@blamejs/exceptd-skills 0.15.40 → 0.15.41

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.41 — 2026-05-29
+
+Draft-curation pass 38 — access-control and security-control bypass. Four CISA KEV-listed CVEs that defeat an access-enforcement mechanism are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the CrushFTP unprotected-alternate-channel admin bypass (CVE-2025-54309), the SonicWall SMA1000 missing-authorization flaw (CVE-2025-40602), the SolarWinds Web Help Desk security-control bypass (CVE-2025-40536), and the Craft CMS assumed-immutable-parameter tampering flaw (CVE-2025-35939). All map T1190; the authorization-bypass trio also maps T1078. The lessons make the point that the access-control posture (passwords, roles) is irrelevant when the enforcement mechanism itself is bypassed — restricting the management plane to a trusted network is the load-bearing compensating control — and that the parameter-tampering flaw is chained to code execution, so it requires web-shell hunting and key rotation beyond the patch.
+
 ## 0.15.40 — 2026-05-29
 
 Draft-curation pass 37 — unauthenticated upload-or-injection RCE. Six CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: unrestricted file uploads in SmarterTools SmarterMail (CVE-2025-52691) and TeamT5 ThreatSonar (CVE-2024-7694), and command/argument injection in the React Native Community CLI Metro dev server (CVE-2025-11953), GNU InetUtils (CVE-2026-24061), the Smartbedded Meteobridge device (CVE-2025-4008), and Motex LANSCOPE Endpoint Manager (CVE-2025-61932). All map T1190; the uploads add T1505.003 (web shell) and the injections add T1059. The lessons flag the trust-inversion of a compromised security product (ThreatSonar), the supply-chain risk of an exposed developer build server (React Native CLI), and the fleet-wide reach of an endpoint manager (LANSCOPE) — each demanding downstream review beyond the patched host.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T05:45:36.968Z",
+  "generated_at": "2026-05-30T06:05:46.422Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "59355be76cb1ccff92a7bcf8846b2c54865e63ea83881e10d9b902f1f77db0e3",
+    "manifest.json": "36a32308e02f7ab019a04684d57cb7391761d3a3ced05c0d9866244a538affe5",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "55293b8b9adc7371ba6450baf973a8e2d13ac810e709b598a2d042d41b074a37",
-    "data/cve-catalog.json": "2f63e64ac7dd3bfd08f0eaa5293b374934a90f0cad959c29e9cf7cba95f46ea8",
+    "data/attack-techniques.json": "95a196f3125417cb5a41c392f147d66d02c06f07aba5b05cb8f1a1ad39123c82",
+    "data/cve-catalog.json": "826b2174320f96b02ebe3a1c1c1f050931a3cd7703cb7b634c22d496d1babe3d",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "963d7687ac5f2baafc1771731483504ec32504b50ab0ecd5b5a5fa060b241cbb",
+    "data/zeroday-lessons.json": "0d035b099f10ed055d23bc556ff74df0f72f07e25d147d20baca85c2db1f6315",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -636,9 +636,12 @@
       "CVE-2025-32975",
       "CVE-2025-34026",
       "CVE-2025-3935",
+      "CVE-2025-40536",
+      "CVE-2025-40602",
       "CVE-2025-4427",
       "CVE-2025-49706",
       "CVE-2025-54236",
+      "CVE-2025-54309",
       "CVE-2025-57819",
       "CVE-2025-61757",
       "CVE-2025-6205",
@@ -1101,6 +1104,7 @@
       "CVE-2025-4008",
       "CVE-2025-40536",
       "CVE-2025-40551",
+      "CVE-2025-40602",
       "CVE-2025-42999",
       "CVE-2025-4427",
       "CVE-2025-4428",

package/data/cve-catalog.json

@@ -24793,7 +24793,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24814,7 +24815,7 @@
     "cwe_refs": [
       "CWE-693"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm",
@@ -24844,11 +24845,21 @@
         "published_date": "2026-02-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-12; due date 2026-02-15. Notes reference: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm ; https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536 ; https://nvd",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality.",
+    "iocs": {
+      "behavioral": [
+        "SolarWinds Web Help Desk reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Web Help Desk consistent with security-control-bypass flaw.",
+        "Access to administrative or protected functionality on the Web Help Desk with no corresponding legitimate login — sessions from unexpected sources, configuration/account changes, or admin actions without authentication (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-40536, CISA KEV (added 2026-02-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 access bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21513": {
     "name": "Microsoft MSHTML Framework Protection Mechanism Failure Vulnerability",
@@ -28288,7 +28299,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1068"
+      "T1068",
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -28310,7 +28323,7 @@
       "CWE-862",
       "CWE-250"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019",
@@ -28339,11 +28352,21 @@
         "published_date": "2025-12-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-17; due date 2025-12-24. Notes reference: Check for signs of potential compromise on all internet accessible SonicWall SMA1000 instances after applying mitigations. For more information please see: https://psirt.global.sonicwall.com/vuln-deta",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices.",
+    "iocs": {
+      "behavioral": [
+        "SonicWall SMA1000 reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the SMA1000 appliance consistent with missing-authorization flaw.",
+        "Access to administrative or protected functionality on the SMA1000 appliance with no corresponding legitimate login — sessions from unexpected sources, configuration/account changes, or admin actions without authentication (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-40602, CISA KEV (added 2025-12-17), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 access bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20393": {
     "name": "Cisco Multiple Products Improper Input Validation Vulnerability",
@@ -37876,7 +37899,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -37897,7 +37921,7 @@
     "cwe_refs": [
       "CWE-420"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025",
@@ -37926,11 +37950,21 @@
         "published_date": "2025-07-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-22; due date 2025-08-12. Notes reference: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309 ",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.",
+    "iocs": {
+      "behavioral": [
+        "CrushFTP reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the CrushFTP consistent with unprotected-alternate-channel flaw.",
+        "Access to administrative or protected functionality on the CrushFTP with no corresponding legitimate login — sessions from unexpected sources, configuration/account changes, or admin actions without authentication (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-54309, CISA KEV (added 2025-07-22), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 access bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-49704": {
     "name": "Microsoft SharePoint Code Injection Vulnerability",
@@ -41165,7 +41199,7 @@
     "cwe_refs": [
       "CWE-472"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/craftcms/cms/pull/17220",
@@ -41194,11 +41228,21 @@
         "published_date": "2025-06-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://github.com/craftcms/cms/pull/17220 ;   https://nvd.nist.gov/vuln/detail/CVE-2025-35939",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.",
+    "iocs": {
+      "behavioral": [
+        "Craft CMS reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Craft CMS consistent with external-control-of-assumed-immutable-web-parameter flaw.",
+        "Tampered or unexpected parameter values reaching the Craft CMS, followed by web shells or code execution as part of a chain (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-35939, CISA KEV (added 2025-06-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-56145": {
     "name": "Craft CMS Code Injection Vulnerability (variant: CVE-2024-56145)",

package/data/zeroday-lessons.json

@@ -13348,35 +13348,63 @@
   },
   "CVE-2025-40536": {
     "name": "SolarWinds Web Help Desk Security Control Bypass Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a security-control-bypass flaw (CWE-693) on SolarWinds Web Help Desk, letting an unauthenticated attacker bypass an intended security control to reach protected functionality. CISA KEV-listed 2026-02-12 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker and defeats the access-control mechanism)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the SolarWinds Web Help Desk update; review privileged-function access during the exposure window and rotate service credentials — Web Help Desk has been a repeated exploitation target.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; restricting the management plane to a trusted network is the compensating control when the access-control enforcement is itself bypassed."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Web Help Desk: requests exercising the bypass, administrative actions without a matching authentication event.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because a bypass produces access that looks authorized; the anomaly is the absence of a legitimate authentication event."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate credentials and keys, review configuration/account changes during the exposure window, and audit privileged actions and (for file-transfer/secure-access) data exposure.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an access-control bypass typically leaves administrative persistence or a code-execution foothold that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed access-control/security-control bypass on an internet-facing system; these grant unauthorized access to protected functionality and are mass-exploited within days."
+      },
+      "NIST-800-53-AC-3-enforcement": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access-enforcement is required, but these flaws defeat the enforcement mechanism itself (alternate channel, missing authorization check, security-control bypass, assumed-immutable parameter); restricting the management plane to a trusted network is the load-bearing compensating control when enforcement fails."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or appliance whose access control is bypassed."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application or appliance (file-transfer / secure-access / help-desk) in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 77,
+      "basis": "Internet-facing SolarWinds Web Help Desk is run by audited organizations whose access-control posture is irrelevant when the enforcement mechanism is bypassed; without management-plane restriction and prompt patching the system is exposed, and the required privileged-action review / web-shell hunt is rarely documented.",
+      "theater_pattern": "access_control"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-21513": {
     "name": "Microsoft MSHTML Framework Protection Mechanism Failure Vulnerability",
@@ -15171,35 +15199,63 @@
   },
   "CVE-2025-40602": {
     "name": "SonicWall SMA1000 Missing Authorization Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a missing-authorization flaw (CWE-862/CWE-250) on the SonicWall SMA1000 secure-access appliance, letting an attacker reach functionality with unnecessary privileges without proper authorization. CISA KEV-listed 2025-12-17 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker and defeats the access-control mechanism)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the SonicWall SMA1000 update and restrict management access; treat an exposed secure-access appliance as high-value — review sessions and rotate secrets, since it fronts remote access to the internal network.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; restricting the management plane to a trusted network is the compensating control when the access-control enforcement is itself bypassed."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the SMA1000 appliance: requests exercising the bypass, administrative actions without a matching authentication event.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because a bypass produces access that looks authorized; the anomaly is the absence of a legitimate authentication event."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate credentials and keys, review configuration/account changes during the exposure window, and audit privileged actions and (for file-transfer/secure-access) data exposure.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an access-control bypass typically leaves administrative persistence or a code-execution foothold that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed access-control/security-control bypass on an internet-facing system; these grant unauthorized access to protected functionality and are mass-exploited within days."
+      },
+      "NIST-800-53-AC-3-enforcement": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access-enforcement is required, but these flaws defeat the enforcement mechanism itself (alternate channel, missing authorization check, security-control bypass, assumed-immutable parameter); restricting the management plane to a trusted network is the load-bearing compensating control when enforcement fails."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or appliance whose access control is bypassed."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application or appliance (file-transfer / secure-access / help-desk) in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 77,
+      "basis": "Internet-facing SonicWall SMA1000 is run by audited organizations whose access-control posture is irrelevant when the enforcement mechanism is bypassed; without management-plane restriction and prompt patching the system is exposed, and the required privileged-action review / web-shell hunt is rarely documented.",
+      "theater_pattern": "access_control"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-20393": {
     "name": "Cisco Multiple Products Improper Input Validation Vulnerability",
@@ -20329,35 +20385,63 @@
   },
   "CVE-2025-54309": {
     "name": " CrushFTP Unprotected Alternate Channel Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an unprotected-alternate-channel flaw (CWE-420) letting an unauthenticated attacker reach administrative functionality via the alternate (AS2) path and gain admin control of the file-transfer server. CISA KEV-listed 2025-07-22 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker and defeats the access-control mechanism)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the CrushFTP update, restrict the admin interface to a trusted network, rotate admin credentials, and review for unauthorized admin actions and transferred-file exposure — MFT compromise targets data in transit.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; restricting the management plane to a trusted network is the compensating control when the access-control enforcement is itself bypassed."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the CrushFTP: requests exercising the bypass, administrative actions without a matching authentication event.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because a bypass produces access that looks authorized; the anomaly is the absence of a legitimate authentication event."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate credentials and keys, review configuration/account changes during the exposure window, and audit privileged actions and (for file-transfer/secure-access) data exposure.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an access-control bypass typically leaves administrative persistence or a code-execution foothold that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed access-control/security-control bypass on an internet-facing system; these grant unauthorized access to protected functionality and are mass-exploited within days."
+      },
+      "NIST-800-53-AC-3-enforcement": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access-enforcement is required, but these flaws defeat the enforcement mechanism itself (alternate channel, missing authorization check, security-control bypass, assumed-immutable parameter); restricting the management plane to a trusted network is the load-bearing compensating control when enforcement fails."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or appliance whose access control is bypassed."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application or appliance (file-transfer / secure-access / help-desk) in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 77,
+      "basis": "Internet-facing CrushFTP is run by audited organizations whose access-control posture is irrelevant when the enforcement mechanism is bypassed; without management-plane restriction and prompt patching the system is exposed, and the required privileged-action review / web-shell hunt is rarely documented.",
+      "theater_pattern": "access_control"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-49704": {
     "name": "Microsoft SharePoint Code Injection Vulnerability",
@@ -22014,35 +22098,63 @@
   },
   "CVE-2025-35939": {
     "name": "Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an external-control-of-assumed-immutable-web-parameter flaw (CWE-472) in Craft CMS, letting an unauthenticated attacker tamper with a parameter the application assumes is fixed (a step in a chain toward code execution). CISA KEV-listed 2025-06-02 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker and defeats the access-control mechanism)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Craft CMS update, rotate the Craft security key, and hunt for web shells — this parameter flaw is chained with the Craft code-injection RCE in the wild.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — the parameter flaw is chained to code execution, so web-shell hunting and key rotation are required cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Craft CMS: requests exercising the bypass, tampered parameters followed by web shells or unexpected process execution.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because a bypass produces access that looks authorized; the anomaly is the absence of a legitimate authentication event."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate credentials and keys, review configuration/account changes during the exposure window, and hunt for web shells from the chained RCE.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an access-control bypass typically leaves administrative persistence or a code-execution foothold that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed access-control/security-control bypass on an internet-facing system; these grant unauthorized access to protected functionality and are mass-exploited within days."
+      },
+      "NIST-800-53-AC-3-enforcement": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access-enforcement is required, but these flaws defeat the enforcement mechanism itself (alternate channel, missing authorization check, security-control bypass, assumed-immutable parameter); restricting the management plane to a trusted network is the load-bearing compensating control when enforcement fails."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or appliance whose access control is bypassed."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application or appliance (file-transfer / secure-access / help-desk) in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 77,
+      "basis": "Internet-facing Craft CMS is run by audited organizations whose access-control posture is irrelevant when the enforcement mechanism is bypassed; without management-plane restriction and prompt patching the system is exposed, and the required privileged-action review / web-shell hunt is rarely documented.",
+      "theater_pattern": "access_control"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2024-56145": {
     "name": "Craft CMS Code Injection Vulnerability (variant: CVE-2024-56145)",

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.15.40",
+  "version": "0.15.41",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
-      "signed_at": "2026-05-30T05:42:17.887Z",
+      "signed_at": "2026-05-30T06:02:24.924Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "PHwHEsoy7ctBYOtlAfAdCDVfsq2Bpk9+qESSF+5dVkDcez2zp2v9Ihsv2vqMEs3QxMndyQ+t7NVezyt5VamSCg==",
-      "signed_at": "2026-05-30T05:42:17.888Z",
+      "signed_at": "2026-05-30T06:02:24.926Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "dD4p7lcRtMyfITOncqLkpOeMy6x6gM0V7UlWHgLEdcxqODb1s75ar1cBtTqDWPbMv6ZAzVo2HJLDK1hVjjU2AQ==",
-      "signed_at": "2026-05-30T05:42:17.889Z",
+      "signed_at": "2026-05-30T06:02:24.926Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "wsw8Mlr/gyw6S7Iaao9BVHdU5LFPWl8WVymW17Lkq9J1Mui0+fCrTg6UbrsaeE3s7EW3TVgzBuK+8EFd1+H5AA==",
-      "signed_at": "2026-05-30T05:42:17.889Z"
+      "signed_at": "2026-05-30T06:02:24.927Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "uVTc1QRKOKcIVDajBz+q2egjiEAyOQaDNsvVI2ghj5FD0VvquoUBBE5Naca2FkaZa790EHWCsVZ4hhdaSQs2DQ==",
-      "signed_at": "2026-05-30T05:42:17.890Z"
+      "signed_at": "2026-05-30T06:02:24.927Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "QuNpwnZ6HkCEAXTPC/jLbXSmMIc1JnBczqZAAIZmZj8OcEMVnw9mJYAnU3CxaEI7rvbcMkN2uS5E8yUCm/NiAg==",
-      "signed_at": "2026-05-30T05:42:17.891Z"
+      "signed_at": "2026-05-30T06:02:24.928Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "5rw2i39SxY2WphBbDLEP28wufnbPPE9+PWt54hmaGdwHXr9RLiVt5liL/5xp14sehlVgFsfpR/bg9vy//xV0DA==",
-      "signed_at": "2026-05-30T05:42:17.891Z",
+      "signed_at": "2026-05-30T06:02:24.928Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "Vqu49nzntFWjn9A/QeJzm7q/2xk/cZJ6HFQKtiNi1zgcxzXKm+MlFdkaLgYHWj5/9HJohxyIDyBJQTvcJ20eDQ==",
-      "signed_at": "2026-05-30T05:42:17.891Z",
+      "signed_at": "2026-05-30T06:02:24.928Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "W87VdyVdAxAdcRI6P/8StaV+MS8ZSPKM9HOCK9n/bBO6BM3ZSE3uImVoyJVpAXQlUpUGN+A3lCJZXv64LuxwDg==",
-      "signed_at": "2026-05-30T05:42:17.892Z",
+      "signed_at": "2026-05-30T06:02:24.929Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "wdVX+edeNekpaIldqkhvtraV6DquLvIsKAjuZVwPQYn3l1vS99HXuFxmNsD7UeMlO3qgC6Dysfsto9EnuH0RBg==",
-      "signed_at": "2026-05-30T05:42:17.892Z",
+      "signed_at": "2026-05-30T06:02:24.929Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
-      "signed_at": "2026-05-30T05:42:17.893Z"
+      "signed_at": "2026-05-30T06:02:24.929Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xbkip0AQtWQKAu+O6r/gYECNjezS6O9k9xkkJsYbMlr+j8CdqH3p5/0l+GZmDidImRC/DL07GCnKrk9HRR/yDQ==",
-      "signed_at": "2026-05-30T05:42:17.893Z",
+      "signed_at": "2026-05-30T06:02:24.930Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "li2NnC1oeVIr22ComP5QbcQoh5xpWITuaKpza1s2SsUkH6kGnnt4wFfFAzaC1ORmH9x2cr8hN8kaNANG/eIMBQ==",
