npm - @blamejs/exceptd-skills - Versions diffs - 0.15.27 → 0.15.29 - Mend

@blamejs/exceptd-skills 0.15.27 → 0.15.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +12 -0
package/data/cve-catalog.json +172 -60
package/data/zeroday-lessons.json +414 -134
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/data/zeroday-lessons.json CHANGED Viewed

@@ -7563,35 +7563,63 @@
   },
   "CVE-2024-27199": {
     "name": "JetBrains TeamCity Relative Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a relative path-traversal flaw (CWE-23) letting an unauthenticated attacker reach restricted endpoints and bypass authentication. CISA KEV-listed 2026-04-20 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the JetBrains TeamCity update; the bypass grants admin/CI access, so rotate CI tokens and signing keys and review build configurations for injected steps — CI compromise is a software-supply-chain risk.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials/CI access survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the TeamCity: exploit-shaped requests, new web-shell files, unexpected process execution, and admin/CI actions without a matching session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence or credential abuse after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application/CI credentials and signing keys, and review for downstream/supply-chain impact (CI and dev tools can taint build artifacts).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without secret rotation / web-shell hunting leaves the attacker resident or re-authenticable."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application/dev-tool flaw; these are mass-exploited within days, and CI/dev-tool compromise carries software-supply-chain risk."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application or developer tool."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs and file-disclosure flaws need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application or developer tool in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 75,
-      "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing JetBrains TeamCity is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required secret rotation / web-shell hunt is rarely part of the documented patch procedure, and dev-tool/CI exposure adds software-supply-chain blast radius.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-34197": {
     "name": "Apache ActiveMQ Improper Input Validation Vulnerability",
@@ -11136,35 +11164,63 @@
   },
   "CVE-2025-54068": {
     "name": "Laravel Livewire Code Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Laravel Livewire contain a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a code-injection flaw (CWE-94) enabling unauthenticated remote code execution on the web server. CISA KEV-listed 2026-03-20 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Laravel Livewire update; hunt for web shells and rotate the application key (APP_KEY) and secrets — code-injection RCE leaves resident persistence.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials/CI access survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Livewire: exploit-shaped requests, new web-shell files, unexpected process execution, and admin/CI actions without a matching session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence or credential abuse after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application/CI credentials and signing keys, and review for downstream/supply-chain impact (CI and dev tools can taint build artifacts).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without secret rotation / web-shell hunting leaves the attacker resident or re-authenticable."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application/dev-tool flaw; these are mass-exploited within days, and CI/dev-tool compromise carries software-supply-chain risk."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application or developer tool."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs and file-disclosure flaws need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application or developer tool in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing Laravel Livewire is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required secret rotation / web-shell hunt is rarely part of the documented patch procedure, and dev-tool/CI exposure adds software-supply-chain blast radius.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-43510": {
     "name": "Apple Multiple Products Improper Locking Vulnerability",
@@ -11655,35 +11711,63 @@
   },
   "CVE-2025-68613": {
     "name": "n8n Improper Control of Dynamically-Managed Code Resources Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-control-of-dynamically-managed-code flaw (CWE-913), enabling code execution through the workflow-automation engine. CISA KEV-listed 2026-03-11 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the n8n update; n8n executes workflows with broad credential access, so rotate stored credentials and API tokens and review executed workflows for tampering.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials/CI access survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the n8n: exploit-shaped requests, new web-shell files, unexpected process execution, and admin/CI actions without a matching session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence or credential abuse after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application/CI credentials and signing keys, and review for downstream/supply-chain impact (CI and dev tools can taint build artifacts).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without secret rotation / web-shell hunting leaves the attacker resident or re-authenticable."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application/dev-tool flaw; these are mass-exploited within days, and CI/dev-tool compromise carries software-supply-chain risk."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application or developer tool."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs and file-disclosure flaws need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application or developer tool in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing n8n is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required secret rotation / web-shell hunt is rarely part of the documented patch procedure, and dev-tool/CI exposure adds software-supply-chain blast radius.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2021-22054": {
     "name": "Omnissa Workspace ONE Server-Side Request Forgery",
@@ -11839,67 +11923,123 @@
   },
   "CVE-2017-7921": {
     "name": "Hikvision Multiple Products Improper Authentication Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-authentication flaw (CWE-287) on Hikvision IP cameras, letting an unauthenticated attacker escalate to administrator and access the device and its video feed. CISA KEV-listed 2026-03-05 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the Hikvision camera, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Hikvision IP cameras is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2021-22681": {
     "name": "Rockwell Multiple Products Insufficient Protected Credentials Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an insufficiently-protected-credentials flaw (CWE-522) in the Studio 5000 / Logix secret-key handling, letting an unauthenticated attacker bypass authentication and connect to the PLC to alter its configuration or control logic. CISA KEV-listed 2026-03-05 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the Rockwell Logix PLC, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Rockwell Automation Logix controllers is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-43000": {
