@blamejs/exceptd-skills 0.9.1

package/data/cwe-catalog.json

@@ -0,0 +1,1017 @@
+{
+  "_meta": {
+    "schema_version": "1.0.0",
+    "last_updated": "2026-05-11",
+    "cwe_version": "4.16",
+    "cwe_version_release_date": "2024-11-19",
+    "source": "https://cwe.mitre.org",
+    "view_general": "CWE View 1003 (Weaknesses for Simplified Mapping of Published Vulnerabilities)",
+    "view_research": "CWE View 1000 (Research Concepts)",
+    "view_ai_ml": "CWE View 1425 (AI/ML Weaknesses)",
+    "view_top_25_2024": "CWE View 1430 (2024 CWE Top 25 Most Dangerous Software Weaknesses)",
+    "skill_refs_field": "cwe_refs",
+    "note": "CWE Top 25 ranks reflect the 2024 release published by MITRE / CISA on 2024-11-20 (View CWE-1430). The 2025 release was not yet published as of pin date 2026-05-11; top_25_rank_2025 is null for all entries until the next list ships. CVE-to-CWE assignments use the primary NVD classification where known; secondary classes are noted in lag_notes. Per AGENTS.md hard rule #10, this file contains real CWE IDs only — entries without a defensible public mapping were omitted rather than fabricated. Some CVE-to-CWE mappings could not be confidently justified (see project report); those CVEs do not appear in evidence_cves for the relevant CWE entry.",
+    "tlp": "CLEAR",
+    "source_confidence": {
+      "scheme": "Admiralty (A-F + 1-6)",
+      "default": "A1",
+      "note": "B = usually reliable; 2 = probably true. Per-entry overrides via entry-level source_confidence field. Public-record catalogs (NVD, ATLAS, CWE, RFC, framework publishers) get A1 (completely reliable, confirmed). Project-curated catalogs (zeroday-lessons, exploit-availability) default to B2 with source citations."
+    },
+    "freshness_policy": {
+      "default_review_cadence_days": 90,
+      "stale_after_days": 180,
+      "rebuild_after_days": 365,
+      "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
+    }
+  },
+  "CWE-787": {
+    "id": "CWE-787",
+    "name": "Out-of-bounds Write",
+    "abstraction": "Base",
+    "category": "Memory Safety",
+    "description": "The product writes data past the end, or before the beginning, of the intended buffer. Out-of-bounds writes corrupt adjacent memory and are the dominant root cause of kernel and userland remote/local code execution exploits in C/C++ codebases.",
+    "top_25_rank_2024": 2,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-100",
+      "CAPEC-14",
+      "CAPEC-46",
+      "CAPEC-540"
+    ],
+    "skills_referencing": [
+      "kernel-lpe-triage",
+      "exploit-scoring",
+      "zeroday-gap-learn"
+    ],
+    "evidence_cves": [
+      "CVE-2026-31431"
+    ],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-10",
+      "NIST-800-53-SI-16",
+      "ISO-27001-2022-A.8.28",
+      "ISO-27001-2022-A.8.25"
+    ],
+    "real_requirement": "Mandatory memory-safe language adoption for new kernel and security-boundary code (Rust-for-Linux, eBPF verifier, hypervisor); KASAN/UBSAN/HWASAN in continuous fuzzing for legacy C; structured bounds-checking annotations enforced at compile time. SI-10 input validation alone is insufficient — write-path bounds checking must be a structural property of the type system, not a runtime check the developer must remember.",
+    "lag_notes": "NIST SI-10 frames bounds violations as 'input validation' failures, which mischaracterizes the weakness — Copy Fail (CVE-2026-31431) had no untrusted input boundary in the traditional sense; it was a deterministic write past a kernel-internal buffer. ISO-27001 A.8.28 (secure coding) does not mandate memory-safe language adoption.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-79": {
+    "id": "CWE-79",
+    "name": "Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
+    "abstraction": "Base",
+    "category": "Injection",
+    "description": "The product does not neutralize user-controllable input before placing it in output used as a web page served to other users. XSS remains the number one weakness in the 2024 Top 25 due to template-engine misuse, framework escape-hatch APIs, and DOM-clobbering in single-page applications.",
+    "top_25_rank_2024": 1,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-63",
+      "CAPEC-588",
+      "CAPEC-591",
+      "CAPEC-592"
+    ],
+    "skills_referencing": [
+      "exploit-scoring"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-10",
+      "NIST-800-53-SC-18",
+      "ISO-27001-2022-A.8.28",
+      "PCI-DSS-4.0-6.2.4"
+    ],
+    "real_requirement": "Context-aware auto-escaping enforced by the framework with no opt-out for user-influenced data; CSP with nonce-based strict-dynamic; Trusted Types enforced in production for browser-rendered output. Code review alone does not catch XSS in modern SPA codebases.",
+    "lag_notes": "PCI-DSS 6.2.4 still treats XSS as a code-review finding rather than a framework configuration finding. NIST SC-18 (mobile code) predates the SPA / DOM-XSS era and does not contemplate Trusted Types or CSP nonce enforcement.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-89": {
+    "id": "CWE-89",
+    "name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
+    "abstraction": "Base",
+    "category": "Injection",
+    "description": "The product constructs SQL using externally-influenced input without neutralizing special elements. SQLi remains in the Top 5 despite parameterized-query availability for two decades because ORM raw-query escape hatches, AI-generated string-concat code, and second-order injection through caches keep reintroducing it.",
+    "top_25_rank_2024": 3,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-66",
+      "CAPEC-7",
+      "CAPEC-470"
+    ],
+    "skills_referencing": [
+      "exploit-scoring"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-10",
+      "ISO-27001-2022-A.8.28",
+      "PCI-DSS-4.0-6.2.4"
+    ],
+    "real_requirement": "Parameterized queries enforced at the ORM/driver level with raw-query usage gated by code-owner approval; AI-assisted code review flagging string-concat SQL patterns from LLM-generated code (a documented regression vector in 2024-2026 codebases).",
+    "lag_notes": "DR-5 applies: AI code generation is a current re-introduction vector for SQLi in codebases that had previously eliminated it. No framework control acknowledges LLM-generated code as a regression source.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-416": {
+    "id": "CWE-416",
+    "name": "Use After Free",
+    "abstraction": "Variant",
+    "category": "Memory Safety",
+    "description": "Referencing memory after it has been freed causes a program to crash, use unexpected values, or execute attacker-controlled code. UAF is the dominant kernel/browser RCE primitive of the last decade and a frequent root cause for IPsec, netfilter, and io_uring class kernel CVEs.",
+    "top_25_rank_2024": 8,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-129"
+    ],
+    "skills_referencing": [
+      "kernel-lpe-triage",
+      "exploit-scoring"
+    ],
+    "evidence_cves": [
+      "CVE-2026-43284",
+      "CVE-2026-43500"
+    ],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-16",
+      "NIST-800-53-SI-2",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "real_requirement": "Memory-safe rewrite of attack-surface subsystems (IPsec stack, packet reassembly, allocators); SLAB_VIRTUAL / heap hardening enabled in production kernels; KASAN-enabled fleet canaries. SI-16 'memory protection' as defined in NIST is satisfied by NX/ASLR, which UAF exploits routinely bypass via heap spray plus grooming.",
+    "lag_notes": "NIST SI-16 considers UAF mitigation 'addressed' if ASLR and NX are enabled. Modern UAF exploitation pipelines defeat both. NIST has not introduced a control for memory-safe-by-default for high-blast-radius subsystems.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-20": {
+    "id": "CWE-20",
+    "name": "Improper Input Validation",
+    "abstraction": "Class",
+    "category": "Validation",
+    "description": "The product receives input but does not validate or incorrectly validates that the input has the properties required to safely process it. CWE-20 is the parent class for many concrete injection and overflow CWEs and remains in the Top 25 as a backstop classification.",
+    "top_25_rank_2024": 6,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-3",
+      "CAPEC-10",
+      "CAPEC-22"
+    ],
+    "skills_referencing": [
+      "ai-attack-surface",
+      "rag-pipeline-security",
+      "exploit-scoring"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-10",
+      "ISO-27001-2022-A.8.28",
+      "PCI-DSS-4.0-6.2.4"
+    ],
+    "real_requirement": "Schema-based input validation at trust boundaries with deny-by-default; for AI pipelines, input validation must include semantic-class validation (is this prompt text? Is it a tool-call structure?) not just syntactic validation. Prompt content cannot be validated by SI-10 syntactically.",
+    "lag_notes": "SI-10 treats validation as a syntactic operation. For LLM/RAG inputs, semantic validation is required (the input may be syntactically valid JSON but semantically a jailbreak payload). No framework operationalizes semantic validation for AI inputs.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-78": {
+    "id": "CWE-78",
+    "name": "Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
+    "abstraction": "Base",
+    "category": "Injection",
+    "description": "The product constructs an OS command using externally-influenced input without neutralizing special elements. OS command injection is the canonical class for CI/CD pipeline RCE, MCP tool shell-wrapper RCE, and developer-tooling agentic RCE.",
+    "top_25_rank_2024": 7,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-88",
+      "CAPEC-6"
+    ],
+    "skills_referencing": [
+      "mcp-agent-trust",
+      "ai-attack-surface",
+      "exploit-scoring"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-10",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "real_requirement": "Avoid shell invocation entirely; use execve-style arg arrays. For MCP tools that wrap shells, allowlist tool argv structure at the protocol layer; refuse any tool that accepts unstructured string commands as input. NIST SI-10 does not contemplate AI agents as command-injection vectors.",
+    "lag_notes": "MCP tools that accept natural-language commands and translate to shell are a CWE-78 vector that no framework treats as a first-class issue. Treated as 'tool design' rather than 'injection.'",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-94": {
+    "id": "CWE-94",
+    "name": "Improper Control of Generation of Code (Code Injection)",
+    "abstraction": "Class",
+    "category": "Injection",
+    "description": "The product constructs code from externally-influenced input without neutralizing special elements that could modify the syntax or behavior of the generated code. CWE-94 is the canonical class for prompt-injection-to-RCE in agentic tools where the LLM emits executable code or tool calls based on attacker-influenced context.",
+    "top_25_rank_2024": 11,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-242",
+      "CAPEC-35"
+    ],
+    "skills_referencing": [
+      "ai-attack-surface",
+      "mcp-agent-trust",
+      "rag-pipeline-security",
+      "ai-c2-detection"
+    ],
+    "evidence_cves": [
+      "CVE-2025-53773",
+      "CVE-2026-30615"
+    ],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-10",
+      "NIST-800-53-AC-2",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "real_requirement": "For agentic tools: structural separation of instruction channels (system prompt) from data channels (retrieved content, tool outputs); no prompt-controlled code emission without out-of-band human confirmation for high-impact actions; capability-scoped tool sandboxes. SI-10 input validation cannot remediate CWE-94 in an LLM context because the 'code' is generated post-validation by the model itself.",
+    "lag_notes": "Microsoft's NVD advisory for CVE-2025-53773 maps the Copilot RCE to CWE-94. Some vendor advisories use CWE-77 (Command Injection) as a secondary classification — both are defensible. AGENTS.md DR-1 applies: no framework treats LLM code or tool-call emission as a CWE-94 class, so SI-10 cannot be claimed adequate.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-22": {
+    "id": "CWE-22",
+    "name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
+    "abstraction": "Base",
+    "category": "Path/Resource",
+    "description": "The product uses external input to construct a pathname intended to identify a file or directory but does not properly neutralize sequences such as dot-dot that can resolve outside the restricted directory. Re-emerged as critical via MCP tools that expose file-read primitives to LLM-driven argument selection.",
+    "top_25_rank_2024": 5,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-126",
+      "CAPEC-76"
+    ],
+    "skills_referencing": [
+      "mcp-agent-trust"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-AC-3",
+      "NIST-800-53-SI-10",
+      "ISO-27001-2022-A.5.15"
+    ],
+    "real_requirement": "Canonicalize-then-prefix-check; openat2 with RESOLVE_BENEATH on Linux; chroot or per-tool filesystem capabilities for MCP tools. AC-3 enforcement is satisfied by the OS file ACL — which is irrelevant when the agent has legitimate read access to the parent directory but should not have access to subpaths revealed by traversal.",
+    "lag_notes": "No framework requires per-tool filesystem capability scoping for AI agents — agents inherit their host process's full filesystem access, making CWE-22 effectively a privilege escalation in the agentic context.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-352": {
+    "id": "CWE-352",
+    "name": "Cross-Site Request Forgery (CSRF)",
+    "abstraction": "Compound",
+    "category": "Session",
+    "description": "The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. SameSite cookie defaults reduced CSRF risk but did not eliminate it for cross-origin POST and JSON APIs.",
+    "top_25_rank_2024": 9,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-62"
+    ],
+    "skills_referencing": [],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SC-23",
+      "ISO-27001-2022-A.8.26"
+    ],
+    "real_requirement": "SameSite=Strict on session cookies; double-submit token or origin check on all state-changing endpoints; deny cross-origin requests with credentials by default at the framework layer.",
+    "lag_notes": "SC-23 'session authenticity' is satisfied by session tokens but does not require origin-binding or SameSite enforcement. Frameworks lag the modern SPA plus cross-origin reality.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-862": {
+    "id": "CWE-862",
+    "name": "Missing Authorization",
+    "abstraction": "Class",
+    "category": "Authorization",
+    "description": "The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Top 25 number four in 2024; the canonical broken-access-control class for API endpoints that authenticate but do not authorize per-object.",
+    "top_25_rank_2024": 4,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-1",
+      "CAPEC-115"
+    ],
+    "skills_referencing": [],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-AC-3",
+      "NIST-800-53-AC-6",
+      "ISO-27001-2022-A.5.15",
+      "SOC2-CC6.1"
+    ],
+    "real_requirement": "Authorization enforced as a policy decision point separate from authentication; per-object access control with deny-by-default; AI agent invocations require session-level authorization context distinct from the underlying service account's authorization.",
+    "lag_notes": "SOC 2 CC6.1 (per DR-1) defines logical access controls but does not require per-object authorization checks or AI-agent-session authorization contexts.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-434": {
+    "id": "CWE-434",
+    "name": "Unrestricted Upload of File with Dangerous Type",
+    "abstraction": "Base",
+    "category": "File Handling",
+    "description": "The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.",
+    "top_25_rank_2024": 10,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-1",