-      "signed_at": "2026-05-30T05:42:17.893Z",
+      "signed_at": "2026-05-30T06:02:24.930Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "sZHlJ7ueHPdtzVbR+yXQ5+wKgNyjWsa1LKVg9aWTmg/Onl71DvEILMyJiLpPQjseT56Mnr1DMYJE8xOGlffBAw==",
-      "signed_at": "2026-05-30T05:42:17.894Z"
+      "signed_at": "2026-05-30T06:02:24.930Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3AwFnEJu6DukPPNep/3SnuPWEuV060fJEQIwThFm7ujmdbFk0/Ii0XwGv1dkvbbK7ymMdOQpp35l4aLONAucDA==",
-      "signed_at": "2026-05-30T05:42:17.894Z",
+      "signed_at": "2026-05-30T06:02:24.931Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
-      "signed_at": "2026-05-30T05:42:17.894Z"
+      "signed_at": "2026-05-30T06:02:24.931Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-30T05:42:17.895Z"
+      "signed_at": "2026-05-30T06:02:24.931Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "dJB0iAstIUbyny+udl3OIkaLScEmqS97LNP73yQ8mxt+0bcqxZjpfXaWLzLuIQblGYvUvz75/H6rO2EJuGd4AQ==",
-      "signed_at": "2026-05-30T05:42:17.895Z"
+      "signed_at": "2026-05-30T06:02:24.932Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "KEAoMji3VcPX/ZXXqVe6OStxSkTssfY9fIRPyPcDYqh50GzOFQ6koNOTBVAiWOvjDjQ38g12xun5srbqgmvRAw==",
-      "signed_at": "2026-05-30T05:42:17.896Z"
+      "signed_at": "2026-05-30T06:02:24.932Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "UY3tBi0n1K/OtSrWPkHcOCSuHEwKuPmRqGIf3MyPVXGWS72elGTWGXt4AN/uStLmefeEody1LuhnJR9PWjr4Cg==",
-      "signed_at": "2026-05-30T05:42:17.896Z"
+      "signed_at": "2026-05-30T06:02:24.932Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "Qe0Hg9BrX3Zm5pj0n2z/oiHbAXWdA2Dq461zc4izkkUjEX2CZ02rODjCI2ELbrVOU3GC7edxqAxA+5U/ObnHDQ==",
-      "signed_at": "2026-05-30T05:42:17.896Z"
+      "signed_at": "2026-05-30T06:02:24.933Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
-      "signed_at": "2026-05-30T05:42:17.897Z"
+      "signed_at": "2026-05-30T06:02:24.933Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kIVzsPsJ72PzzWQwTuvjoHHoVEDCday5I52M9ohjB3/Ak+zlA8oyWLO/BKb/XuYY4fOApjfxTErSWv5uHQ2zDw==",
-      "signed_at": "2026-05-30T05:42:17.897Z"
+      "signed_at": "2026-05-30T06:02:24.933Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "bWr27Q1uN9xCe1ib4QulszBa7YIDNkGqo72k5nm2cK98LyPblicD+sO9MnGckAyB22BTN/cIB+FwFMcI5IxvBw==",
-      "signed_at": "2026-05-30T05:42:17.897Z"
+      "signed_at": "2026-05-30T06:02:24.933Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "Q854yzLqXdOazc6EyQbZzgAlivuq2vGFDVUCrxSldSvx/HX/ZM/uzmJyP7aBG7ZsMHxj6Lmj/H82YQoo1e+NCQ==",
-      "signed_at": "2026-05-30T05:42:17.898Z"
+      "signed_at": "2026-05-30T06:02:24.934Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4ccahkJpGJZtwD7EBpnGcN0sEGPMEw8eqV+tvePVS04YAkLgYVWtlkasI/8n0be9xB+77x+Sjj3kIi2j2Lf9CA==",
-      "signed_at": "2026-05-30T05:42:17.898Z",
+      "signed_at": "2026-05-30T06:02:24.934Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
-      "signed_at": "2026-05-30T05:42:17.899Z"
+      "signed_at": "2026-05-30T06:02:24.934Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "U04GNLyRas1VmfEsB8khH4iqFZPwx96sPY0Kw9iVsSPU+KTeEFqwgtWK1X1pzgb+T16Pc7HSrCaXDOpTFvQEDw==",
-      "signed_at": "2026-05-30T05:42:17.899Z"
+      "signed_at": "2026-05-30T06:02:24.935Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "QFKM76TdR408niqvDmF95HmmQuVmu9bLjOoQ9ydoBNPVOfFmF3AcpCv7zNWlLdLa2ZLxFqiBcND2qt9VDUn2Dg==",
-      "signed_at": "2026-05-30T05:42:17.900Z"
