npm - @blamejs/exceptd-skills - Versions diffs - 0.15.4 → 0.15.6 - Mend

@blamejs/exceptd-skills 0.15.4 → 0.15.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +7 -3
package/data/cve-catalog.json +161 -57
package/data/zeroday-lessons.json +390 -130
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Changelog
+## 0.15.6 — 2026-05-29
+Draft-curation pass 4 — enterprise management-plane and infrastructure. Six CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the Cisco Catalyst SD-WAN Manager cluster — incorrect privileged-API use (CVE-2026-20122), sensitive-information exposure (CVE-2026-20133), and recoverable password storage (CVE-2026-20128) — plus Microsoft SharePoint Server improper input validation (CVE-2026-32201), Fortinet FortiClient EMS improper access control (CVE-2026-35616), and Dell RecoverPoint for VMs hard-coded credentials (CVE-2026-22769).
+## 0.15.5 — 2026-05-29
+Draft-curation pass 3 — the client-side memory-corruption class. Four CISA KEV-listed browser/document-reader RCEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, a matching zero-day lesson, and ATT&CK enrichment to T1203 (Exploitation for Client Execution) rather than the network-service T1190: Google Chrome Skia out-of-bounds write (CVE-2026-3909), Chrome Dawn/WebGPU use-after-free (CVE-2026-5281), Chrome V8 memory-buffer flaw (CVE-2026-3910), and Adobe Acrobat/Reader prototype pollution (CVE-2026-34621). The lessons frame remediation as endpoint/browser patch-SLA (same-day auto-update vs. managed change windows) rather than perimeter patching.
 ## 0.15.4 — 2026-05-29
 Draft-curation pass 2. Eight more CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons — the network-service authentication-bypass and code-injection class: Ivanti EPMM (CVE-2026-1281), SmarterTools SmarterMail auth bypass (CVE-2026-23760) and missing-auth (CVE-2026-24423), Cisco Unified Communications code injection (CVE-2026-20045), cPanel & WHM / WP2 missing authentication (CVE-2026-41940), Ivanti EPM authentication bypass (CVE-2026-1603), Cisco Catalyst SD-WAN improper authentication (CVE-2026-20127), and Fortinet multi-product authentication bypass (CVE-2026-24858).

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T16:17:03.003Z",
+  "generated_at": "2026-05-29T18:03:19.614Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "6890a34b6c35eb92b41a78659b2ac070023943602061fd0285da67ae0c8b8700",
+    "manifest.json": "de945cd44af7f0c8c05d165bbc4e4e3fa909cef74e19812f7643dc0bcf933551",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "ecf58df3bb4828d160c489ec8bba98aef9f7f66eca9bfdd569ed4839178a6a78",
-    "data/cve-catalog.json": "b25afd0b41e24cdb15e3c792e9fd12e2fbdc10975541e39328a41bd25693edee",
+    "data/attack-techniques.json": "c2045b7be150b50a605e555ed3573194ce21f4cd109a99de6fee3d75e8daf2c7",
+    "data/cve-catalog.json": "70f75c1d6812d251dd4819800662dc16329856d18a5b5907912cc0cc30328a6f",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "4435378f8b4870e1088843e78adf69ea22c8b27e21969db061ebea56da412639",
+    "data/zeroday-lessons.json": "16d1bba0c2bde1be54c590ef5d0cf34ce5d6b012781a7a7dcb8a828e258f0bb9",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json CHANGED Viewed