+      "CAPEC-650"
+    ],
+    "skills_referencing": [],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-3",
+      "NIST-800-53-SI-10",
+      "ISO-27001-2022-A.8.7"
+    ],
+    "real_requirement": "Content-type validation by magic bytes (not Content-Type header); rename uploaded files with random IDs; store outside webroot; serve via signed-URL proxy; for AI/RAG pipelines, validate uploaded document types are within the corpus schema.",
+    "lag_notes": "SI-3 (malicious code protection) checks AV signatures but does not contemplate uploaded prompt-injection payloads inside documents that are dangerous-by-content rather than dangerous-by-type.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-77": {
+    "id": "CWE-77",
+    "name": "Improper Neutralization of Special Elements used in a Command (Command Injection)",
+    "abstraction": "Class",
+    "category": "Injection",
+    "description": "The product constructs all or part of a command using externally-influenced input without neutralizing special elements that could modify the intended command. Parent class of CWE-78 (OS) and CWE-89 (SQL); a secondary classification used in some MCP and agentic-tool advisories.",
+    "top_25_rank_2024": 16,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-248",
+      "CAPEC-15"
+    ],
+    "skills_referencing": [
+      "mcp-agent-trust",
+      "ai-attack-surface"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-10",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "real_requirement": "Structured command APIs at every command boundary (DB driver, OS exec, MCP tool argv); reject unstructured-string command interfaces in new MCP tool designs.",
+    "lag_notes": "Used as the parent classification by some vendor advisories where the precise sub-class (CWE-78 vs CWE-94) is ambiguous; cited here so skill authors can defensibly use either.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-502": {
+    "id": "CWE-502",
+    "name": "Deserialization of Untrusted Data",
+    "abstraction": "Base",
+    "category": "Serialization",
+    "description": "The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Code-executing serialization formats used for ML model checkpoint loading from HuggingFace and similar registries keep CWE-502 critical for AI/ML pipelines.",
+    "top_25_rank_2024": 15,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1425",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-586"
+    ],
+    "skills_referencing": [
+      "ai-attack-surface",
+      "mcp-agent-trust"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-10",
+      "NIST-800-53-SA-12",
+      "ISO-27001-2022-A.8.30"
+    ],
+    "real_requirement": "Reject code-executing serialization formats for model loading in production; require safetensors or equivalent type-safe formats; for legacy code-executing formats, run inside an unprivileged, network-isolated sandbox; verify cryptographic signatures of model artifacts before deserialization.",
+    "lag_notes": "SA-12 supply-chain controls assume binaries can be hash-verified — they do not address that certain serialization formats execute code on load, making hash-of-bad-blob still dangerous.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-918": {
+    "id": "CWE-918",
+    "name": "Server-Side Request Forgery (SSRF)",
+    "abstraction": "Base",
+    "category": "Network",
+    "description": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL but does not sufficiently ensure that the request is being sent to the expected destination. SSRF is the canonical primitive for cloud metadata service abuse and is amplified in AI/RAG pipelines that fetch URLs from prompt-controlled context.",
+    "top_25_rank_2024": 19,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-664"
+    ],
+    "skills_referencing": [
+      "rag-pipeline-security",
+      "ai-attack-surface"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SC-7",
+      "ISO-27001-2022-A.8.22"
+    ],
+    "real_requirement": "Egress allowlist enforced at the network layer; IMDSv2 with hop-limit=1; for RAG/agent URL fetchers, allowlist of fetchable domains and explicit rejection of RFC 1918 / link-local / metadata IPs after DNS resolution (resolve-then-check, not check-then-resolve).",
+    "lag_notes": "SC-7 boundary protection assumes the application is the trust boundary; SSRF makes the application the attacker's proxy across the boundary. Cloud IMDS abuse remains a top SSRF outcome.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-287": {
+    "id": "CWE-287",
+    "name": "Improper Authentication",
+    "abstraction": "Class",
+    "category": "Authentication",
+    "description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.",
+    "top_25_rank_2024": 14,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-115",
+      "CAPEC-22"
+    ],
+    "skills_referencing": [],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-IA-2",
+      "NIST-800-53-IA-8",
+      "ISO-27001-2022-A.5.17"
+    ],
+    "real_requirement": "Phishing-resistant MFA (FIDO2/WebAuthn) for all human users; mTLS or signed JWT with audience binding for service-to-service; for AI agents, cryptographic agent identity tied to invocation context not the host service account.",
+    "lag_notes": "IA-2 still accepts SMS OTP as a valid MFA factor under some configurations; modern phishing kits defeat SMS OTP. AI agent authentication is undefined in IA-2/IA-8.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-269": {
