npm - @blamejs/exceptd-skills - Versions diffs - 0.15.37 → 0.15.38 - Mend

@blamejs/exceptd-skills 0.15.37 → 0.15.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +4 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +7 -0
package/data/cve-catalog.json +71 -24
package/data/zeroday-lessons.json +164 -52
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,9 @@
 # Changelog
+## 0.15.38 — 2026-05-29
+Draft-curation pass 35 — path traversal file access. Four CISA KEV-listed unauthenticated path-traversal CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Ruby on Rails Action View arbitrary file read (CVE-2019-5418), Srimax Output Messenger directory traversal chained to code execution (CVE-2025-27920), ZKTeco BioTime arbitrary file read (CVE-2023-38950), and the end-of-life D-Link DIR-859 router configuration disclosure (CVE-2024-0769). All map T1190; the secret-leaking file-read variants also map T1552. The lessons stress that patching does not undo the disclosure — every secret a traversal read must be rotated — that file-write traversals require hunting for dropped payloads, and that an end-of-life device (DIR-859) can only be replaced, not patched.
 ## 0.15.37 — 2026-05-29
 Draft-curation pass 34 — local and host privilege escalation. Four CISA KEV-listed escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons, spanning four platforms: the Sudo chroot-handling local-to-root flaw (CVE-2025-32463), an Android Runtime privilege escalation (CVE-2025-48543), a VMware Aria Operations / VMware Tools guest privilege-management flaw (CVE-2025-41244), and the Windows SMB client NTLM-reflection-to-SYSTEM flaw (CVE-2025-33073). All map T1068; the SMB-client case also maps T1557.001 (NTLM relay). The lessons frame these as the escalation half of an intrusion chain and name the platform-specific backstops the frameworks leave unstated — SELinux/seccomp and least privilege on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and — most importantly — SMB signing plus NTLM disablement for the reflection class, which breaks the attack regardless of patch state.

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T04:47:47.792Z",
+  "generated_at": "2026-05-30T05:05:33.943Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "4db3fbdad74120fea41c942cdc85622ac77d69d47a850acb3575d56674aeff58",
+    "manifest.json": "a98d7f6abe573e5ba73e7e1097cc30a1703fff81ccc9922b00630341b2ade670",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "a402836f7d4443f6cccc3c6b4cc387f714dc001a266708b7d25bb0cafcbec842",
-    "data/cve-catalog.json": "1fa6bfad96c5ba8a89270a8aafb4433c3c03f1f107697e83f15dba4562737844",
+    "data/attack-techniques.json": "b8799721fb6d455811f555410845423ec87f2c26f70fe1222ee19088aa6e43f5",
+    "data/cve-catalog.json": "0ca079ef9ae7f74755398ad434c2c0c5fe3ee7be488549af3a5ecf2394ae0ba8",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "1e7bd615bc5516d11db4c83a5dcf631a7826c26e626a6c65abe925401a525f7e",
+    "data/zeroday-lessons.json": "adf769626f304dd6cbd700f6f3bfe8359de02282929008e16599599470377c5c",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json CHANGED Viewed

@@ -970,6 +970,7 @@
       "CVE-2017-7921",
       "CVE-2018-4063",
       "CVE-2019-19006",
+      "CVE-2019-5418",
       "CVE-2019-6693",
       "CVE-2019-9621",
       "CVE-2020-10148",
@@ -996,6 +997,7 @@
       "CVE-2023-27351",
       "CVE-2023-33538",
       "CVE-2023-3519",
+      "CVE-2023-38950",
       "CVE-2023-39780",
       "CVE-2023-43654",
       "CVE-2023-43791",
@@ -1008,6 +1010,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2024-0769",
       "CVE-2024-12450",
       "CVE-2024-12776",
       "CVE-2024-12987",
@@ -1069,6 +1072,7 @@
       "CVE-2025-2775",
       "CVE-2025-2776",
       "CVE-2025-27915",
+      "CVE-2025-27920",
       "CVE-2025-29635",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -1730,9 +1734,12 @@
     "name": "Unsecured Credentials",
     "version": "v19",
     "cve_refs": [
+      "CVE-2019-5418",
       "CVE-2021-22681",
       "CVE-2021-43798",
+      "CVE-2023-38950",
       "CVE-2023-47117",
+      "CVE-2024-0769",
       "CVE-2024-12450",
       "CVE-2025-11371",
       "CVE-2025-14611",

package/data/cve-catalog.json CHANGED Viewed

@@ -38656,7 +38656,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -38677,7 +38679,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/",
@@ -38706,11 +38708,21 @@
         "published_date": "2025-07-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2019-5418",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.",
+    "iocs": {
+      "behavioral": [
+        "Ruby on Rails reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Rails containing traversal sequences (../, encoded variants) targeting files outside the intended directory.",
+        "Reads of configuration, credential, or secret files on the Rails followed by use of the disclosed credentials elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2019-5418, CISA KEV (added 2025-07-07), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2016-10033": {
     "name": "PHPMailer Command Injection Vulnerability",
@@ -39453,7 +39465,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1068"
+      "T1068",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39474,7 +39488,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10371",
@@ -39503,11 +39517,21 @@
         "published_date": "2025-06-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-25; due date 2025-07-16. Notes reference: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10371 ; https://nvd.nist.gov/vuln/detail/CVE-2024-0769",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.",
+    "iocs": {
+      "behavioral": [
+        "D-Link DIR-859 router reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the DIR-859 router containing traversal sequences (../, encoded variants) targeting files outside the intended directory.",
+        "Reads of configuration, credential, or secret files on the DIR-859 router followed by use of the disclosed credentials elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-0769, CISA KEV (added 2025-06-25), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-54085": {
     "name": "AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability",
@@ -41445,7 +41469,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41466,7 +41492,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.zkteco.com/en/Security_Bulletinsibs",
@@ -41495,11 +41521,21 @@
         "published_date": "2025-05-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://www.zkteco.com/en/Security_Bulletinsibs ; https://nvd.nist.gov/vuln/detail/CVE-2023-38950",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.",
+    "iocs": {
+      "behavioral": [
+        "ZKTeco BioTime reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ZKTeco BioTime containing traversal sequences (../, encoded variants) targeting files outside the intended directory.",
+        "Reads of configuration, credential, or secret files on the ZKTeco BioTime followed by use of the disclosed credentials elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-38950, CISA KEV (added 2025-05-19), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-27443": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability",
@@ -41648,7 +41684,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41669,7 +41706,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.outputmessenger.com/cve-2025-27920/",
@@ -41698,11 +41735,21 @@
         "published_date": "2025-05-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://www.outputmessenger.com/cve-2025-27920/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-27920",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.",
+    "iocs": {
+      "behavioral": [
+        "Srimax Output Messenger reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Output Messenger containing traversal sequences (../, encoded variants) targeting files outside the intended directory.",
+        "Files written outside the intended directory on the Output Messenger — especially startup/autorun paths or web shells — followed by code execution (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-27920, CISA KEV (added 2025-05-19), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-11182": {
     "name": "MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability",

package/data/zeroday-lessons.json CHANGED Viewed

@@ -20585,35 +20585,63 @@
   },
   "CVE-2019-5418": {
     "name": "Rails Ruby on Rails Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a path-traversal flaw (CWE-22) in Ruby on Rails Action View (crafted Accept header), letting an unauthenticated attacker read arbitrary files including configuration and secrets. CISA KEV-listed 2025-07-07 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application/device interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Rails update; rotate any credentials, secret_key_base, and data-source passwords the file read could disclose, and restrict the app's filesystem access.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — any secret the traversal disclosed survives the patch and must be rotated; an EOL device must be replaced."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Rails: requests containing traversal sequences, reads of credential/secret files and subsequent use of disclosed secrets.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and the secret-disclosure or file-write consequence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch (or replace an EOL device); rotate every secret reachable through the file read, and review for follow-on access using disclosed material.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without secret rotation / file cleanup leaves the attacker with a usable foothold."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated path-traversal flaw; arbitrary file read leaks secrets that enable follow-on access, and EOL devices (DIR-859) cannot be patched at all."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or device, and the disclosed-secret exposure persists until the secrets are rotated."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing applications/devices as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the secret-rotation cleanup a file-read flaw needs or the replacement an EOL device needs."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application/device whose file-read can disclose CDE-adjacent secrets."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "Internet-facing Ruby on Rails is run by audited organizations on a standard patch SLA and is exploited within days; the required secret rotation (or EOL-device replacement) is rarely part of the documented patch procedure, leaving disclosed credentials usable.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2016-10033": {
     "name": "PHPMailer Command Injection Vulnerability",
@@ -20948,35 +20976,63 @@
   },
   "CVE-2024-0769": {
     "name": " D-Link DIR-859 Router Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a path-traversal flaw (CWE-22) on the D-Link DIR-859 router, letting an attacker read sensitive files including credentials from the device configuration. CISA KEV-listed 2025-06-25 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application/device interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "The DIR-859 is end-of-life; replace it. Where still deployed, restrict management access and rotate device/Wi-Fi credentials — EOL routers are recruited into botnets via flaws like this.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — any secret the traversal disclosed survives the patch and must be rotated; an EOL device must be replaced."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the DIR-859 router: requests containing traversal sequences, reads of credential/secret files and subsequent use of disclosed secrets.