+      "signed_at": "2026-05-30T06:02:24.935Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "C9c3JuBhUbwcb7uZpDdy+PNT8sYmYIxzD4uRHu421ePW1aSFJ8fkMvuTzSO8vD/F/jOOg5opM4kov/xSAn+qCg==",
-      "signed_at": "2026-05-30T05:42:17.900Z"
+      "signed_at": "2026-05-30T06:02:24.936Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "oz8Q5WVaY8au4IjbaZahx/DSaC00Q44ylSL3mDkTerCEpW/EyPUeiLeGxSrWxBCwVFEKSSJvnhJjhvX5lDPcCg==",
-      "signed_at": "2026-05-30T05:42:17.901Z"
+      "signed_at": "2026-05-30T06:02:24.936Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
-      "signed_at": "2026-05-30T05:42:17.901Z"
+      "signed_at": "2026-05-30T06:02:24.936Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "1UTjZNC5Lyrgw93LAizdXVeSmv3jS8YQNT1db5OKsldub50+o1FXmAH4+3MxZozaOGDCX3yXbdDJSJaaSmfuAA==",
-      "signed_at": "2026-05-30T05:42:17.901Z",
+      "signed_at": "2026-05-30T06:02:24.937Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "EdsY4xe7YA8X8m+KZUbq49JwoCXgRKEz2eg3m86O37rvBmpm8ppvl9hrsekygvpBh2VmCHL2dEYiOD8OM2n7CA==",
-      "signed_at": "2026-05-30T05:42:17.901Z"
+      "signed_at": "2026-05-30T06:02:24.937Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "fnLKPLkjjRCJ/F9wdmZ1w1lXmqEJvTYkv6Uu+9OTd5vZTWKz3QMuxKOsas+ctCdOvTaeloqPUUprXx+ZZdDpCg==",
-      "signed_at": "2026-05-30T05:42:17.902Z",
+      "signed_at": "2026-05-30T06:02:24.937Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "t3dkdpTX04zvjitEeOJThpgjurLd1UO9GOut4LXSZgY3ULhfknI4zT7G5+m2RSZZTo7yyeZrwpg+7vEg9K6mAw==",
-      "signed_at": "2026-05-30T05:42:17.902Z"
+      "signed_at": "2026-05-30T06:02:24.938Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "+1kmtA6rAvIyDjjy+cJHK6BcfylyVsa5cUjRFijlFR9GsQfB93JnmkEJOqML50pdlcxtJI3yUodHpL3/YJGtCA==",
-      "signed_at": "2026-05-30T05:42:17.903Z"
+      "signed_at": "2026-05-30T06:02:24.938Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "h48ASCz63aBfHzLKxMVDADMuT4atriK0iE6bJeVzZTsx/e8+hyv4fLP7+zYxT9Oe0Gss3v/Xy+t+Wd9uwzV+Aw==",
-      "signed_at": "2026-05-30T05:42:17.903Z"
+      "signed_at": "2026-05-30T06:02:24.938Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
-      "signed_at": "2026-05-30T05:42:17.903Z"
+      "signed_at": "2026-05-30T06:02:24.939Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "ZHVdGWCcfG98tSVB0b9mwrsYwv71V3uUEl+6ss7omSQhmNvqV5s6MAZM5YladBt9MK/8T/zBrTYN4gAonOP+BQ==",
-      "signed_at": "2026-05-30T05:42:17.904Z"
+      "signed_at": "2026-05-30T06:02:24.939Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-30T05:42:17.904Z",
+      "signed_at": "2026-05-30T06:02:24.939Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
-      "signed_at": "2026-05-30T05:42:17.904Z",
+      "signed_at": "2026-05-30T06:02:24.940Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "F/jr+ljnxtm9jhmJ0ami9YElgafDzT3euZIgDOG8tgKRGwyOPArjkfDpeW+OuuiuufGu3r/mYCr/EJHIr1FsDA=="
+    "signature_base64": "j7BL3rxW3U9a43kDLOofSi61gkCkVUK93BlhkZs4w0yrTQUrweJfrAmdFnx0ZYsY5XJGmVTLoTq/EanHXeI5CA=="
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.15.40",
+  "version": "0.15.41",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:f5d06f9c-8530-4794-8b18-2d8794258f3e",
+  "serialNumber": "urn:uuid:24500e8b-b64c-4860-bbe6-96d8719fa622",
   "version": 1,
   "metadata": {
-    "timestamp": "2156-09-08T09:13:00.000Z",
+    "timestamp": "2045-04-22T05:32:59.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.15.40"
+        "version": "0.15.41"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.40",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.41",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.15.40",