@@ -486,6 +486,7 @@
       "CVE-2025-62215",
       "CVE-2025-62849",
       "CVE-2026-0300",
+      "CVE-2026-20122",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-33825",
@@ -564,6 +565,7 @@
       "CVE-2026-20127",
       "CVE-2026-20182",
       "CVE-2026-21858",
+      "CVE-2026-22769",
       "CVE-2026-23760",
       "CVE-2026-24061",
       "CVE-2026-24423",
@@ -1121,11 +1123,8 @@
       "CVE-2026-33634",
       "CVE-2026-34159",
       "CVE-2026-34197",
-      "CVE-2026-34621",
       "CVE-2026-3502",
       "CVE-2026-35616",
-      "CVE-2026-3909",
-      "CVE-2026-3910",
       "CVE-2026-39987",
       "CVE-2026-40933",
       "CVE-2026-41940",
@@ -1303,6 +1302,9 @@
       "CVE-2026-21385",
       "CVE-2026-2441",
       "CVE-2026-25592",
+      "CVE-2026-34621",
+      "CVE-2026-3909",
+      "CVE-2026-3910",
       "CVE-2026-5281",
       "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP"
     ],
@@ -1368,6 +1370,7 @@
     ],
     "cve_refs": [
       "CVE-2024-12450",
+      "CVE-2026-20133",
       "CVE-2026-21858",
       "CVE-2026-22218",
       "CVE-2026-41950"
@@ -1631,6 +1634,7 @@
       "CVE-2025-30154",
       "CVE-2025-68664",
       "CVE-2025-68665",
+      "CVE-2026-20128",
       "CVE-2026-22219",
       "CVE-2026-48027",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",

