@blamejs/exceptd-skills 0.15.44 → 0.15.45
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +1 -1
- package/CHANGELOG.md +53 -39
- package/README.md +5 -5
- package/bin/exceptd.js +109 -15
- package/data/_indexes/_meta.json +7 -7
- package/data/_indexes/activity-feed.json +8 -8
- package/data/_indexes/catalog-summaries.json +1 -1
- package/data/_indexes/section-offsets.json +41 -41
- package/data/_indexes/token-budget.json +32 -32
- package/data/cve-catalog.json +2 -2
- package/lib/flag-suggest.js +1 -1
- package/lib/refresh-external.js +4 -2
- package/lib/source-osv.js +3 -1
- package/manifest.json +47 -47
- package/orchestrator/index.js +21 -3
- package/package.json +1 -1
- package/sbom.cdx.json +34 -34
- package/skills/attack-surface-pentest/skill.md +6 -6
- package/skills/cloud-iam-incident/skill.md +2 -2
- package/skills/sector-financial/skill.md +1 -1
package/AGENTS.md
CHANGED
|
@@ -163,7 +163,7 @@ Cross-cutting playbook `framework` is the natural correlation layer — many pla
|
|
|
163
163
|
| `exceptd run-all` | Multi-playbook batch run. `--scope <type>` filters. |
|
|
164
164
|
| `exceptd ci` | Top-level CI gate for a single playbook with exit-code semantics. Preferred over `run --ci`. |
|
|
165
165
|
| `exceptd discover` | Repo discovery — scans cwd and surfaces matching playbooks + collection hints. |
|
|
166
|
-
| `exceptd ask <
|
|
166
|
+
| `exceptd ask "<question>"` | Plain-English router: all arguments are joined into one question and routed to the most relevant playbook(s). There is no per-playbook Q&A mode — pass the question, not a playbook id. |
|
|
167
167
|
| `exceptd attest diff <sid>` | Replay analyze against a stored evidence bundle for drift detection. `--against <other-sid>` compares two sessions. `--playbook <id>` + `--since <ISO>` accepted with `--latest`. `exceptd reattest` remains a short-form alias — preserved (no removal scheduled). |
|
|
168
168
|
| `exceptd attest verify <sid>` | Verify a persisted attestation's signature + evidence hash. |
|
|
169
169
|
| `exceptd attest list` | Inventory `.exceptd/attestations/` — newest first. `--playbook <id>` filters. |
|
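Review bot: the rewritten `exceptd ask "<question>"` row (new line 166) says there is no per-playbook Q&A mode and to "pass the question, not a playbook id", but it does not say what the CLI does when the first argument happens to be a playbook id: is it silently folded into the question text, or rejected with a hint pointing at `brief <playbook>`? Since the row also states that "all arguments are joined into one question", an operator who types `exceptd ask attack-surface-pentest what ports` will get either an odd routing result or an error, and the table should say which. One clause would close the gap, e.g. "a playbook id given as the first word is treated as part of the question" (or "…is rejected"), whichever the router actually does. Minor: the adjacent `attest diff` row still documents `exceptd reattest` as "preserved (no removal scheduled)"; if that alias is the reason the unchanged row is in this hunk's context, fine, otherwise consider keeping alias notes in one place so the table does not drift.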
package/CHANGELOG.md
CHANGED
|
@@ -1,160 +1,174 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.15.45 — 2026-05-30
|
|
4
|
+
|
|
5
|
+
An operator-experience pass.
|
|
6
|
+
|
|
7
|
+
Running a platform-gated playbook on a host it does not target — for example a Linux-only kernel playbook on macOS or Windows — now prints a one-line blocked summary with the reason and the next step instead of dumping the raw JSON envelope. `--json` and `--pretty` still return the full body for machine consumers, and the exit code is unchanged.
|
|
8
|
+
|
|
9
|
+
A single named playbook given `--evidence-dir` (a contract-run input) now refuses loudly rather than running against empty evidence and reporting a false all-clear: pass `--evidence <file|->` for one playbook, or run a contract over a directory of evidence. Piping empty stdin into `run <playbook>` no longer writes an advisory note that corrupted `run ... 2>&1 | jq`; an explicit `--evidence -` with empty input still warns.
|
|
10
|
+
|
|
11
|
+
Skills are discoverable. `exceptd skill` with no arguments lists every skill ID and description, and the not-found hint points there instead of at the playbook list. `brief <playbook>` ends with the `collect | run` pipeline so brief-first operators see where evidence comes from. `recipes --help` and `report --help` show real per-verb help, and `report --help` states that its default output is Markdown.
|
|
12
|
+
|
|
13
|
+
New global `--quiet` flag suppresses advisory stderr chatter — notes, tips, and the deprecation and unsigned-attestation banners — while keeping the result on stdout and all errors on stderr. It is narrower than `--json-stdout-only`, which silences all stderr and forces JSON.
|
|
14
|
+
|
|
15
|
+
`doctor --registry-check` prints an actionable message when it cannot compare versions instead of an internal "raw exit=?" token. The `refresh` help text describes the OSV/GHSA import surface as it actually is — one advisory ID per invocation, no bulk import — rather than advertising unbuilt work.
|
|
16
|
+
|
|
3
17
|
## 0.15.44 — 2026-05-30
|
|
4
18
|
|
|
5
|
-
|
|
19
|
+
Final pass; the bulk-imported KEV draft backlog is now fully curated. Six remaining CISA KEV-listed CVEs, each a distinct vulnerability class, are promoted from auto-imported drafts to fully-curated entries with mechanism-specific behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the WhatsApp linked-device zero-click authorization flaw used as the delivery half of a mobile-spyware chain (CVE-2025-55177, T1190), the IGEL OS expired-key Secure Boot signature bypass (CVE-2025-47827, T1553), the Windows WebDAV Internet-Shortcut remote-code-execution flaw exploited by Stealth Falcon (CVE-2025-33053, T1203 + T1204.002), a network-reachable Windows NULL-pointer dereference (CVE-2026-21525, T1190), the PaperCut NG/MF cross-site request forgery used in its exploitation chain (CVE-2023-2533, T1190), and the Multi-Router Looking Glass buffer overflow on route servers (CVE-2014-3931, T1190 + T1059). With this pass every CVE entry in the catalog carries behavioral IOCs, an ATT&CK mapping, and a defense-chain zero-day lesson.
|
|
6
20
|
|
|
7
21
|
## 0.15.43 — 2026-05-30
|
|
8
22
|
|
|
9
|
-
|
|
23
|
+
Supply-chain embedded malicious code. Two CISA KEV-listed CVEs where malicious code shipped through a trusted distribution channel are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the ASUS Live Update updater (CVE-2025-59374), which executes attacker code in the trusted context of the vendor update utility, and the eslint-config-prettier npm package (CVE-2025-54313), where a maintainer-account compromise published versions carrying a malicious install-time payload that runs on developer and CI machines. Both map T1195.002 (Compromise Software Supply Chain). The lessons frame the defense as enforced signature and provenance verification (code signing, Sigstore/in-toto, SLSA), dependency pinning, and publishing-account protections — not patching — and note that response is environment-wide because the tainted code reaches every host that installed it.
|
|
10
24
|
|
|
11
25
|
## 0.15.42 — 2026-05-29
|
|
12
26
|
|
|
13
|
-
|
|
27
|
+
Sensitive data exposure. Three CISA KEV-listed CVEs that leak credentials and plaintext data through diagnostic surfaces are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the two TeleMessage TM SGNL flaws — a core-dump file exposed to an unauthorized control sphere (CVE-2025-48928) and an insecure-default Spring Boot Actuator `/heapdump` endpoint (CVE-2025-48927), which together leaked plaintext messages and credentials from the Signal-clone server — and the Wing FTP error-message disclosure (CVE-2025-47813). All map T1190 and T1552. The lessons make the point that an encryption-in-transit posture is undermined when the server holds and leaks plaintext through memory dumps and diagnostic endpoints, that least-functionality (disabling Actuator and core-dump generation in production) is the durable control, and that response must rotate every exposed secret and treat the disclosed data's confidentiality as already breached — a patch cannot recall data the attacker has.
|
|
14
28
|
|
|
15
29
|
## 0.15.41 — 2026-05-29
|
|
16
30
|
|
|
17
|
-
|
|
31
|
+
Access-control and security-control bypass. Four CISA KEV-listed CVEs that defeat an access-enforcement mechanism are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the CrushFTP unprotected-alternate-channel admin bypass (CVE-2025-54309), the SonicWall SMA1000 missing-authorization flaw (CVE-2025-40602), the SolarWinds Web Help Desk security-control bypass (CVE-2025-40536), and the Craft CMS assumed-immutable-parameter tampering flaw (CVE-2025-35939). All map T1190; the authorization-bypass trio also maps T1078. The lessons make the point that the access-control posture (passwords, roles) is irrelevant when the enforcement mechanism itself is bypassed — restricting the management plane to a trusted network is the load-bearing compensating control — and that the parameter-tampering flaw is chained to code execution, so it requires web-shell hunting and key rotation beyond the patch.
|
|
18
32
|
|
|
19
33
|
## 0.15.40 — 2026-05-29
|
|
20
34
|
|
|
21
|
-
|
|
35
|
+
Unauthenticated upload-or-injection RCE. Six CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: unrestricted file uploads in SmarterTools SmarterMail (CVE-2025-52691) and TeamT5 ThreatSonar (CVE-2024-7694), and command/argument injection in the React Native Community CLI Metro dev server (CVE-2025-11953), GNU InetUtils (CVE-2026-24061), the Smartbedded Meteobridge device (CVE-2025-4008), and Motex LANSCOPE Endpoint Manager (CVE-2025-61932). All map T1190; the uploads add T1505.003 (web shell) and the injections add T1059. The lessons flag the trust-inversion of a compromised security product (ThreatSonar), the supply-chain risk of an exposed developer build server (React Native CLI), and the fleet-wide reach of an endpoint manager (LANSCOPE) — each demanding downstream review beyond the patched host.
|
|
22
36
|
|
|
23
37
|
## 0.15.39 — 2026-05-29
|
|
24
38
|
|
|
25
|
-
|
|
39
|
+
Webmail cross-site scripting. Three CISA KEV-listed webmail XSS CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the MDaemon WorldClient webmail flaw (CVE-2024-11182) and two Roundcube Webmail flaws (CVE-2024-42009, CVE-2025-68461). Script runs in the victim's authenticated mail session the moment they view a crafted email, so they map T1190 alongside T1539 (steal web session cookie). The lessons stress that patching the specific bug is not enough — a strict Content-Security-Policy and HttpOnly+SameSite session cookies are the durable controls that stop the next XSS from exfiltrating a session — and that response must invalidate webmail sessions and review mailboxes for unauthorized access and forwarding rules, because this class is repeatedly used by espionage actors for silent mailbox theft.
|
|
26
40
|
|
|
27
41
|
## 0.15.38 — 2026-05-29
|
|
28
42
|
|
|
29
|
-
|
|
43
|
+
Path traversal file access. Four CISA KEV-listed unauthenticated path-traversal CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Ruby on Rails Action View arbitrary file read (CVE-2019-5418), Srimax Output Messenger directory traversal chained to code execution (CVE-2025-27920), ZKTeco BioTime arbitrary file read (CVE-2023-38950), and the end-of-life D-Link DIR-859 router configuration disclosure (CVE-2024-0769). All map T1190; the secret-leaking file-read variants also map T1552. The lessons stress that patching does not undo the disclosure — every secret a traversal read must be rotated — that file-write traversals require hunting for dropped payloads, and that an end-of-life device (DIR-859) can only be replaced, not patched.
|
|
30
44
|
|
|
31
45
|
## 0.15.37 — 2026-05-29
|
|
32
46
|
|
|
33
|
-
|
|
47
|
+
Local and host privilege escalation. Four CISA KEV-listed escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons, spanning four platforms: the Sudo chroot-handling local-to-root flaw (CVE-2025-32463), an Android Runtime privilege escalation (CVE-2025-48543), a VMware Aria Operations / VMware Tools guest privilege-management flaw (CVE-2025-41244), and the Windows SMB client NTLM-reflection-to-SYSTEM flaw (CVE-2025-33073). All map T1068; the SMB-client case also maps T1557.001 (NTLM relay). The lessons frame these as the escalation half of an intrusion chain and name the platform-specific backstops the frameworks leave unstated — SELinux/seccomp and least privilege on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and — most importantly — SMB signing plus NTLM disablement for the reflection class, which breaks the attack regardless of patch state.
|
|
34
48
|
|
|
35
49
|
## 0.15.36 — 2026-05-29
|
|
36
50
|
|
|
37
|
-
|
|
51
|
+
Client-side file and content handling. Four CISA KEV-listed CVEs where a victim processes attacker-supplied content are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: WinRAR archive-extraction path traversals that drop a payload into an autorun location (CVE-2025-6218, CVE-2025-8088 — the latter used by espionage actors), the Microsoft Video ActiveX (msvidctl) Internet Explorer drive-by (CVE-2008-0015), and the Git link-following flaw that lets a malicious repository write outside the working tree on clone/checkout (CVE-2025-48384). They map T1203 (exploitation for client execution) with T1547.001 for the archive autorun drops, and T1204.002 (user execution of a malicious file) for the Git repository case. The lessons name the load-bearing controls beyond patching: Mark-of-the-Web propagation to extracted files, ASR rules, ActiveX kill-bits and retiring end-of-life Internet Explorer, and hardened version-control clone settings (protectNTFS, disabling symlinks) on developer machines.
|
|
38
52
|
|
|
39
53
|
## 0.15.35 — 2026-05-29
|
|
40
54
|
|
|
41
|
-
|
|
55
|
+
Server-side processing of untrusted data. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. The remote-code-execution set — SAP NetWeaver deserialization (CVE-2025-42999), Wazuh server deserialization (CVE-2025-24016), Meta React Server Components (CVE-2025-55182), and XWiki eval injection (CVE-2025-24893) — maps T1190 and T1059; the forgery/disclosure set — OSGeo GeoServer XXE (CVE-2025-58360), Adminer SSRF (CVE-2021-21311), and Oracle E-Business Suite SSRF (CVE-2025-61884) — maps T1190. The lessons separate the RCE response (web-shell hunting and secret rotation) from the SSRF/XXE response (egress filtering, cloud-metadata blocking, disabling external entities), and flag two amplifiers: a compromised Wazuh monitoring server blinds detection across the estate, and SAP/Oracle E-Business Suite sit adjacent to financial data in PCI scope.
|
|
42
56
|
|
|
43
57
|
## 0.15.34 — 2026-05-29
|
|
44
58
|
|
|
45
|
-
|
|
59
|
+
Authentication bypass and missing authentication. Seven CISA KEV-listed CVEs that grant access without valid credentials are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the Juniper ScreenOS hardcoded-backdoor credential (CVE-2015-7755), Sangoma FreePBX (CVE-2019-19006) and SKYSEA Client View (CVE-2016-7836) improper authentication, AMI MegaRAC SPx baseboard-management-controller authentication bypass by spoofing (CVE-2024-54085), the Erlang/OTP SSH server pre-authentication remote code execution (CVE-2025-32433), Oracle Fusion Middleware missing authentication (CVE-2025-61757), and the TP-Link TL-WA855RE extender missing authentication (CVE-2020-24363). All map T1190 and T1078; the Erlang flaw also maps T1059. The lessons make the load-bearing point that multi-factor authentication and password policy are irrelevant once authentication is bypassed — the compensating control is restricting the management plane to a trusted network — and that below-the-OS targets (the BMC) and planted backdoors require device rebuild, because firmware-level persistence survives an OS reinstall.
|
|
46
60
|
|
|
47
61
|
## 0.15.33 — 2026-05-29
|
|
48
62
|
|
|
49
|
-
|
|
63
|
+
Unauthenticated command/code-injection RCE. Eight CISA KEV-listed CVEs where attacker input reaches a shell or interpreter are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Array Networks ArrayOS AG (CVE-2025-66644), CWP Control Web Panel (CVE-2025-48703), Libraesva Email Security Gateway (CVE-2025-59689), Trend Micro Apex One console (CVE-2025-54948), GNU Bash Shellshock-family parsing (CVE-2014-6278), PHPMailer sender-address injection (CVE-2016-10033), Jenkins CLI Java deserialization (CVE-2017-1000353), and Fortra GoAnywhere MFT license-servlet deserialization (CVE-2025-10035). All map T1190 and T1059. The lessons highlight a high-fidelity detection signal — a shell or interpreter spawned from a web/daemon process — and stress that bundled-library flaws (Bash, PHPMailer) require updating every consumer, while CI, MFT, and EDR-console compromise carries downstream supply-chain and data reach beyond the patched host.
|
|
50
64
|
|
|
51
65
|
## 0.15.32 — 2026-05-29
|
|
52
66
|
|
|
53
|
-
|
|
67
|
+
Network devices and edge appliances. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons, spanning enterprise appliances — F5 BIG-IP stack overflow (CVE-2025-53521), HPE OneView code injection (CVE-2025-37164), Versa Concerto SD-WAN orchestrator authentication bypass (CVE-2025-34026) — and SOHO/embedded devices: ASUS router OS command injection (CVE-2023-39780) and authentication bypass (CVE-2021-32030), Digiever DVR missing authorization (CVE-2023-52163), and Sierra Wireless AirLink ALEOS unrestricted upload (CVE-2018-4063). All map T1190, with per-class T1059, T1078, or T1505.003. The lessons split remediation by device class: enterprise appliances must be rebuilt and re-keyed after compromise, while embedded/SOHO devices — often end-of-life and recruited into botnets — require firmware re-flash or replacement rather than patch-in-place.
|
|
54
68
|
|
|
55
69
|
## 0.15.31 — 2026-05-29
|
|
56
70
|
|
|
57
|
-
|
|
71
|
+
Internet-facing server-side web applications. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: server-side request forgery in GitLab (CVE-2021-22175, CVE-2021-39935) and Omnissa Workspace ONE UEM (CVE-2021-22054), PaperCut NG/MF authentication bypass (CVE-2023-27351), the Adobe Commerce/Magento "SessionReaper" session-takeover flaw (CVE-2025-54236), Adobe Experience Manager Forms code execution (CVE-2025-54253), and Sitecore ViewState deserialization via a known machine key (CVE-2025-53690). All map T1190, with per-class T1059 (code injection/deserialization) or T1078 (auth bypass/session takeover). The lessons separate the SSRF defense (egress filtering and cloud-metadata blocking as compensating controls) from the RCE/auth defense (web-shell hunting, machine-key rotation, and session invalidation beyond the patch).
|
|
58
72
|
|
|
59
73
|
## 0.15.30 — 2026-05-29
|
|
60
74
|
|
|
61
|
-
|
|
75
|
+
Software supply-chain code integrity. Three CISA KEV-listed CVEs where code is trusted without integrity verification are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the TrueConf client and Notepad++ download code/updates without an integrity check (CVE-2026-3502, CVE-2025-15556), and a Trivy distribution shipped embedded malicious code that runs in the trusted context of the vulnerability scanner (CVE-2026-33634). All map T1195.002 (Compromise Software Supply Chain). The lessons frame the defense as enforced signature and provenance verification — code signing, Sigstore/in-toto, SLSA build provenance, TLS-pinned update channels — rather than patching, and note that response is environment-wide because a compromised updater or scanner reaches every host it runs on.
|
|
62
76
|
|
|
63
77
|
## 0.15.29 — 2026-05-29
|
|
64
78
|
|
|
65
|
-
|
|
79
|
+
ICS/OT devices. Four CISA KEV-listed industrial-control and operational-technology CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: OpenPLC ScadaBR SCADA/HMI (CVE-2021-26828 unrestricted file upload, CVE-2021-26829 cross-site scripting), Hikvision IP camera authentication bypass (CVE-2017-7921), and the Rockwell Automation Logix protected-credential weakness (CVE-2021-22681). All map T1190, with per-class T1505.003, T1078, or T1552. The lessons carry an OT-specific framing: these devices frequently cannot be patched on an IT cadence, so the load-bearing controls are IEC 62443 zones-and-conduits segmentation, removal of IT/internet reachability, and OT-network monitoring — and response must validate process/control-logic integrity, not just perform IT cleanup, because compromise can have physical and safety consequences.
|
|
66
80
|
|
|
67
81
|
## 0.15.28 — 2026-05-29
|
|
68
82
|
|
|
69
|
-
|
|
83
|
+
Web applications and developer tooling. Six CISA KEV-listed unauthenticated server-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Laravel Livewire code injection (CVE-2025-54068), n8n dynamic-code execution (CVE-2025-68613), JetBrains TeamCity authentication bypass via path traversal (CVE-2024-27199), and arbitrary file-read path traversals in Grafana (CVE-2021-43798), Gogs (CVE-2025-8110), and the Vite dev server (CVE-2025-31125). All map T1190, with per-class T1059 (code injection), T1078 (auth bypass), or T1552 (file reads that leak configuration/source secrets). The lessons stress that file-disclosure flaws demand rotation of every exposed secret, and that CI/developer-tool compromise (TeamCity) carries software-supply-chain risk to build artifacts beyond the server itself.
|
|
70
84
|
|
|
71
85
|
## 0.15.27 — 2026-05-29
|
|
72
86
|
|
|
73
|
-
|
|
87
|
+
Mobile device exploitation. Four CISA KEV-listed mobile CVEs that together form a mobile-spyware chain are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Samsung image-parsing-library out-of-bounds writes exploited zero-click via a malicious image (CVE-2025-21042, CVE-2025-21043) map T1203, and Android Framework local privilege escalation and an information-disclosure primitive (CVE-2025-48572, CVE-2025-48633) map T1068. The lessons frame these as the initial-access and local-escalation halves of a commercial-surveillance chain, and name OEM/carrier OTA cadence (Samsung SMR, Android Security Bulletin), MDM-enforced update SLAs, and mobile-threat-defense as the load-bearing controls — patch reach, not just patch availability, is the gap.
|
|
74
88
|
|
|
75
89
|
## 0.15.26 — 2026-05-29
|
|
76
90
|
|
|
77
|
-
|
|
91
|
+
Unauthenticated network-service RCE. Five CISA KEV-listed server-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Samsung MagicINFO 9 Server (CVE-2024-7399 path traversal + file upload, CVE-2025-4632 the path-traversal patch-bypass variant), Wing FTP Server remote code execution (CVE-2025-47812, exploitable via anonymous login), VMware vCenter Server DCE/RPC out-of-bounds write (CVE-2024-37079), and the wormable Windows Server Service RPC overflow MS08-067 (CVE-2008-4250, exploited by Conficker). All map T1190, with T1505.003 for the upload-to-web-shell flaw and T1059 for the injection RCE. The lessons carry the long-tail patch-hygiene warning that MS08-067 still exemplifies, and require web-shell hunting or host rebuild beyond the patch.
|
|
78
92
|
|
|
79
93
|
## 0.15.24 — 2026-05-29
|
|
80
94
|
|
|
81
|
-
|
|
95
|
+
IT-management and enterprise platforms. Eight CISA KEV-listed unauthenticated server-side CVEs on platforms whose compromise reaches the managed estate are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: N-able N-Central RMM (CVE-2025-8876 command injection, CVE-2025-8875 insecure deserialization), SysAid On-Prem ITSM XXE (CVE-2025-2775, CVE-2025-2776), SimpleHelp remote support (CVE-2024-57728 path traversal, CVE-2024-57726 missing authorization), Quest KACE Systems Management Appliance authentication bypass (CVE-2025-32975), and Oracle E-Business Suite remote code execution (CVE-2025-61882). All map T1190, with per-class T1059 (code injection/deserialization) or T1078 (auth bypass). The lessons stress that management-platform compromise is fleet-wide — response must rotate credentials and audit every action pushed to downstream managed systems during the exposure window, not just patch the server.
|
|
82
96
|
|
|
83
97
|
## 0.15.23 — 2026-05-29
|
|
84
98
|
|
|
85
|
-
|
|
99
|
+
Microsoft client-side document/web exploitation and protection bypass. Eight CISA KEV-listed CVEs that all begin with a victim opening attacker-controlled content are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. They are mapped by technique class: memory-corruption code execution (CVE-2025-30397 Scripting Engine type confusion, CVE-2026-21519 type confusion, CVE-2009-1537 DirectShow media parsing) maps T1203; Mark-of-the-Web / SmartScreen protection bypass (CVE-2026-21513 MSHTML, CVE-2026-21510 Windows Shell) maps T1211 with T1553.005; Office security-feature bypass (CVE-2026-21514 Word Protected View, CVE-2026-21509 Office) maps T1211; and VBA insecure library loading (CVE-2012-1854) maps T1574.001. The lessons stress that the protection-bypass flaws prove a single control (SmartScreen, Protected View, Mark-of-the-Web) cannot be the only barrier — layered defenses (ASR rules, application control, content filtering) are required.
|
|
86
100
|
|
|
87
101
|
## 0.15.22 — 2026-05-29
|
|
88
102
|
|
|
89
|
-
|
|
103
|
+
Windows kernel/driver LPE. Five CISA KEV-listed Windows local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: an Ancillary Function Driver for WinSock use-after-free (CVE-2025-32709), a Common Log File System driver heap overflow (CVE-2025-32706), a kernel use-after-free (CVE-2025-62221), an improper-privilege-management flaw (CVE-2026-21533), and an improper-access-control elevation in a privileged service (CVE-2025-59230). All map T1068 (Exploitation for Privilege Escalation). The lessons frame these as the escalation half of the ransomware chain (initial access → unpatched LPE → SYSTEM within hours) and name hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist as load-bearing endpoint controls beyond the patch.
|
|
90
104
|
|
|
91
105
|
## 0.15.21 — 2026-05-29
|
|
92
106
|
|
|
93
|
-
|
|
107
|
+
Legacy browser/reader client-side RCEs. Six CISA KEV-listed client-side memory-corruption CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Adobe Acrobat/Reader (CVE-2020-9715 use-after-free, CVE-2009-3459 heap overflow), Internet Explorer (CVE-2010-0249 the Operation Aurora zero-day, CVE-2010-0806 iepeers, CVE-2013-3893 the SetMouseCapture watering-hole flaw), and Mozilla Firefox (CVE-2010-3765). All map T1203 (Exploitation for Client Execution). The lessons frame these as long-tail KEV re-listings — the fixes shipped years ago, but unpatched and end-of-life estates (notably the unsupported Internet Explorer) remain exposed; retiring end-of-life browsers and application hardening (Protected Mode/View, ASR rules) are the load-bearing controls.
|
|
94
108
|
|
|
95
109
|
## 0.15.20 — 2026-05-29
|
|
96
110
|
|
|
97
|
-
|
|
111
|
+
Internet-facing network devices. Eight CISA KEV-listed unauthenticated CVEs on SOHO routers, a telephony appliance, and a firewall are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: TP-Link routers (CVE-2023-50224 authentication bypass, CVE-2025-9377 and CVE-2023-33538 command injection), DrayTek Vigor command injection (CVE-2024-12987), Sangoma FreePBX (CVE-2025-64328 command injection, CVE-2025-57819 authentication bypass + SQL injection), and WatchGuard Firebox out-of-bounds-write RCE (CVE-2025-14733, CVE-2025-9242). All map T1190, with per-class T1059 (command injection) or T1078 (auth bypass). The lessons account for the realities of edge devices: end-of-life firmware that can only be replaced, recruitment into botnets and operational-relay networks, telephony toll fraud on the PBX, and the requirement to re-flash/rebuild and rotate secrets rather than patch in place.
|
|
98
112
|
|
|
99
113
|
## 0.15.19 — 2026-05-29
|
|
100
114
|
|
|
101
|
-
|
|
115
|
+
Enterprise server-side applications. Eight CISA KEV-listed unauthenticated CVEs across manufacturing-operations, file-sharing, and remote-management software are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Dassault Systèmes DELMIA Apriso (CVE-2025-6204 code injection, CVE-2025-5086 deserialization, CVE-2025-6205 missing authorization), Gladinet CentreStack/Triofox (CVE-2025-14611 hard-coded cryptographic key, CVE-2025-11371 file disclosure leaking the machine key, CVE-2025-12480 improper access control), and ConnectWise ScreenConnect (CVE-2024-1708 path traversal, CVE-2025-3935 authentication bypass). All map T1190, with per-class T1059, T1078, T1552 (key disclosure/forgery), or T1505.003. The lessons stress that key-disclosure and authentication-bypass flaws require cryptographic-key rotation — not just patching — and that RMM/file-sharing/MES compromise extends the blast radius to downstream and OT-adjacent systems.
|
|
102
116
|
|
|
103
117
|
## 0.15.18 — 2026-05-29
|
|
104
118
|
|
|
105
|
-
|
|
119
|
+
Non-Windows kernel/driver LPE. Seven CISA KEV-listed local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Qualcomm Adreno GPU / chipset flaws (CVE-2026-21385 integer overflow, CVE-2025-21479 and CVE-2025-21480 incorrect-authorization GPU flaws used in Android targeted chains, CVE-2025-27038 use-after-free) and Linux kernel flaws (CVE-2018-14634 "Mutagen Astronomy" integer overflow, CVE-2021-22555 netfilter heap out-of-bounds write, CVE-2023-0386 OverlayFS ownership). All map T1068 (Exploitation for Privilege Escalation). The lessons give platform-correct remediation — Android Security Bulletin OTA updates and MDM-enforced SLAs for the chipset entries, distribution kernel updates or live-patching plus kernel hardening for the Linux entries — and frame these as the escalation half of the attack chain.
|
|
106
120
|
|
|
107
121
|
## 0.15.17 — 2026-05-29
|
|
108
122
|
|
|
109
|
-
|
|
123
|
+
Chromium browser zero-days. Five CISA KEV-listed Google Chromium client-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: V8 JavaScript engine flaws (CVE-2025-13223 and CVE-2025-6554 type confusion, CVE-2025-5419 out-of-bounds read/write), a CSS use-after-free (CVE-2026-2441), and an ANGLE/GPU sandbox escape (CVE-2025-6558). All map T1203 (Exploitation for Client Execution); the sandbox-escape entry also maps T1068. The lessons stress same-day Chrome component-updater rollout — not gating browser updates behind a managed change window — as the load-bearing control, since these are weaponized within days in targeted-spyware and watering-hole chains.
|
|
110
124
|
|
|
111
125
|
## 0.15.16 — 2026-05-29
|
|
112
126
|
|
|
113
|
-
|
|
127
|
+
Web-application server-side RCE. Eight CISA KEV-listed unauthenticated web-app CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Kentico Xperience CMS (CVE-2025-2749 path-traversal + file upload, CVE-2025-2746 and CVE-2025-2747 alternate-channel authentication bypasses), Craft CMS code injection (CVE-2025-32432 and the related CVE-2024-56145), Roundcube Webmail deserialization (CVE-2025-49113), and SolarWinds Web Help Desk deserialization (CVE-2025-26399, CVE-2025-40551). All map T1190, with per-class T1059 (code injection / deserialization), T1078 (auth bypass), or T1505.003 (upload → web shell). The lessons stress web-shell hunting and application-secret rotation as required cleanup beyond the patch.
|
|
114
128
|
|
|
115
129
|
## 0.15.15 — 2026-05-29
|
|
116
130
|
|
|
117
|
-
|
|
131
|
+
Windows kernel/driver LPE. Seven CISA KEV-listed Windows local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: a Common Log File System (CLFS) driver use-after-free (CVE-2025-32701 — CLFS is a recurring kernel-LPE target), a race condition (CVE-2025-62215), an untrusted-pointer dereference (CVE-2025-24990), link-following (CVE-2025-60710), a kernel out-of-bounds read primitive (CVE-2023-36424), an information-disclosure primitive (CVE-2026-20805), and improper privilege management (CVE-2021-43226). All map T1068 (Exploitation for Privilege Escalation). The lessons frame these as the second half of the ransomware chain (initial access → unpatched LPE → SYSTEM within hours) and stress hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist as load-bearing endpoint controls beyond the patch.
|
|
118
132
|
|
|
119
133
|
## 0.15.14 — 2026-05-29
|
|
120
134
|
|
|
121
|
-
|
|
135
|
+
Legacy Microsoft client-side RCEs. Six CISA KEV-listed older Microsoft document / browser / font-parsing RCEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Office (CVE-2009-0238), PowerPoint (CVE-2009-0556), Excel (CVE-2007-0671), Internet Explorer (CVE-2010-3962 — a landmark IE zero-day from the Operation Aurora era), Windows TrueType font parsing (CVE-2011-3402 — the Duqu zero-day), and Windows InformationCardSigninHelper ActiveX (CVE-2013-3918). All map T1203 (Exploitation for Client Execution). The lessons frame these as long-tail KEV re-listings — the patch landed years ago, but CISA re-lists because unpatched legacy estates remain exposed; centralized patch management plus Office hardening (Protected View, ASR rules) are the load-bearing controls.
|
|
122
136
|
|
|
123
137
|
## 0.15.13 — 2026-05-29
|
|
124
138
|
|
|
125
|
-
|
|
139
|
+
Citrix. Six CISA KEV-listed Citrix CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: four NetScaler ADC/Gateway appliance flaws (CVE-2026-3055 and CVE-2025-5777 — the CitrixBleed-class out-of-bounds reads that disclose authenticated session material; CVE-2025-7775 and CVE-2025-6543 memory-corruption buffer flaws) and two Session Recording flaws (CVE-2024-8069 deserialization RCE and CVE-2024-8068 privilege escalation). The CitrixBleed entries map T1552 alongside T1190 to surface session-token theft, and the lessons stress session termination + secret rotation (memory-disclosure class) and appliance rebuild (RCE class) as required steps beyond the patch.
|
|
126
140
|
|
|
127
141
|
## 0.15.12 — 2026-05-29
|
|
128
142
|
|
|
129
|
-
|
|
143
|
+
Zimbra mail server. Seven CISA KEV-listed Synacor Zimbra Collaboration Suite (ZCS) CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the cross-site scripting cluster (CVE-2025-48700, CVE-2025-66376, CVE-2025-27915, CVE-2024-27443), the server-side request forgery pair (CVE-2020-7796, CVE-2019-9621), and the PHP remote-file-inclusion RCE (CVE-2025-68645). The lessons note ZCS is a recurring mass-exploited mail-server target where web-shell hunting and session-secret rotation are needed beyond the patch.
|
|
130
144
|
|
|
131
145
|
## 0.15.11 — 2026-05-29
|
|
132
146
|
|
|
133
|
-
|
|
147
|
+
Apple client-side zero-days. Nine CISA KEV-listed Apple memory-corruption CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. They map T1203 (Exploitation for Client Execution) — and T1068 for the sandbox-escape steps that act as privilege links in a multi-stage chain — rather than the network-service T1190: improper locking (CVE-2025-43510), buffer overflows (CVE-2025-43520, CVE-2025-31277, CVE-2026-20700), use-after-frees (CVE-2023-43000, CVE-2023-41974), an integer overflow (CVE-2021-30952), and two code-execution flaws (CVE-2022-48503, CVE-2025-43200). The lessons frame these as targeted-spyware-chain components and stress same-day OS update vs. MDM change windows, with Lockdown Mode for high-risk users.
|
|
134
148
|
|
|
135
149
|
## 0.15.10 — 2026-05-29
|
|
136
150
|
|
|
137
|
-
|
|
151
|
+
Microsoft server-side RCE. Six CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Exchange Server deserialization (CVE-2023-21529), Configuration Manager SQL injection (CVE-2024-43468), Windows Server Update Services deserialization (CVE-2025-59287), and the SharePoint Server "ToolShell" chain — improper authentication (CVE-2025-49706), code injection (CVE-2025-49704), and deserialization (CVE-2025-53770). The lessons stress that for these deserialization RCEs patching alone is insufficient: stolen machine keys and dropped web shells survive the patch and require explicit key rotation and web-shell hunting.
|
|
138
152
|
|
|
139
153
|
## 0.15.9 — 2026-05-29
|
|
140
154
|
|
|
141
|
-
|
|
155
|
+
Network devices and the Ivanti EPMM chain. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: D-Link DIR-823X command injection (CVE-2025-29635), router buffer overflow (CVE-2022-37055), DCS-2530L/2670L camera code execution (CVE-2020-25078) and command injection (CVE-2020-25079), DNR-322L download-without-integrity (CVE-2022-40799), and the Ivanti EPMM authentication-bypass + code-injection preauth chain (CVE-2025-4427, CVE-2025-4428). The device lessons note that end-of-life consumer hardware is unpatchable, making network isolation the load-bearing control, and that firmware implants survive a reboot without a reflash.
|
|
142
156
|
|
|
143
157
|
## 0.15.8 — 2026-05-29
|
|
144
158
|
|
|
145
|
-
|
|
159
|
+
Cisco network devices. Seven CISA KEV-listed Cisco CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: SD-WAN path traversal (CVE-2022-20775), multi-product improper input validation (CVE-2025-20393), IOS/IOS XE SNMP DoS+RCE (CVE-2025-20352), the Secure Firewall ASA/FTD missing-authorization (CVE-2025-20362) and buffer-overflow (CVE-2025-20333) chain, and the Identity Services Engine injection pair (CVE-2025-20337, CVE-2025-20281). The ASA and device lessons note that network-device implants survive patching without explicit recovery steps.
|
|
146
160
|
|
|
147
161
|
## 0.15.7 — 2026-05-29
|
|
148
162
|
|
|
149
|
-
|
|
163
|
+
Fortinet network appliances. Six CISA KEV-listed Fortinet CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: FortiWeb OS command injection (CVE-2025-58034), path traversal (CVE-2025-64446), and SQL injection (CVE-2025-25257); FortiOS hard-coded credentials (CVE-2019-6693); and the multi-product improper-signature-verification (CVE-2025-59718) and stack-based buffer overflow (CVE-2025-32756).
|
|
150
164
|
|
|
151
165
|
## 0.15.6 — 2026-05-29
|
|
152
166
|
|
|
153
|
-
|
|
167
|
+
Enterprise management-plane and infrastructure. Six CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the Cisco Catalyst SD-WAN Manager cluster — incorrect privileged-API use (CVE-2026-20122), sensitive-information exposure (CVE-2026-20133), and recoverable password storage (CVE-2026-20128) — plus Microsoft SharePoint Server improper input validation (CVE-2026-32201), Fortinet FortiClient EMS improper access control (CVE-2026-35616), and Dell RecoverPoint for VMs hard-coded credentials (CVE-2026-22769).
|
|
154
168
|
|
|
155
169
|
## 0.15.5 — 2026-05-29
|
|
156
170
|
|
|
157
|
-
|
|
171
|
+
The client-side memory-corruption class. Four CISA KEV-listed browser/document-reader RCEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, a matching zero-day lesson, and ATT&CK enrichment to T1203 (Exploitation for Client Execution) rather than the network-service T1190: Google Chrome Skia out-of-bounds write (CVE-2026-3909), Chrome Dawn/WebGPU use-after-free (CVE-2026-5281), Chrome V8 memory-buffer flaw (CVE-2026-3910), and Adobe Acrobat/Reader prototype pollution (CVE-2026-34621). The lessons frame remediation as endpoint/browser patch-SLA (same-day auto-update vs. managed change windows) rather than perimeter patching.
|
|
158
172
|
|
|
159
173
|
## 0.15.4 — 2026-05-29
|
|
160
174
|
|
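Review bot: the added 0.15.7 (Fortinet) and 0.15.6 (management-plane) entries are the only two in this hunk that stop at the CVE list; every other backfilled entry closes with a lessons/remediation sentence (key rotation, web-shell hunting, appliance rebuild, patch-SLA framing). Add the matching sentence to both so the pattern holds, reusing the cleanup language the web-app and Microsoft server-side entries already state for the same flaw classes (hard-coded credentials and command injection in 0.15.7, recoverable password storage and hard-coded credentials in 0.15.6 call for credential rotation beyond the patch). Second, every replaced line in this hunk is empty, so the fifteen entries 0.15.5 through 0.15.19 were published as placeholders and are being rewritten retroactively in a 0.15.45 patch release; a reader diffing the changelog will see history change without explanation, so say in this release's own entry that those entries were backfilled.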
package/README.md
CHANGED
|
@@ -30,7 +30,7 @@ This platform surfaces what is actually happening right now. Every skill explici
|
|
|
30
30
|
|
|
31
31
|
## Status
|
|
32
32
|
|
|
33
|
-
Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 42 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 11 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons / exploit availability) covering 35 jurisdictions
|
|
33
|
+
Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 42 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 11 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons / exploit availability) covering 35 jurisdictions; the CVE catalog holds 427 actively-exploited and high-priority entries, each carrying behavioral indicators, an ATT&CK technique mapping, and a defense-chain zero-day lesson. 24 investigation playbooks (kernel, MCP, AI-API, framework, SBOM, runtime, hardening, secrets, cred-stores, containers, crypto, plus `webhook-callback-abuse`, `cicd-pipeline-compromise`, `identity-sso-compromise`, `llm-tool-use-exfil`, `post-quantum-migration`, `ai-discovered-cve-triage`, `supply-chain-recovery`, `citation-hygiene`, and more), a CLI for discovery and investigation built around `discover → brief → run → attest` (each run executes the playbook's seven-phase contract), and a nightly auto-refresh job that pulls KEV / NVD / EPSS / GHSA / OSV / IETF deltas plus 15 primary-source advisory, research-blog, and tech-press feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org, oss-security, JFrog, CISA, Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red, BleepingComputer security, and The Hacker News) into auto-PRs for editorial review, alongside a silent-regression watcher that flags historical CVEs re-broken without a new identifier.
|
|
34
34
|
|
|
35
35
|
---
|
|
36
36
|
|
|
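Review bot: the expanded Status line on the + side says the nightly job pulls "15 primary-source advisory, research-blog, and tech-press feeds" but its parenthetical names only 14 (Qualys TRU through The Hacker News); the researcher activity-feed tracker that the 8 + 4 + 3 breakdown in the Primary-source advisory polling paragraph counts as the fifteenth is missing here. Either add it or drop the inline roster and point at that paragraph. Separately, "427 actively-exploited and high-priority entries" is a hand-edited count that the nightly KEV/OSV drafts will make stale within a day; source that number from the catalog summary index at build time, or phrase it as an approximate figure with the release it was measured at.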
@@ -154,7 +154,7 @@ Air-gapped operation: run `exceptd refresh --prefetch` on a connected host, copy
|
|
|
154
154
|
|
|
155
155
|
Fresh-disclosure workflow (v0.12.0): the nightly auto-PR job pulls KEV / NVD / EPSS / IETF / **GHSA** (added in v0.12.0) / **OSV** (added in v0.12.10). KEV typically takes days; NVD ~10 days; GHSA fires within hours of disclosure and covers npm + PyPI + Maven + Go + NuGet + …; OSV aggregates the OSSF Malicious Packages dataset (`MAL-*` keys) + Snyk + RustSec + Mageia + Ubuntu USN + Go Vuln DB + PYSEC + UVI on top of GHSA — useful for malicious-package compromises that don't have CVEs yet (`exceptd refresh --advisory MAL-2026-3083`). New IDs land as drafts (`_auto_imported: true`, `_draft: true`) that the catalog validator treats as warnings, not errors — operators get the fresh entry immediately, editorial review (framework gaps, IoCs, ATLAS/ATT&CK refs) follows via `exceptd refresh --curate <ID>`. For "I want this advisory today, not tomorrow": `exceptd refresh --advisory <CVE-or-GHSA-or-MAL-or-SNYK-or-RUSTSEC-ID> --apply`.
|
|
156
156
|
|
|
157
|
-
Primary-source advisory polling: `exceptd refresh --check-advisories` polls 15 vendor and coordinated-disclosure feeds — 8 advisory/coordinated-disclosure venues (Qualys TRU, Red Hat RHSA, Ubuntu USN, Zero Day Initiative, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories), 4 vendor security research blogs
|
|
157
|
+
Primary-source advisory polling: `exceptd refresh --check-advisories` polls 15 vendor and coordinated-disclosure feeds — 8 advisory/coordinated-disclosure venues (Qualys TRU, Red Hat RHSA, Ubuntu USN, Zero Day Initiative, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories), 4 vendor security research blogs (Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red), and 3 more (BleepingComputer security, The Hacker News, and a researcher activity-feed tracker). Combined coverage publishes CVE IDs at T+0 to T+1 — typically 3–14 days ahead of NVD enrichment. The command is report-only: it returns a structured `diffs[]` listing each newly-seen CVE ID with its source attributions and advisory URLs, but does not mutate the catalog. A complementary silent-regression watcher (`lib/cve-regression-watcher.js`) cross-checks poller diffs for historical-CVE references (year ≤ currentYear − 2) and surfaces candidate silent-regression cases — historical CVEs re-broken by a new proof-of-concept without a new ID being assigned. Operators triage the output and route promising IDs through `exceptd refresh --advisory <CVE-ID> --apply`. Pairs naturally with the daily scheduled remote agent below.
|
|
158
158
|
|
|
159
159
|
CVE-class alert surfacing: `exceptd watchlist --alerts` matches the live `cve-catalog.json` against five operational patterns (`kernel_lpe_with_poc`, `supply_chain_family`, `ai_discovered_kev`, `active_exploitation_unpatched`, `recent_poc_no_kev_yet`) and returns the matches sorted critical-severity-first, then by RWEP. Use as a fast operational triage on a refreshed catalog without scanning every entry by hand.
|
|
160
160
|
|
|
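Review bot: the completed sentence on the + line defines the silent-regression watcher's filter as "year ≤ currentYear − 2" and nothing else, which will flag every historical CVE a feed mentions in passing (a USN or RHSA listing superseded CVEs, a blog recapping old bugs), so the candidate list will be mostly ordinary back-references. The phrase "re-broken by a new proof-of-concept" implies a second signal is required; either document that condition here (what in the feed item marks it as a new PoC rather than a citation) or state plainly that the output is unfiltered and the operator triage step is load-bearing. Minor: "T+0 to T+1" carries no unit; the surrounding sentence measures NVD lag in days, so say days.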
@@ -426,7 +426,7 @@ exceptd refresh Refresh upstream catalogs + indexes.
|
|
|
426
426
|
advisories, Microsoft Security Blog,
|
|
427
427
|
Sysdig, Trail of Bits, Embrace the Red,
|
|
428
428
|
BleepingComputer, The Hacker News,
|
|
429
|
-
|
|
429
|
+
researcher activity-feed tracker) for
|
|
430
430
|
CVE IDs disclosed at T+0 to T+1 —
|
|
431
431
|
days ahead of NVD enrichment.
|
|
432
432
|
Report-only: emits structured diffs[]
|
|
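Review bot: the added line completes an inline roster of all 15 feeds in the `exceptd refresh --check-advisories` help text, so the same feed list is now maintained by hand in three places in this diff (the Status line, the Primary-source advisory polling paragraph, and this help block), and the Status copy already disagrees with the other two on which feeds are included. Generate the roster for both help and README from the poller's feed registry, or keep only the count plus the researcher-tracker mention in help and refer to the README section for the full list.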
@@ -557,13 +557,13 @@ Every `run` (and every per-playbook result inside a `ci` body) hoists the headli
|
|
|
557
557
|
| `precondition_check_source` | object | Per-precondition: `submission` / `runOpts` / `merged` |
|
|
558
558
|
| `phases` | object | Full per-phase outputs — `govern`, `direct`, `look`, `detect`, `analyze`, `validate`, `close` |
|
|
559
559
|
|
|
560
|
-
On a blocked result (preflight halt, missing precondition), `ok` is `false` and the envelope additionally carries `blocked_by` / `reason` / `remediation` / `phase: 'preflight'` / `verdict: 'blocked'`. `evidence_completeness` reports `not-evaluated`.
|
|
560
|
+
On a blocked result (preflight halt, missing precondition), `ok` is `false` and the envelope additionally carries `blocked_by` / `reason` / `remediation` / `phase: 'preflight'` / `verdict: 'blocked'`. `evidence_completeness` reports `not-evaluated`. In default human output a blocked result renders as a one-line `[blocked]` summary with the reason and a next step; `--json` / `--pretty` return the full envelope.
|
|
561
561
|
|
|
562
562
|
### Default terminal output vs `--json` / `--pretty`
|
|
563
563
|
|
|
564
564
|
By default `ci`, `run`, `attest verify`, `attest diff`, and `discover` emit a human-readable digest at the terminal — verdict line, per-playbook table (for `ci`), next-step block keyed on verdict (BLOCKED → `exceptd lint <pb> -`; NO_EVIDENCE → lint + `--evidence-dir`; FAIL → `--format markdown` / `--format csaf-2.0` per detected playbook; CLOCK_STARTED → CSAF advisory), pending jurisdiction obligations grouped by `clock_start_event`, deduped session warnings, framework-gap rollup.
|
|
565
565
|
|
|
566
|
-
Pass `--json` (compact) or `--pretty` (indented) to reach the structured envelope when automating. Setting `EXCEPTD_RAW_JSON=1` in the environment has the same effect.
|
|
566
|
+
Pass `--json` (compact) or `--pretty` (indented) to reach the structured envelope when automating. Setting `EXCEPTD_RAW_JSON=1` in the environment has the same effect. `--quiet` keeps human output but drops advisory stderr notes (and the deprecation / unsigned-attestation banners) so `run … 2>&1 | jq` stays clean; `--json-stdout-only` goes further and silences all stderr.
|
|
567
567
|
|
|
568
568
|
## Invoking a skill from your AI assistant
|
|
569
569
|
|
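Review bot: the second + line has `--quiet` drop the unsigned-attestation banner along with the deprecation banner, which removes a security signal in exactly the automated pipelines most likely to pass `--quiet`; an unsigned attestation should also appear in the JSON envelope (a field alongside `verdict` and `ok`) or in the exit code so that suppressing stderr cannot hide it, and this paragraph should say which of those applies. The `run … 2>&1 | jq` example on the same line only parses if `--json` or `--pretty` is also given, since the sentence says `--quiet` keeps the human digest; write it as `run --json --quiet … 2>&1 | jq` so jq does not receive the terminal digest.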