+      "version": "0.15.41",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.40",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.41",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d3d1f01bf1c403e1564d3f00a49f1772e06350f3f41b0d94c344e230e1e1802b"
+          "content": "1153939d923eda7514240207432aa522d22d25925529ff262363b3be6b912a7b"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.40"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.41"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "7946f859e75fb5d3abdce087857807f672e40d4136229fa0f2e841fb54908013"
+          "content": "9451fab5d673cf8dd8b9fde8612508de5fe7fdc1e0b573c924e7fb426d9d55a1"
         },
         {
           "alg": "SHA3-512",
-          "content": "5bcb2a99c0c9b397db4fc357651dc951db8ae81bd4a113cc1b6c7041424909277dd0964cb87c5b5ff54be009f7c9c01aeb640fea1d21a14fde360f89128ed114"
+          "content": "cbb8dacad1538bf1f8dd00c404225f9b248fb825bbde2e9c31bd4a7b2567ce806078a77f7684416c9837216c153457d8f140c1e6fc1038dc3c10f9f4be1e0f87"
         }
       ]
     },
@@ -311,11 +311,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "55293b8b9adc7371ba6450baf973a8e2d13ac810e709b598a2d042d41b074a37"
+          "content": "95a196f3125417cb5a41c392f147d66d02c06f07aba5b05cb8f1a1ad39123c82"
         },
         {
           "alg": "SHA3-512",
-          "content": "3ac846762604e440b83bbbe5edb606e1f7bcd908cda5ba66a320d51a54ab8958ff1bddcc163e48e2cfd58927a5c6d55193c9f91de70e4becf2fb716d43f48caf"
+          "content": "fa1dc9572ae6335ec87f80cb2b778a1a88f87b4eb74a4216fd34643f873340ab8bb87ffbd8ed0828fdcae889305d66858f90673efff59539519c1117e085f9de"
         }
       ]
     },
@@ -326,11 +326,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2f63e64ac7dd3bfd08f0eaa5293b374934a90f0cad959c29e9cf7cba95f46ea8"
+          "content": "826b2174320f96b02ebe3a1c1c1f050931a3cd7703cb7b634c22d496d1babe3d"
         },
         {
           "alg": "SHA3-512",
-          "content": "4dfb308a2738c184e1c40d2b11e798db1d97359509fe71d2ac46c7adfbdbe9c425500f117fe2808286c033f39c744d50fea871d3976fbbf0b272b9e274633774"
+          "content": "935e51e8fc75a14806936693a0e14e871f0c349183c8ab41b50b128fbdbcb51fef4e8df2d5cefdcbdcd63160329ab14937afcc2e5b5ffb6f99789434519d112b"
         }
       ]
     },
@@ -806,11 +806,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "963d7687ac5f2baafc1771731483504ec32504b50ab0ecd5b5a5fa060b241cbb"
+          "content": "0d035b099f10ed055d23bc556ff74df0f72f07e25d147d20baca85c2db1f6315"
         },
         {
           "alg": "SHA3-512",
-          "content": "55499edb7dfb0a5ced9bc5e3a38b14245e3211f844dfb6707a4a5e1c48ab8c8921b43e4273a0e1c76732e2451360defcbdb6412f4e205158693c2ebc6dd82802"
+          "content": "af82b3caa545044e14cc8479ce0a146c5280c2624809f220d707355b13e9b4dd1c40fb0c146090d5103078e15d20d09a70f4cbdb19182841c5b08edd6fccf183"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "59355be76cb1ccff92a7bcf8846b2c54865e63ea83881e10d9b902f1f77db0e3"
+          "content": "36a32308e02f7ab019a04684d57cb7391761d3a3ced05c0d9866244a538affe5"
         },
         {
           "alg": "SHA3-512",
-          "content": "1956d40653bb9fe418ee0e923297eaf2e5406b453301c11d7f900f112dc385d48cfe45ec557160052f22c3babf6f91b960f871260f4f371c7f4883c95b4cb19b"
+          "content": "cc4e4712f36eb4050373bbf0c28526ad9cb772a92a2d193a2487158a93865a3ae29f21ddbf014ccca391530813805c49745eaf2a686d5237eea29dc80b8078fb"
         }
       ]
     },