/eIMBQ==",
-      "signed_at": "2026-05-29T22:52:05.027Z",
+      "signed_at": "2026-05-29T23:12:40.005Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "sZHlJ7ueHPdtzVbR+yXQ5+wKgNyjWsa1LKVg9aWTmg/Onl71DvEILMyJiLpPQjseT56Mnr1DMYJE8xOGlffBAw==",
-      "signed_at": "2026-05-29T22:52:05.028Z"
+      "signed_at": "2026-05-29T23:12:40.005Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3AwFnEJu6DukPPNep/3SnuPWEuV060fJEQIwThFm7ujmdbFk0/Ii0XwGv1dkvbbK7ymMdOQpp35l4aLONAucDA==",
-      "signed_at": "2026-05-29T22:52:05.028Z",
+      "signed_at": "2026-05-29T23:12:40.005Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
-      "signed_at": "2026-05-29T22:52:05.028Z"
+      "signed_at": "2026-05-29T23:12:40.006Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-29T22:52:05.029Z"
+      "signed_at": "2026-05-29T23:12:40.006Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "dJB0iAstIUbyny+udl3OIkaLScEmqS97LNP73yQ8mxt+0bcqxZjpfXaWLzLuIQblGYvUvz75/H6rO2EJuGd4AQ==",
-      "signed_at": "2026-05-29T22:52:05.029Z"
+      "signed_at": "2026-05-29T23:12:40.006Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "KEAoMji3VcPX/ZXXqVe6OStxSkTssfY9fIRPyPcDYqh50GzOFQ6koNOTBVAiWOvjDjQ38g12xun5srbqgmvRAw==",
-      "signed_at": "2026-05-29T22:52:05.029Z"
+      "signed_at": "2026-05-29T23:12:40.007Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "UY3tBi0n1K/OtSrWPkHcOCSuHEwKuPmRqGIf3MyPVXGWS72elGTWGXt4AN/uStLmefeEody1LuhnJR9PWjr4Cg==",
-      "signed_at": "2026-05-29T22:52:05.030Z"
+      "signed_at": "2026-05-29T23:12:40.007Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "Qe0Hg9BrX3Zm5pj0n2z/oiHbAXWdA2Dq461zc4izkkUjEX2CZ02rODjCI2ELbrVOU3GC7edxqAxA+5U/ObnHDQ==",
-      "signed_at": "2026-05-29T22:52:05.030Z"
+      "signed_at": "2026-05-29T23:12:40.007Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
-      "signed_at": "2026-05-29T22:52:05.030Z"
+      "signed_at": "2026-05-29T23:12:40.008Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kIVzsPsJ72PzzWQwTuvjoHHoVEDCday5I52M9ohjB3/Ak+zlA8oyWLO/BKb/XuYY4fOApjfxTErSWv5uHQ2zDw==",
-      "signed_at": "2026-05-29T22:52:05.031Z"
+      "signed_at": "2026-05-29T23:12:40.008Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "bWr27Q1uN9xCe1ib4QulszBa7YIDNkGqo72k5nm2cK98LyPblicD+sO9MnGckAyB22BTN/cIB+FwFMcI5IxvBw==",
-      "signed_at": "2026-05-29T22:52:05.031Z"
+      "signed_at": "2026-05-29T23:12:40.008Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "Q854yzLqXdOazc6EyQbZzgAlivuq2vGFDVUCrxSldSvx/HX/ZM/uzmJyP7aBG7ZsMHxj6Lmj/H82YQoo1e+NCQ==",
-      "signed_at": "2026-05-29T22:52:05.031Z"
+      "signed_at": "2026-05-29T23:12:40.009Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4ccahkJpGJZtwD7EBpnGcN0sEGPMEw8eqV+tvePVS04YAkLgYVWtlkasI/8n0be9xB+77x+Sjj3kIi2j2Lf9CA==",
-      "signed_at": "2026-05-29T22:52:05.031Z",
+      "signed_at": "2026-05-29T23:12:40.009Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
-      "signed_at": "2026-05-29T22:52:05.032Z"
+      "signed_at": "2026-05-29T23:12:40.009Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "U04GNLyRas1VmfEsB8khH4iqFZPwx96sPY0Kw9iVsSPU+KTeEFqwgtWK1X1pzgb+T16Pc7HSrCaXDOpTFvQEDw==",
-      "signed_at": "2026-05-29T22:52:05.032Z"
+      "signed_at": "2026-05-29T23:12:40.010Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "QFKM76TdR408niqvDmF95HmmQuVmu9bLjOoQ9ydoBNPVOfFmF3AcpCv7zNWlLdLa2ZLxFqiBcND2qt9VDUn2Dg==",
-      "signed_at": "2026-05-29T22:52:05.033Z"