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and the secret-disclosure or file-write consequence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch (or replace an EOL device); rotate every secret reachable through the file read, and review for follow-on access using disclosed material.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without secret rotation / file cleanup leaves the attacker with a usable foothold."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated path-traversal flaw; arbitrary file read leaks secrets that enable follow-on access, and EOL devices (DIR-859) cannot be patched at all."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or device, and the disclosed-secret exposure persists until the secrets are rotated."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing applications/devices as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the secret-rotation cleanup a file-read flaw needs or the replacement an EOL device needs."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application/device whose file-read can disclose CDE-adjacent secrets."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "Internet-facing D-Link DIR-859 router is run by audited organizations on a standard patch SLA and is exploited within days; the required secret rotation (or EOL-device replacement) is rarely part of the documented patch procedure, leaving disclosed credentials usable.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2024-54085": {
     "name": "AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability",
@@ -21946,35 +22002,63 @@
   },
   "CVE-2023-38950": {
     "name": "ZKTeco BioTime Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a path-traversal flaw (CWE-22) in ZKTeco BioTime, letting an unauthenticated attacker read arbitrary files on the biometric time-attendance server. CISA KEV-listed 2025-05-19 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application/device interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the ZKTeco BioTime update; rotate database and application credentials the read could disclose, and restrict access to the management interface — biometric data is sensitive.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — any secret the traversal disclosed survives the patch and must be rotated; an EOL device must be replaced."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the ZKTeco BioTime: requests containing traversal sequences, reads of credential/secret files and subsequent use of disclosed secrets.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and the secret-disclosure or file-write consequence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch (or replace an EOL device); rotate every secret reachable through the file read, and review for follow-on access using disclosed material.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without secret rotation / file cleanup leaves the attacker with a usable foothold."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated path-traversal flaw; arbitrary file read leaks secrets that enable follow-on access, and EOL devices (DIR-859) cannot be patched at all."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or device, and the disclosed-secret exposure persists until the secrets are rotated."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing applications/devices as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the secret-rotation cleanup a file-read flaw needs or the replacement an EOL device needs."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application/device whose file-read can disclose CDE-adjacent secrets."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "Internet-facing ZKTeco BioTime is run by audited organizations on a standard patch SLA and is exploited within days; the required secret rotation (or EOL-device replacement) is rarely part of the documented patch procedure, leaving disclosed credentials usable.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2024-27443": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability",