package/data/cve-catalog.json CHANGED Viewed

@@ -8212,7 +8212,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -8233,7 +8234,7 @@
     "cwe_refs": [
       "CWE-648"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems",
@@ -8264,11 +8265,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Catalyst SD-WAN Manager reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the SD-WAN Manager management plane consistent with an incorrect use of privileged APIs (CWE-648) reachable by an unauthenticated attacker, enabling privileged actions on the management plane.",
+        "Indicators of the exploited weakness on the SD-WAN Manager management plane — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20122, CISA KEV (added 2026-04-20), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20133": {
     "name": "Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability",
@@ -8310,7 +8321,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1213"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -8331,7 +8343,7 @@
     "cwe_refs": [
       "CWE-200"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems",
@@ -8362,11 +8374,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Catalyst SD-WAN Manager reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the SD-WAN Manager management plane consistent with exposure of sensitive information to an unauthorized actor (CWE-200) from the management plane.",
+        "Indicators of the exploited weakness on the SD-WAN Manager management plane — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20133, CISA KEV (added 2026-04-20), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-2749": {
     "name": "Kentico Xperience Path Traversal Vulnerability",
@@ -8697,7 +8719,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -8718,7 +8741,7 @@
     "cwe_refs": [
       "CWE-257"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems",
@@ -8749,11 +8772,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Catalyst SD-WAN Manager reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the SD-WAN Manager consistent with storage of passwords in a recoverable format (CWE-257), allowing an attacker with access to recover credentials.",
+        "Indicators of the exploited weakness on the SD-WAN Manager — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20128, CISA KEV (added 2026-04-20), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32975": {
     "name": "Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability",
@@ -9214,7 +9247,7 @@
     "cwe_refs": [
       "CWE-20"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32201",
@@ -9243,11 +9276,21 @@
         "published_date": "2026-04-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-14; due date 2026-04-28. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32201 ; https://nvd.nist.gov/vuln/detail/CVE-2026-32201",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft SharePoint Server reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the SharePoint Server surface consistent with improper input validation (CWE-20) reachable by an unauthorized attacker, leading to compromise of the SharePoint server.",
+        "Indicators of the exploited weakness on the SharePoint Server surface — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-32201, CISA KEV (added 2026-04-14), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2012-1854": {
     "name": "Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability",
@@ -9874,7 +9917,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -9895,7 +9938,7 @@
     "cwe_refs": [
       "CWE-1321"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://helpx.adobe.com/security/products/acrobat/apsb26-43.html",
@@ -9924,11 +9967,21 @@
         "published_date": "2026-04-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://helpx.adobe.com/security/products/acrobat/apsb26-43.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-34621",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.",
+    "iocs": {
+      "behavioral": [
+        "Adobe Acrobat and Reader below the patched build on an endpoint exposed to a crafted PDF document.",
+        "Renderer/process crashes consistent with a prototype-pollution flaw (CWE-1321) in Acrobat/Reader enabling arbitrary code execution when a crafted PDF is opened when processing a crafted PDF document.",
+        "Delivery of a crafted PDF document immediately preceding anomalous child-process spawning from the PDF reader (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-34621, CISA KEV (added 2026-04-13), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-1340": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability",
@@ -10100,7 +10153,7 @@
     "cwe_refs": [
       "CWE-284"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-26-099",
@@ -10129,11 +10182,21 @@
         "published_date": "2026-04-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-06; due date 2026-04-09. Notes reference: Please adhere to Fortinet's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Fortinet products affected by this vulnerability. Apply",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiClient EMS reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the FortiClient EMS management server consistent with an improper access-control flaw (CWE-284) allowing an unauthenticated attacker to access functions or data beyond authorization.",
+        "Indicators of the exploited weakness on the FortiClient EMS management server — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-35616, CISA KEV (added 2026-04-06), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-3502": {
     "name": "TrueConf Client Download of Code Without Integrity Check Vulnerability",
@@ -10292,7 +10355,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html",
@@ -10321,11 +10384,21 @@
         "published_date": "2026-04-01"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-01; due date 2026-04-15. Notes reference: This vulnerability affects an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://ch",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Dawn contains an use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Dawn contains an use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "iocs": {
+      "behavioral": [
+        "Google Chrome (Dawn / WebGPU) below the patched build on an endpoint exposed to attacker-controlled web content after a renderer compromise.",
+        "Renderer/process crashes consistent with a use-after-free in Dawn / WebGPU (CWE-416) usable by an attacker who has already compromised the renderer, as a sandbox-escape step in an exploit chain when processing attacker-controlled web content after a renderer compromise.",
+        "Delivery of attacker-controlled web content after a renderer compromise immediately preceding anomalous child-process spawning from the browser renderer / GPU process (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-5281, CISA KEV (added 2026-04-01), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-3055": {
     "name": "Citrix NetScaler Out-of-Bounds Read Vulnerability",
@@ -21381,7 +21454,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21402,7 +21475,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html",
@@ -21431,11 +21504,21 @@
         "published_date": "2026-03-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-13; due date 2026-03-27. Notes reference: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-3910",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "iocs": {
+      "behavioral": [
+        "Google Chrome (V8 JavaScript engine) below the patched build on an endpoint exposed to crafted web content.",
+        "Renderer/process crashes consistent with an out-of-bounds memory access in the V8 JavaScript engine (CWE-119) when processing crafted web content.",
+        "Delivery of crafted web content immediately preceding anomalous child-process spawning from the browser renderer (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-3910, CISA KEV (added 2026-03-13), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-3909": {
     "name": "Google Skia Out-of-Bounds Write Vulnerability",
@@ -21477,7 +21560,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21498,7 +21581,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html",
@@ -21527,11 +21610,21 @@
         "published_date": "2026-03-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-13; due date 2026-03-27. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For mor",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.",
+    "iocs": {
+      "behavioral": [
+        "Google Chrome (Skia graphics library) below the patched build on an endpoint exposed to attacker-controlled web content.",
+        "Renderer/process crashes consistent with an out-of-bounds write in the Skia graphics library (CWE-787) when processing attacker-controlled web content.",
+        "Delivery of attacker-controlled web content immediately preceding anomalous child-process spawning from the browser renderer (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-3909, CISA KEV (added 2026-03-13), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-68613": {
     "name": "n8n Improper Control of Dynamically-Managed Code Resources Vulnerability",
@@ -23259,7 +23352,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -23280,7 +23374,7 @@
     "cwe_refs": [
       "CWE-798"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079",
@@ -23311,11 +23405,21 @@
         "published_date": "2026-02-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-18; due date 2026-02-21. Notes reference: https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079 ; https://www.dell.com/support/kbdoc/en-us/000426742/recoverpoint-for-vms-apply-the-remediation-script-for-dsa ; https://cloud.google.co",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Dell RecoverPoint for Virtual Machines (RP4VMs) contains an use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and root-level persistence."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dell RecoverPoint for Virtual Machines (RP4VMs) contains an use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and root-level persistence.",
+    "iocs": {
+      "behavioral": [
+        "Dell RecoverPoint for Virtual Machines (RP4VMs) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the RP4VMs appliance consistent with use of hard-coded credentials (CWE-798), allowing an attacker to authenticate with built-in credentials.",
+        "Indicators of the exploited weakness on the RP4VMs appliance — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-22769, CISA KEV (added 2026-02-18), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2020-7796": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability",