更新: 1 个文件 - 2026-04-02 05:50:37

更新: 1 个文件 - 2026-04-02 05:45:25
更新: 1 个文件 - 2026-04-02 05:45:07
2026-04-02 05:50:37 -07:00 · 2026-04-02 05:45:25 -07:00 · 2026-04-02 05:45:07 -07:00 · 2026-04-02 05:40:07 -07:00 · 2026-04-02 05:34:52 -07:00 · 2026-04-02 05:30:07 -07:00
--- a/.DS_Store
+++ b/.DS_Store
--- a/00-environments/.DS_Store
+++ b/00-environments/.DS_Store
--- a/01-sql-injection/.DS_Store
+++ b/01-sql-injection/.DS_Store
--- a/02-xss/.DS_Store
+++ b/02-xss/.DS_Store
--- a/03-authentication/.DS_Store
+++ b/03-authentication/.DS_Store
--- a/04-server-security/.DS_Store
+++ b/04-server-security/.DS_Store
--- a/05-defense/.DS_Store
+++ b/05-defense/.DS_Store
--- a/06-case-studies/.DS_Store
+++ b/06-case-studies/.DS_Store
--- a/07-framework-security/.DS_Store
+++ b/07-framework-security/.DS_Store
--- a/07-framework-security/cms/directus/INDEX.md
+++ b/07-framework-security/cms/directus/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `directus`
 - 分类: `cms`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `29`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `29`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -31,4 +31,35 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Open redirect in SAML | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| directus | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Improper Permission Handling on Deleted Fields in Directus | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 5 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Projects | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Conceal fields are searchable if read permissions enabled | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Information Leakage: Existing Collections | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| User Enumeration via Password Reset Timing Attack | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issues 
+           344 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           46 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Store XSS | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Missing permission checks for manual trigger Flows | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           40 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| directus | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Notifications | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Unauthenticated file upload and file modification due to lacking input sanitization | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 4 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| S3 assets become unavailable after a burst of malformed transformations | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Report a vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Directus version number disclosure | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/cms/discourse/INDEX.md
+++ b/07-framework-security/cms/discourse/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `discourse`
 - 分类: `cms`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `31`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `31`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -25,10 +25,43 @@
 ## 来源

 - `official` [Discourse Meta Security](https://meta.discourse.org/c/bug/security/40) (mode=core)
- `official` [GitHub Discourse Advisories](https://github.com/discourse/discourse/security/advisories) (mode=core)
+- `official` [Discourse Release Notes RSS](https://meta.discourse.org/tag/release-notes.rss) (mode=core)
+- `official` [Discourse Security RSS](https://meta.discourse.org/tag/security.rss) (mode=core)
+- `official` [GitHub Discourse Advisories](https://github.com/advisories) (ecosystem=rubygems; mode=core)
+- `ecosystem-authority` [OSV Discourse](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| 3.5.0.beta5: Improved admin search, AI forum research, easier site appearance configuration, and simpler plugin development | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 28 May 2025 05:22:52 +0000` | - |
+| 3.4.4: Bug fix and UX release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 28 May 2025 05:22:48 +0000` | - |
+| January 2026 Releases | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 28 Jan 2026 17:35:34 +0000` | - |
+| Release v2025.11.0: AI translations improvements, chat search, new review queue, and improvements for posts with images | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 26 Nov 2025 11:02:53 +0000` | - |
+| 3.4.2: Security and bug fix release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 26 Mar 2025 02:46:36 +0000` | - |
+| 3.5.0.beta2: Review Queue, Welcome Banner, Admin Interface, and more | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 26 Mar 2025 02:46:32 +0000` | - |
+| 3.4.6: Security fix release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 25 Jun 2025 03:38:49 +0000` | - |
+| 3.5.0.beta7: Smart link editing, better invite tracking, unique icons, and fixing name management | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 25 Jun 2025 03:38:45 +0000` | - |
+| 3.4.0.beta4: Redesigned emojis, exporting user data, flagging illegal content and more | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 05 Feb 2025 14:26:56 +0000` | - |
+| 3.3.4: Security and maintenance release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 05 Feb 2025 14:26:22 +0000` | - |
+| March 2026 monthly release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 31 Mar 2026 14:35:49 +0000` | - |
+| 3.5.1: Security and maintenance release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 30 Sep 2025 02:59:22 +0000` | - |
+| 3.6.0.beta1: Color palette editing, user fields on sign up, themeable site setting discovery, images with Google AI, and reliable drafts | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 30 Sep 2025 02:59:19 +0000` | - |
+| Release v3.5.3: Security and maintenance release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 30 Dec 2025 15:07:18 +0000` | - |
+| Release v2025.11.1: Security and maintenance release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 30 Dec 2025 15:07:04 +0000` | - |
+| Release v2025.12.0: Discourse Rewind, new review queue and UI to create tags, Chat channel customisation, and live PR statuses | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 30 Dec 2025 15:06:45 +0000` | - |
+| 3.4.7: Security and maintenance release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 29 Jul 2025 03:46:36 +0000` | - |
+| 3.5.0.beta8: Bundled plugins, a new theme, better color management, powerful filtering, and advanced image controls | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 29 Jul 2025 03:46:34 +0000` | - |
+| 3.4.3: Bug fix and UX release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 29 Apr 2025 04:43:02 +0000` | - |
+| 3.5.0beta3: Full admin search, better font selection, more robust site search, category personalization, and easier configuration management | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 29 Apr 2025 04:43:00 +0000` | - |
+| 3.5.2: Security and maintenance release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 28 Oct 2025 07:33:40 +0000` | - |
+| 3.6.0.beta2: Built-in palette editing, live AI translation progress, and better wiki tracking | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 28 Oct 2025 07:33:37 +0000` | - |
+| 3.5.0: Major release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 19 Aug 2025 08:07:12 +0000` | - |
+| 3.5.0.beta9: Improving color management, core welcome banner, and staff action log filters | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 19 Aug 2025 08:07:02 +0000` | - |
+| 3.4.0: Major Release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 04 Feb 2025 17:07:48 +0000` | - |
+| 3.4.0.beta3: Check for updates on What’s New page, filter by user in the review queue, threading in Chat DMs and group chats, and more | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Thu, 19 Dec 2024 16:53:54 +0000` | - |
+| 3.4.1: Bug fix and UX release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 24 Feb 2025 05:42:05 +0000` | - |
+| 3.5.0.beta1: Dark/light mode selector, better flagging info, and encouraging more valuable conversations | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 24 Feb 2025 05:42:02 +0000` | - |
+| 3.5.0.beta6 Security fixes release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 09 Jun 2025 05:30:17 +0000` | - |
+| 3.4.5 Security fixes release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 09 Jun 2025 03:57:43 +0000` | - |
+| 3.5.0.beta4 Security fix release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 05 May 2025 17:04:14 +0000` | - |
--- a/07-framework-security/cms/drupal/INDEX.md
+++ b/07-framework-security/cms/drupal/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `drupal`
 - 分类: `cms`
 - 覆盖策略: `history-full`
- 总案例数: `0`
+- 总案例数: `70`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `70`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,10 +26,79 @@

 - `official` [Drupal Security Advisories RSS](https://www.drupal.org/security/rss.xml) (mode=core)
 - `official` [NVD Drupal](https://nvd.nist.gov/vuln/search) (keyword=Drupal; mode=core)
- `ecosystem-authority` [Drupal Security Advisories Site](https://www.drupal.org/security) (mode=module)
+- `ecosystem-authority` [OSV Drupal](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Drupal core - Critical - Cache poisoning - SA-CORE-2023-006 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 20 Sep 2023 16:23:05 +0000` | - |
+| Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 20 Nov 2024 17:29:59 +0000` | - |
+| Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 20 Nov 2024 17:27:28 +0000` | - |
+| Drupal core - Less critical - Gadget chain - SA-CORE-2024-006 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 20 Nov 2024 17:25:47 +0000` | - |
+| Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 20 Nov 2024 17:24:02 +0000` | - |
+| Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 20 Nov 2024 17:21:58 +0000` | - |
+| Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 20 Nov 2024 17:20:16 +0000` | - |
+| Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 19 Mar 2025 18:54:35 +0000` | - |
+| Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 19 Feb 2025 17:03:28 +0000` | - |
+| Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 19 Feb 2025 16:58:10 +0000` | - |
+| Drupal core - Critical - Cross site scripting - SA-CORE-2025-001 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 19 Feb 2025 16:49:28 +0000` | - |
+| Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 19 Apr 2023 17:06:18 +0000` | - |
+| Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 17 Jan 2024 17:04:39 +0000` | - |
+| Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 16 Oct 2024 16:27:27 +0000` | - |
+| Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 15 Mar 2023 16:26:24 +0000` | - |
+| Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 15 Mar 2023 16:24:29 +0000` | - |
+| Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 12 Nov 2025 20:16:22 +0000` | - |
+| Drupal core - Moderately critical - Defacement - SA-CORE-2025-007 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 12 Nov 2025 20:16:21 +0000` | - |
+| Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 12 Nov 2025 18:34:02 +0000` | - |
+| Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 12 Nov 2025 18:33:05 +0000` | - |
+| CVE-2007-0505 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0506 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0136 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0124 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6646 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6647 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6528 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6529 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6530 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6531 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6386 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-5608 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-5475 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-5476 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-5477 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-4947 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4949 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4821 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4717 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4646 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4355 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4356 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4360 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4120 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4107 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4108 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4109 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4002 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3570 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3473 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2831 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2832 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2833 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2742 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2743 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2260 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1225 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1226 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1227 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1228 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-0070 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3973 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3974 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3975 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-2498 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-1921 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-2106 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-1871 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-0682 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2002-1806 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
--- a/07-framework-security/cms/ghost/INDEX.md
+++ b/07-framework-security/cms/ghost/INDEX.md
@@ -4,15 +4,15 @@

 - 系统 ID: `ghost`
 - 分类: `cms`
- 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 覆盖策略: `history-full`
+- 总案例数: `23`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `23`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,9 +26,35 @@

 - `official` [Ghost GitHub Advisories](https://github.com/TryGhost/Ghost/security/advisories) (mode=core)
 - `official` [NVD Ghost](https://nvd.nist.gov/vuln/search) (keyword=Ghost CMS; mode=core)
+- `ecosystem-authority` [OSV Ghost](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Issues 
+           63 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Incomplete CSRF protections around OTC use | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| SQL Injection in Members Activity Feed | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| SQL injection in Content API | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| TryGhost | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| SSRF via External Media Inliner | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           307 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Improper authentication allows access to member information and actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Staff 2FA bypass | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| XSS via malicious Portal preview links | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Staff Token permission bypass | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Ghost | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Notifications | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           18 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Remote Code Execution via Malicious Themes | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| SSRF via oEmbed Bookmark | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/cms/ghost/README.md
+++ b/07-framework-security/cms/ghost/README.md
@@ -3,7 +3,7 @@
 > `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

 - 分类: `cms`
- 覆盖层级: `rolling-24m`
+- 覆盖层级: `history-full`
 - Advisory 模式: core
 - 输出目录: `07-framework-security/cms/ghost`
 - 修复主题: authz-server-side-recheck, xss-output-encoding, token-cookie-storage
--- a/07-framework-security/cms/joomla/INDEX.md
+++ b/07-framework-security/cms/joomla/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `joomla`
 - 分类: `cms`
 - 覆盖策略: `history-full`
- 总案例数: `0`
+- 总案例数: `100`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `100`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,9 +26,109 @@

 - `official` [Joomla Security Centre](https://developer.joomla.org/security-centre.html) (mode=core)
 - `official` [NVD Joomla](https://nvd.nist.gov/vuln/search) (keyword=Joomla; mode=core)
+- `ecosystem-authority` [OSV Joomla](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2006-4553 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4556 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4466 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4468 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4469 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4470 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4471 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4472 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4473 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4474 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4475 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4476 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4378 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4348 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4320 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4282 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4263 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4269 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4242 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4229 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4129 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4130 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4074 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3990 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3995 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3969 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3970 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3773 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3774 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3750 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3530 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3480 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3481 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2960 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2815 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1956 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1957 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1047 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1048 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1049 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1027 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1028 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1029 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1030 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-0303 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-0114 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-4650 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3771 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3772 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3773 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| API Documentation | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Joomla!  Framework | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Events | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [20260101] - Core - Inadequate content filtering for data URLs | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Joomla Home | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Tracker | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Project Roadmap | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Developer Network | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [20260102] - Core - XSS vectors in the pagebreak and pagenavigation plugins | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [20250902] - Core - User-Enumeration in passkey authentication method | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Developer Network™ | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Forum | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| What is Joomla? | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sponsor | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Community Portal | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| User Groups | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Contribute | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Framework | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| News | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| CMS | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| The Joomla Foundation | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [20250901] - Core - Inadequate content filtering within the checkAttribute filter code | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Trademark & Licensing | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Site Showcase | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Languages | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Benefits & Features | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Service Providers Directory | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Announcements | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [20250401] - Framework - SQL injection vulnerability in quoteNameStr method of Database package | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issue Tracker | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Partner | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Downloads | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| About | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| GitHub | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Project & Leadership | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Extensions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security Centre | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| RSS reader. | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Certification | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Blogs | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Shop | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Get a domain | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Volunteers Portal | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Magazine | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Documentation | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Vulnerable Extensions List | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Download | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Get a free site | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Training | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Joomla! Security Centre | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/cms/mediawiki/INDEX.md
+++ b/07-framework-security/cms/mediawiki/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `mediawiki`
 - 分类: `cms`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `73`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `73`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -25,10 +25,84 @@
 ## 来源

 - `official` [MediaWiki Security Releases](https://www.mediawiki.org/wiki/Security) (mode=core)
+- `official` [MediaWiki Announce RSS](https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/feed/) (mode=core)
 - `official` [NVD MediaWiki](https://nvd.nist.gov/vuln/search) (keyword=MediaWiki; mode=core)
+- `ecosystem-authority` [OSV MediaWiki](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.14/1.43.4/1.44.1) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 22 Oct 2025 21:44:43 +0000` | - |
+| [MediaWiki-announce] Security and maintenance release: 1.39.16 / 1.43.6 / 1.44.3 / 1.45.1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 10 Dec 2025 22:22:38 +0000` | - |
+| [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.13/1.42.7/1.43.2) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 09 Jul 2025 16:53:41 +0000` | - |
+| [MediaWiki-announce] Security pre-release announcement: 1.39.12 / 1.42.6 / 1.43.1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 09 Apr 2025 20:57:04 +0000` | - |
+| [MediaWiki-announce] Re: MediaWiki 1.44-beta has been branched | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 07 May 2025 07:47:35 +0000` | - |
+| [MediaWiki-announce] Announcing MediaWiki 1.44.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 02 Jul 2025 21:30:40 +0000` | - |
+| [MediaWiki-announce] Security pre-release announcement: 1.39.14 / 1.43.4 / 1.44.1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 01 Oct 2025 20:33:01 +0000` | - |
+| [MediaWiki-announce] Maintenance release: MediaWiki 1.43.8 / 1.44.5 / 1.45.3 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 01 Apr 2026 13:09:42 +0000` | - |
+| [MediaWiki-announce] Security and maintenance release: 1.43.7 / 1.44.4 / 1.45.2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 31 Mar 2026 23:06:16 +0000` | - |
+| [MediaWiki-announce] Maintenance release: MediaWiki 1.39.17 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 16 Dec 2025 18:21:00 +0000` | - |
+| [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.11/1.41.5/1.42.4) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 14 Jan 2025 19:41:18 +0000` | - |
+| [MediaWiki-announce] MediaWiki 1.45-alpha will be branched as a beta on 28-10-2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 07 Oct 2025 15:18:36 +0000` | - |
+| [MediaWiki-announce] MediaWiki 1.44-beta has been branched | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 06 May 2025 19:13:18 +0000` | - |
+| [MediaWiki-announce] MediaWiki 1.45-beta has been branched | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 04 Nov 2025 13:27:41 +0000` | - |
+| [MediaWiki-announce] Maintenance release: MediaWiki 1.43.3 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 01 Jul 2025 15:18:58 +0000` | - |
+| [MediaWiki-announce] MediaWiki 1.45.0-rc.0 is ready for testing | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Thu, 20 Nov 2025 13:30:34 +0000` | - |
+| [MediaWiki-announce] Security and maintenance release: 1.39.12 / 1.42.6 / 1.43.1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Thu, 10 Apr 2025 16:23:30 +0000` | - |
+| [MediaWiki-announce] Security and maintenance release: 1.39.14 / 1.43.4 / 1.44.1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Thu, 02 Oct 2025 17:37:08 +0000` | - |
+| [MediaWiki-announce] MediaWiki 1.41 is End of Life | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Sat, 21 Dec 2024 10:46:44 +0000` | - |
+| [MediaWiki-announce] Security pre-release announcement: 1.43.7 / 1.44.4 / 1.45.2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 30 Mar 2026 17:50:26 +0000` | - |
+| [MediaWiki-announce] MediaWiki 1.42 is End of Life | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 30 Jun 2025 23:15:16 +0000` | - |
+| [MediaWiki-announce] Security and maintenance release: 1.39.13 / 1.42.7 / 1.43.2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 30 Jun 2025 18:02:30 +0000` | - |
+| [MediaWiki-announce] MediaWiki 1.39 is End of Life | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 29 Dec 2025 20:36:35 +0000` | - |
+| [MediaWiki-announce] Security pre-release announcement: 1.39.16 / 1.43.6 / 1.44.3 / 1.45.1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 08 Dec 2025 23:43:45 +0000` | - |
+| [MediaWiki-announce] Announcing MediaWiki 1.45.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 08 Dec 2025 17:01:47 +0000` | - |
+| [MediaWiki-announce] Maintenance release: MediaWiki 1.42.5 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 03 Feb 2025 17:39:30 +0000` | - |
+| [MediaWiki-announce] Security pre-release announcement: 1.39.13 / 1.42.7 / 1.43.2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Fri, 27 Jun 2025 22:25:47 +0000` | - |
+| [MediaWiki-announce] Maintenance release: MediaWiki 1.39.11, 1.41.5 and 1.42.4 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Fri, 20 Dec 2024 17:57:58 +0000` | - |
+| [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.12/1.42.6/1.43.1) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Fri, 11 Apr 2025 20:47:11 +0000` | - |
+| [MediaWiki-announce] Re: The Recent MediaWiki Extensions and Skins Security Release Supplement | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Fri, 11 Apr 2025 20:34:58 +0000` | - |
+| [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.9/1.41.3/1.42.2) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Fri, 11 Apr 2025 16:56:23 +0000` | - |
+| [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.16/1.43.6/1.44.3/1.45.1) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Fri, 09 Jan 2026 17:54:29 +0000` | - |
+| [MediaWiki-announce] Security and maintenance release: 1.39.15 / 1.43.5 / 1.44.2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Fri, 03 Oct 2025 18:45:04 +0000` | - |
+| CVE-2010-1190 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2010-1189 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2009-4589 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2009-0737 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-5688 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-5687 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-5252 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-5250 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-5249 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-4408 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-1318 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-0460 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-4883 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-4828 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1054 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1055 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0894 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0788 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0177 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-2895 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2611 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1498 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-0322 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-4501 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-4031 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3165 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3166 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3167 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-2396 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-2215 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-1888 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-0534 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-0536 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-1245 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-0535 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-1405 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-2152 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-2185 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-2186 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-2187 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
--- a/07-framework-security/cms/moodle/INDEX.md
+++ b/07-framework-security/cms/moodle/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `moodle`
 - 分类: `cms`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `40`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `40`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,9 +26,49 @@

 - `official` [Moodle Security News](https://moodle.org/security/) (mode=core)
 - `official` [NVD Moodle](https://nvd.nist.gov/vuln/search) (keyword=Moodle; mode=core)
+- `ecosystem-authority` [OSV Moodle](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2008-3325 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-1502 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-0123 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-6538 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-3555 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1647 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1429 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-7048 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6625 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6626 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-5219 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-4935 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4936 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4937 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4938 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4939 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4940 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4941 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4942 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4943 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4784 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4785 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4786 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3951 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-0146 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-0147 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3648 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3649 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-2247 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-1424 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-1425 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-2232 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-2233 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-2234 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-2235 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-2236 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-2237 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-1711 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-0725 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-1978 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
--- a/07-framework-security/cms/strapi/INDEX.md
+++ b/07-framework-security/cms/strapi/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `strapi`
 - 分类: `cms`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `26`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `26`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -31,4 +31,33 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           16 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           214 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Unauthorized Access to Private Fields via parms.lookup | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Weak Password Length Validation | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Server - Side Request Forgery in Webhook function | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Leaking data via relations via the Admin Panel | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3rd party token leak and authentication bypass | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Denial-of-Service via Improper Exception Handling | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Star
+            71.6k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Unauthorized Access to Private Fields in User Registration API | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issues 
+           573 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Leaking sensitive user information, user reset password, tokens via content-manager views | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Next | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Field level permissions not being respected in  relationship title | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| strapi | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| CORS Misconfiguration Leads to Sensitive Data Exposure | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Projects | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Report a vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| strapi | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/cms/wordpress/INDEX.md
+++ b/07-framework-security/cms/wordpress/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `wordpress`
 - 分类: `cms`
 - 覆盖策略: `history-full`
- 总案例数: `0`
+- 总案例数: `140`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `140`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -24,7 +24,7 @@

 ## 来源

- `official` [WordPress Security News](https://wordpress.org/news/category/security/) (mode=core)
+- `official` [WordPress Security News RSS](https://wordpress.org/news/category/security/feed/) (mode=core)
 - `official` [NVD WordPress](https://nvd.nist.gov/vuln/search) (keyword=WordPress; mode=core)
 - `ecosystem-authority` [Wordfence Vulnerability Database](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/) (mode=plugin)
 - `ecosystem-authority` [Patchstack Database](https://patchstack.com/database/) (mode=plugin)
@@ -35,4 +35,143 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2007-1893 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1894 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1732 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1622 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1599 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1409 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1277 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1244 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1230 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-1049 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0539 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0540 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0541 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0262 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0233 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0106 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0107 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2007-0109 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6863 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6808 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6016 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-6017 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-5705 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2006-4743 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4208 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-4028 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3389 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-3390 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2702 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-2667 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1796 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1263 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-1012 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-0985 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-0986 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2006-0733 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-4463 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-3330 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-2612 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-1921 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-2107 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-2108 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-2109 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-2110 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-1810 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-1687 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-1688 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2005-1102 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-1559 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| CVE-2004-1584 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-03T01:03:51.193` | - |
+| Interviews | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Forums | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Swag Store  ↗ ︎ | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Booster for WooCommerce  < 7.11.3    Broken Access Control vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Blocks | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Events | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Wicked Folders  <= 4.1.0    Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Features | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Manage subscriptions | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Performance | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| How to Install WPScan | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Stats  WordPress stats | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Documentation | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Modern Events Calendar  <= 7.29.0    Broken Access Control vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Gutenberg  ↗ ︎ | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Showcase | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WordPress.org | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Education | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Documentation | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Education | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Subscriptions for WooCommerce  <= 1.9.2    Missing Authorization to Unauthenticated Arbitrary Subscription Cancellation vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Submit vulnerabilities | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| CLI scanner | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Patterns | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Design | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Developers | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WordPress | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Writeprint Stylometry  <= 0.1    Reflected Cross-Site Scripting via 'p' Parameter vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Hosting | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| CLI Scanner | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| General | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WowStore  <= 4.4.3    WordPress WowStore - Store Builder & Product Blocks for WooCommerce plugin <= 4.4.3 - Unauthenticated SQL Injection via 'search' Parameter vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Disclosure policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Five for the Future | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Features | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Unpatched Vulnerability in TI WooCommerce Wishlist Plugin | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Jannah  <= 7.6.3    Local File Inclusion vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Month in WordPress | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Report this content | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Contextual Related Posts  < 4.2.2    Broken Access Control vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Log in now. | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Awards | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| All Posts | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| News | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Enterprise | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WordPress.tv  ↗ ︎ | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| News | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| About WordPress | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [CR]Paid Link Manager  <= 0.5    Reflected Cross-Site Scripting vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| WordPress | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| WP User Frontend  <= 4.2.8    Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Duplicate Post  <= 4.5    Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Pricing | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Object Injection vulnerability fixed in SEOPress 7.9 | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Unauthorized Plugin Installation/Activation in Hunk Companion | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| View site in Reader | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Unauthenticated Privilege Escalation in Profile-Builder plugin | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| New Malware Campaign Targets WP-Automatic Plugin | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Plugins | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| NEX-Forms  <= 9.1.9    WordPress NEX-Forms - Ultimate Forms Plugin for WordPress plugin <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Make WordPress | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Photo Directory | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| NEX-Forms  <= 9.1.9    WordPress NEX-Forms - Ultimate Forms Plugin for WordPress plugin <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Job Board  ↗ ︎ | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Thim Elementor Kit  <= 1.3.7    Missing Authorization to Unauthenticated Private Course Disclosure vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Plugins | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Meta | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Development | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Our Stats | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Managed VDP   New | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Community | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Vulnerability statistics | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Whitepaper 2026   New | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Events | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Get WordPress | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WP EasyPay  <= 4.2.11    Broken Access Control vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Master Addons for Elementor  <= 2.1.3    Cross Site Scripting (XSS) vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| WP Go Maps  <= 10.0.05    Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| WordPress plugin | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Themes | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Software vendors | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Enterprise Features | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| LearnPress &#8211; Sepay Payment  <= 4.0.0    Broken Authentication vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| The 10 Best Vulnerability Scanners for Effective Web Security | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Flexmls® IDX  <= 3.15.9    Reflected Cross Site Scripting (XSS) vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Learn WordPress | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Royal Elementor Addons  <= 1.7.1049    WordPress Royal Addons for Elementor - Addons and Templates Kit for Elementor plugin <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
--- a/07-framework-security/ecommerce/adobe-commerce/INDEX.md
+++ b/07-framework-security/ecommerce/adobe-commerce/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `adobe-commerce`
 - 分类: `ecommerce`
 - 覆盖策略: `history-full`
- 总案例数: `0`
+- 总案例数: `81`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `81`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -25,11 +25,93 @@
 ## 来源

 - `official` [Adobe Security Bulletins](https://helpx.adobe.com/security/products/magento.html) (mode=core)
+- `official` [Adobe Magento Security Index](https://helpx.adobe.com/security/products/magento.html) (mode=core)
 - `official` [NVD Adobe Commerce](https://nvd.nist.gov/vuln/search) (keyword=Adobe Commerce; mode=core)
+- `ecosystem-authority` [GHSA Adobe Commerce](https://github.com/advisories) (ecosystem=composer; mode=core)
 - `ecosystem-authority` [Sansec Research](https://sansec.io/research) (mode=extension)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2024-20759 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-02-11T15:59:16.957` | - |
+| CVE-2024-20758 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-16T14:53:40.187` | - |
+| CVE-2024-20720 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:53:01.000` | - |
+| CVE-2024-20719 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:53:00.843` | - |
+| CVE-2024-20718 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:53:00.647` | - |
+| CVE-2024-20717 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:52:59.233` | - |
+| CVE-2024-20716 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:52:59.103` | - |
+| CVE-2023-38251 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:13:11.070` | - |
+| CVE-2023-38250 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:13:10.920` | - |
+| CVE-2023-38249 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:13:10.773` | - |
+| CVE-2023-38221 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:13:07.010` | - |
+| CVE-2023-38220 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:13:06.863` | - |
+| CVE-2023-38219 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:13:06.720` | - |
+| CVE-2023-38218 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:13:06.583` | - |
+| CVE-2023-26367 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:51:12.530` | - |
+| CVE-2023-26366 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:51:12.390` | - |
+| CVE-2022-24093 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:49:47.413` | - |
+| CVE-2023-38209 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:13:05.447` | - |
+| CVE-2023-38208 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:13:05.317` | - |
+| CVE-2023-38207 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:13:05.193` | - |
+| CVE-2023-29297 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:49.170` | - |
+| CVE-2023-29296 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:49.063` | - |
+| CVE-2023-29295 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:48.960` | - |
+| CVE-2023-29294 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:48.850` | - |
+| CVE-2023-29293 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:48.747` | - |
+| CVE-2023-29292 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:48.640` | - |
+| CVE-2023-29291 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:48.530` | - |
+| CVE-2023-29290 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:48.423` | - |
+| CVE-2023-29289 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:48.313` | - |
+| CVE-2023-29288 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:48.197` | - |
+| CVE-2023-29287 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:56:48.080` | - |
+| CVE-2023-22248 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:44:23.877` | - |
+| CVE-2023-22251 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:44:24.210` | - |
+| CVE-2023-22250 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:44:24.110` | - |
+| CVE-2023-22249 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:44:24.003` | - |
+| CVE-2023-22247 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:44:23.737` | - |
+| CVE-2022-42344 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:24:47.620` | - |
+| CVE-2022-35698 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:11:30.073` | - |
+| CVE-2022-35689 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:11:28.990` | - |
+| CVE-2022-35692 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:11:29.357` | - |
+| CVE-2022-34259 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:09:10.063` | - |
+| CVE-2022-34258 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:09:09.953` | - |
+| CVE-2022-34257 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:09:09.827` | - |
+| CVE-2022-34256 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:09:09.690` | - |
+| CVE-2022-34255 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:09:09.567` | - |
+| CVE-2022-34254 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:09:09.437` | - |
+| CVE-2022-34253 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:09:09.320` | - |
+| CVE-2022-24086 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-10-23T14:51:16.013` | - |
+| CVE-2021-39864 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:20:25.057` | - |
+| CVE-2021-36035 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:12:59.820` | - |
+| APSB26-05  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB21-86  Security updates available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB20-22  Security updates available for Magento | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB20-41  Security updates available for Magento | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB24-61  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB25-88 :  Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB22-38  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB23-42  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB21-30  Security updates available for Magento | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB25-26  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Back to top | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB24-73  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB23-17  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB24-18  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB23-50  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB23-35  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB25-71  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB22-12  Security updates available for Magento | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB21-08  Security updates available for Magento | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB24-40  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB24-90  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB25-08  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB25-94  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB22-48 : Security updates available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB20-02  Security updates available for Magento | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB20-59  Security updates available for Magento | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB22-13  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB21-64  Security updates available for Magento | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB25-50 :  Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB24-03  : Security update available for Adobe Commerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| APSB20-47  Security updates available for Magento | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/ecommerce/magento-open-source/INDEX.md
+++ b/07-framework-security/ecommerce/magento-open-source/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `magento-open-source`
 - 分类: `ecommerce`
 - 覆盖策略: `history-full`
- 总案例数: `0`
+- 总案例数: `89`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `89`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -25,6 +25,7 @@
 ## 来源

 - `official` [Magento GitHub Advisories](https://github.com/magento/magento2/security/advisories) (mode=core)
+- `official` [OSV Magento Open Source](https://osv.dev/) (mode=core)
 - `official` [NVD Magento](https://nvd.nist.gov/vuln/search) (keyword=Magento; mode=core)
 - `ecosystem-authority` [Sansec Research](https://sansec.io/research) (mode=extension)

@@ -32,4 +33,95 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2019-7885 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:54.997` | - |
+| CVE-2019-7882 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:54.893` | - |
+| CVE-2019-7881 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:54.783` | - |
+| CVE-2019-7880 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:54.670` | - |
+| CVE-2019-7877 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:54.560` | - |
+| CVE-2019-7876 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:54.450` | - |
+| CVE-2019-7875 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:54.337` | - |
+| CVE-2019-7874 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:54.227` | - |
+| CVE-2019-7873 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:54.113` | - |
+| CVE-2019-7872 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:54.003` | - |
+| CVE-2019-7871 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:53.883` | - |
+| CVE-2019-7869 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:53.650` | - |
+| CVE-2019-7868 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:53.527` | - |
+| CVE-2019-7867 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:53.407` | - |
+| CVE-2019-7866 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:53.287` | - |
+| CVE-2019-7865 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:53.163` | - |
+| CVE-2019-7864 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:53.043` | - |
+| CVE-2019-7863 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:52.933` | - |
+| CVE-2019-7862 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:52.820` | - |
+| CVE-2019-7861 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:52.697` | - |
+| CVE-2019-7860 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:52.580` | - |
+| CVE-2019-7859 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:52.463` | - |
+| CVE-2019-7858 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:52.343` | - |
+| CVE-2019-7857 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:52.230` | - |
+| CVE-2019-7855 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:52.113` | - |
+| CVE-2019-7854 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:52.000` | - |
+| CVE-2019-7853 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:51.883` | - |
+| CVE-2019-7852 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:51.770` | - |
+| CVE-2019-7851 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:51.660` | - |
+| CVE-2019-7849 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:51.440` | - |
+| CVE-2019-7139 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:47:38.667` | - |
+| CVE-2018-5301 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:08:32.663` | - |
+| CVE-2016-10704 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-20T01:37:25.860` | - |
+| CVE-2015-8707 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-20T01:37:25.860` | - |
+| CVE-2014-9758 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-20T01:37:25.860` | - |
+| CVE-2017-13761 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-20T01:37:25.860` | - |
+| CVE-2016-6485 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-20T01:37:25.860` | - |
+| CVE-2016-4010 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-20T01:37:25.860` | - |
+| CVE-2016-2212 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2012-3243 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2015-3458 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2015-3457 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2015-1399 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2015-1398 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2015-1397 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2015-2068 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2015-2067 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2014-8770 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2011-5240 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2009-0541 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| Surge in Magento 2 template attacks   2022-09-22  The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent Sansec forensic cases concern this attack method. In this article we share our findings of 3 template hacks, and hope it will help you if you are confron...   skimming   trojanorder | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| MagentoCore group hacks 7,339 stores and counting   2018-08-30  A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date. Update 2018-09-07: Because Google Chrome has added the campaign to its blocklist last Saturday, the skimmers are now rapidly replacing &q...   skimming   MagentoCore   skimmer | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Wiki | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Competing digital skimmers sabotage each other   2018-11-20  Skimmers found to subtly sabotage each others fraud operations. Competition is grim in the online skimming business (aka "MageCart"). The aggressive MagentoCore skimmer was previously observed to kick contending parasites from its victim hosts. But this week, we discovered that the bat...   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Case Study: How eCommerce Hackers Silently Steal Credit Card Data   2021-05-03  The majority of online stores have never been hacked and, as a result, take a somewhat lax approach to cybersecurity. However, no less than 20% of all online stores get hacked every year, which means it might only be a matter of time until yours becomes the next victim.   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Magento wish list exploit bypasses WAF protection   2023-12-18  Found your Magento 2 store hacked recently? Chances are, that attackers injected a malicious wish list. Just before Christmas? Oh the irony.   skimming   trojanorder | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Magento Security Release APSB25-08 [Impact Analysis]   2025-02-12  Critical (CVSS 9.4) release enables attackers to take control of customer accounts.   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Bad extensions now main source of Magento hacks: a solution!   2019-01-29  In October last year I discovered several Magento extension 0days. As it turns out, this was only the tip of the iceberg: today, insecure 3rd party extensions are used to hack into thousands of stores. A group of Magento professionals have identified 63 vulnerable extensions, and are now releasin...   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Magento and the Log4j vulnerability   2021-12-13  Updated Dec 20th. This article describes how Magento is affected by the critical log4j vulnerability, and what you can (and should) do to prevent a hack. A critical vulnerability in the popular Log4j Java library has been massively exploited since December 1st. It exposes full control to a remote...   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Persistent Magento backdoor hidden in XML   2024-04-04  Does your Interceptor.php keep getting infected? Attackers are using a new method for malware persistence on Magento servers. Sansec discovered a cleverly crafted layout template in the database, which was used to automatically inject malware.   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Persistent parasite in EOL Magento 2   2020-12-02  Over the last months, hackers have quietly added a subtle security flaw to over 50 large online stores, only to exploit them right before Black Friday, Sansec research shows. The flaw's presence would ensure future access for the attackers, even if their primary operation was blown. Sansec has be...   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Magento security extentions vendor got hacked   2019-10-07  The store of a US Magento extension vendor was found compromised. Attackers had write access to the server selling extensions. We are awaiting a statement on the integrity of downloaded software. Our malware crawlers detected a compromise of Extendware, a vendor of Magento extensions such as &quo...   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Magento PolyShell: unrestricted file upload in Magento and Adobe Commerce   2026-03-17  A new vulnerability in the Magento and Adobe Commerce REST API allows attackers to upload executable files to any store. Adobe fixed the issue in a pre-release version but has not backported the patch. Many stores run web server configurations that enable either remote code execution (RCE) or acc...   skimming   magento   adobe-commerce   rce   +3 | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| magento2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Vendors defeat Magento security patch (+ simple check)   2023-01-17  Magento and Adobe Commerce stores around the world have been hammered with Trojan Order attacks this winter. And even if you have patched or installed Adobeâs 2.4.4 release, you may still be vulnerable. Sansec discovered that several vendors and agencies are actively bypassing this security fix, ...   skimming   trojanorder | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Warning: fake Magento patch 9789 contains virus   2017-04-21  Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798. Update Apr 22nd: added reference to Neutrino Bot and POS systems This week a mail was sent out to announce the new Magento patch SUPEE-9789. It is fake and it contains malware. There is no patch 9789. The message...   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| An OpenCart/Magento hacking dashboard   2017-04-07  This post shows how sophisticated Magento hacking operations have become nowadays. While investigating a bruteforced Magento store, we noticed that the hacker logged in using a curious referrer site: "GET /rss/catalog/notifystock/ HTTP/1.1" 200 5676 "http://194.87.232.147:777/"...   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Pull requests 
+           804 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| SessionReaper attacks have started, 3 in 5 stores still vulnerable   2025-10-22  Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. Sansec Shield blocked dozens of attacks today. With only 38% of stores patched and exploit details now public, mass abuse will follow in the coming hours.   skimming   CVE-2025-54236   magento   adobe-commerce   +6 | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Claude finds 353 zero-days on Packagist   2026-01-22  We built an AI-powered security pipeline to audit popular ecommerce extensions on Packagist. The vulnerabilities we found range from password leaks to full remote code execution.   skimming   magento   adobe-commerce   supply-chain   +1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| magento | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| CosmicSting attack threatens 75% of Adobe Commerce stores   2024-06-18  One week after the release of a critical security fix, just a quarter of all Adobe Commerce and Magento stores has been patched.   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236)   2025-09-08  SessionReaper (CVE-2025-54236) is a critical bug in Magento & Adobe Commerce. The bug may hand full control of a store to unauthenticated attackers. Automated attacks have hit over 50% of all stores globally. Merchants should act immediately.   skimming   CVE-2025-54236   magento   adobe-commerce   +5 | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| CosmicSting attack & defense overview   2024-09-16  CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years. Sansec observes that stores are getting hacked at a rate of 5 to 30 per hour. Merchants need to implement these counter measures as soon as possible.   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Thousands of Adobe Commerce stores hacked in competing CosmicSting campaigns   2024-10-01  Cybercriminals have hacked 5% of all Adobe Commerce and Magento stores this summer. Among the victims are large international brands. Seven distinct groups are using CosmicSting attacks to plant malicious code on victim stores.   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Adobe patches critical Magento admin takeover via menu injection   2025-06-12  A new attack on Adobe Commerce may break the menu bar for admin users. If your menu bar is missing, someone is stealing your session via CVE-2025-47110.   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Notifications | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Fake Klaviyo accounts added to Magento   2022-12-21  Are your Magento admin accounts legitimate? Chances are, that a klaviyo_support_XXXX account was added this week. Best to quickly remove it and read this article.   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Do these two things to keep your Magento 1 store running after June   2020-05-28  Over a 100 thousands Magento 1 stores will be running after Adobe terminates support in June (end-of-life). Many merchants need more time to transition to Magento 2 or another platform. No need to panic, your store will not suddenly crash on July 1st. But you should make two important arrangement...   skimming   magento 1   deadline | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Extortion of Magento merchants   2022-11-07  Sansec has received reports of criminals trying to extort Magento merchants with the message below. As long as the sender does not produce evidence, they almost certainly did not steal your sensitive data. Ignoring them is best.   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Projects | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Critical Magento 2 flaw exploited within 16 hours   2019-05-10  The number of hacked Magento 2 stores spiked in the last four weeks, after a critical security flaw was discovered in March and criminals stole admin passwords within 16 hours. Merchants are advised to implement emergency measures, even if they had already patched. Update June 12th: While there w...   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| A Magento breach analysis: part 1   2017-04-12  Part of a series where Magento security professionals share their case notes, so that we can ultimately distill a set of best practices, tools and workflow. Part of the job of running the MageReport service is that I get to investigate tons of hacked stores. About 50-200 new stores get hacked pe...   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Cardbleed: 3% of Magento install base hacked   2020-09-14  Update Sept 18: Cardbleed has infected 2806 Magento1 stores so far (3% of total install base) Over the weekend, almost two thousand Magento 1 stores across the world have been hacked in the largest documented campaign to date. It was a typical Magecart attack: injected malicious code would inter...   skimming | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Issues 
+           1.2k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Adobe Commerce merchants to be hit with TrojanOrders this season   2022-11-15  At least seven Magecart groups are injecting TrojanOrders at approximately 38% of Magento and Adobe Commerce websites in November.   skimming   trojanorder | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
--- a/07-framework-security/ecommerce/medusa/INDEX.md
+++ b/07-framework-security/ecommerce/medusa/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `medusa`
 - 分类: `ecommerce`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `15`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `15`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -31,4 +31,22 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issues 
+           69 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| medusajs | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           63 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Report a vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| medusa | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Star
+            32.4k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Projects | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/ecommerce/opencart/INDEX.md
+++ b/07-framework-security/ecommerce/opencart/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `opencart`
 - 分类: `ecommerce`
 - 覆盖策略: `history-full`
- 总案例数: `0`
+- 总案例数: `100`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `100`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,9 +26,113 @@

 - `official` [OpenCart Releases](https://github.com/opencart/opencart/releases) (mode=core)
 - `official` [NVD OpenCart](https://nvd.nist.gov/vuln/search) (keyword=OpenCart; mode=core)
+- `ecosystem-authority` [OSV OpenCart](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2025-1749 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-05-07T19:49:23.300` | - |
+| CVE-2025-1748 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-05-07T19:47:43.517` | - |
+| CVE-2025-1747 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-05-07T19:47:20.830` | - |
+| CVE-2025-1746 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-05-07T19:47:12.877` | - |
+| CVE-2025-1117 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-02-08T13:15:07.843` | - |
+| CVE-2025-1116 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-02-08T12:15:39.660` | - |
+| CVE-2025-0974 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-02-03T02:15:26.433` | - |
+| CVE-2025-0841 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-01-29T21:15:20.973` | - |
+| CVE-2025-0580 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-01-20T03:15:08.540` | - |
+| CVE-2025-0579 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-01-20T03:15:08.353` | - |
+| CVE-2025-0460 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-01-14T16:15:34.800` | - |
+| CVE-2025-22335 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-01-07T16:15:42.703` | - |
+| CVE-2025-0214 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-01-04T17:15:07.507` | - |
+| CVE-2024-36694 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-22T15:36:02.527` | - |
+| CVE-2024-51835 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-19T21:56:45.533` | - |
+| CVE-2024-21519 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:54:36.377` | - |
+| CVE-2024-21518 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:54:36.223` | - |
+| CVE-2024-21517 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-01-14T17:15:16.380` | - |
+| CVE-2024-21516 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-01-14T17:15:15.903` | - |
+| CVE-2024-21515 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-01-14T17:15:15.357` | - |
+| CVE-2024-21514 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:54:35.600` | - |
+| CVE-2023-47444 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:30:17.177` | - |
+| CVE-2023-2315 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:58:22.310` | - |
+| CVE-2023-40834 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T08:20:11.673` | - |
+| CVE-2020-20491 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-12-10T20:15:07.187` | - |
+| CVE-2021-37823 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-05-05T14:15:21.957` | - |
+| CVE-2022-41403 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-05-15T19:15:54.980` | - |
+| CVE-2013-1891 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T01:50:35.890` | - |
+| CVE-2022-24108 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:49:49.213` | - |
+| CVE-2020-29471 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:24:03.283` | - |
+| CVE-2020-29470 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:24:03.120` | - |
+| CVE-2020-28838 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:23:10.513` | - |
+| CVE-2020-15478 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:05:35.830` | - |
+| CVE-2020-13980 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:02:17.100` | - |
+| CVE-2020-10596 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:55:40.073` | - |
+| CVE-2019-15081 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:28:00.747` | - |
+| CVE-2018-1000640 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:40:18.203` | - |
+| CVE-2018-13067 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:46:20.270` | - |
+| CVE-2018-11495 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:43:29.193` | - |
+| CVE-2018-11494 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:43:29.020` | - |
+| CVE-2018-11231 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:42:57.327` | - |
+| CVE-2014-3990 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T02:09:17.240` | - |
+| CVE-2016-10509 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-20T01:37:25.860` | - |
+| CVE-2015-4671 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2011-3763 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2010-1610 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2010-0956 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2009-1621 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2009-1027 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-3130 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| #14937 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3.0.5.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| opencart | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14933 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3.0.5.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14961 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Latest | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14936 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14943 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #15029 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #15012 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14874 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14929 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #15010 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14941 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14940 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14938 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14980 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| View all tags | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #15011 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14879 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14875 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| /pull/14942 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Star
+            8.1k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14877 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14928 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Projects | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           27 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14955 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14930 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14931 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14932 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14934 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14979 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #15034 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| opencart | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Wiki | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14939 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14956 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| bf120c7 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14935 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| #14916 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issues 
+           112 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/ecommerce/openmage/INDEX.md
+++ b/07-framework-security/ecommerce/openmage/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `openmage`
 - 分类: `ecommerce`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `27`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `27`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,9 +26,40 @@

 - `official` [OpenMage GitHub Advisories](https://github.com/OpenMage/magento-lts/security/advisories) (mode=core)
 - `official` [NVD OpenMage](https://nvd.nist.gov/vuln/search) (keyword=OpenMage; mode=core)
+- `ecosystem-authority` [OSV OpenMage](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Star
+            914 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| OpenMage | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Stored XSS in theme config fields | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Fix for authenticated remote code execution through layout update | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Projects | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Stored XSS in WYSIWYG Editor | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           66 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| DataFlow upload remote code execution vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Stored XSS in admin file form | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issues 
+           178 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| DoS vulnerability in MaliciousCode filter | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Report a vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| XSS in Admin Notifications | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| magento-lts | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Stored XSS in admin system configs | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Guest order "protect code" can be brute-forced too easily | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| X-Original-Url header can expose admin url | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           22 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Next | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/ecommerce/prestashop/INDEX.md
+++ b/07-framework-security/ecommerce/prestashop/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `prestashop`
 - 分类: `ecommerce`
 - 覆盖策略: `history-full`
- 总案例数: `0`
- 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 总案例数: `114`
+- 近 30 天新增/更新: `2`
+- 重点 Markdown 案例数: `2`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `114`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,10 +26,136 @@

 - `official` [PrestaShop Security Page](https://build.prestashop-project.org/news/) (mode=core)
 - `official` [GitHub PrestaShop Advisories](https://github.com/PrestaShop/PrestaShop/security/advisories) (mode=core)
+- `official` [NVD PrestaShop](https://nvd.nist.gov/vuln/search) (keyword=PrestaShop; mode=core)
+- `ecosystem-authority` [OSV PrestaShop](https://osv.dev/) (mode=core)
 - `ecosystem-authority` [Friends Of Presta Security](https://security.friendsofpresta.org/) (mode=module)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-30T12:26:07.105030Z` | [link](/Users/x/websafe/07-framework-security/ecommerce/prestashop/cases/prestashop-cve-2026-33673.md) |
+| PrestaShop: Improper Use of Validation Framework | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-30T12:26:06.049752Z` | [link](/Users/x/websafe/07-framework-security/ecommerce/prestashop/cases/prestashop-cve-2026-33674.md) |
+| CVE-2020-5294 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:33:51.140` | - |
+| CVE-2020-5273 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:33:48.777` | - |
+| CVE-2020-5266 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:33:47.980` | - |
+| CVE-2020-5277 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:33:49.217` | - |
+| CVE-2020-5250 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:33:45.950` | - |
+| CVE-2013-6295 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T01:58:57.763` | - |
+| CVE-2013-4792 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T01:56:25.330` | - |
+| CVE-2013-4791 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T01:56:25.180` | - |
+| CVE-2012-2517 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T01:39:10.433` | - |
+| CVE-2013-6358 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T01:59:04.000` | - |
+| CVE-2020-6632 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:36:04.413` | - |
+| CVE-2019-19595 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:35:01.013` | - |
+| CVE-2019-19594 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:35:00.853` | - |
+| CVE-2019-15565 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:29:01.730` | - |
+| CVE-2019-13461 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:24:56.967` | - |
+| CVE-2019-11876 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:21:56.310` | - |
+| CVE-2018-20717 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:02:01.370` | - |
+| CVE-2018-19355 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:57:47.527` | - |
+| CVE-2018-19126 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:57:22.610` | - |
+| CVE-2018-19125 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:57:22.450` | - |
+| CVE-2018-19124 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:57:22.300` | - |
+| CVE-2018-13784 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:47:58.403` | - |
+| CVE-2018-8824 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:14:23.640` | - |
+| CVE-2018-10942 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:42:21.540` | - |
+| CVE-2018-8823 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:14:23.493` | - |
+| CVE-2018-7491 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:12:14.077` | - |
+| CVE-2018-5682 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:09:09.393` | - |
+| CVE-2018-5681 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:09:09.263` | - |
+| CVE-2015-1175 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2014-2009 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2014-2008 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2012-6641 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2012-5801 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2012-5800 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2012-5799 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2011-4545 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2011-4544 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2011-3796 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-11T00:51:21.963` | - |
+| CVE-2008-6503 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| CVE-2008-5791 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-09T00:30:58.490` | - |
+| Events | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| GitHub
+            Discussions      (external link) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Newsletter | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [CVE-2024-6648] Absolute Path Traversal vulnerability in AP Page Builder versions prior to 4.0.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| → Discover the PrestaShop example modules repository  A hands-on library of working code examples to help you understand how PrestaShop module development really works. | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| PrestaShop | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Support      (external link) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Latest Releases | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| XSS can be stored in DB from "add a message form" in order detail page (FO) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| → PrestaShop Core Monthly - January 2026  9.1 Beta opens for feedback, Developer Conference videos go live, and big features take shape | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [CVE-2025-51586] User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| → PrestaShop 8.2.4 is available  Security improvements for branch 8.2.x | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| → Hummingbird v2: Architecture, Best Practices, and Contribution Guide  A developer-oriented foundation for modern and scalable PrestaShop themes | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| its members and contributors | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [CVE-2025-61922] Customer account takeover via email in PrestaShop Checkout module for PrestaShop | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Contributor's Guide | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Path disclosure in JavaScript variable | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| SQL injection possible in search product in BO | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 6 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| → Join us at the inaugural Ecommerce Open Source Summit (EO2S) in Paris  Organized by Friends of Presta, EO2S brings together the open source ecommerce community on March 26, 2026 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Join Slack
+            Community
+                 (external link) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| path traversal: file deletion | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| → PrestaShop Core Monthly - February 2026  New releases, Hummingbird v2, B2B foundations, and a one-page checkout on the horizon | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Core Monthly | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issues 
+           2.3k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 4 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Developer
+            Documentation      (external link) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| → Cleaning up old branches: a routine maintenance for a healthier repository  We are removing old branches from our repository | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Download
+                  sources      (external link) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| PrestaShop | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Some attribute not escaped in Validate::isCleanHTML method | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           305 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Top Contributors
+                 (external link) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Contact us | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Projects | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Start Developing | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| About us | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 5 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [CVE-2024-36682] Exposure of Private Personal Information to an Unauthorized Actor in Promokit.eu - Theme settings module for PrestaShop | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| [CVE-2025-69633] Improper neutralization of SQL parameters in Advanced Popup Creator module from Idnovate for PrestaShop | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| → PrestaShop 9.1 RC1 is open for testing!  The first Release Candidate of PrestaShop 9.1 is here. Help us validate it before the final release. | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Time based enumeration in FO login form | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Live Updates | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [CVE-2024-34989] Improper neutralization of SQL parameter in RSI PDF/HTML catalog evolution (prestapdf) module for PrestaShop | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| New possible XSS injection through Validate::isCleanHTML method | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Top Translators      (external link) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [CVE-2023-45256] Improper neutralization of SQL parameters in Monetico Paiement module from EuroInformation for PrestaShop | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Anonymous customer can download other customers's invoices | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| PrestaShop 8.x | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| PrestaShop 9.x | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| → AI-Powered API Hackathon: 14+ Endpoints in a Single Day  How PrestaShop teams used Claude Code to accelerate Admin API contributions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [CVE-2024-36683] Improper neutralization of SQL parameter in Smart Modules - Products Alert module for PrestaShop | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Email enumeration | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| How-to Guides | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| [CVE-2024-41670] Improperly Implemented Security Check for Standard in PayPal Official for PrestaShop | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| → PrestaShop Developer Conference 2025 Filmed Sessions - Community and Security  Friends of Presta, Cybersecurity and Ecommerce Development | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Star
+            9k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| RSS | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| YouTube
+            Channel      (external link) | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Development Tools | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           53 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Useful Tools | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| XSS via customer contact form in FO, through file upload | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Next | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/ecommerce/prestashop/cases/prestashop-cve-2026-33673.md
+++ b/07-framework-security/ecommerce/prestashop/cases/prestashop-cve-2026-33673.md
@@ -0,0 +1,185 @@
+---
+title: "PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables"
+system_id: "prestashop"
+category: "ecommerce"
+advisory_mode: "core"
+published_date: "2026-03-25T19:41:50Z"
+updated_date: "2026-03-30T12:26:07.105030Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-image"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "BIT-prestashop-2026-33673"
+  - "CVE-2026-33673"
+  - "GHSA-35pf-37c6-jxjv"
+affected_versions:
+  - "9.0.0"
+  - "9.0.0-alpha.1"
+  - "9.0.0-beta.1"
+  - "9.0.0-rc.1"
+  - "9.0.1"
+  - "9.0.2"
+  - "9.0.3"
+  - "9.1.0-beta.1"
+  - "9.1.0-rc.1"
+  - "1.7.0.0"
+  - "1.7.0.0-beta.1.0"
+  - "1.7.0.0-beta.2.0"
+  - "1.7.0.0-beta.3.0"
+  - "1.7.0.0-beta.4.0"
+  - "1.7.0.0-rc.0.0"
+  - "1.7.0.0-rc.1.0"
+  - "1.7.0.0-rc.2.0"
+  - "1.7.0.1"
+  - "1.7.0.2"
+  - "1.7.0.3"
+fixed_versions:
+  - "9.1.0"
+  - "8.2.5"
+entity_refs:
+  - "prestashop:system:root-system"
+  - "prestashop--package--prestashop-prestashop:package:affected-component"
+secure_code_topics:
+  - "plugin-extension-trust-policy"
+  - "authz-server-side-recheck"
+  - "file-upload-validation"
+  - "xss-output-encoding"
+primary_source: "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv"
+---
+
+# PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-image`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `prestashop--CVE-2026-33673`
+- 系统: `prestashop`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv
+- 影响版本: `9.0.0, 9.0.0-alpha.1, 9.0.0-beta.1, 9.0.0-rc.1, 9.0.1, 9.0.2, 9.0.3, 9.1.0-beta.1, 9.1.0-rc.1, 1.7.0.0`
+- 修复版本: `9.1.0, 8.2.5`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `prestashop / prestashop`
+- Entity Refs: `prestashop, prestashop--package--prestashop-prestashop`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv, https://nvd.nist.gov/vuln/detail/CVE-2026-33673, https://github.com/PrestaShop/PrestaShop, https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5, https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0`
+
+## 受控验证流程
+
+- Workflow ID: `prestashop--CVE-2026-33673--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2026-33673
+- https://github.com/PrestaShop/PrestaShop
+- https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5
+- https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `9.0.0, 9.0.0-alpha.1, 9.0.0-beta.1` 升级或回移到 `9.1.0`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
--- a/07-framework-security/ecommerce/prestashop/cases/prestashop-cve-2026-33674.md
+++ b/07-framework-security/ecommerce/prestashop/cases/prestashop-cve-2026-33674.md
@@ -0,0 +1,176 @@
+---
+title: "PrestaShop: Improper Use of Validation Framework"
+system_id: "prestashop"
+category: "ecommerce"
+advisory_mode: "core"
+published_date: "2026-03-25T19:40:42Z"
+updated_date: "2026-03-30T12:26:06.049752Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-image"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "BIT-prestashop-2026-33674"
+  - "CVE-2026-33674"
+  - "GHSA-283w-xf3q-788v"
+affected_versions:
+  - "1.7.0.0"
+  - "1.7.0.0-beta.1.0"
+  - "1.7.0.0-beta.2.0"
+  - "1.7.0.0-beta.3.0"
+  - "1.7.0.0-beta.4.0"
+  - "1.7.0.0-rc.0.0"
+  - "1.7.0.0-rc.1.0"
+  - "1.7.0.0-rc.2.0"
+  - "1.7.0.1"
+  - "1.7.0.2"
+  - "1.7.0.3"
+  - "1.7.0.4"
+  - "1.7.0.5"
+  - "1.7.0.6"
+  - "1.7.1.0"
+  - "1.7.1.1"
+  - "1.7.1.2"
+  - "1.7.2.0"
+  - "1.7.2.0-rc.1.0"
+  - "1.7.2.1"
+fixed_versions:
+  - "8.2.5"
+  - "9.1.0"
+entity_refs:
+  - "prestashop:system:root-system"
+  - "prestashop--package--prestashop-prestashop:package:affected-component"
+secure_code_topics:
+  - "plugin-extension-trust-policy"
+  - "authz-server-side-recheck"
+  - "file-upload-validation"
+primary_source: "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-283w-xf3q-788v"
+---
+
+# PrestaShop: Improper Use of Validation Framework
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-image`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `prestashop--CVE-2026-33674`
+- 系统: `prestashop`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-283w-xf3q-788v
+- 影响版本: `1.7.0.0, 1.7.0.0-beta.1.0, 1.7.0.0-beta.2.0, 1.7.0.0-beta.3.0, 1.7.0.0-beta.4.0, 1.7.0.0-rc.0.0, 1.7.0.0-rc.1.0, 1.7.0.0-rc.2.0, 1.7.0.1, 1.7.0.2`
+- 修复版本: `8.2.5, 9.1.0`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `prestashop / prestashop`
+- Entity Refs: `prestashop, prestashop--package--prestashop-prestashop`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-283w-xf3q-788v, https://nvd.nist.gov/vuln/detail/CVE-2026-33674, https://github.com/PrestaShop/PrestaShop, https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5, https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0`
+
+## 受控验证流程
+
+- Workflow ID: `prestashop--CVE-2026-33674--workflow`
+- 漏洞家族: `unknown`
+- 入口面: `package-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/package`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2026-33674
+- https://github.com/PrestaShop/PrestaShop
+- https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5
+- https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `1.7.0.0, 1.7.0.0-beta.1.0, 1.7.0.0-beta.2.0` 升级或回移到 `8.2.5`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
--- a/07-framework-security/ecommerce/saleor/INDEX.md
+++ b/07-framework-security/ecommerce/saleor/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `saleor`
 - 分类: `ecommerce`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `24`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `24`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,9 +26,37 @@

 - `official` [GitHub Saleor Advisories](https://github.com/saleor/saleor/security/advisories) (mode=core)
 - `official` [NVD Saleor](https://nvd.nist.gov/vuln/search) (keyword=Saleor; mode=core)
+- `ecosystem-authority` [OSV Saleor](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| saleor | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Unauthenticated Information Disclosure Vulnerability via Python Exceptions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Non-constant time HMAC comparison in Adyen plugin | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Customers addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Stored XSS via Unrestricted File Uploads | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insecure Direct Object Reference (IDOR) in GraphQL API | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Star
+            22.7k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| saleor | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Improper object type validation in mutations leading to unauthorized access | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Report a vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           10 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issues 
+           185 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| CSRF bypass in refreshToken mutation | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           67 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| User enumeration vulnerability in Saleor due to different error messages | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Lack of proper HTML sanitization in rich text fields | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Staff-Authenticated Error Message Information Disclosure Vulnerability via Python Exceptions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/ecommerce/shopware/INDEX.md
+++ b/07-framework-security/ecommerce/shopware/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `shopware`
 - 分类: `ecommerce`
 - 覆盖策略: `history-full`
- 总案例数: `0`
+- 总案例数: `71`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `71`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,9 +26,84 @@

 - `official` [Shopware Security Advisories](https://github.com/shopware/shopware/security/advisories) (mode=core)
 - `official` [NVD Shopware](https://nvd.nist.gov/vuln/search) (keyword=Shopware; mode=core)
+- `ecosystem-authority` [OSV Shopware](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2023-22730 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:45:18.660` | - |
+| CVE-2022-36102 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:12:23.590` | - |
+| CVE-2022-36101 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:12:23.440` | - |
+| CVE-2022-31148 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:03:59.930` | - |
+| CVE-2022-31057 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T07:03:48.270` | - |
+| CVE-2022-24892 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:20.243` | - |
+| CVE-2022-24879 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:18.403` | - |
+| CVE-2022-24873 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:17.737` | - |
+| CVE-2022-24872 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:17.607` | - |
+| CVE-2022-24871 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:17.483` | - |
+| CVE-2022-24956 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:27.467` | - |
+| CVE-2022-24748 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:00.577` | - |
+| CVE-2022-24747 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:00.453` | - |
+| CVE-2022-24746 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:00.337` | - |
+| CVE-2022-24745 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:00.213` | - |
+| CVE-2022-24744 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:51:00.097` | - |
+| CVE-2022-21652 | `low` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:45:09.557` | - |
+| CVE-2022-21651 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:45:09.420` | - |
+| CVE-2021-41188 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:25:43.210` | - |
+| CVE-2021-37710 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:15:45.890` | - |
+| CVE-2021-37709 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:15:45.713` | - |
+| CVE-2021-37708 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:15:45.560` | - |
+| CVE-2021-37707 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:15:45.410` | - |
+| CVE-2021-32717 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:07:35.447` | - |
+| CVE-2021-32716 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:07:35.340` | - |
+| CVE-2021-32713 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:07:35.013` | - |
+| CVE-2021-32712 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:07:34.910` | - |
+| CVE-2021-32711 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:07:34.803` | - |
+| CVE-2021-32710 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:07:34.690` | - |
+| CVE-2021-32709 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T06:07:34.577` | - |
+| CVE-2020-28199 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:22:27.980` | - |
+| CVE-2020-13997 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:02:18.893` | - |
+| CVE-2020-13971 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:02:16.100` | - |
+| CVE-2020-13970 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:02:15.970` | - |
+| CVE-2019-12935 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:23:51.287` | - |
+| CVE-2019-12799 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:23:36.247` | - |
+| CVE-2018-20713 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:02:00.820` | - |
+| CVE-2017-18357 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:19:55.227` | - |
+| CVE-2017-15374 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-20T01:37:25.860` | - |
+| CVE-2016-3109 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-20T01:37:25.860` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Report a vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           186 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issues 
+           1.3k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| `/api/_info/config` route exposes information about licenses | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Reflected XSS in Storefront Login Page | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 7 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| `/api/_info/config` route exposes information about active security fixes | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Star
+            3.3k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| shopware | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Improper Control of Generation of Code in Twig rendered views | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 6 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 4 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| User enumeration via distinct error codes on Store API login endpoint | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Unauthenticated data extraction possible through store-api.order endpoint | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Next | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Reflective Cross Site-Scripting (XSS) in CMS components | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| shopware | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           68 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Password recovery link does not expire after email change | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Path traversal via Plugin upload | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 5 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Projects | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Potential take over of app credentials | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/ecommerce/woocommerce/INDEX.md
+++ b/07-framework-security/ecommerce/woocommerce/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `woocommerce`
 - 分类: `ecommerce`
 - 覆盖策略: `history-full`
- 总案例数: `0`
+- 总案例数: `111`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:05+00:00`
+- 待人工/缺浏览器证据: `111`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,6 +26,8 @@

 - `official` [Woo Developer Advisories](https://developer.woocommerce.com/) (mode=core)
 - `official` [GitHub WooCommerce Advisories](https://github.com/woocommerce/woocommerce/security/advisories) (mode=core)
+- `official` [NVD WooCommerce](https://nvd.nist.gov/vuln/search) (keyword=WooCommerce; mode=core)
+- `ecosystem-authority` [OSV WooCommerce](https://osv.dev/) (mode=core)
 - `ecosystem-authority` [Patchstack Database](https://patchstack.com/database/) (mode=extension)
 - `ecosystem-authority` [Wordfence Vulnerability Database](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/) (mode=extension)

@@ -33,4 +35,118 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2019-18834 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:33:40.530` | - |
+| CVE-2019-20891 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:39:37.827` | - |
+| CVE-2020-11727 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:58:29.603` | - |
+| CVE-2020-8819 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T05:39:30.133` | - |
+| CVE-2014-4558 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T02:10:26.603` | - |
+| CVE-2019-18668 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:33:29.677` | - |
+| CVE-2019-14979 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:27:48.810` | - |
+| CVE-2019-14978 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:27:48.663` | - |
+| CVE-2017-18592 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:20:28.627` | - |
+| CVE-2016-10935 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T02:45:06.817` | - |
+| CVE-2019-15092 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:28:02.440` | - |
+| CVE-2016-10923 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T02:45:05.073` | - |
+| CVE-2016-10922 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T02:45:04.920` | - |
+| CVE-2018-20966 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:02:35.007` | - |
+| CVE-2019-14948 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:27:44.950` | - |
+| CVE-2017-18506 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:20:16.597` | - |
+| CVE-2019-14796 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:27:22.400` | - |
+| CVE-2019-14774 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:27:19.310` | - |
+| CVE-2019-1010124 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:17:58.953` | - |
+| CVE-2019-5979 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:45:50.723` | - |
+| CVE-2019-11807 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:21:48.027` | - |
+| CVE-2019-7441 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:48:14.587` | - |
+| CVE-2019-9168 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:51:07.733` | - |
+| CVE-2018-20782 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:02:09.783` | - |
+| CVE-2018-20714 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:02:00.963` | - |
+| CVE-2017-18356 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:19:55.073` | - |
+| CVE-2018-11525 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:43:32.763` | - |
+| CVE-2018-11486 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:43:27.857` | - |
+| CVE-2018-11485 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:43:27.710` | - |
+| CVE-2018-11579 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T03:43:39.363` | - |
+| CVE-2018-8711 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:14:10.983` | - |
+| CVE-2018-8710 | `critical` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:14:10.840` | - |
+| CVE-2015-2329 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T02:27:13.723` | - |
+| CVE-2018-5316 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2024-11-21T04:08:34.753` | - |
+| CVE-2017-17058 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-20T01:37:25.860` | - |
+| CVE-2016-10112 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2015-5065 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2015-2069 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2014-6313 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| CVE-2014-4549 | `medium` | `triage` | `triage-manual` | `synthetic` | `official` | `2025-04-12T10:46:40.837` | - |
+| woocommerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Second parameter of woocommerce_get_breadcrumb may be null for Core Breadcrumbs block in WooCommerce 10.6 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| HPOS sync on read to be disabled by default in WooCommerce 10.7 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Join the Community Slack | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Booster for WooCommerce  < 7.11.3    Broken Access Control vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| WooCommerce 10.6.1: Dot Release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Call for Testing: WooCommerce Order Fulfillments | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Join us for our “Building Ecommerce Community” Live Event | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           369 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| See all Release Posts | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce 10.6: What’s coming for developers | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Subscriptions for WooCommerce  <= 1.9.2    Missing Authorization to Unauthenticated Arbitrary Subscription Cancellation vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| AI & Agentic Commerce in WooCommerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Contribute to WooCommerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| How AI and Automation are Improving the Woo Release Process | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Projects | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Blind SQL Injection possible via Authenticated Web-hook Search API Endpoint | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce 10.4.3: Dot Release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Become a Woo agency partner | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce 10.5: What’s coming for developers | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce Meetups | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Events | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Product images are now lazy-loaded by default in WooCommerce 10.6 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WowStore  <= 4.4.3    WordPress WowStore - Store Builder & Product Blocks for WooCommerce plugin <= 4.4.3 - Unauthenticated SQL Injection via 'search' Parameter vulnerability | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Release Calendar | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Improving WooCommerce Performance at Scale | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce 10.5 Release is Delayed | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Star
+            10.2k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Newsletter | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| See all Roadmap Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Contact Us | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce 10.6: Enhanced blocks and a faster dashboard | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issues 
+           2.6k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| What we’re doing to get the Woo Block Theme ready for you | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Get started | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Call for testing: Experimental REST API Caching in WooCommerce 10.5 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Experimental Product Object Caching in WooCommerce 10.5 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Become a Marketplace partner | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Restricting per_page for Product and ProductReview Store API Requests in WooCommerce 10.6 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| March Office Hours: Testing, testing | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Wiki | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce 10.5.3: Dot release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| woocommerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Do not sell or share my personal information | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Mailchimp API Maintenance on February 28, 2026 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Community Forum | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| XSS Vulnerability in WooCommerce checkout & registration forms | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce 10.5.1: Dot Release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Call for Testing: WooCommerce MCP Beta | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce 10.5: Improving analytics and admin performance | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Store API Vulnerability Patched in WooCommerce 5.4+ – What You Need To Know | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Release Posts | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| GitHub Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| About | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Status | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| See all Developer Advisories | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| See all posts | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce 10.5.2: Dot Release | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Understanding the Interactivity API-driven future for WooCommerce Blocks | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| WooCommerce | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `` | - |
+| WooCommerce Block Theme: An update on our strategy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Join the Woo community on Slack | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Release downloads | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/frameworks/angular/INDEX.md
+++ b/07-framework-security/frameworks/angular/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `angular`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
- 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 总案例数: `2`
+- 近 30 天新增/更新: `1`
+- 重点 Markdown 案例数: `2`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:09+00:00`
+- 待人工/缺浏览器证据: `2`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -31,4 +31,5 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Angular vulnerable to XSS in i18n attribute bindings | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-17T01:31:35.828211Z` | [link](/Users/x/websafe/07-framework-security/frameworks/angular/cases/angular-cve-2026-32635.md) |
+| Angular i18n vulnerable to Cross-Site Scripting | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-28T06:24:33.665085Z` | [link](/Users/x/websafe/07-framework-security/frameworks/angular/cases/angular-cve-2026-27970.md) |
--- a/07-framework-security/frameworks/angular/cases/angular-cve-2026-27970.md
+++ b/07-framework-security/frameworks/angular/cases/angular-cve-2026-27970.md
@@ -0,0 +1,177 @@
+---
+title: "Angular i18n vulnerable to Cross-Site Scripting"
+system_id: "angular"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-02-27T18:33:16Z"
+updated_date: "2026-02-28T06:24:33.665085Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-27970"
+  - "GHSA-prjf-86w9-mfqv"
+affected_versions:
+  - "introduced=21.2.0-next.0, fixed<21.2.0"
+  - "introduced=21.0.0-next.0, fixed<21.1.6"
+  - "introduced=20.0.0-next.0, fixed<20.3.17"
+  - "introduced=19.0.0-next.0, fixed<19.2.19"
+  - "introduced=0, last_affected=18.2.14"
+fixed_versions:
+  - "21.2.0"
+  - "21.1.6"
+  - "20.3.17"
+  - "19.2.19"
+entity_refs:
+  - "angular:system:root-system"
+  - "angular--package--angular-core:package:affected-component"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "template-injection-guard"
+  - "csp-trusted-types"
+  - "token-cookie-storage"
+primary_source: "https://github.com/angular/angular/security/advisories/GHSA-prjf-86w9-mfqv"
+---
+
+# Angular i18n vulnerable to Cross-Site Scripting
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `angular--CVE-2026-27970`
+- 系统: `angular`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/angular/angular/security/advisories/GHSA-prjf-86w9-mfqv
+- 影响版本: `introduced=21.2.0-next.0, fixed<21.2.0, introduced=21.0.0-next.0, fixed<21.1.6, introduced=20.0.0-next.0, fixed<20.3.17, introduced=19.0.0-next.0, fixed<19.2.19, introduced=0, last_affected=18.2.14`
+- 修复版本: `21.2.0, 21.1.6, 20.3.17, 19.2.19`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `angular / core`
+- Entity Refs: `angular, angular--package--angular-core`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/angular/angular/security/advisories/GHSA-prjf-86w9-mfqv, https://nvd.nist.gov/vuln/detail/CVE-2026-27970, https://github.com/angular/angular/pull/67183, https://github.com/angular/angular/commit/306f367899dfc2e04238fecd3455547b5d54075d, https://github.com/angular/angular/commit/7d58b798c626bb0e4e5f89ca8affdce4f352b232`
+
+## 受控验证流程
+
+- Workflow ID: `angular--CVE-2026-27970--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2026-27970
+- https://github.com/angular/angular/pull/67183
+- https://github.com/angular/angular/commit/306f367899dfc2e04238fecd3455547b5d54075d
+- https://github.com/angular/angular/commit/7d58b798c626bb0e4e5f89ca8affdce4f352b232
+- https://github.com/angular/angular/commit/b85830953281ff3a1a77bbfe69019d352d509c93
+- https://angular.dev/best-practices/security#enforcing-trusted-types
+- https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
+- https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
+- https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/XSS
+- https://github.com/angular/angular
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=21.2.0-next.0, fixed<21.2.0, introduced=21.0.0-next.0, fixed<21.1.6, introduced=20.0.0-next.0, fixed<20.3.17` 升级或回移到 `21.2.0`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:template-injection-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/template-injection-guard.md)
+- [nodejs:template-injection-guard](/Users/x/websafe/05-defense/secure-code/nodejs/template-injection-guard.md)
+- [java:template-injection-guard](/Users/x/websafe/05-defense/secure-code/java/template-injection-guard.md)
+- [php:template-injection-guard](/Users/x/websafe/05-defense/secure-code/php/template-injection-guard.md)
+- [python:template-injection-guard](/Users/x/websafe/05-defense/secure-code/python/template-injection-guard.md)
+- [ruby:template-injection-guard](/Users/x/websafe/05-defense/secure-code/ruby/template-injection-guard.md)
+- [csharp:template-injection-guard](/Users/x/websafe/05-defense/secure-code/csharp/template-injection-guard.md)
+- [go:template-injection-guard](/Users/x/websafe/05-defense/secure-code/go/template-injection-guard.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/angular/cases/angular-cve-2026-32635.md
+++ b/07-framework-security/frameworks/angular/cases/angular-cve-2026-32635.md
@@ -0,0 +1,175 @@
+---
+title: "Angular vulnerable to XSS in i18n attribute bindings"
+system_id: "angular"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-03-13T20:56:18Z"
+updated_date: "2026-03-17T01:31:35.828211Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-32635"
+  - "GHSA-g93w-mfhg-p222"
+affected_versions:
+  - "introduced=22.0.0-next.0, fixed<22.0.0-next.3"
+  - "introduced=21.0.0-next.0, fixed<21.2.4"
+  - "introduced=20.0.0-next.0.0.0, fixed<20.3.18"
+  - "introduced=19.0.0-next.0, fixed<19.2.20"
+  - "introduced=17.0.0-next.0, last_affected=18.2.14"
+fixed_versions:
+  - "22.0.0-next.3"
+  - "21.2.4"
+  - "20.3.18"
+  - "19.2.20"
+entity_refs:
+  - "angular:system:root-system"
+  - "angular--package--angular-core:package:affected-component"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "template-injection-guard"
+  - "csp-trusted-types"
+  - "token-cookie-storage"
+primary_source: "https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222"
+---
+
+# Angular vulnerable to XSS in i18n attribute bindings
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `angular--CVE-2026-32635`
+- 系统: `angular`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222
+- 影响版本: `introduced=22.0.0-next.0, fixed<22.0.0-next.3, introduced=21.0.0-next.0, fixed<21.2.4, introduced=20.0.0-next.0.0.0, fixed<20.3.18, introduced=19.0.0-next.0, fixed<19.2.20, introduced=17.0.0-next.0, last_affected=18.2.14`
+- 修复版本: `22.0.0-next.3, 21.2.4, 20.3.18, 19.2.20`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `angular / core`
+- Entity Refs: `angular, angular--package--angular-core`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222, https://nvd.nist.gov/vuln/detail/CVE-2026-32635, https://github.com/angular/angular/pull/67541, https://github.com/angular/angular/pull/67561, https://github.com/angular/angular/commit/224e60ecb1b90115baa702f1c06edc1d64d86187`
+
+## 受控验证流程
+
+- Workflow ID: `angular--CVE-2026-32635--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2026-32635
+- https://github.com/angular/angular/pull/67541
+- https://github.com/angular/angular/pull/67561
+- https://github.com/angular/angular/commit/224e60ecb1b90115baa702f1c06edc1d64d86187
+- https://github.com/angular/angular/commit/78dea55351fb305b33a919c43a6b363137eca166
+- https://github.com/angular/angular/commit/8630319f74c9575a21693d875cc7d5252516146d
+- https://github.com/angular/angular/commit/ed2d324f9cc12aab6cfa0569ef10b73243a62c65
+- https://github.com/angular/angular
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=22.0.0-next.0, fixed<22.0.0-next.3, introduced=21.0.0-next.0, fixed<21.2.4, introduced=20.0.0-next.0.0.0, fixed<20.3.18` 升级或回移到 `22.0.0-next.3`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:template-injection-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/template-injection-guard.md)
+- [nodejs:template-injection-guard](/Users/x/websafe/05-defense/secure-code/nodejs/template-injection-guard.md)
+- [java:template-injection-guard](/Users/x/websafe/05-defense/secure-code/java/template-injection-guard.md)
+- [php:template-injection-guard](/Users/x/websafe/05-defense/secure-code/php/template-injection-guard.md)
+- [python:template-injection-guard](/Users/x/websafe/05-defense/secure-code/python/template-injection-guard.md)
+- [ruby:template-injection-guard](/Users/x/websafe/05-defense/secure-code/ruby/template-injection-guard.md)
+- [csharp:template-injection-guard](/Users/x/websafe/05-defense/secure-code/csharp/template-injection-guard.md)
+- [go:template-injection-guard](/Users/x/websafe/05-defense/secure-code/go/template-injection-guard.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/aspnet-core/INDEX.md
+++ b/07-framework-security/frameworks/aspnet-core/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `aspnet-core`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
- 近 30 天新增/更新: `0`
+- 总案例数: `3`
+- 近 30 天新增/更新: `1`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:10+00:00`
+- 待人工/缺浏览器证据: `3`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -24,10 +24,13 @@