@@ -22038,35 +22122,63 @@
   },
   "CVE-2025-27920": {
     "name": "Srimax Output Messenger Directory Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a directory-traversal flaw (CWE-22) in Srimax Output Messenger, letting an unauthenticated attacker read or write files outside the intended directory (used in the wild to write to startup paths for code execution). CISA KEV-listed 2025-05-19 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application/device interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Output Messenger update; hunt for files written to startup/autorun paths and web shells, and rotate server credentials — the traversal was chained to code execution.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — files the traversal wrote (startup payloads, web shells) survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Output Messenger: requests containing traversal sequences, files written outside the intended directory and execution of newly-dropped payloads.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and the secret-disclosure or file-write consequence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch (or replace an EOL device); remove files written via the traversal and hunt for web shells, and review for follow-on access using disclosed material.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without secret rotation / file cleanup leaves the attacker with a usable foothold."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated path-traversal flaw; arbitrary file read leaks secrets that enable follow-on access, and EOL devices (DIR-859) cannot be patched at all."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or device, and the disclosed-secret exposure persists until the secrets are rotated."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing applications/devices as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the secret-rotation cleanup a file-read flaw needs or the replacement an EOL device needs."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application/device whose file-read can disclose CDE-adjacent secrets."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "Internet-facing Srimax Output Messenger is run by audited organizations on a standard patch SLA and is exploited within days; the required secret rotation (or EOL-device replacement) is rarely part of the documented patch procedure, leaving disclosed credentials usable.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2024-11182": {
     "name": "MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability",

package/manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.15.37",
+  "version": "0.15.38",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
-      "signed_at": "2026-05-30T04:44:25.652Z",
+      "signed_at": "2026-05-30T05:02:13.741Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "PHwHEsoy7ctBYOtlAfAdCDVfsq2Bpk9+qESSF+5dVkDcez2zp2v9Ihsv2vqMEs3QxMndyQ+t7NVezyt5VamSCg==",
-      "signed_at": "2026-05-30T04:44:25.654Z",
+      "signed_at": "2026-05-30T05:02:13.743Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "dD4p7lcRtMyfITOncqLkpOeMy6x6gM0V7UlWHgLEdcxqODb1s75ar1cBtTqDWPbMv6ZAzVo2HJLDK1hVjjU2AQ==",
-      "signed_at": "2026-05-30T04:44:25.654Z",
+      "signed_at": "2026-05-30T05:02:13.743Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "wsw8Mlr/gyw6S7Iaao9BVHdU5LFPWl8WVymW17Lkq9J1Mui0+fCrTg6UbrsaeE3s7EW3TVgzBuK+8EFd1+H5AA==",
-      "signed_at": "2026-05-30T04:44:25.654Z"
+      "signed_at": "2026-05-30T05:02:13.744Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "uVTc1QRKOKcIVDajBz+q2egjiEAyOQaDNsvVI2ghj5FD0VvquoUBBE5Naca2FkaZa790EHWCsVZ4hhdaSQs2DQ==",
-      "signed_at": "2026-05-30T04:44:25.655Z"
+      "signed_at": "2026-05-30T05:02:13.744Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "QuNpwnZ6HkCEAXTPC/jLbXSmMIc1JnBczqZAAIZmZj8OcEMVnw9mJYAnU3CxaEI7rvbcMkN2uS5E8yUCm/NiAg==",
-      "signed_at": "2026-05-30T04:44:25.655Z"