+      "signed_at": "2026-05-29T23:12:40.010Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "C9c3JuBhUbwcb7uZpDdy+PNT8sYmYIxzD4uRHu421ePW1aSFJ8fkMvuTzSO8vD/F/jOOg5opM4kov/xSAn+qCg==",
-      "signed_at": "2026-05-29T22:52:05.033Z"
+      "signed_at": "2026-05-29T23:12:40.011Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "oz8Q5WVaY8au4IjbaZahx/DSaC00Q44ylSL3mDkTerCEpW/EyPUeiLeGxSrWxBCwVFEKSSJvnhJjhvX5lDPcCg==",
-      "signed_at": "2026-05-29T22:52:05.034Z"
+      "signed_at": "2026-05-29T23:12:40.011Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
-      "signed_at": "2026-05-29T22:52:05.034Z"
+      "signed_at": "2026-05-29T23:12:40.011Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "1UTjZNC5Lyrgw93LAizdXVeSmv3jS8YQNT1db5OKsldub50+o1FXmAH4+3MxZozaOGDCX3yXbdDJSJaaSmfuAA==",
-      "signed_at": "2026-05-29T22:52:05.035Z",
+      "signed_at": "2026-05-29T23:12:40.012Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "EdsY4xe7YA8X8m+KZUbq49JwoCXgRKEz2eg3m86O37rvBmpm8ppvl9hrsekygvpBh2VmCHL2dEYiOD8OM2n7CA==",
-      "signed_at": "2026-05-29T22:52:05.035Z"
+      "signed_at": "2026-05-29T23:12:40.012Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "fnLKPLkjjRCJ/F9wdmZ1w1lXmqEJvTYkv6Uu+9OTd5vZTWKz3QMuxKOsas+ctCdOvTaeloqPUUprXx+ZZdDpCg==",
-      "signed_at": "2026-05-29T22:52:05.036Z",
+      "signed_at": "2026-05-29T23:12:40.012Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "t3dkdpTX04zvjitEeOJThpgjurLd1UO9GOut4LXSZgY3ULhfknI4zT7G5+m2RSZZTo7yyeZrwpg+7vEg9K6mAw==",
-      "signed_at": "2026-05-29T22:52:05.036Z"
+      "signed_at": "2026-05-29T23:12:40.013Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "+1kmtA6rAvIyDjjy+cJHK6BcfylyVsa5cUjRFijlFR9GsQfB93JnmkEJOqML50pdlcxtJI3yUodHpL3/YJGtCA==",
-      "signed_at": "2026-05-29T22:52:05.036Z"
+      "signed_at": "2026-05-29T23:12:40.013Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "h48ASCz63aBfHzLKxMVDADMuT4atriK0iE6bJeVzZTsx/e8+hyv4fLP7+zYxT9Oe0Gss3v/Xy+t+Wd9uwzV+Aw==",
-      "signed_at": "2026-05-29T22:52:05.037Z"
+      "signed_at": "2026-05-29T23:12:40.013Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
-      "signed_at": "2026-05-29T22:52:05.037Z"
+      "signed_at": "2026-05-29T23:12:40.014Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "ZHVdGWCcfG98tSVB0b9mwrsYwv71V3uUEl+6ss7omSQhmNvqV5s6MAZM5YladBt9MK/8T/zBrTYN4gAonOP+BQ==",
-      "signed_at": "2026-05-29T22:52:05.037Z"
+      "signed_at": "2026-05-29T23:12:40.014Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-29T22:52:05.038Z",
+      "signed_at": "2026-05-29T23:12:40.014Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
-      "signed_at": "2026-05-29T22:52:05.038Z",
+      "signed_at": "2026-05-29T23:12:40.015Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "LAzokhANorDxMur31qMKdClGKLSDOTiE+Wf+h9v6yIP7R7P750UttTfDDrbrQowrUO1zDeD4RM4s15D2ZuZIBw=="
+    "signature_base64": "lJKBz06MBGuSmvCoeCWJSAkZYgNAqt093MXcFBI568ZkhrY0oJrIJ5SlDLiPyk1xDQlWTlbeeT/6P6NPkb0WAw=="
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.15.20",
+  "version": "0.15.21",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:505a5e81-6592-4960-9576-babc6758beb5",
+  "serialNumber": "urn:uuid:db1cee6f-d924-417b-83d1-94eb3729f665",
   "version": 1,
   "metadata": {
-    "timestamp": "2068-09-20T00:08:33.000Z",
+    "timestamp": "2142-06-29T12:39:11.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.15.20"
+        "version": "0.15.21"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.20",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.21",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.15.20",