 ## 来源

+- `official` [OSV ASP.NET Core](https://osv.dev/) (mode=core)
 - `official` [NVD ASP.NET Core](https://nvd.nist.gov/vuln/search) (keyword=ASP.NET Core; mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2026-26130 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2026-03-11T13:53:20.707` | - |
+| CVE-2020-1045 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2026-02-23T18:23:07.950` | - |
+| CVE-2020-1597 | `high` | `triage` | `triage-manual` | `synthetic` | `official` | `2026-02-23T18:25:45.733` | - |
--- a/07-framework-security/frameworks/astro/INDEX.md
+++ b/07-framework-security/frameworks/astro/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `astro`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
- 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 总案例数: `15`
+- 近 30 天新增/更新: `1`
+- 重点 Markdown 案例数: `15`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:09+00:00`
+- 待人工/缺浏览器证据: `15`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -31,4 +31,18 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Astro: Remote allowlist bypass via unanchored matchPathname wildcard | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-26T19:01:26.420643Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2026-33769.md) |
+| Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T02:27:12.689316Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-66202.md) |
+| Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-11-27T08:33:26.119485Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-65019.md) |
+| Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T03:01:27.986221Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-64765.md) |
+| Astro vulnerable to reflected XSS via the server islands feature | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-11-20T14:43:59.624508Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-64764.md) |
+| Astro Development Server has Arbitrary Local File Read | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-11-20T14:43:59.558170Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-64757.md) |
+| Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-11-13T22:46:24Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-64525.md) |
+| Astro development server error page is vulnerable to reflected Cross-site Scripting | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-11-27T08:22:31.471739Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-64745.md) |
+| Astro's bypass of image proxy domain validation leads to SSRF and potential XSS | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-10-29T14:48:45Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-59837.md) |
+| Astro's `X-Forwarded-Host` is reflected without validation | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-10-11T00:12:31.565977Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-61925.md) |
+| Astro allows unauthorized third-party images in _image endpoint | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-11-27T08:22:36.525875Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-55303.md) |
+| Astros's duplicate trailing slash feature leads to an open redirection security issue | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-11-27T08:35:13.558198Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2025-54793.md) |
+| Astro's server source code is exposed to the public if sourcemaps are enabled | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-11-27T08:18:38.026555Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2024-56159.md) |
+| Atro CSRF Middleware Bypass (security.checkOrigin) | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-11-27T08:18:05.038082Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2024-56140.md) |
+| DOM Clobbering Gadget found in astro's client-side router that leads to XSS | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2025-11-27T08:16:37.087731Z` | [link](/Users/x/websafe/07-framework-security/frameworks/astro/cases/astro-cve-2024-47885.md) |
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2024-47885.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2024-47885.md
@@ -0,0 +1,184 @@
+---
+title: "DOM Clobbering Gadget found in astro's client-side router that leads to XSS"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2024-10-14T20:02:21Z"
+updated_date: "2025-11-27T08:16:37.087731Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2024-47885"
+  - "GHSA-m85w-3h95-hcf9"
+affected_versions:
+  - "introduced=3.0.0, fixed<4.16.1"
+fixed_versions:
+  - "4.16.1"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--module--astro:module:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "dom-sink-hardening"
+  - "plugin-extension-trust-policy"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-m85w-3h95-hcf9"
+---
+
+# DOM Clobbering Gadget found in astro's client-side router that leads to XSS
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2024-47885`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-m85w-3h95-hcf9
+- 影响版本: `introduced=3.0.0, fixed<4.16.1`
+- 修复版本: `4.16.1`
+
+## 对象与版本映射
+
+- Advisory Scope: `module`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--module--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-m85w-3h95-hcf9, https://nvd.nist.gov/vuln/detail/CVE-2024-47885, https://github.com/withastro/astro/commit/a4ffbfaa5cb460c12bd486fd75e36147f51d3e5e, https://github.com/withastro/astro, https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2024-47885--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2024-47885
+- https://github.com/withastro/astro/commit/a4ffbfaa5cb460c12bd486fd75e36147f51d3e5e
+- https://github.com/withastro/astro
+- https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+- 插件/扩展管理日志、安装日志与版本清单
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+- 插件目录、主题目录或扩展配置表中的测试样本
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=3.0.0, fixed<4.16.1` 升级或回移到 `4.16.1`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dom-sink-hardening.md)
+- [nodejs:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/nodejs/dom-sink-hardening.md)
+- [java:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/java/dom-sink-hardening.md)
+- [php:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/php/dom-sink-hardening.md)
+- [python:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/python/dom-sink-hardening.md)
+- [ruby:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/ruby/dom-sink-hardening.md)
+- [csharp:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/csharp/dom-sink-hardening.md)
+- [go:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/go/dom-sink-hardening.md)
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2024-56140.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2024-56140.md
@@ -0,0 +1,175 @@
+---
+title: "Atro CSRF Middleware Bypass (security.checkOrigin)"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2024-12-18T15:02:37Z"
+updated_date: "2025-11-27T08:18:05.038082Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2024-56140"
+  - "GHSA-c4pw-33h3-35xw"
+affected_versions:
+  - "introduced=0, fixed<4.16.17"
+fixed_versions:
+  - "4.16.17"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw"
+---
+
+# Atro CSRF Middleware Bypass (security.checkOrigin)
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2024-56140`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw
+- 影响版本: `introduced=0, fixed<4.16.17`
+- 修复版本: `4.16.17`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw, https://nvd.nist.gov/vuln/detail/CVE-2024-56140, https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de, https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2024-56140--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2024-56140
+- https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de
+- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
+- https://github.com/withastro/astro
+- https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<4.16.17` 升级或回移到 `4.16.17`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2024-56159.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2024-56159.md
@@ -0,0 +1,160 @@
+---
+title: "Astro's server source code is exposed to the public if sourcemaps are enabled"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2024-12-19T15:12:33Z"
+updated_date: "2025-11-27T08:18:38.026555Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2024-56159"
+  - "GHSA-49w6-73cw-chjr"
+affected_versions:
+  - "introduced=5.0.0-alpha.0, fixed<5.0.8"
+  - "introduced=0, fixed<4.16.18"
+fixed_versions:
+  - "5.0.8"
+  - "4.16.18"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr"
+---
+
+# Astro's server source code is exposed to the public if sourcemaps are enabled
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2024-56159`
+- 系统: `astro`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr
+- 影响版本: `introduced=5.0.0-alpha.0, fixed<5.0.8, introduced=0, fixed<4.16.18`
+- 修复版本: `5.0.8, 4.16.18`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr, https://nvd.nist.gov/vuln/detail/CVE-2024-56159, https://github.com/withastro/astro/issues/12703, https://github.com/withastro/astro/commit/039d022b1bbaacf9ea83071d27affc5318e0e515, https://github.com/withastro/astro/commit/c879f501ff01b1a3c577de776a1f7100d78f8dd5`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2024-56159--workflow`
+- 漏洞家族: `file-upload`
+- 入口面: `upload-or-import-surface`
+- 需要角色: `authenticated-uploader`
+- 触发向量: 对 `file-upload` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/upload, /import, /plugin/install`
+- 输入形态: 提交受控非执行样本，验证扩展名、MIME、落盘与执行权限。
+- 预期不安全行为: 上传样本被错误接受、可访问或位于可执行路径。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2024-56159
+- https://github.com/withastro/astro/issues/12703
+- https://github.com/withastro/astro/commit/039d022b1bbaacf9ea83071d27affc5318e0e515
+- https://github.com/withastro/astro/commit/c879f501ff01b1a3c577de776a1f7100d78f8dd5
+- https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50
+- https://github.com/withastro/astro
+- https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=5.0.0-alpha.0, fixed<5.0.8, introduced=0, fixed<4.16.18` 升级或回移到 `5.0.8`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `file-upload` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-54793.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-54793.md
@@ -0,0 +1,145 @@
+---
+title: "Astros's duplicate trailing slash feature leads to an open redirection security issue"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-08-07T16:41:55Z"
+updated_date: "2025-11-27T08:35:13.558198Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-54793"
+  - "GHSA-cq8c-xv66-36gw"
+affected_versions:
+  - "introduced=5.2.0, fixed<5.12.8"
+fixed_versions:
+  - "5.12.8"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw"
+---
+
+# Astros's duplicate trailing slash feature leads to an open redirection security issue
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-54793`
+- 系统: `astro`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw
+- 影响版本: `introduced=5.2.0, fixed<5.12.8`
+- 修复版本: `5.12.8`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw, https://nvd.nist.gov/vuln/detail/CVE-2025-54793, https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-54793--workflow`
+- 漏洞家族: `unknown`
+- 入口面: `package-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/package`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-54793
+- https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f
+- https://github.com/withastro/astro
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=5.2.0, fixed<5.12.8` 升级或回移到 `5.12.8`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-55303.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-55303.md
@@ -0,0 +1,158 @@
+---
+title: "Astro allows unauthorized third-party images in _image endpoint"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-08-19T15:40:31Z"
+updated_date: "2025-11-27T08:22:36.525875Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-55303"
+  - "GHSA-xf8x-j4p2-f749"
+affected_versions:
+  - "introduced=5.0.0-alpha.0, fixed<5.13.2"
+  - "introduced=0, fixed<9.1.1"
+  - "introduced=0, fixed<4.16.19"
+fixed_versions:
+  - "5.13.2"
+  - "9.1.1"
+  - "4.16.19"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
+---
+
+# Astro allows unauthorized third-party images in _image endpoint
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-55303`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749
+- 影响版本: `introduced=5.0.0-alpha.0, fixed<5.13.2, introduced=0, fixed<9.1.1, introduced=0, fixed<4.16.19`
+- 修复版本: `5.13.2, 9.1.1, 4.16.19`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749, https://nvd.nist.gov/vuln/detail/CVE-2025-55303, https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-55303--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-55303
+- https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820
+- https://github.com/withastro/astro
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=5.0.0-alpha.0, fixed<5.13.2, introduced=0, fixed<9.1.1, introduced=0, fixed<4.16.19` 升级或回移到 `5.13.2`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-59837.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-59837.md
@@ -0,0 +1,173 @@
+---
+title: "Astro's bypass of image proxy domain validation leads to SSRF and potential XSS"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-10-28T17:45:04Z"
+updated_date: "2025-10-29T14:48:45Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-59837"
+  - "GHSA-qcpr-679q-rhm2"
+affected_versions:
+  - "introduced=5.13.4, fixed<5.13.10"
+fixed_versions:
+  - "5.13.10"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "ssrf-url-validation"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2"
+---
+
+# Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-59837`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
+- 影响版本: `introduced=5.13.4, fixed<5.13.10`
+- 修复版本: `5.13.10`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2, https://nvd.nist.gov/vuln/detail/CVE-2025-59837, https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4, https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-59837--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-59837
+- https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
+- https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
+- https://github.com/withastro/astro
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=5.13.4, fixed<5.13.10` 升级或回移到 `5.13.10`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-61925.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-61925.md
@@ -0,0 +1,156 @@
+---
+title: "Astro's `X-Forwarded-Host` is reflected without validation"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-10-10T23:41:29Z"
+updated_date: "2025-10-11T00:12:31.565977Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-61925"
+  - "GHSA-5ff5-9fcw-vg88"
+affected_versions:
+  - "introduced=0, fixed<5.14.3"
+fixed_versions:
+  - "5.14.3"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88"
+---
+
+# Astro's `X-Forwarded-Host` is reflected without validation
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-61925`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88
+- 影响版本: `introduced=0, fixed<5.14.3`
+- 修复版本: `5.14.3`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88, https://nvd.nist.gov/vuln/detail/CVE-2025-61925, https://github.com/withastro/astro/commit/6ee63bfac4856f21b4d4633021b3d2ee059e553f, https://github.com/Chisnet/minimal_dynamic_astro_server, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-61925--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-61925
+- https://github.com/withastro/astro/commit/6ee63bfac4856f21b4d4633021b3d2ee059e553f
+- https://github.com/Chisnet/minimal_dynamic_astro_server
+- https://github.com/withastro/astro
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<5.14.3` 升级或回移到 `5.14.3`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-64525.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-64525.md
@@ -0,0 +1,192 @@
+---
+title: "Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-13T22:46:24Z"
+updated_date: "2025-11-13T22:46:24Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-64525"
+  - "GHSA-hr2q-hp5q-x767"
+affected_versions:
+  - "introduced=2.16.0, fixed<5.15.5"
+fixed_versions:
+  - "5.15.5"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "ssrf-url-validation"
+  - "dependency-upgrade-policy"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767"
+---
+
+# Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-64525`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767
+- 影响版本: `introduced=2.16.0, fixed<5.15.5`
+- 修复版本: `5.15.5`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767, https://nvd.nist.gov/vuln/detail/CVE-2025-64525, https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4, https://github.com/withastro/astro, https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-64525--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64525
+- https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4
+- https://github.com/withastro/astro
+- https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121
+- https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=2.16.0, fixed<5.15.5` 升级或回移到 `5.15.5`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-64745.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-64745.md
@@ -0,0 +1,174 @@
+---
+title: "Astro development server error page is vulnerable to reflected Cross-site Scripting"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-13T22:38:30Z"
+updated_date: "2025-11-27T08:22:31.471739Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-64745"
+  - "GHSA-w2vj-39qv-7vh7"
+affected_versions:
+  - "introduced=5.2.0, fixed<5.15.6"
+fixed_versions:
+  - "5.15.6"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7"
+---
+
+# Astro development server error page is vulnerable to reflected Cross-site Scripting
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-64745`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7
+- 影响版本: `introduced=5.2.0, fixed<5.15.6`
+- 修复版本: `5.15.6`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7, https://nvd.nist.gov/vuln/detail/CVE-2025-64745, https://github.com/withastro/astro/pull/12994, https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-64745--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64745
+- https://github.com/withastro/astro/pull/12994
+- https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91
+- https://github.com/withastro/astro
+- https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=5.2.0, fixed<5.15.6` 升级或回移到 `5.15.6`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-64757.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-64757.md
@@ -0,0 +1,163 @@
+---
+title: "Astro Development Server has Arbitrary Local File Read"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-19T19:43:05Z"
+updated_date: "2025-11-20T14:43:59.558170Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-64757"
+  - "GHSA-x3h8-62x9-952g"
+affected_versions:
+  - "introduced=0, fixed<5.14.3"
+fixed_versions:
+  - "5.14.3"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "path-traversal-guard"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g"
+---
+
+# Astro Development Server has Arbitrary Local File Read
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-64757`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g
+- 影响版本: `introduced=0, fixed<5.14.3`
+- 修复版本: `5.14.3`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g, https://nvd.nist.gov/vuln/detail/CVE-2025-64757, https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-64757--workflow`
+- 漏洞家族: `path-traversal`
+- 入口面: `file-read-or-download-path`
+- 需要角色: `anonymous-or-low-privileged`
+- 触发向量: 对 `path-traversal` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/download, /assets, /attachment`
+- 输入形态: 提交规范化路径片段，验证根目录限制与标准化处理。
+- 预期不安全行为: 可读取、列出或访问根目录之外资源。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64757
+- https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7
+- https://github.com/withastro/astro
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<5.14.3` 升级或回移到 `5.14.3`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `path-traversal` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/path-traversal-guard.md)
+- [nodejs:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/nodejs/path-traversal-guard.md)
+- [java:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/java/path-traversal-guard.md)
+- [php:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/php/path-traversal-guard.md)
+- [python:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/python/path-traversal-guard.md)
+- [ruby:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/ruby/path-traversal-guard.md)
+- [csharp:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/csharp/path-traversal-guard.md)
+- [go:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/go/path-traversal-guard.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-64764.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-64764.md
@@ -0,0 +1,174 @@
+---
+title: "Astro vulnerable to reflected XSS via the server islands feature"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-19T20:00:14Z"
+updated_date: "2025-11-20T14:43:59.624508Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-64764"
+  - "GHSA-wrwg-2hg8-v723"
+affected_versions:
+  - "introduced=0, fixed<5.15.8"
+fixed_versions:
+  - "5.15.8"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--module--astro:module:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "plugin-extension-trust-policy"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723"
+---
+
+# Astro vulnerable to reflected XSS via the server islands feature
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-64764`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723
+- 影响版本: `introduced=0, fixed<5.15.8`
+- 修复版本: `5.15.8`
+
+## 对象与版本映射
+
+- Advisory Scope: `module`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--module--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723, https://nvd.nist.gov/vuln/detail/CVE-2025-64764, https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-64764--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64764
+- https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91
+- https://github.com/withastro/astro
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+- 插件/扩展管理日志、安装日志与版本清单
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+- 插件目录、主题目录或扩展配置表中的测试样本
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<5.15.8` 升级或回移到 `5.15.8`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-64765.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-64765.md
@@ -0,0 +1,172 @@
+---
+title: "Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-19T20:03:21Z"
+updated_date: "2026-02-04T03:01:27.986221Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-64765"
+  - "GHSA-ggxq-hp9w-j794"
+affected_versions:
+  - "introduced=0, fixed<5.15.8"
+fixed_versions:
+  - "5.15.8"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "plugin-extension-trust-policy"
+  - "dependency-upgrade-policy"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
+---
+
+# Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-64765`
+- 系统: `astro`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794
+- 影响版本: `introduced=0, fixed<5.15.8`
+- 修复版本: `5.15.8`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794, https://nvd.nist.gov/vuln/detail/CVE-2025-64765, https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-64765--workflow`
+- 漏洞家族: `file-upload`
+- 入口面: `upload-or-import-surface`
+- 需要角色: `authenticated-uploader`
+- 触发向量: 对 `file-upload` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/upload, /import, /plugin/install`
+- 输入形态: 提交受控非执行样本，验证扩展名、MIME、落盘与执行权限。
+- 预期不安全行为: 上传样本被错误接受、可访问或位于可执行路径。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64765
+- https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce
+- https://github.com/withastro/astro
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<5.15.8` 升级或回移到 `5.15.8`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `file-upload` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-65019.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-65019.md
@@ -0,0 +1,190 @@
+---
+title: "Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-19T20:09:12Z"
+updated_date: "2025-11-27T08:33:26.119485Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-65019"
+  - "GHSA-fvmw-cj7j-j39q"
+affected_versions:
+  - "introduced=0, fixed<5.15.9"
+fixed_versions:
+  - "5.15.9"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "plugin-extension-trust-policy"
+  - "dependency-upgrade-policy"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q"
+---
+
+# Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-65019`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q
+- 影响版本: `introduced=0, fixed<5.15.9`
+- 修复版本: `5.15.9`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q, https://nvd.nist.gov/vuln/detail/CVE-2025-65019, https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-65019--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-65019
+- https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533
+- https://github.com/withastro/astro
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<5.15.9` 升级或回移到 `5.15.9`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2025-66202.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2025-66202.md
@@ -0,0 +1,157 @@
+---
+title: "Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-12-08T16:26:43Z"
+updated_date: "2026-02-04T02:27:12.689316Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-66202"
+  - "GHSA-whqg-ppgf-wp8c"
+affected_versions:
+  - "introduced=0, fixed<5.15.8"
+fixed_versions:
+  - "5.15.8"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
+---
+
+# Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-66202`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794
+- 影响版本: `introduced=0, fixed<5.15.8`
+- 修复版本: `5.15.8`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794, https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c, https://nvd.nist.gov/vuln/detail/CVE-2025-64765, https://nvd.nist.gov/vuln/detail/CVE-2025-66202, https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2025-66202--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64765
+- https://nvd.nist.gov/vuln/detail/CVE-2025-66202
+- https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce
+- https://github.com/withastro/astro
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<5.15.8` 升级或回移到 `5.15.8`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
--- a/07-framework-security/frameworks/astro/cases/astro-cve-2026-33769.md
+++ b/07-framework-security/frameworks/astro/cases/astro-cve-2026-33769.md
@@ -0,0 +1,162 @@
+---
+title: "Astro: Remote allowlist bypass via unanchored matchPathname wildcard"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-03-26T18:45:17Z"
+updated_date: "2026-03-26T19:01:26.420643Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-33769"
+  - "GHSA-g735-7g2w-hh3f"
+affected_versions:
+  - "introduced=2.10.10, fixed<5.18.1"
+fixed_versions:
+  - "5.18.1"
+entity_refs:
+  - "astro:system:root-system"
+  - "astro--project--astro:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "ssrf-url-validation"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f"
+---
+
+# Astro: Remote allowlist bypass via unanchored matchPathname wildcard
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2026-33769`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f
+- 影响版本: `introduced=2.10.10, fixed<5.18.1`
+- 修复版本: `5.18.1`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `astro`
+- Entity Refs: `astro, astro--project--astro`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f, https://nvd.nist.gov/vuln/detail/CVE-2026-33769, https://github.com/withastro/astro`
+
+## 受控验证流程
+
+- Workflow ID: `astro--CVE-2026-33769--workflow`
+- 漏洞家族: `ssrf`
+- 入口面: `remote-fetch-or-webhook-endpoint`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `ssrf` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/webhook/test, /remote-fetch, /import-url`
+- 输入形态: 提交受控回环或哨兵 URL，验证协议、主机、IP 与重定向限制。
+- 预期不安全行为: 服务端向受控目标发起非预期请求。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2026-33769
+- https://github.com/withastro/astro
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=2.10.10, fixed<5.18.1` 升级或回移到 `5.18.1`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `ssrf` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
--- a/07-framework-security/frameworks/django/INDEX.md
+++ b/07-framework-security/frameworks/django/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `django`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
- 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 总案例数: `82`
+- 近 30 天新增/更新: `3`
+- 重点 Markdown 案例数: `5`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:10+00:00`
+- 待人工/缺浏览器证据: `82`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -25,10 +25,93 @@
 ## 来源