+      "signed_at": "2026-05-30T05:02:13.745Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "5rw2i39SxY2WphBbDLEP28wufnbPPE9+PWt54hmaGdwHXr9RLiVt5liL/5xp14sehlVgFsfpR/bg9vy//xV0DA==",
-      "signed_at": "2026-05-30T04:44:25.656Z",
+      "signed_at": "2026-05-30T05:02:13.745Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "Vqu49nzntFWjn9A/QeJzm7q/2xk/cZJ6HFQKtiNi1zgcxzXKm+MlFdkaLgYHWj5/9HJohxyIDyBJQTvcJ20eDQ==",
-      "signed_at": "2026-05-30T04:44:25.656Z",
+      "signed_at": "2026-05-30T05:02:13.745Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "W87VdyVdAxAdcRI6P/8StaV+MS8ZSPKM9HOCK9n/bBO6BM3ZSE3uImVoyJVpAXQlUpUGN+A3lCJZXv64LuxwDg==",
-      "signed_at": "2026-05-30T04:44:25.656Z",
+      "signed_at": "2026-05-30T05:02:13.746Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "wdVX+edeNekpaIldqkhvtraV6DquLvIsKAjuZVwPQYn3l1vS99HXuFxmNsD7UeMlO3qgC6Dysfsto9EnuH0RBg==",
-      "signed_at": "2026-05-30T04:44:25.657Z",
+      "signed_at": "2026-05-30T05:02:13.746Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
-      "signed_at": "2026-05-30T04:44:25.657Z"
+      "signed_at": "2026-05-30T05:02:13.747Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xbkip0AQtWQKAu+O6r/gYECNjezS6O9k9xkkJsYbMlr+j8CdqH3p5/0l+GZmDidImRC/DL07GCnKrk9HRR/yDQ==",
-      "signed_at": "2026-05-30T04:44:25.657Z",
+      "signed_at": "2026-05-30T05:02:13.747Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "li2NnC1oeVIr22ComP5QbcQoh5xpWITuaKpza1s2SsUkH6kGnnt4wFfFAzaC1ORmH9x2cr8hN8kaNANG/eIMBQ==",
-      "signed_at": "2026-05-30T04:44:25.658Z",
+      "signed_at": "2026-05-30T05:02:13.747Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "sZHlJ7ueHPdtzVbR+yXQ5+wKgNyjWsa1LKVg9aWTmg/Onl71DvEILMyJiLpPQjseT56Mnr1DMYJE8xOGlffBAw==",
-      "signed_at": "2026-05-30T04:44:25.658Z"
+      "signed_at": "2026-05-30T05:02:13.748Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3AwFnEJu6DukPPNep/3SnuPWEuV060fJEQIwThFm7ujmdbFk0/Ii0XwGv1dkvbbK7ymMdOQpp35l4aLONAucDA==",
-      "signed_at": "2026-05-30T04:44:25.658Z",
+      "signed_at": "2026-05-30T05:02:13.748Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
-      "signed_at": "2026-05-30T04:44:25.659Z"
+      "signed_at": "2026-05-30T05:02:13.748Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-30T04:44:25.659Z"
+      "signed_at": "2026-05-30T05:02:13.749Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "dJB0iAstIUbyny+udl3OIkaLScEmqS97LNP73yQ8mxt+0bcqxZjpfXaWLzLuIQblGYvUvz75/H6rO2EJuGd4AQ==",
-      "signed_at": "2026-05-30T04:44:25.659Z"
+      "signed_at": "2026-05-30T05:02:13.749Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "KEAoMji3VcPX/ZXXqVe6OStxSkTssfY9fIRPyPcDYqh50GzOFQ6koNOTBVAiWOvjDjQ38g12xun5srbqgmvRAw==",
-      "signed_at": "2026-05-30T04:44:25.660Z"
+      "signed_at": "2026-05-30T05:02:13.749Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "UY3tBi0n1K/OtSrWPkHcOCSuHEwKuPmRqGIf3MyPVXGWS72elGTWGXt4AN/uStLmefeEody1LuhnJR9PWjr4Cg==",
-      "signed_at": "2026-05-30T04:44:25.660Z"
+      "signed_at": "2026-05-30T05:02:13.750Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "Qe0Hg9BrX3Zm5pj0n2z/oiHbAXWdA2Dq461zc4izkkUjEX2CZ02rODjCI2ELbrVOU3GC7edxqAxA+5U/ObnHDQ==",
-      "signed_at": "2026-05-30T04:44:25.660Z"
+      "signed_at": "2026-05-30T05:02:13.750Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
-      "signed_at": "2026-05-30T04:44:25.661Z"
+      "signed_at": "2026-05-30T05:02:13.750Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kIVzsPsJ72PzzWQwTuvjoHHoVEDCday5I52M9ohjB3/Ak+zlA8oyWLO/BKb/XuYY4fOApjfxTErSWv5uHQ2zDw==",
-      "signed_at": "2026-05-30T04:44:25.661Z"
+      "signed_at": "2026-05-30T05:02:13.751Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "bWr27Q1uN9xCe1ib4QulszBa7YIDNkGqo72k5nm2cK98LyPblicD+sO9MnGckAyB22BTN/cIB+FwFMcI5IxvBw==",
-      "signed_at": "2026-05-30T04:44:25.661Z"
+      "signed_at": "2026-05-30T05:02:13.751Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "Q854yzLqXdOazc6EyQbZzgAlivuq2vGFDVUCrxSldSvx/HX/ZM/uzmJyP7aBG7ZsMHxj6Lmj/H82YQoo1e+NCQ==",