+    "id": "CWE-269",
+    "name": "Improper Privilege Management",
+    "abstraction": "Class",
+    "category": "Authorization",
+    "description": "The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.",
+    "top_25_rank_2024": 22,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-122",
+      "CAPEC-233"
+    ],
+    "skills_referencing": [
+      "kernel-lpe-triage",
+      "mcp-agent-trust"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-AC-6",
+      "ISO-27001-2022-A.8.2"
+    ],
+    "real_requirement": "Least-privilege enforced through capability tokens, not role labels; per-action privilege drop for tool invocations; namespace plus cgroup plus seccomp for any process that spawns LLM-controlled subprocesses.",
+    "lag_notes": "AC-6 'least privilege' is reviewed at account provisioning, not at action invocation. For AI agents whose actions vary per-prompt, account-level least privilege is insufficient granularity.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-200": {
+    "id": "CWE-200",
+    "name": "Exposure of Sensitive Information to an Unauthorized Actor",
+    "abstraction": "Class",
+    "category": "Information Exposure",
+    "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. In AI/RAG systems, sensitive-data exfiltration via prompt-controlled context retrieval is a CWE-200 instance.",
+    "top_25_rank_2024": 17,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-116",
+      "CAPEC-118"
+    ],
+    "skills_referencing": [
+      "rag-pipeline-security",
+      "ai-attack-surface"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-AC-3",
+      "NIST-800-53-SC-28",
+      "ISO-27001-2022-A.8.12"
+    ],
+    "real_requirement": "RAG corpus access enforced at retrieval-time with caller identity, not at ingestion-time with corpus labels; redaction filters on LLM output for PII and secrets; logging that excludes prompt content containing secrets.",
+    "lag_notes": "Data-at-rest controls (SC-28) do not protect against context-window exfiltration where authorized data is retrieved by an authorized agent but exfiltrated via prompt-injection-induced output.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-863": {
+    "id": "CWE-863",
+    "name": "Incorrect Authorization",
+    "abstraction": "Class",
+    "category": "Authorization",
+    "description": "The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.",
+    "top_25_rank_2024": 24,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-1"
+    ],
+    "skills_referencing": [
+      "mcp-agent-trust"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-AC-3",
+      "ISO-27001-2022-A.5.15"
+    ],
+    "real_requirement": "Policy-as-code authorization with explicit deny-list-then-allowlist test coverage; per-tool authorization tests for MCP servers; invocation-time authorization for AI agent actions, separate from the agent's account-level permissions.",
+    "lag_notes": "Often distinguished from CWE-862 only at post-mortem; both classes are commonly conflated by framework controls that say 'authorization is enforced' without specifying the granularity.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-125": {
+    "id": "CWE-125",
+    "name": "Out-of-bounds Read",
+    "abstraction": "Base",
+    "category": "Memory Safety",
+    "description": "The product reads data past the end, or before the beginning, of the intended buffer. Frequent root cause for information disclosure (KASLR break, cryptographic key leak) in kernel CVEs.",
+    "top_25_rank_2024": 12,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-540"
+    ],
+    "skills_referencing": [
+      "kernel-lpe-triage",
+      "exploit-scoring"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-10",
+      "NIST-800-53-SI-16",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "real_requirement": "Same memory-safety requirements as CWE-787; additionally, KASLR is not a sufficient compensating control because OOB-read CVEs are routinely used to defeat KASLR before exploiting an OOB-write CVE.",
+    "lag_notes": "Treated as 'information disclosure' severity by frameworks; in practice OOB-read is the enabler for OOB-write chained RCE and should be scored as a precursor to code execution.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-672": {
+    "id": "CWE-672",
+    "name": "Operation on a Resource after Expiration or Release",
+    "abstraction": "Class",
+    "category": "Memory Safety",
+    "description": "The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. Parent class for CWE-416 (UAF) and related lifetime-management weaknesses; sometimes cited as the canonical class for kernel buffer-lifetime bugs where the specific UAF-vs-write classification is ambiguous.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000"
+    ],
+    "related_attack_patterns_capec": [],
+    "skills_referencing": [
+      "kernel-lpe-triage"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-16",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "real_requirement": "Resource lifetime expressed in the type system (Rust ownership, RAII); static analyzers that prove no use-after-release on hot paths.",
+    "lag_notes": "Listed as a candidate primary class for Copy Fail (CVE-2026-31431) in some draft NVD threads; the primary NVD assignment is CWE-787 — CWE-672 is included here so skill authors can cite it for borderline kernel-lifetime cases.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-732": {