 - `official` [Django Security RSS](https://www.djangoproject.com/weblog/feeds/tags/security/) (mode=core)
+- `official` [Django Security Weblog](https://www.djangoproject.com/weblog/) (mode=core)
+- `official` [Django Security Releases Archive](https://docs.djangoproject.com/en/dev/releases/security/) (mode=core)
 - `official` [OSV Django](https://osv.dev/) (mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Django vulnerable to Uncontrolled Resource Consumption | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-06T19:44:13.458245Z` | [link](/Users/x/websafe/07-framework-security/frameworks/django/cases/django-cve-2026-25673.md) |
+| Django has a Race Condition vulnerability | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-06T19:44:14.996605Z` | [link](/Users/x/websafe/07-framework-security/frameworks/django/cases/django-cve-2026-25674.md) |
+| Django has Inefficient Algorithmic Complexity | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-22T23:41:06.153879Z` | [link](/Users/x/websafe/07-framework-security/frameworks/django/cases/django-cve-2025-14550.md) |
+| Django has Inefficient Algorithmic Complexity | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-22T23:26:02.134436Z` | [link](/Users/x/websafe/07-framework-security/frameworks/django/cases/django-cve-2026-1285.md) |
+| XSS in jQuery as used in Drupal, Backdrop CMS, and other products | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-13T21:56:20.301637Z` | [link](/Users/x/websafe/07-framework-security/frameworks/django/cases/django-cve-2019-11358.md) |
+| March 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| May 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| April 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Google Summer of Code 2026 with Django | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| June 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 2026 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 5.2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Next | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 5.1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| December 2022 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| September 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Plan to Adopt Contributor Covenant 3 as Django’s New Code of Conduct | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 5.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Djangonaut Space - Session 6 Accepting Applications | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Django Steering Council 2025 Year in Review | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| February 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| May 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| December 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 4.2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| September 2022 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| September 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| November 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 2.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| March 2026 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| April 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| February 2026 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| February 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| DSF member of the month -  Baptiste Mispelon | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| October 2022 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 1.10 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| March 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| October 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| September 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| June 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Django security releases issued: 6.0.3, 5.2.12, and 4.2.29 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3.2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| August 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| April 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| May 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 6.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| January 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| January 2026 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 2.1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| December 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| October 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| July 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| August 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| DSF member of the month -  Theresa Seyram Agbenyegah | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| November 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3.1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| June 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 4.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 2.2 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| July 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 4.1 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| March 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| November 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| February 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Recent trends in the work of the Django Security Team | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| January 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 1.8 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| DSF member of the month - Omar Abou Mrad | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 2022 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| December 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| November 2022 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| October 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 1.11 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| January 2025 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| August 2023 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to main content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to main content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| July 2024 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/frameworks/django/cases/django-cve-2019-11358.md
+++ b/07-framework-security/frameworks/django/cases/django-cve-2019-11358.md
@@ -0,0 +1,195 @@
+---
+title: "XSS in jQuery as used in Drupal, Backdrop CMS, and other products"
+system_id: "django"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2019-04-26T16:29:11Z"
+updated_date: "2026-03-13T21:56:20.301637Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2019-11358"
+  - "DRUPAL-CORE-2019-006"
+  - "GHSA-6c3j-c64m-qhgq"
+affected_versions:
+  - "0.1.1"
+  - "0.1.2"
+  - "0.1.3"
+  - "0.2"
+  - "0.2.1"
+  - "0.2.2"
+  - "0.2.3"
+  - "0.2.4"
+  - "0.2.5"
+  - "0.2.6"
+  - "0.2.7"
+  - "1.0"
+  - "1.0.1"
+  - "1.0.10"
+  - "1.0.11"
+  - "1.0.12"
+  - "1.0.13"
+  - "1.0.14"
+  - "1.0.15"
+  - "1.0.16"
+fixed_versions:
+  - "3.4.0"
+  - "4.3.4"
+  - "2.1.9"
+  - "2.2.2"
+  - "1.19.0"
+entity_refs:
+  - "django:system:root-system"
+  - "django--project--django:project:affected-component"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "path-traversal-guard"
+  - "file-upload-validation"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
+---
+
+# XSS in jQuery as used in Drupal, Backdrop CMS, and other products
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `django--CVE-2019-11358`
+- 系统: `django`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2019-11358
+- 影响版本: `0.1.1, 0.1.2, 0.1.3, 0.2, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6`
+- 修复版本: `3.4.0, 4.3.4, 2.1.9, 2.2.2, 1.19.0`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `django`
+- Entity Refs: `django, django--project--django`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2019-11358, https://github.com/maximebf/php-debugbar/issues/447, https://github.com/jquery/jquery/pull/4333, https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc, https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f`
+
+## 受控验证流程
+
+- Workflow ID: `django--CVE-2019-11358--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://github.com/maximebf/php-debugbar/issues/447
+- https://github.com/jquery/jquery/pull/4333
+- https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc
+- https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f
+- https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829
+- https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad
+- https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5
+- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA
+- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI
+- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO
+- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP
+- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F
+- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5
+- https://seclists.org/bugtraq/2019/Apr/32
+- https://seclists.org/bugtraq/2019/Jun/12
+- https://seclists.org/bugtraq/2019/May/18
+- https://www.tenable.com/security/tns-2020-02
+- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F
+- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `0.1.1, 0.1.2, 0.1.3` 升级或回移到 `3.4.0`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/path-traversal-guard.md)
+- [nodejs:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/nodejs/path-traversal-guard.md)
+- [java:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/java/path-traversal-guard.md)
+- [php:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/php/path-traversal-guard.md)
+- [python:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/python/path-traversal-guard.md)
+- [ruby:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/ruby/path-traversal-guard.md)
+- [csharp:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/csharp/path-traversal-guard.md)
+- [go:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/go/path-traversal-guard.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
--- a/07-framework-security/frameworks/django/cases/django-cve-2025-14550.md
+++ b/07-framework-security/frameworks/django/cases/django-cve-2025-14550.md
@@ -0,0 +1,178 @@
+---
+title: "Django has Inefficient Algorithmic Complexity"
+system_id: "django"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-02-03T15:30:23Z"
+updated_date: "2026-02-22T23:41:06.153879Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "BIT-django-2025-14550"
+  - "CVE-2025-14550"
+  - "GHSA-33mw-q7rj-mjwj"
+affected_versions:
+  - "6.0"
+  - "6.0.1"
+  - "6.0a1"
+  - "6.0b1"
+  - "6.0rc1"
+  - "5.2"
+  - "5.2.1"
+  - "5.2.10"
+  - "5.2.2"
+  - "5.2.3"
+  - "5.2.4"
+  - "5.2.5"
+  - "5.2.6"
+  - "5.2.7"
+  - "5.2.8"
+  - "5.2.9"
+  - "5.2a1"
+  - "5.2b1"
+  - "5.2rc1"
+  - "4.2"
+fixed_versions:
+  - "6.0.2"
+  - "5.2.11"
+  - "4.2.28"
+entity_refs:
+  - "django:system:root-system"
+  - "django--project--django:project:affected-component"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "path-traversal-guard"
+  - "file-upload-validation"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2025-14550"
+---
+
+# Django has Inefficient Algorithmic Complexity
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `django--CVE-2025-14550`
+- 系统: `django`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2025-14550
+- 影响版本: `6.0, 6.0.1, 6.0a1, 6.0b1, 6.0rc1, 5.2, 5.2.1, 5.2.10, 5.2.2, 5.2.3`
+- 修复版本: `6.0.2, 5.2.11, 4.2.28`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `django`
+- Entity Refs: `django, django--project--django`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2025-14550, https://github.com/django/django/commit/eb22e1d6d643360e952609ef562c139a100ea4eb, https://docs.djangoproject.com/en/dev/releases/security, https://github.com/django/django, https://groups.google.com/g/django-announce`
+
+## 受控验证流程
+
+- Workflow ID: `django--CVE-2025-14550--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://github.com/django/django/commit/eb22e1d6d643360e952609ef562c139a100ea4eb
+- https://docs.djangoproject.com/en/dev/releases/security
+- https://github.com/django/django
+- https://groups.google.com/g/django-announce
+- https://www.djangoproject.com/weblog/2026/feb/03/security-releases
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `6.0, 6.0.1, 6.0a1` 升级或回移到 `6.0.2`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/path-traversal-guard.md)
+- [nodejs:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/nodejs/path-traversal-guard.md)
+- [java:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/java/path-traversal-guard.md)
+- [php:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/php/path-traversal-guard.md)
+- [python:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/python/path-traversal-guard.md)
+- [ruby:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/ruby/path-traversal-guard.md)
+- [csharp:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/csharp/path-traversal-guard.md)
+- [go:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/go/path-traversal-guard.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
--- a/07-framework-security/frameworks/django/cases/django-cve-2026-1285.md
+++ b/07-framework-security/frameworks/django/cases/django-cve-2026-1285.md
@@ -0,0 +1,178 @@
+---
+title: "Django has Inefficient Algorithmic Complexity"
+system_id: "django"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-02-03T15:30:23Z"
+updated_date: "2026-02-22T23:26:02.134436Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "BIT-django-2026-1285"
+  - "CVE-2026-1285"
+  - "GHSA-4rrr-2h4v-f3j9"
+affected_versions:
+  - "6.0"
+  - "6.0.1"
+  - "6.0a1"
+  - "6.0b1"
+  - "6.0rc1"
+  - "5.2"
+  - "5.2.1"
+  - "5.2.10"
+  - "5.2.2"
+  - "5.2.3"
+  - "5.2.4"
+  - "5.2.5"
+  - "5.2.6"
+  - "5.2.7"
+  - "5.2.8"
+  - "5.2.9"
+  - "5.2a1"
+  - "5.2b1"
+  - "5.2rc1"
+  - "4.2"
+fixed_versions:
+  - "6.0.2"
+  - "5.2.11"
+  - "4.2.28"
+entity_refs:
+  - "django:system:root-system"
+  - "django--project--django:project:affected-component"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "path-traversal-guard"
+  - "file-upload-validation"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-1285"
+---
+
+# Django has Inefficient Algorithmic Complexity
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `django--CVE-2026-1285`
+- 系统: `django`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-1285
+- 影响版本: `6.0, 6.0.1, 6.0a1, 6.0b1, 6.0rc1, 5.2, 5.2.1, 5.2.10, 5.2.2, 5.2.3`
+- 修复版本: `6.0.2, 5.2.11, 4.2.28`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `django`
+- Entity Refs: `django, django--project--django`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-1285, https://github.com/django/django/commit/a33540b3e20b5d759aa8b2e4b9ca0e8edd285344, https://docs.djangoproject.com/en/dev/releases/security, https://github.com/django/django, https://groups.google.com/g/django-announce`
+
+## 受控验证流程
+
+- Workflow ID: `django--CVE-2026-1285--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://github.com/django/django/commit/a33540b3e20b5d759aa8b2e4b9ca0e8edd285344
+- https://docs.djangoproject.com/en/dev/releases/security
+- https://github.com/django/django
+- https://groups.google.com/g/django-announce
+- https://www.djangoproject.com/weblog/2026/feb/03/security-releases
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `6.0, 6.0.1, 6.0a1` 升级或回移到 `6.0.2`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/path-traversal-guard.md)
+- [nodejs:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/nodejs/path-traversal-guard.md)
+- [java:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/java/path-traversal-guard.md)
+- [php:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/php/path-traversal-guard.md)
+- [python:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/python/path-traversal-guard.md)
+- [ruby:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/ruby/path-traversal-guard.md)
+- [csharp:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/csharp/path-traversal-guard.md)
+- [go:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/go/path-traversal-guard.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
--- a/07-framework-security/frameworks/django/cases/django-cve-2026-25673.md
+++ b/07-framework-security/frameworks/django/cases/django-cve-2026-25673.md
@@ -0,0 +1,177 @@
+---
+title: "Django vulnerable to Uncontrolled Resource Consumption"
+system_id: "django"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-03-03T15:31:41Z"
+updated_date: "2026-03-06T19:44:13.458245Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "BIT-django-2026-25673"
+  - "CVE-2026-25673"
+  - "GHSA-8p8v-wh79-9r56"
+affected_versions:
+  - "6.0"
+  - "6.0.1"
+  - "6.0.2"
+  - "5.2"
+  - "5.2.1"
+  - "5.2.10"
+  - "5.2.11"
+  - "5.2.2"
+  - "5.2.3"
+  - "5.2.4"
+  - "5.2.5"
+  - "5.2.6"
+  - "5.2.7"
+  - "5.2.8"
+  - "5.2.9"
+  - "4.2"
+  - "4.2.1"
+  - "4.2.10"
+  - "4.2.11"
+  - "4.2.12"
+fixed_versions:
+  - "6.0.3"
+  - "5.2.12"
+  - "4.2.29"
+entity_refs:
+  - "django:system:root-system"
+  - "django--project--django:project:affected-component"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "path-traversal-guard"
+  - "file-upload-validation"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-25673"
+---
+
+# Django vulnerable to Uncontrolled Resource Consumption
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `django--CVE-2026-25673`
+- 系统: `django`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-25673
+- 影响版本: `6.0, 6.0.1, 6.0.2, 5.2, 5.2.1, 5.2.10, 5.2.11, 5.2.2, 5.2.3, 5.2.4`
+- 修复版本: `6.0.3, 5.2.12, 4.2.29`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `django`
+- Entity Refs: `django, django--project--django`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-25673, https://docs.djangoproject.com/en/dev/releases/security, https://github.com/django/django, https://groups.google.com/g/django-announce, https://www.djangoproject.com/weblog/2026/mar/03/security-releases`
+
+## 受控验证流程
+
+- Workflow ID: `django--CVE-2026-25673--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://docs.djangoproject.com/en/dev/releases/security
+- https://github.com/django/django
+- https://groups.google.com/g/django-announce
+- https://www.djangoproject.com/weblog/2026/mar/03/security-releases
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `6.0, 6.0.1, 6.0.2` 升级或回移到 `6.0.3`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/path-traversal-guard.md)
+- [nodejs:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/nodejs/path-traversal-guard.md)
+- [java:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/java/path-traversal-guard.md)
+- [php:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/php/path-traversal-guard.md)
+- [python:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/python/path-traversal-guard.md)
+- [ruby:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/ruby/path-traversal-guard.md)
+- [csharp:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/csharp/path-traversal-guard.md)
+- [go:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/go/path-traversal-guard.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
--- a/07-framework-security/frameworks/django/cases/django-cve-2026-25674.md
+++ b/07-framework-security/frameworks/django/cases/django-cve-2026-25674.md
@@ -0,0 +1,177 @@
+---
+title: "Django has a Race Condition vulnerability"
+system_id: "django"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-03-03T15:31:41Z"
+updated_date: "2026-03-06T19:44:14.996605Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "BIT-django-2026-25674"
+  - "CVE-2026-25674"
+  - "GHSA-mjgh-79qc-68w3"
+affected_versions:
+  - "6.0"
+  - "6.0.1"
+  - "6.0.2"
+  - "5.2"
+  - "5.2.1"
+  - "5.2.10"
+  - "5.2.11"
+  - "5.2.2"
+  - "5.2.3"
+  - "5.2.4"
+  - "5.2.5"
+  - "5.2.6"
+  - "5.2.7"
+  - "5.2.8"
+  - "5.2.9"
+  - "4.2"
+  - "4.2.1"
+  - "4.2.10"
+  - "4.2.11"
+  - "4.2.12"
+fixed_versions:
+  - "6.0.3"
+  - "5.2.12"
+  - "4.2.29"
+entity_refs:
+  - "django:system:root-system"
+  - "django--project--django:project:affected-component"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "path-traversal-guard"
+  - "file-upload-validation"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-25674"
+---
+
+# Django has a Race Condition vulnerability
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `django--CVE-2026-25674`
+- 系统: `django`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-25674
+- 影响版本: `6.0, 6.0.1, 6.0.2, 5.2, 5.2.1, 5.2.10, 5.2.11, 5.2.2, 5.2.3, 5.2.4`
+- 修复版本: `6.0.3, 5.2.12, 4.2.29`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `django`
+- Entity Refs: `django, django--project--django`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-25674, https://docs.djangoproject.com/en/dev/releases/security, https://github.com/django/django, https://groups.google.com/g/django-announce, https://www.djangoproject.com/weblog/2026/mar/03/security-releases`
+
+## 受控验证流程
+
+- Workflow ID: `django--CVE-2026-25674--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://docs.djangoproject.com/en/dev/releases/security
+- https://github.com/django/django
+- https://groups.google.com/g/django-announce
+- https://www.djangoproject.com/weblog/2026/mar/03/security-releases
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `6.0, 6.0.1, 6.0.2` 升级或回移到 `6.0.3`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/path-traversal-guard.md)
+- [nodejs:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/nodejs/path-traversal-guard.md)
+- [java:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/java/path-traversal-guard.md)
+- [php:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/php/path-traversal-guard.md)
+- [python:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/python/path-traversal-guard.md)
+- [ruby:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/ruby/path-traversal-guard.md)
+- [csharp:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/csharp/path-traversal-guard.md)
+- [go:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/go/path-traversal-guard.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
--- a/07-framework-security/frameworks/echo/INDEX.md
+++ b/07-framework-security/frameworks/echo/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `echo`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `2`
 - 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 重点 Markdown 案例数: `2`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:10+00:00`
+- 待人工/缺浏览器证据: `2`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -30,4 +30,5 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Open redirect in github.com/labstack/echo/v4 | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2024-05-20T16:03:47Z` | [link](/Users/x/websafe/07-framework-security/frameworks/echo/cases/echo-cve-2022-40083.md) |
+| Directory traversal on Windows in github.com/labstack/echo/v4 | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2024-05-20T16:03:47Z` | [link](/Users/x/websafe/07-framework-security/frameworks/echo/cases/echo-cve-2020-36565.md) |
--- a/07-framework-security/frameworks/echo/cases/echo-cve-2020-36565.md
+++ b/07-framework-security/frameworks/echo/cases/echo-cve-2020-36565.md
@@ -0,0 +1,154 @@
+---
+title: "Directory traversal on Windows in github.com/labstack/echo/v4"
+system_id: "echo"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2021-04-14T20:04:52Z"
+updated_date: "2024-05-20T16:03:47Z"
+severity: "unknown"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2020-36565"
+  - "GHSA-j453-hm5x-c46w"
+  - "GO-2021-0051"
+affected_versions:
+  - "introduced=0, fixed<4.1.18-0.20201215153152-4422e3b66b9f"
+fixed_versions:
+  - "4.1.18-0.20201215153152-4422e3b66b9f"
+entity_refs:
+  - "echo:system:root-system"
+  - "echo--repo--github-com-labstack-echo-v4:repo:affected-component"
+secure_code_topics:
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+  - "path-traversal-guard"
+primary_source: "https://github.com/labstack/echo/pull/1718"
+---
+
+# Directory traversal on Windows in github.com/labstack/echo/v4
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `echo--CVE-2020-36565`
+- 系统: `echo`
+- 严重度: `unknown`
+- 来源置信度: `official`
+- 官方主源: https://github.com/labstack/echo/pull/1718
+- 影响版本: `introduced=0, fixed<4.1.18-0.20201215153152-4422e3b66b9f`
+- 修复版本: `4.1.18-0.20201215153152-4422e3b66b9f`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `labstack / echo / v4`
+- Entity Refs: `echo, echo--repo--github-com-labstack-echo-v4`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/labstack/echo/pull/1718, https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa`
+
+## 受控验证流程
+
+- Workflow ID: `echo--CVE-2020-36565--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<4.1.18-0.20201215153152-4422e3b66b9f` 升级或回移到 `4.1.18-0.20201215153152-4422e3b66b9f`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/path-traversal-guard.md)
+- [nodejs:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/nodejs/path-traversal-guard.md)
+- [java:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/java/path-traversal-guard.md)
+- [php:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/php/path-traversal-guard.md)
+- [python:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/python/path-traversal-guard.md)
+- [ruby:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/ruby/path-traversal-guard.md)
+- [csharp:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/csharp/path-traversal-guard.md)
+- [go:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/go/path-traversal-guard.md)
--- a/07-framework-security/frameworks/echo/cases/echo-cve-2022-40083.md
+++ b/07-framework-security/frameworks/echo/cases/echo-cve-2022-40083.md
@@ -0,0 +1,153 @@
+---
+title: "Open redirect in github.com/labstack/echo/v4"
+system_id: "echo"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2022-10-11T21:29:24Z"
+updated_date: "2024-05-20T16:03:47Z"
+severity: "unknown"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2022-40083"
+  - "GHSA-crxj-hrmp-4rwf"
+  - "GO-2022-1031"
+affected_versions:
+  - "introduced=0, fixed<4.9.0"
+fixed_versions:
+  - "4.9.0"
+entity_refs:
+  - "echo:system:root-system"
+  - "echo--repo--github-com-labstack-echo-v4:repo:affected-component"
+secure_code_topics:
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+  - "ssrf-url-validation"
+primary_source: "https://github.com/labstack/echo/issues/2259"
+---
+
+# Open redirect in github.com/labstack/echo/v4
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `echo--CVE-2022-40083`
+- 系统: `echo`
+- 严重度: `unknown`
+- 来源置信度: `official`
+- 官方主源: https://github.com/labstack/echo/issues/2259
+- 影响版本: `introduced=0, fixed<4.9.0`
+- 修复版本: `4.9.0`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `labstack / echo / v4`
+- Entity Refs: `echo, echo--repo--github-com-labstack-echo-v4`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/labstack/echo/issues/2259, https://github.com/labstack/echo/pull/2260`
+
+## 受控验证流程
+
+- Workflow ID: `echo--CVE-2022-40083--workflow`
+- 漏洞家族: `ssrf`
+- 入口面: `remote-fetch-or-webhook-endpoint`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `ssrf` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/webhook/test, /remote-fetch, /import-url`
+- 输入形态: 提交受控回环或哨兵 URL，验证协议、主机、IP 与重定向限制。
+- 预期不安全行为: 服务端向受控目标发起非预期请求。
+
+## 其他来源
+
+- https://github.com/labstack/echo/pull/2260
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<4.9.0` 升级或回移到 `4.9.0`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `ssrf` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
--- a/07-framework-security/frameworks/esbuild/INDEX.md
+++ b/07-framework-security/frameworks/esbuild/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `esbuild`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `1`
 - 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 重点 Markdown 案例数: `1`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:10+00:00`
+- 待人工/缺浏览器证据: `1`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,9 +26,10 @@

 - `official` [GitHub Global Advisories](https://github.com/advisories) (ecosystem=npm; mode=core)
 - `official` [OSV esbuild](https://osv.dev/) (mode=core)
+- `ecosystem-authority` [NVD esbuild](https://nvd.nist.gov/vuln/search) (keyword=esbuild; mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| esbuild enables any website to send any requests to the development server and read the response | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-04T02:50:58.022803Z` | [link](/Users/x/websafe/07-framework-security/frameworks/esbuild/cases/esbuild-ghsa-67mh-4wv8-2f99.md) |
--- a/07-framework-security/frameworks/esbuild/cases/esbuild-ghsa-67mh-4wv8-2f99.md
+++ b/07-framework-security/frameworks/esbuild/cases/esbuild-ghsa-67mh-4wv8-2f99.md
@@ -0,0 +1,143 @@
+---
+title: "esbuild enables any website to send any requests to the development server and read the response"
+system_id: "esbuild"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-02-10T17:48:07Z"
+updated_date: "2026-02-04T02:50:58.022803Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "GHSA-67mh-4wv8-2f99"
+affected_versions:
+  - "introduced=0, fixed<0.25.0"
+fixed_versions:
+  - "0.25.0"
+entity_refs:
+  - "esbuild:system:root-system"
+  - "esbuild--project--esbuild:project:affected-component"
+secure_code_topics:
+  - "dependency-upgrade-policy"
+  - "file-upload-validation"
+primary_source: "https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99"
+---
+
+# esbuild enables any website to send any requests to the development server and read the response
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `esbuild--GHSA-67mh-4wv8-2f99`
+- 系统: `esbuild`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99
+- 影响版本: `introduced=0, fixed<0.25.0`
+- 修复版本: `0.25.0`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `esbuild`
+- Entity Refs: `esbuild, esbuild--project--esbuild`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99, https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d, https://github.com/evanw/esbuild`
+
+## 受控验证流程
+
+- Workflow ID: `esbuild--GHSA-67mh-4wv8-2f99--workflow`
+- 漏洞家族: `file-upload`
+- 入口面: `upload-or-import-surface`
+- 需要角色: `authenticated-uploader`
+- 触发向量: 对 `file-upload` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/upload, /import, /plugin/install`
+- 输入形态: 提交受控非执行样本，验证扩展名、MIME、落盘与执行权限。
+- 预期不安全行为: 上传样本被错误接受、可访问或位于可执行路径。
+
+## 其他来源
+
+- https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d
+- https://github.com/evanw/esbuild
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<0.25.0` 升级或回移到 `0.25.0`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `file-upload` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
--- a/07-framework-security/frameworks/express/INDEX.md
+++ b/07-framework-security/frameworks/express/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `express`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
- 近 30 天新增/更新: `0`
+- 总案例数: `1`
+- 近 30 天新增/更新: `1`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:09+00:00`
+- 待人工/缺浏览器证据: `1`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,9 +26,10 @@

 - `official` [GitHub Global Advisories](https://github.com/advisories) (ecosystem=npm; mode=core)
 - `official` [OSV Express](https://osv.dev/) (mode=core)
+- `ecosystem-authority` [NVD Express.js](https://nvd.nist.gov/vuln/search) (keyword=Express.js; mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2025-67731 | `high` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-17T19:40:55.690` | - |
--- a/07-framework-security/frameworks/fastify/INDEX.md
+++ b/07-framework-security/frameworks/fastify/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `fastify`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
- 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 总案例数: `2`
+- 近 30 天新增/更新: `2`
+- 重点 Markdown 案例数: `2`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:09+00:00`
+- 待人工/缺浏览器证据: `2`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -31,4 +31,5 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-25T19:48:38.788319Z` | [link](/Users/x/websafe/07-framework-security/frameworks/fastify/cases/fastify-cve-2026-3635.md) |
+| Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-16T03:05:26.332715Z` | [link](/Users/x/websafe/07-framework-security/frameworks/fastify/cases/fastify-cve-2026-3419.md) |
--- a/07-framework-security/frameworks/fastify/cases/fastify-cve-2026-3419.md
+++ b/07-framework-security/frameworks/fastify/cases/fastify-cve-2026-3419.md
@@ -0,0 +1,167 @@
+---
+title: "Fastify's Missing End Anchor in 'subtypeNameReg' Allows Malformed Content-Types to Pass Validation"
+system_id: "fastify"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-03-05T21:29:54Z"
+updated_date: "2026-03-16T03:05:26.332715Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-3419"
+  - "GHSA-573f-x89g-hqp9"
+affected_versions:
+  - "introduced=5.7.2, fixed<5.8.1"
+fixed_versions:
+  - "5.8.1"
+entity_refs:
+  - "fastify:system:root-system"
+  - "fastify--project--fastify:project:affected-component"
+secure_code_topics:
+  - "proxy-trust-boundary"
+  - "ssrf-url-validation"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+primary_source: "https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9"
+---
+
+# Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `fastify--CVE-2026-3419`
+- 系统: `fastify`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9
+- 影响版本: `introduced=5.7.2, fixed<5.8.1`
+- 修复版本: `5.8.1`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `fastify`
+- Entity Refs: `fastify, fastify--project--fastify`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9, https://nvd.nist.gov/vuln/detail/CVE-2026-3419, https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7, https://cna.openjsf.org/security-advisories.html, https://github.com/advisories/GHSA-573f-x89g-hqp9`
+
+## 受控验证流程
+
+- Workflow ID: `fastify--CVE-2026-3419--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2026-3419
+- https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7
+- https://cna.openjsf.org/security-advisories.html
+- https://github.com/advisories/GHSA-573f-x89g-hqp9
+- https://github.com/fastify/fastify
+- https://httpwg.org/specs/rfc9110.html#field.content-type
+- https://www.cve.org/CVERecord?id=CVE-2026-3419
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=5.7.2, fixed<5.8.1` 升级或回移到 `5.8.1`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/fastify/cases/fastify-cve-2026-3635.md
+++ b/07-framework-security/frameworks/fastify/cases/fastify-cve-2026-3635.md
@@ -0,0 +1,166 @@
+---
+title: "fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections"
+system_id: "fastify"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-03-25T19:32:28Z"
+updated_date: "2026-03-25T19:48:38.788319Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-3635"
+  - "GHSA-444r-cwp2-x5xf"
+affected_versions:
+  - "introduced=0, fixed<5.8.3"
+fixed_versions:
+  - "5.8.3"
+entity_refs:
+  - "fastify:system:root-system"
+  - "fastify--project--fastify:project:affected-component"
+secure_code_topics:
+  - "proxy-trust-boundary"
+  - "ssrf-url-validation"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+primary_source: "https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf"
+---
+
+# fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `fastify--CVE-2026-3635`
+- 系统: `fastify`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf
+- 影响版本: `introduced=0, fixed<5.8.3`
+- 修复版本: `5.8.3`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `fastify`
+- Entity Refs: `fastify, fastify--project--fastify`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf, https://nvd.nist.gov/vuln/detail/CVE-2026-3635, https://cna.openjsf.org/security-advisories.html, https://github.com/fastify/fastify, https://github.com/fastify/fastify/releases/tag/v5.8.3`
+
+## 受控验证流程
+
+- Workflow ID: `fastify--CVE-2026-3635--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2026-3635
+- https://cna.openjsf.org/security-advisories.html
+- https://github.com/fastify/fastify
+- https://github.com/fastify/fastify/releases/tag/v5.8.3
+- https://www.cve.org/CVERecord?id=CVE-2026-3635
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<5.8.3` 升级或回移到 `5.8.3`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/flask/INDEX.md
+++ b/07-framework-security/frameworks/flask/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `flask`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `1`
 - 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 重点 Markdown 案例数: `1`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:10+00:00`
+- 待人工/缺浏览器证据: `1`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -31,4 +31,4 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Flask session does not add `Vary: Cookie` header when accessed in some ways | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-23T23:43:45.778179Z` | [link](/Users/x/websafe/07-framework-security/frameworks/flask/cases/flask-cve-2026-27205.md) |
--- a/07-framework-security/frameworks/flask/cases/flask-cve-2026-27205.md
+++ b/07-framework-security/frameworks/flask/cases/flask-cve-2026-27205.md
@@ -0,0 +1,183 @@
+---
+title: "Flask session does not add `Vary: Cookie` header when accessed in some ways"
+system_id: "flask"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-02-19T20:45:41Z"
+updated_date: "2026-02-23T23:43:45.778179Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-27205"
+  - "GHSA-68rp-wp8r-4726"
+affected_versions:
+  - "0.1"
+  - "0.10"
+  - "0.10.1"
+  - "0.11"
+  - "0.11.1"
+  - "0.12"
+  - "0.12.1"
+  - "0.12.2"
+  - "0.12.3"
+  - "0.12.4"
+  - "0.12.5"
+  - "0.2"
+  - "0.3"
+  - "0.3.1"
+  - "0.4"
+  - "0.5"
+  - "0.5.1"
+  - "0.5.2"
+  - "0.6"
+  - "0.6.1"
+fixed_versions:
+  - "3.1.3"
+entity_refs:
+  - "flask:system:root-system"
+  - "flask--project--flask:project:affected-component"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "ssrf-url-validation"
+  - "token-cookie-storage"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726"
+---
+
+# Flask session does not add `Vary: Cookie` header when accessed in some ways
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `flask--CVE-2026-27205`
+- 系统: `flask`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
+- 影响版本: `0.1, 0.10, 0.10.1, 0.11, 0.11.1, 0.12, 0.12.1, 0.12.2, 0.12.3, 0.12.4`
+- 修复版本: `3.1.3`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `flask`
+- Entity Refs: `flask, flask--project--flask`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726, https://nvd.nist.gov/vuln/detail/CVE-2026-27205, https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4, https://github.com/pallets/flask, https://github.com/pallets/flask/releases/tag/3.1.3`
+
+## 受控验证流程
+
+- Workflow ID: `flask--CVE-2026-27205--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2026-27205
+- https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
+- https://github.com/pallets/flask
+- https://github.com/pallets/flask/releases/tag/3.1.3
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `0.1, 0.10, 0.10.1` 升级或回移到 `3.1.3`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
--- a/07-framework-security/frameworks/gin/INDEX.md
+++ b/07-framework-security/frameworks/gin/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `gin`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
- 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 总案例数: `1`
+- 近 30 天新增/更新: `1`
+- 重点 Markdown 案例数: `1`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:10+00:00`
+- 待人工/缺浏览器证据: `1`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -30,4 +30,4 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Inconsistent Interpretation of HTTP Requests in github.com/gin-gonic/gin | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-14T10:41:18.820930Z` | [link](/Users/x/websafe/07-framework-security/frameworks/gin/cases/gin-cve-2020-28483.md) |
--- a/07-framework-security/frameworks/gin/cases/gin-cve-2020-28483.md
+++ b/07-framework-security/frameworks/gin/cases/gin-cve-2020-28483.md
@@ -0,0 +1,169 @@
+---
+title: "Inconsistent Interpretation of HTTP Requests in github.com/gin-gonic/gin"
+system_id: "gin"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2021-06-23T17:53:21Z"
+updated_date: "2026-03-14T10:41:18.820930Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2020-28483"
+  - "GO-2021-0052"
+  - "GHSA-h395-qcrw-5vmq"
+affected_versions:
+  - "introduced=0, fixed<1.7.7"
+fixed_versions:
+  - "1.7.7"
+entity_refs:
+  - "gin:system:root-system"
+  - "gin--repo--github-com-gin-gonic-gin:repo:affected-component"
+secure_code_topics:
+  - "proxy-trust-boundary"
+  - "xss-output-encoding"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2020-28483"
+---
+
+# Inconsistent Interpretation of HTTP Requests in github.com/gin-gonic/gin
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `gin--CVE-2020-28483`
+- 系统: `gin`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2020-28483
+- 影响版本: `introduced=0, fixed<1.7.7`
+- 修复版本: `1.7.7`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `gin-gonic / gin`
+- Entity Refs: `gin, gin--repo--github-com-gin-gonic-gin`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2020-28483, https://github.com/gin-gonic/gin/issues/2862, https://github.com/gin-gonic/gin/issues/2232, https://github.com/gin-gonic/gin/issues/2473, https://github.com/gin-gonic/gin/pull/2474`
+
+## 受控验证流程
+
+- Workflow ID: `gin--CVE-2020-28483--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://github.com/gin-gonic/gin/issues/2862
+- https://github.com/gin-gonic/gin/issues/2232
+- https://github.com/gin-gonic/gin/issues/2473
+- https://github.com/gin-gonic/gin/pull/2474
+- https://github.com/gin-gonic/gin/pull/2474#23issuecomment-729696437
+- https://github.com/gin-gonic/gin/pull/2632
+- https://github.com/gin-gonic/gin/pull/2675
+- https://github.com/gin-gonic/gin/pull/2844
+- https://github.com/gin-gonic/gin/pull/2844/files#diff-e6ce689a25eaef174c2dd51fe869fabbe04a6c6afbd416b23eda138c82e761baR1432
+- https://github.com/gin-gonic/gin/commit/03e5e05ae089bc989f1ca41841f05504d29e3fd9
+- https://github.com/gin-gonic/gin/commit/5929d521715610c9dd14898ebbe1d188d5de8937
+- https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711
+- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736
+- https://pkg.go.dev/vuln/GO-2021-0052
+- https://github.com/gin-gonic/gin/releases/tag/v1.7.7
+- https://github.com/gin-gonic/gin/releases/tag/v1.7.0
+- https://github.com/gin-gonic/gin
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<1.7.7` 升级或回移到 `1.7.7`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
--- a/07-framework-security/frameworks/hapi/INDEX.md
+++ b/07-framework-security/frameworks/hapi/INDEX.md
@@ -4,15 +4,15 @@

 - 系统 ID: `hapi`
 - 分类: `frameworks`
- 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 覆盖策略: `history-full`
+- 总案例数: `1`
 - 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 重点 Markdown 案例数: `1`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:09+00:00`
+- 待人工/缺浏览器证据: `1`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -31,4 +31,4 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Denial of Service in @hapi/hapi | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2020-08-31T19:00:56Z` | [link](/Users/x/websafe/07-framework-security/frameworks/hapi/cases/hapi-ghsa-23vw-mhv5-grv5.md) |
--- a/07-framework-security/frameworks/hapi/README.md
+++ b/07-framework-security/frameworks/hapi/README.md
@@ -3,7 +3,7 @@
 > `LAB ONLY` | `AUTHORIZED TARGETS ONLY`