-      "signed_at": "2026-05-30T04:44:25.662Z"
+      "signed_at": "2026-05-30T05:02:13.751Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4ccahkJpGJZtwD7EBpnGcN0sEGPMEw8eqV+tvePVS04YAkLgYVWtlkasI/8n0be9xB+77x+Sjj3kIi2j2Lf9CA==",
-      "signed_at": "2026-05-30T04:44:25.662Z",
+      "signed_at": "2026-05-30T05:02:13.752Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
-      "signed_at": "2026-05-30T04:44:25.662Z"
+      "signed_at": "2026-05-30T05:02:13.752Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "U04GNLyRas1VmfEsB8khH4iqFZPwx96sPY0Kw9iVsSPU+KTeEFqwgtWK1X1pzgb+T16Pc7HSrCaXDOpTFvQEDw==",
-      "signed_at": "2026-05-30T04:44:25.663Z"
+      "signed_at": "2026-05-30T05:02:13.753Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "QFKM76TdR408niqvDmF95HmmQuVmu9bLjOoQ9ydoBNPVOfFmF3AcpCv7zNWlLdLa2ZLxFqiBcND2qt9VDUn2Dg==",
-      "signed_at": "2026-05-30T04:44:25.663Z"
+      "signed_at": "2026-05-30T05:02:13.753Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "C9c3JuBhUbwcb7uZpDdy+PNT8sYmYIxzD4uRHu421ePW1aSFJ8fkMvuTzSO8vD/F/jOOg5opM4kov/xSAn+qCg==",
-      "signed_at": "2026-05-30T04:44:25.663Z"
+      "signed_at": "2026-05-30T05:02:13.753Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "oz8Q5WVaY8au4IjbaZahx/DSaC00Q44ylSL3mDkTerCEpW/EyPUeiLeGxSrWxBCwVFEKSSJvnhJjhvX5lDPcCg==",
-      "signed_at": "2026-05-30T04:44:25.664Z"
+      "signed_at": "2026-05-30T05:02:13.754Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
-      "signed_at": "2026-05-30T04:44:25.664Z"
+      "signed_at": "2026-05-30T05:02:13.754Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "1UTjZNC5Lyrgw93LAizdXVeSmv3jS8YQNT1db5OKsldub50+o1FXmAH4+3MxZozaOGDCX3yXbdDJSJaaSmfuAA==",
-      "signed_at": "2026-05-30T04:44:25.664Z",
+      "signed_at": "2026-05-30T05:02:13.754Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "EdsY4xe7YA8X8m+KZUbq49JwoCXgRKEz2eg3m86O37rvBmpm8ppvl9hrsekygvpBh2VmCHL2dEYiOD8OM2n7CA==",
-      "signed_at": "2026-05-30T04:44:25.665Z"
+      "signed_at": "2026-05-30T05:02:13.755Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "fnLKPLkjjRCJ/F9wdmZ1w1lXmqEJvTYkv6Uu+9OTd5vZTWKz3QMuxKOsas+ctCdOvTaeloqPUUprXx+ZZdDpCg==",
-      "signed_at": "2026-05-30T04:44:25.665Z",
+      "signed_at": "2026-05-30T05:02:13.755Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "t3dkdpTX04zvjitEeOJThpgjurLd1UO9GOut4LXSZgY3ULhfknI4zT7G5+m2RSZZTo7yyeZrwpg+7vEg9K6mAw==",
-      "signed_at": "2026-05-30T04:44:25.665Z"
+      "signed_at": "2026-05-30T05:02:13.755Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "+1kmtA6rAvIyDjjy+cJHK6BcfylyVsa5cUjRFijlFR9GsQfB93JnmkEJOqML50pdlcxtJI3yUodHpL3/YJGtCA==",
-      "signed_at": "2026-05-30T04:44:25.666Z"
+      "signed_at": "2026-05-30T05:02:13.756Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "h48ASCz63aBfHzLKxMVDADMuT4atriK0iE6bJeVzZTsx/e8+hyv4fLP7+zYxT9Oe0Gss3v/Xy+t+Wd9uwzV+Aw==",
-      "signed_at": "2026-05-30T04:44:25.666Z"
+      "signed_at": "2026-05-30T05:02:13.756Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
-      "signed_at": "2026-05-30T04:44:25.667Z"
+      "signed_at": "2026-05-30T05:02:13.756Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "ZHVdGWCcfG98tSVB0b9mwrsYwv71V3uUEl+6ss7omSQhmNvqV5s6MAZM5YladBt9MK/8T/zBrTYN4gAonOP+BQ==",
-      "signed_at": "2026-05-30T04:44:25.667Z"
+      "signed_at": "2026-05-30T05:02:13.757Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-30T04:44:25.667Z",
+      "signed_at": "2026-05-30T05:02:13.757Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
-      "signed_at": "2026-05-30T04:44:25.668Z",
+      "signed_at": "2026-05-30T05:02:13.758Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "WEtfY37wZx+21GmcvvEOsnflrkaOtQb+PpuYZNEdG8IOal+POyFRtLYfRfE0NEIER+X/5bs6khLp+rA5bSACAQ=="
+    "signature_base64": "1cEfkwTIVieCZG9ReOh2UVf2r0nFePnP8D5qssFFFQ3FLRHmJ8h0iJl6qSY4W3LkCDWVQ1Qiuym4XXkYx2PkDQ=="
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.15.37",
+  "version": "0.15.38",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json CHANGED Viewed