+    "id": "CWE-732",
+    "name": "Incorrect Permission Assignment for Critical Resource",
+    "abstraction": "Class",
+    "category": "Authorization",
+    "description": "The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Frequent root cause for K8s RBAC, IAM policy, and cloud-bucket misconfigurations.",
+    "top_25_rank_2024": 13,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-1"
+    ],
+    "skills_referencing": [],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-AC-3",
+      "NIST-800-53-AC-6",
+      "ISO-27001-2022-A.5.15"
+    ],
+    "real_requirement": "IaC-scanned permission policies in CI; deny-by-default cloud account baselines; periodic effective-permission graph review (not just per-policy review).",
+    "lag_notes": "AC-3 review at policy-grant time misses transitive permission graphs in cloud IAM and K8s RBAC. The effective permission, not the granted permission, is what an attacker exploits.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-345": {
+    "id": "CWE-345",
+    "name": "Insufficient Verification of Data Authenticity",
+    "abstraction": "Class",
+    "category": "Authenticity / Supply Chain",
+    "description": "The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. Canonical class for supply-chain compromise where a malicious model, plugin, or dependency is loaded because its provenance was not verified.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-141",
+      "CAPEC-148"
+    ],
+    "skills_referencing": [
+      "mcp-agent-trust",
+      "ai-attack-surface"
+    ],
+    "evidence_cves": [
+      "CVE-2026-30615"
+    ],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SA-12",
+      "NIST-800-53-SI-7",
+      "ISO-27001-2022-A.8.30"
+    ],
+    "real_requirement": "Sigstore / cosign signature verification on all model and MCP plugin loads; SLSA Level 3+ provenance attestation; transparency-log inclusion proof checked at install time. Hash-pinning alone is insufficient if the publishing key is compromised.",
+    "lag_notes": "SA-12 supply chain risk management does not mandate cryptographic provenance verification for AI artifacts (models, MCP servers, agent plugins). Treated as 'vendor management' rather than 'authentication.'",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-494": {
+    "id": "CWE-494",
+    "name": "Download of Code Without Integrity Check",
+    "abstraction": "Base",
+    "category": "Supply Chain",
+    "description": "The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-185"
+    ],
+    "skills_referencing": [
+      "mcp-agent-trust",
+      "ai-attack-surface"
+    ],
+    "evidence_cves": [
+      "CVE-2026-30615"
+    ],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-7",
+      "NIST-800-53-SA-12",
+      "ISO-27001-2022-A.8.30"
+    ],
+    "real_requirement": "All package, model, and plugin installs require signature verification against pinned publishing keys; key rotation procedures published and monitored; package-registry typosquat scanning for AI and MCP ecosystems specifically (PyPI, npm, HuggingFace, MCP registries).",
+    "lag_notes": "SI-7 covers software integrity but does not specifically address developer-installed AI tooling (MCP servers, VS Code AI extensions) as a high-trust class. Windsurf MCP RCE (CVE-2026-30615) is a CWE-494 instance reachable because developer tooling installs bypass enterprise package-integrity controls.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-829": {
+    "id": "CWE-829",
+    "name": "Inclusion of Functionality from Untrusted Control Sphere",
+    "abstraction": "Class",
+    "category": "Supply Chain",
+    "description": "The product imports, requires, or includes executable functionality from a source that is outside of the intended control sphere.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-538"
+    ],
+    "skills_referencing": [
+      "mcp-agent-trust",
+      "rag-pipeline-security"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SA-12",
+      "ISO-27001-2022-A.8.30"
+    ],
+    "real_requirement": "Allowlist of approved MCP server publishers; private package registry mirrors for enterprise; CI-time scanning for newly-included dependencies (including transitive); for AI agents, allowlist of tool sources distinct from the agent's general internet access.",
+    "lag_notes": "SA-12 evaluates suppliers; CWE-829 occurs at runtime when an agent or developer adds a dependency post-evaluation. No framework requires runtime dependency-introduction review for AI tooling.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-1357": {
+    "id": "CWE-1357",
+    "name": "Reliance on Insufficiently Trustworthy Component",
+    "abstraction": "Class",
+    "category": "Supply Chain",
+    "description": "The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000"
+    ],
+    "related_attack_patterns_capec": [],
+    "skills_referencing": [
+      "mcp-agent-trust"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SA-12",
+      "ISO-27001-2022-A.5.21",
+      "ISO-27001-2022-A.8.30"
+    ],
+    "real_requirement": "Tiered trust assessment for components based on blast radius (kernel module vs. CLI lint plugin); periodic re-evaluation of trust as a function of maintainer responsiveness, signing-key hygiene, and CVE history; SBOM-tracked component criticality scoring.",
+    "lag_notes": "SA-12 treats supplier trust as a procurement-time decision. CWE-1357 requires continuous re-evaluation as maintainer behavior changes (key compromise, sale of package, abandonment).",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-1395": {
+    "id": "CWE-1395",
+    "name": "Dependency on Vulnerable Third-Party Component",
+    "abstraction": "Class",
+    "category": "Supply Chain",
+    "description": "The product has a dependency on a third-party component that contains one or more known vulnerabilities.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000",
+      "CWE-1425"
+    ],
+    "related_attack_patterns_capec": [],
+    "skills_referencing": [
+      "mcp-agent-trust",
+      "ai-attack-surface"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SA-12",
+      "NIST-800-53-SI-2",
+      "ISO-27001-2022-A.8.8",
+      "ISO-27001-2022-A.8.30"
+    ],
+    "real_requirement": "SBOM plus continuous VEX-aware vulnerability matching; reachability analysis (is the vulnerable code path actually invoked?); for AI: HuggingFace, npm, PyPI model and plugin dependency CVE tracking with the same SLA as first-party code.",
+    "lag_notes": "SI-2 patch SLAs apply to first-party software; for transitive dependencies (especially Python ML stack), patching depends on upstream maintainer response. Reachability gating is not required by any framework.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-1426": {
+    "id": "CWE-1426",
+    "name": "Improper Validation of Generative AI Output",
+    "abstraction": "Base",
+    "category": "AI/ML",
+    "description": "The product invokes a generative AI / large language model (LLM) and does not validate or insufficiently validates the outputs to ensure they align with the intended security, content, or privacy policy.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000",
+      "CWE-1425"
+    ],
+    "related_attack_patterns_capec": [],
+    "skills_referencing": [
+      "ai-attack-surface",
+      "rag-pipeline-security",
+      "ai-c2-detection",
+      "mcp-agent-trust"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-AI-RMF-MEASURE-2.5",
+      "NIST-AI-RMF-MEASURE-2.7",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "real_requirement": "Output validation pipelines that match the action class of the output: tool-call outputs require argv allowlist plus capability scoping; code outputs require sandbox execution plus static analysis; natural-language outputs to users require PII and secret redaction. For high-impact actions, human-in-the-loop confirmation. Validation must be on the output channel, not (only) on the input.",
+    "lag_notes": "NIST AI RMF MEASURE 2.5 (validity and reliability) treats AI output quality as a model-evaluation problem (accuracy metrics). It does not treat malicious output (jailbroken code, exfiltration, harmful content) as a CWE class requiring output-side controls.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-1039": {
+    "id": "CWE-1039",
+    "name": "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
+    "abstraction": "Base",
+    "category": "AI/ML",
+    "description": "The product uses an automated mechanism such as machine learning to recognize complex data inputs but it does not adequately detect or handle inputs that have been crafted to cause the mechanism to misclassify or otherwise produce an incorrect result.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000",
+      "CWE-1425"
+    ],
+    "related_attack_patterns_capec": [],
+    "skills_referencing": [
+      "ai-attack-surface"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-AI-RMF-MEASURE-2.5",
+      "NIST-AI-RMF-MEASURE-2.7"
+    ],
+    "real_requirement": "Adversarial robustness testing in the model evaluation lifecycle (FGSM, PGD, transfer attacks); confidence calibration on out-of-distribution inputs; out-of-band human review for high-stakes classifications (biometric auth, fraud).",
+    "lag_notes": "Adversarial robustness testing is not required by any compliance framework. Maps to ATLAS AML.T0043 (Craft Adversarial Data), for which the framework_gap is true.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-1037": {
+    "id": "CWE-1037",
+    "name": "Processor Optimization Removal or Modification of Security-critical Code",
+    "abstraction": "Base",
+    "category": "Hardware / Side Channel",
+    "description": "The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified. Canonical class for Spectre/Meltdown-family speculative-execution side channels.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000"
+    ],
+    "related_attack_patterns_capec": [],
+    "skills_referencing": [
+      "pqc-first"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-16",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "real_requirement": "Retpoline / IBRS / hardware mitigations enabled; constant-time cryptographic implementations verified post-compile; site-isolation in browsers; speculative-execution-aware compiler hardening for cryptographic code paths.",
+    "lag_notes": "Microarchitectural side channels are not addressed by any framework control. SI-16 (memory protection) is satisfied by software-level NX/ASLR and does not contemplate the CPU as the attacker.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-327": {
+    "id": "CWE-327",
+    "name": "Use of a Broken or Risky Cryptographic Algorithm",
+    "abstraction": "Class",
+    "category": "Cryptography",