     "name": "Apple Multiple products Use-After-Free Vulnerability",
@@ -14054,35 +14194,63 @@
   },
   "CVE-2025-31125": {
     "name": "Vite Vitejs Improper Access Control Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-access-control flaw (CWE-200/CWE-284) in the Vite dev server, letting a remote attacker read files including source and environment secrets outside the served root. CISA KEV-listed 2026-01-22 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Vite update and do not expose the dev server to untrusted networks; rotate any source-tree secrets (.env, keys) the file read could have exposed.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — any secret the file read disclosed survives the patch and must be rotated."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Vite dev server: exploit-shaped requests, out-of-root file reads and subsequent use of disclosed secrets.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence or credential abuse after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, rotate every secret reachable through the file read (config, data-source, API, .env), and review for downstream/supply-chain impact (CI and dev tools can taint build artifacts).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without secret rotation / web-shell hunting leaves the attacker resident or re-authenticable."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application/dev-tool flaw; these are mass-exploited within days, and CI/dev-tool compromise carries software-supply-chain risk."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application or developer tool."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs and file-disclosure flaws need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application or developer tool in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing Vite is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required secret rotation / web-shell hunt is rarely part of the documented patch procedure, and dev-tool/CI exposure adds software-supply-chain blast radius.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-54313": {
     "name": "Prettier eslint-config-prettier Embedded Malicious Code Vulnerability",
@@ -14233,35 +14401,63 @@
   },
   "CVE-2025-8110": {
     "name": "Gogs Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a path-traversal flaw (CWE-22) letting an attacker read or write files outside the intended directory on the Git server. CISA KEV-listed 2026-01-12 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Gogs update; review repository and server files for tampering and rotate any credentials the Git server held.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials/CI access survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Gogs: exploit-shaped requests, new web-shell files, unexpected process execution, and admin/CI actions without a matching session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence or credential abuse after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application/CI credentials and signing keys, and review for downstream/supply-chain impact (CI and dev tools can taint build artifacts).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without secret rotation / web-shell hunting leaves the attacker resident or re-authenticable."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application/dev-tool flaw; these are mass-exploited within days, and CI/dev-tool compromise carries software-supply-chain risk."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application or developer tool."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs and file-disclosure flaws need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application or developer tool in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing Gogs is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required secret rotation / web-shell hunt is rarely part of the documented patch procedure, and dev-tool/CI exposure adds software-supply-chain blast radius.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2009-0556": {
     "name": "Microsoft Office PowerPoint Code Injection Vulnerability",
@@ -14963,35 +15159,63 @@
   },
   "CVE-2021-26828": {
     "name": "OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an unrestricted file-upload flaw (CWE-434) on the ScadaBR SCADA/HMI web interface, letting an unauthenticated attacker upload a file (e.g. a web shell) for code execution on the HMI server. CISA KEV-listed 2025-12-03 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the ScadaBR HMI, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "OpenPLC ScadaBR is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-48633": {
     "name": "Android Framework Information Disclosure Vulnerability",
@@ -15105,35 +15329,63 @@
   },
   "CVE-2021-26829": {
     "name": "OpenPLC ScadaBR Cross-site Scripting Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a cross-site scripting flaw (CWE-79) on the ScadaBR SCADA/HMI web interface, letting an attacker run script in an operator's authenticated session. CISA KEV-listed 2025-11-28 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the ScadaBR HMI, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "OpenPLC ScadaBR is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-61757": {
     "name": "Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability",
@@ -16419,35 +16671,63 @@
   },
   "CVE-2021-43798": {
     "name": "Grafana Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Grafana contains a path traversal vulnerability that could allow access to local files.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a path-traversal flaw (CWE-22) letting an unauthenticated attacker read arbitrary files including configuration and secrets. CISA KEV-listed 2025-10-09 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Grafana update; the traversal reads config and secrets, so rotate any credentials, data-source passwords, and API keys reachable from the Grafana host.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — any secret the file read disclosed survives the patch and must be rotated."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Grafana: exploit-shaped requests, out-of-root file reads and subsequent use of disclosed secrets.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence or credential abuse after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, rotate every secret reachable through the file read (config, data-source, API, .env), and review for downstream/supply-chain impact (CI and dev tools can taint build artifacts).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without secret rotation / web-shell hunting leaves the attacker resident or re-authenticable."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application/dev-tool flaw; these are mass-exploited within days, and CI/dev-tool compromise carries software-supply-chain risk."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application or developer tool."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs and file-disclosure flaws need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application or developer tool in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing Grafana is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required secret rotation / web-shell hunt is rarely part of the documented patch procedure, and dev-tool/CI exposure adds software-supply-chain blast radius.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-27915": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability (variant: CVE-2025-27915)",