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:207492cb-4777-468a-86df-2fca266d36c1",
+  "serialNumber": "urn:uuid:b16a51db-551d-41d2-9329-c7fa3eb78e6e",
   "version": 1,
   "metadata": {
-    "timestamp": "2043-04-04T04:57:47.000Z",
+    "timestamp": "2120-04-28T15:16:43.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.15.37"
+        "version": "0.15.38"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.37",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.38",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.15.37",
+      "version": "0.15.38",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.37",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.38",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d8d8acf0b8cc6afdf32e3884a056f7b9fa032d82e9f01d9cc7672e4f69dd4d71"
+          "content": "714a135fd916d11a3f6eceef79ad71704425daa1727d14a905b72e5cb85f4040"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.37"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.38"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "fa9bea0500c563054cb43d0df498edfd2b36d5f7ced76edae417c179e6062015"
+          "content": "dab67d6205d3359c007931fe174db2a25353878766799036627e0b6eeda41ae2"
         },
         {
           "alg": "SHA3-512",
-          "content": "4632eda2609d2f56ac24f29a218b71d02e3ff51d5c0df45eccc59d01ed0613261ed51c33daacba20fad9c285f4beb6a4d4fb704f7e20ee58739a70df0ba47184"
+          "content": "2e7e1ef53d0656956c8faa6d4bf9535e08790d79bcdeced44ab18083dd7a2a7689404344fbd0e77e649c74940406f08d58a5bd1b55bc4eb94d9e058b4d7eba14"
         }
       ]
     },
@@ -311,11 +311,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a402836f7d4443f6cccc3c6b4cc387f714dc001a266708b7d25bb0cafcbec842"
+          "content": "b8799721fb6d455811f555410845423ec87f2c26f70fe1222ee19088aa6e43f5"
         },
         {
           "alg": "SHA3-512",
-          "content": "06f50900cdf98f64426117de5e52cb666ab57251c393c9ff0e4ac7891e8811418596fb81bef659493dc5334c12dc2851b2ef11017c340c5ec842121903d1513d"
+          "content": "327ad1d5b88627cf030d5d95bbfb777e1f503f4f115ae29bfd4eadbc5c87398a984d00b9ab98dbf67e0b33e2513a5703bcbd799640a9ceec28884f7d46bd1ca7"
         }
       ]
     },
@@ -326,11 +326,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "1fa6bfad96c5ba8a89270a8aafb4433c3c03f1f107697e83f15dba4562737844"
+          "content": "0ca079ef9ae7f74755398ad434c2c0c5fe3ee7be488549af3a5ecf2394ae0ba8"
         },
         {
           "alg": "SHA3-512",
-          "content": "f90c39c11756efd2e81494af13474c80386a7ead70bebdc877c542537a503c9352fad5524162a0d28d02133e859ff8004185736feab51a1df5bff1d5924809b1"
+          "content": "05d07620864f02596125f32027bd0c7e6f7088a6a577c5253aaf7434084e416b98025880a783114acad1114d58a1d0260d7d02922e263f9a34f9990b92242afa"
         }
       ]
     },
@@ -806,11 +806,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "1e7bd615bc5516d11db4c83a5dcf631a7826c26e626a6c65abe925401a525f7e"
+          "content": "adf769626f304dd6cbd700f6f3bfe8359de02282929008e16599599470377c5c"
         },
         {
           "alg": "SHA3-512",
-          "content": "39193a9e5c82e7f02a558f6273ee716f8b6cce1d5bd41dab7f2a3b9456519bc2ddd50a185cd850fa0f8fdb309c6d759c1b23346c7969afd87aa0ab4d025f65ed"
+          "content": "e7517715aa5d66b332e7c1756d1714855c04d7159a2011730bce45e4889b08115ae7b9c10a02d48ea650f352adac6d547ce09a0fa0f2b1690e46b4161408a89d"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4db3fbdad74120fea41c942cdc85622ac77d69d47a850acb3575d56674aeff58"
+          "content": "a98d7f6abe573e5ba73e7e1097cc30a1703fff81ccc9922b00630341b2ade670"
         },
         {
           "alg": "SHA3-512",
-          "content": "6b1e49ac716e7c66fff9f197f93274011186b7709b434b4bcbff4435e6eebe87aae85d25c1b49af669f5ed5ba0ed6fa85f19a8d0651a5bcfd22588c484976799"
+          "content": "e621f955940c320845a6ee96caede41dc72fb11cb31eaab9caf1a70a717d029b2c3460de2751badfd532583bde5186d929eda7af706528af949437061b679595"
         }
       ]
     },