+    "description": "The product uses a broken or risky cryptographic algorithm or protocol. Maps directly to the post-quantum-cryptography transition risk: classical asymmetric algorithms (RSA, ECDSA, ECDH) become risky once a cryptographically-relevant quantum computer exists, and 'harvest now, decrypt later' attacks make CWE-327 a present-tense risk for long-lived data.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-97"
+    ],
+    "skills_referencing": [
+      "pqc-first"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SC-13",
+      "ISO-27001-2022-A.8.24"
+    ],
+    "real_requirement": "Crypto-agile design (algorithm selection via configuration, not hardcoded); migration plan to NIST PQC standards (ML-KEM / FIPS-203, ML-DSA / FIPS-204, SLH-DSA / FIPS-205) on a published timeline; hybrid classical-plus-PQC for transition period; inventory of long-lived encrypted data subject to harvest-now-decrypt-later.",
+    "lag_notes": "SC-13 'cryptographic protection' lists approved algorithms but the transition timeline for deprecating classical asymmetric crypto is not enforced. ISO-27001 A.8.24 (use of cryptography) does not require crypto-agility.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-798": {
+    "id": "CWE-798",
+    "name": "Use of Hard-coded Credentials",
+    "abstraction": "Base",
+    "category": "Credentials",
+    "description": "The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. LLM-generated code is a documented re-introduction vector for hardcoded credentials.",
+    "top_25_rank_2024": 18,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-191"
+    ],
+    "skills_referencing": [
+      "ai-attack-surface"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-IA-5",
+      "ISO-27001-2022-A.8.5"
+    ],
+    "real_requirement": "Secret-scanning in pre-commit and CI with deny-merge on detection; secret manager (HashiCorp Vault, AWS Secrets Manager, etc.) for runtime retrieval; LLM-generated-code-specific scanners that detect placeholder-credential patterns that the model emits.",
+    "lag_notes": "DR-5: LLM-generated code routinely contains placeholder credentials and sometimes real credentials from training data. No framework treats LLM code emission as a CWE-798 vector.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-306": {
+    "id": "CWE-306",
+    "name": "Missing Authentication for Critical Function",
+    "abstraction": "Base",
+    "category": "Authentication",
+    "description": "The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.",
+    "top_25_rank_2024": 20,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-115"
+    ],
+    "skills_referencing": [
+      "mcp-agent-trust"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-IA-2",
+      "ISO-27001-2022-A.5.17"
+    ],
+    "real_requirement": "Default-deny on all admin, internal, and MCP endpoints; pre-deployment authentication audit of every newly-exposed endpoint; for MCP servers, required client authentication (mTLS or signed token) even on localhost transports.",
+    "lag_notes": "MCP servers on localhost or stdio transports are often unauthenticated by default — the trust boundary is assumed to be the host. CWE-306 applies when a malicious local process or compromised editor exploits this assumption.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-362": {
+    "id": "CWE-362",
+    "name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
+    "abstraction": "Class",
+    "category": "Concurrency",
+    "description": "The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.",
+    "top_25_rank_2024": 21,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1003",
+      "CWE-1000",
+      "CWE-1430"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-29"
+    ],
+    "skills_referencing": [
+      "kernel-lpe-triage"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-SI-16",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "real_requirement": "Static race detection in CI (Rust Send/Sync, TSan); kernel-specific race detection (KCSAN); replace racy primitives with lock-free or RCU patterns where contention is high. CVSS routinely under-scores race conditions; many become deterministic with AI-assisted timing analysis.",
+    "lag_notes": "DR-5: AI-assisted timing analysis reduces race exploitation from days to minutes. CVSS attack-complexity-high assumption (race conditions are 'hard') is increasingly invalid.",
+    "last_verified": "2026-05-11"
+  },
+  "CWE-1188": {
+    "id": "CWE-1188",
+    "name": "Initialization of a Resource with an Insecure Default",
+    "abstraction": "Base",
+    "category": "Configuration",
+    "description": "The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000"
+    ],
+    "related_attack_patterns_capec": [],
+    "skills_referencing": [
+      "mcp-agent-trust",
+      "security-maturity-tiers"
+    ],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-CM-6",
+      "ISO-27001-2022-A.8.9"
+    ],
+    "real_requirement": "Secure-by-default configurations shipped; insecure modes require explicit opt-in with a documented risk acknowledgment; for MCP servers, default to no-network, no-fs, requiring explicit capability grants.",
+    "lag_notes": "CM-6 baseline configuration is set per-deployment; CWE-1188 is about the shipped default. Frameworks rarely audit product defaults — they audit organizational deployment.",
+    "last_verified": "2026-05-11"
+  }
+}