+      "version": "0.15.21",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.20",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.21",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0478c3111bf16560b0aff40b94bb3498e248bf0e2079ce973d7b747570a53687"
+          "content": "959745f152655eb85b6eedd5d985797b6ab5f9afcdc22e07652c58b641ac90f4"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.20"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.21"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "209ffe998294f8689251a8b5c0f48d392e165762052612b791c2a0b560d3dfb0"
+          "content": "86a6bcc03a48929fdb1b5f120f8e7969fac67394e34ba6a8c03f8ab9c020e92c"
         },
         {
           "alg": "SHA3-512",
-          "content": "d07aca7103e9c8a64e941bde2cb11f9b85668fce2f7848aa815baa069a8447a8c03fe10cc5b72ccb0a8a18c0c30840bf1f4b02168fc92b8a9ef53cde37267c9f"
+          "content": "97e7380e63a9fb27008f25f61e6d6d296b11246c1c8e87889a0b774c3da5c503a61ab7c683c7ffc13eae77826df49c3cb16da20829cd05a33ee44ed2ee1cf4c2"
         }
       ]
     },
@@ -311,11 +311,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "490dfaf830d6a0f56e63389ef8815ea92aed95a35daf043862ffe56c13577ae5"
+          "content": "10d21befa5e9e9f56594d93227d4c8621dcbf6deebe2a10018b8d054aaf51fa3"
         },
         {
           "alg": "SHA3-512",
-          "content": "b77a28286e70dabfefe7ca26b2bdfc42b0f758cc445179731b2394ffde02b15bfe50e12bc2c9e6fce857e3fe19e79b8894e985db27008edddc45fe56580a555f"
+          "content": "30ffe33ed4f6dd2dc501da719aa08c1484c5b4e9545207f9db00e1533f40dd60f322573b5d4baf4549d3ae42d668c1674f1dbbef8e9b1d8123432f97e4d5f8ab"
         }
       ]
     },
@@ -326,11 +326,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "b338560dddd999310946c1ee58bf8eb69ef732bd01238f104091745a0a682a95"
+          "content": "c336e8c05685ae3a32c6760d559bc03949c0d1a0a2d8465c0a4cfe5b0dabee5b"
         },
         {
           "alg": "SHA3-512",
-          "content": "ff398cbda41a43b6a049bad4033d4b85a4a1c2de80a263f6b97ce392be42104acb5eae3265bf24d3d3af4100a915a13ac7a5038605dab424b19f5461f0bde299"
+          "content": "2991d7cf1ea15f088faa09170f3851045b44128a6be06b2b1c3c57aaae37713090fcb4a29174d5f7e2a5108f94bad5746b17b5dfbe713d9afde7ad50480b3264"
         }
       ]
     },
@@ -806,11 +806,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "69c8ac314be428c81c53834d180414f34d3c838c7d09349d1a546742ec305c2f"
+          "content": "d76a7223bc4d9d613a397120ae1f3edb7c6640adfdac69100d34c2d5fa18a4fe"
         },
         {
           "alg": "SHA3-512",
-          "content": "92b0a6bd2f14674e56bdb178dad8e3bdea4e3c16c98f5c7cc86a8bd7f01838949e898caa23cd148195fc024a107a6ab377fc1ffe602ddf8ced2c03ea975cab6a"
+          "content": "20d69067e63a4ec984d660406fc457ab8d2151d77ddff12a4221c73442acf114c4da0b9587d9a9d2e10d2bb04e28b364bfe6cbea818fa805b91cac93cc222ba3"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "7640dcd9f6dc38db1d06746d3c36ef7e0a6b0a45efcd4f9b142fede7f3f2ba2e"
+          "content": "5bb0e383ababb4b8232b7bc77737fb09f11f0aebf8fd3f6b06949aa13603fcbc"
         },
         {
           "alg": "SHA3-512",
-          "content": "2f3cbfe8fe5b51d0a52388212ecabdf3acb011a48c6bae7c1ac2fb4da0d5d3f12ce4215ab1b3c2ce236642d6ba8a445ae0aae8a7ea9d3fe8229af2a9327f9589"
+          "content": "dfc90d82721f9a0332b235777970a9927603da5f236653d646012328378eb86cb172e795f2e6072801672f7623c001bbcc9046fdc5ff1c034aa7ba1aa839c690"
         }
       ]
     },