 - 分类: `frameworks`
- 覆盖层级: `rolling-24m`
+- 覆盖层级: `history-full`
 - Advisory 模式: core
 - 输出目录: `07-framework-security/frameworks/hapi`
 - 修复主题: proxy-trust-boundary, token-cookie-storage
--- a/07-framework-security/frameworks/hapi/cases/hapi-ghsa-23vw-mhv5-grv5.md
+++ b/07-framework-security/frameworks/hapi/cases/hapi-ghsa-23vw-mhv5-grv5.md
@@ -0,0 +1,145 @@
+---
+title: "Denial of Service in @hapi/hapi"
+system_id: "hapi"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2020-09-03T15:48:43Z"
+updated_date: "2020-08-31T19:00:56Z"
+severity: "unknown"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "GHSA-23vw-mhv5-grv5"
+affected_versions:
+  - "introduced=0, fixed<18.4.1"
+  - "introduced=19.0.0, fixed<19.1.1"
+fixed_versions:
+  - "18.4.1"
+  - "19.1.1"
+entity_refs:
+  - "hapi:system:root-system"
+  - "hapi--package--hapi-hapi:package:affected-component"
+secure_code_topics:
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+primary_source: "https://www.npmjs.com/advisories/1482"
+---
+
+# Denial of Service in @hapi/hapi
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `hapi--GHSA-23vw-mhv5-grv5`
+- 系统: `hapi`
+- 严重度: `unknown`
+- 来源置信度: `official`
+- 官方主源: https://www.npmjs.com/advisories/1482
+- 影响版本: `introduced=0, fixed<18.4.1, introduced=19.0.0, fixed<19.1.1`
+- 修复版本: `18.4.1, 19.1.1`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `hapi / hapi`
+- Entity Refs: `hapi, hapi--package--hapi-hapi`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://www.npmjs.com/advisories/1482`
+
+## 受控验证流程
+
+- Workflow ID: `hapi--GHSA-23vw-mhv5-grv5--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- 无额外来源
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<18.4.1, introduced=19.0.0, fixed<19.1.1` 升级或回移到 `18.4.1`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/koa/INDEX.md
+++ b/07-framework-security/frameworks/koa/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `koa`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `1`
 - 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 重点 Markdown 案例数: `1`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:09+00:00`
+- 待人工/缺浏览器证据: `1`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -31,4 +31,4 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Koa has Host Header Injection via ctx.hostname | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-02-26T23:36:36.294040Z` | [link](/Users/x/websafe/07-framework-security/frameworks/koa/cases/koa-cve-2026-27959.md) |
--- a/07-framework-security/frameworks/koa/cases/koa-cve-2026-27959.md
+++ b/07-framework-security/frameworks/koa/cases/koa-cve-2026-27959.md
@@ -0,0 +1,166 @@
+---
+title: "Koa has Host Header Injection via ctx.hostname"
+system_id: "koa"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2026-02-26T22:42:57Z"
+updated_date: "2026-02-26T23:36:36.294040Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-27959"
+  - "GHSA-7gcc-r8m5-44qm"
+affected_versions:
+  - "introduced=3.0.0, fixed<3.1.2"
+  - "introduced=0, fixed<2.16.4"
+fixed_versions:
+  - "3.1.2"
+  - "2.16.4"
+entity_refs:
+  - "koa:system:root-system"
+  - "koa--project--koa:project:affected-component"
+secure_code_topics:
+  - "proxy-trust-boundary"
+  - "ssrf-url-validation"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+primary_source: "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"
+---
+
+# Koa has Host Header Injection via ctx.hostname
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `koa--CVE-2026-27959`
+- 系统: `koa`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm
+- 影响版本: `introduced=3.0.0, fixed<3.1.2, introduced=0, fixed<2.16.4`
+- 修复版本: `3.1.2, 2.16.4`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `koa`
+- Entity Refs: `koa, koa--project--koa`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm, https://nvd.nist.gov/vuln/detail/CVE-2026-27959, https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df, https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb, https://github.com/koajs/koa`
+
+## 受控验证流程
+
+- Workflow ID: `koa--CVE-2026-27959--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2026-27959
+- https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df
+- https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb
+- https://github.com/koajs/koa
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=3.0.0, fixed<3.1.2, introduced=0, fixed<2.16.4` 升级或回移到 `3.1.2`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/laravel/INDEX.md
+++ b/07-framework-security/frameworks/laravel/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `laravel`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
- 近 30 天新增/更新: `0`
- 重点 Markdown 案例数: `0`
+- 总案例数: `2`
+- 近 30 天新增/更新: `2`
+- 重点 Markdown 案例数: `2`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:10+00:00`
+- 待人工/缺浏览器证据: `2`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -31,4 +31,5 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| Laravel Framework XSS in Blade templating engine | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-13T22:01:16.767646Z` | [link](/Users/x/websafe/07-framework-security/frameworks/laravel/cases/laravel-cve-2021-43808.md) |
+| Query Binding Exploitation | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-13T22:15:34.333730Z` | [link](/Users/x/websafe/07-framework-security/frameworks/laravel/cases/laravel-cve-2021-21263.md) |
--- a/07-framework-security/frameworks/laravel/cases/laravel-cve-2021-21263.md
+++ b/07-framework-security/frameworks/laravel/cases/laravel-cve-2021-21263.md
@@ -0,0 +1,183 @@
+---
+title: "Query Binding Exploitation"
+system_id: "laravel"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2021-01-19T19:36:51Z"
+updated_date: "2026-03-13T22:15:34.333730Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "BIT-laravel-2021-21263"
+  - "CVE-2021-21263"
+  - "GHSA-3p32-j457-pg5x"
+affected_versions:
+  - "v8.0.0"
+  - "v8.0.1"
+  - "v8.0.2"
+  - "v8.0.3"
+  - "v8.0.4"
+  - "v8.1.0"
+  - "v8.10.0"
+  - "v8.11.0"
+  - "v8.11.1"
+  - "v8.11.2"
+  - "v8.12.0"
+  - "v8.12.1"
+  - "v8.12.2"
+  - "v8.12.3"
+  - "v8.13.0"
+  - "v8.14.0"
+  - "v8.15.0"
+  - "v8.16.0"
+  - "v8.16.1"
+  - "v8.17.0"
+fixed_versions:
+  - "8.22.1"
+  - "7.30.3"
+  - "6.20.12"
+  - "6.20.11"
+  - "7.30.2"
+entity_refs:
+  - "laravel:system:root-system"
+  - "laravel--package--laravel-framework:package:affected-component"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "authz-server-side-recheck"
+  - "file-upload-validation"
+primary_source: "https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x"
+---
+
+# Query Binding Exploitation
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `laravel--CVE-2021-21263`
+- 系统: `laravel`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x
+- 影响版本: `v8.0.0, v8.0.1, v8.0.2, v8.0.3, v8.0.4, v8.1.0, v8.10.0, v8.11.0, v8.11.1, v8.11.2`
+- 修复版本: `8.22.1, 7.30.3, 6.20.12, 6.20.11, 7.30.2`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `laravel / framework`
+- Entity Refs: `laravel, laravel--package--laravel-framework`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x, https://nvd.nist.gov/vuln/detail/CVE-2021-21263, https://github.com/laravel/framework/pull/35865, https://blog.laravel.com/security-laravel-62011-7302-8221-released, https://blog.laravel.com/security-laravel-62012-7303-released`
+
+## 受控验证流程
+
+- Workflow ID: `laravel--CVE-2021-21263--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2021-21263
+- https://github.com/laravel/framework/pull/35865
+- https://blog.laravel.com/security-laravel-62011-7302-8221-released
+- https://blog.laravel.com/security-laravel-62012-7303-released
+- https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/database/CVE-2021-21263.yaml
+- https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2021-21263.yaml
+- https://packagist.org/packages/illuminate/database
+- https://packagist.org/packages/laravel/framework
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `v8.0.0, v8.0.1, v8.0.2` 升级或回移到 `8.22.1`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
--- a/07-framework-security/frameworks/laravel/cases/laravel-cve-2021-43808.md
+++ b/07-framework-security/frameworks/laravel/cases/laravel-cve-2021-43808.md
@@ -0,0 +1,183 @@
+---
+title: "Laravel Framework XSS in Blade templating engine"
+system_id: "laravel"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2021-12-08T19:57:36Z"
+updated_date: "2026-03-13T22:01:16.767646Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2021-43808"
+  - "GHSA-66hf-2p6w-jqfw"
+affected_versions:
+  - "5.0.30"
+  - "5.2.41"
+  - "v4.0.0"
+  - "v4.0.0-BETA2"
+  - "v4.0.0-BETA3"
+  - "v4.0.0-BETA4"
+  - "v4.0.1"
+  - "v4.0.10"
+  - "v4.0.11"
+  - "v4.0.2"
+  - "v4.0.3"
+  - "v4.0.4"
+  - "v4.0.5"
+  - "v4.0.6"
+  - "v4.0.7"
+  - "v4.0.8"
+  - "v4.0.9"
+  - "v4.1.0"
+  - "v4.1.1"
+  - "v4.1.10"
+fixed_versions:
+  - "6.20.42"
+  - "7.30.6"
+  - "8.75.0"
+entity_refs:
+  - "laravel:system:root-system"
+  - "laravel--package--laravel-framework:package:affected-component"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "authz-server-side-recheck"
+  - "file-upload-validation"
+primary_source: "https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw"
+---
+
+# Laravel Framework XSS in Blade templating engine
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `laravel--CVE-2021-43808`
+- 系统: `laravel`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw
+- 影响版本: `5.0.30, 5.2.41, v4.0.0, v4.0.0-BETA2, v4.0.0-BETA3, v4.0.0-BETA4, v4.0.1, v4.0.10, v4.0.11, v4.0.2`
+- 修复版本: `6.20.42, 7.30.6, 8.75.0`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `laravel / framework`
+- Entity Refs: `laravel, laravel--package--laravel-framework`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw, https://nvd.nist.gov/vuln/detail/CVE-2021-43808, https://github.com/laravel/framework/pull/39906, https://github.com/laravel/framework/pull/39908, https://github.com/laravel/framework/pull/39909`
+
+## 受控验证流程
+
+- Workflow ID: `laravel--CVE-2021-43808--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2021-43808
+- https://github.com/laravel/framework/pull/39906
+- https://github.com/laravel/framework/pull/39908
+- https://github.com/laravel/framework/pull/39909
+- https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b
+- https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/view/CVE-2021-43808.yaml
+- https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2021-43808.yaml
+- https://github.com/laravel/framework
+- https://github.com/laravel/framework/releases/tag/v6.20.42
+- https://github.com/laravel/framework/releases/tag/v7.30.6
+- https://github.com/laravel/framework/releases/tag/v8.75.0
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `5.0.30, 5.2.41, v4.0.0` 升级或回移到 `6.20.42`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
--- a/07-framework-security/frameworks/nestjs/INDEX.md
+++ b/07-framework-security/frameworks/nestjs/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `nestjs`
 - 分类: `frameworks`
 - 覆盖策略: `rolling-24m`
- 总案例数: `0`
+- 总案例数: `2`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:09+00:00`
+- 待人工/缺浏览器证据: `2`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -26,9 +26,11 @@

 - `official` [GitHub Global Advisories](https://github.com/advisories) (ecosystem=npm; mode=core)
 - `official` [OSV NestJS](https://osv.dev/) (mode=core)
+- `ecosystem-authority` [NVD NestJS](https://nvd.nist.gov/vuln/search) (keyword=NestJS; mode=core)

 ## 案例列表

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |
+| CVE-2026-2293 | `unknown` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-02T20:30:10.923` | - |
+| CVE-2025-69211 | `high` | `triage` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-02-20T16:58:36.320` | - |
--- a/07-framework-security/frameworks/nextjs/INDEX.md
+++ b/07-framework-security/frameworks/nextjs/INDEX.md
@@ -5,14 +5,14 @@
 - 系统 ID: `nextjs`
 - 分类: `frameworks`
 - 覆盖策略: `history-full`
- 总案例数: `26`
- 近 30 天新增/更新: `5`
- 重点 Markdown 案例数: `26`
+- 总案例数: `66`
+- 近 30 天新增/更新: `11`
+- 重点 Markdown 案例数: `41`
 - 已实证(真实版本): `26`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
- 待人工/缺浏览器证据: `0`
- 最近渲染时间: `2026-03-18T04:06:08+00:00`
+- 待人工/缺浏览器证据: `40`
+- 最近渲染时间: `2026-04-02T09:18:51+00:00`

 ## 目标约束

@@ -32,8 +32,13 @@

 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
+| Next.js: HTTP request smuggling in rewrites | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-19T17:59:01.302251Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2026-29057.md) |
+| Next.js: Unbounded next/image disk cache growth can exhaust storage | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-19T18:47:09.413134Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2026-27980.md) |
+| Next.js: Unbounded postponed resume buffering can lead to DoS | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-19T18:48:06.587119Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2026-27979.md) |
+| Next.js: null origin can bypass Server Actions CSRF checks | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-19T18:31:23.523529Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2026-27978.md) |
+| Next.js: null origin can bypass dev HMR websocket CSRF checks | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-25T19:49:01.129152Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2026-27977.md) |
 | Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components | `low` | `generated` | `verified-real` | `real` | `official` | `2026-02-13T00:43:52.836085Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-ghsa-h25m-26qc-wcjf.md) |
-| Next.js has Unbounded Memory Consumption via PPR Resume Endpoint  | `low` | `generated` | `verified-real` | `real` | `official` | `2026-02-06T13:13:43.709252Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-59472.md) |
+| Next.js has Unbounded Memory Consumption via PPR Resume Endpoint  | `low` | `generated` | `verified-real` | `real` | `official` | `2026-04-01T17:31:03.347234Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-59472.md) |
 | Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration | `low` | `generated` | `verified-real` | `real` | `official` | `2026-02-10T01:28:46.973023Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-59471.md) |
 | Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up | `low` | `generated` | `verified-real` | `real` | `official` | `2026-02-04T02:46:38.768104Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-ghsa-5j59-xgg2-r9c4.md) |
 | Next Server Actions Source Code Exposure  | `low` | `generated` | `verified-real` | `real` | `official` | `2026-02-04T02:51:40.627151Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-ghsa-w37m-7fhw-fmv9.md) |
@@ -52,9 +57,48 @@
 | Next.js authorization bypass vulnerability | `low` | `generated` | `verified-real` | `real` | `official` | `2025-09-10T21:12:24Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-51479.md) |
 | Denial of Service condition in Next.js image optimization | `low` | `generated` | `verified-real` | `real` | `official` | `2026-02-04T03:25:43.295558Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-47831.md) |
 | Next.js Cache Poisoning | `low` | `generated` | `verified-real` | `real` | `official` | `2026-02-04T03:45:33.402195Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-46982.md) |
+| Next.js Denial of Service (DoS) condition | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2024-11-06T14:30:33Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-39693.md) |
 | Next.js Server-Side Request Forgery in Server Actions | `low` | `generated` | `verified-real` | `real` | `official` | `2026-02-04T03:32:36.434669Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-34351.md) |
+| Next.js Vulnerable to HTTP Request Smuggling | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2024-07-09T18:28:18Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-34350.md) |
+| Next.js missing cache-control header may lead to CDN caching empty reply | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2023-11-08T04:13:42.231979Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2023-46298.md) |
+| Unexpected server crash in Next.js | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2023-11-08T04:09:58.785797Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2022-36046.md) |
+| Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0 | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2023-11-08T04:08:26.298810Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2022-23646.md) |
+| Denial of Service Vulnerability in next.js | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2023-11-08T04:08:09.355091Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2022-21721.md) |
 | Unexpected server crash in Next.js. | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-13T22:00:36.554552Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-43803.md) |
 | XSS in Image Optimization API for Next.js | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-13T22:00:20.154452Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-39178.md) |
 | Open Redirect in Next.js | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-13T22:00:08.038285Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-37699.md) |
 | Open Redirect in Next.js versions | `low` | `generated` | `verified-real` | `real` | `official` | `2026-03-13T22:14:13.665535Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2020-15242.md) |
+| Remote Code Execution in next | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2022-04-28T19:57:43Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-ghsa-5vj8-3v2h-h38v.md) |
 | Directory Traversal in Next.js | `low` | `generated` | `verified-real` | `real` | `official` | `2025-09-26T17:49:56Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2020-5284.md) |
+| Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2023-11-08T04:00:05.061101Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2018-18282.md) |
+| Directory traversal vulnerability in Next.js | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2023-11-08T04:00:21.025418Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2018-6184.md) |
+| Next.js Directory Traversal Vulnerability | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2024-04-22T19:49:35Z` | [link](/Users/x/websafe/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2017-16877.md) |
+| Actions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Next | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign in | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Discussions | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Denial of Service in Partial Pre Rendering | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Denial of Service with Server Components - Incomplete Fix Follow-Up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| next.js | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 4 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| 3 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| null origin can bypass Server Actions CSRF checks | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Security 
+           36 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Insights | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Server Actions Source Code Exposure | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Star
+            138k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Denial of Service with Server Components | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Skip to content | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Sign up | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Denial of Service in Image Optimizer | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Unbounded next/image disk cache growth can exhaust storage | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Policy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| null origin can bypass dev HMR websocket CSRF checks | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| HTTP request smuggling in rewrites | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Pull requests 
+           1.4k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Unbounded postponed resume buffering can lead to DoS | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
+| Issues 
+           2.1k | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `` | - |
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2017-16877.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2017-16877.md
@@ -0,0 +1,164 @@
+---
+title: "Next.js Directory Traversal Vulnerability"
+system_id: "nextjs"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2017-12-05T02:04:14Z"
+updated_date: "2024-04-22T19:49:35Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-source"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2017-16877"
+  - "GHSA-3f5c-4qxj-vmpf"
+affected_versions:
+  - "introduced=1.0.0, fixed<2.4.1"
+fixed_versions:
+  - "2.4.1"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+  - "path-traversal-guard"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2017-16877"
+---
+
+# Next.js Directory Traversal Vulnerability
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-source`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `nextjs--CVE-2017-16877`
+- 系统: `nextjs`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2017-16877
+- 影响版本: `introduced=1.0.0, fixed<2.4.1`
+- 修复版本: `2.4.1`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2017-16877, https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00, https://github.com/zeit/next.js, https://github.com/zeit/next.js/releases/tag/2.4.1`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2017-16877--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00
+- https://github.com/zeit/next.js
+- https://github.com/zeit/next.js/releases/tag/2.4.1
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=1.0.0, fixed<2.4.1` 升级或回移到 `2.4.1`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/path-traversal-guard.md)
+- [nodejs:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/nodejs/path-traversal-guard.md)
+- [java:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/java/path-traversal-guard.md)
+- [php:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/php/path-traversal-guard.md)
+- [python:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/python/path-traversal-guard.md)
+- [ruby:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/ruby/path-traversal-guard.md)
+- [csharp:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/csharp/path-traversal-guard.md)
+- [go:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/go/path-traversal-guard.md)
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2018-18282.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2018-18282.md
@@ -0,0 +1,163 @@
+---
+title: "Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page"
+system_id: "nextjs"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2018-10-15T21:43:12Z"
+updated_date: "2023-11-08T04:00:05.061101Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-source"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2018-18282"
+  - "GHSA-qw96-mm2g-c8m7"
+affected_versions:
+  - "introduced=7.0.0, fixed<7.0.2"
+fixed_versions:
+  - "7.0.2"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+  - "xss-output-encoding"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2018-18282"
+---
+
+# Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-source`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `nextjs--CVE-2018-18282`
+- 系统: `nextjs`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2018-18282
+- 影响版本: `introduced=7.0.0, fixed<7.0.2`
+- 修复版本: `7.0.2`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2018-18282, https://github.com/advisories/GHSA-qw96-mm2g-c8m7, https://github.com/zeit/next.js, https://github.com/zeit/next.js/releases/tag/7.0.2`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2018-18282--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-qw96-mm2g-c8m7
+- https://github.com/zeit/next.js
+- https://github.com/zeit/next.js/releases/tag/7.0.2
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=7.0.0, fixed<7.0.2` 升级或回移到 `7.0.2`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2018-6184.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2018-6184.md
@@ -0,0 +1,164 @@
+---
+title: "Directory traversal vulnerability in Next.js"
+system_id: "nextjs"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2018-01-24T19:38:52Z"
+updated_date: "2023-11-08T04:00:21.025418Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-source"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2018-6184"
+  - "GHSA-m34x-wgrh-g897"
+affected_versions:
+  - "introduced=1.0.0, fixed<4.2.3"
+fixed_versions:
+  - "4.2.3"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+  - "path-traversal-guard"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2018-6184"
+---
+
+# Directory traversal vulnerability in Next.js
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-source`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `nextjs--CVE-2018-6184`
+- 系统: `nextjs`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2018-6184
+- 影响版本: `introduced=1.0.0, fixed<4.2.3`
+- 修复版本: `4.2.3`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2018-6184, https://github.com/advisories/GHSA-m34x-wgrh-g897, https://github.com/vercel/next.js/releases/tag/4.2.3, https://github.com/zeit/next.js`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2018-6184--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-m34x-wgrh-g897
+- https://github.com/vercel/next.js/releases/tag/4.2.3
+- https://github.com/zeit/next.js
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=1.0.0, fixed<4.2.3` 升级或回移到 `4.2.3`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/path-traversal-guard.md)
+- [nodejs:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/nodejs/path-traversal-guard.md)
+- [java:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/java/path-traversal-guard.md)
+- [php:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/php/path-traversal-guard.md)
+- [python:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/python/path-traversal-guard.md)
+- [ruby:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/ruby/path-traversal-guard.md)
+- [csharp:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/csharp/path-traversal-guard.md)
+- [go:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/go/path-traversal-guard.md)
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2020-15242.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2020-15242.md
@@ -26,6 +26,9 @@ affected_versions:
  - "introduced=9.5.0, fixed<9.5.4"
 fixed_versions:
  - "9.5.4"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -54,12 +57,68 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-x56p
 - 影响版本: `introduced=9.5.0, fixed<9.5.4`
 - 修复版本: `9.5.4`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-x56p-c8cg-q435, https://nvd.nist.gov/vuln/detail/CVE-2020-15242, https://github.com/vercel/next.js, https://github.com/zeit/next.js/releases/tag/v9.5.4`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2020-15242--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2020-15242
 - https://github.com/vercel/next.js
 - https://github.com/zeit/next.js/releases/tag/v9.5.4

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=9.5.0, fixed<9.5.4` 升级或回移到 `9.5.4`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2020-5284.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2020-5284.md
@@ -26,6 +26,9 @@ affected_versions:
  - "introduced=0.9.9, fixed<9.3.2"
 fixed_versions:
  - "9.3.2"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -55,12 +58,68 @@ primary_source: "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7
 - 影响版本: `introduced=0.9.9, fixed<9.3.2`
 - 修复版本: `9.3.2`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj, https://nvd.nist.gov/vuln/detail/CVE-2020-5284, https://github.com/zeit/next.js/releases/tag/v9.3.2, https://www.npmjs.com/advisories/1503`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2020-5284--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2020-5284
 - https://github.com/zeit/next.js/releases/tag/v9.3.2
 - https://www.npmjs.com/advisories/1503

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0.9.9, fixed<9.3.2` 升级或回移到 `9.3.2`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-37699.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-37699.md
@@ -26,6 +26,9 @@ affected_versions:
  - "introduced=0.9.9, fixed<11.1.0"
 fixed_versions:
  - "11.1.0"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -55,12 +58,68 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-vxf5
 - 影响版本: `introduced=0.9.9, fixed<11.1.0`
 - 修复版本: `11.1.0`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9, https://nvd.nist.gov/vuln/detail/CVE-2021-37699, https://github.com/vercel/next.js, https://github.com/vercel/next.js/releases/tag/v11.1.0`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2021-37699--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2021-37699
 - https://github.com/vercel/next.js
 - https://github.com/vercel/next.js/releases/tag/v11.1.0

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0.9.9, fixed<11.1.0` 升级或回移到 `11.1.0`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-39178.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-39178.md
@@ -26,6 +26,9 @@ affected_versions:
  - "introduced=10.0.0, fixed<11.1.1"
 fixed_versions:
  - "11.1.1"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -55,6 +58,26 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3
 - 影响版本: `introduced=10.0.0, fixed<11.1.1`
 - 修复版本: `11.1.1`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m, https://nvd.nist.gov/vuln/detail/CVE-2021-39178, https://github.com/vercel/next.js/pull/28620, https://github.com/vercel/next.js/commit/7afc97c5744b38bdf36aa7f87625f438224688aa, https://github.com/vercel/next.js`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2021-39178--workflow`
+- 漏洞家族: `xss`
+- 入口面: `web-ui-render-path`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
+- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
+- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2021-39178
@@ -63,6 +86,41 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3
 - https://github.com/vercel/next.js
 - https://github.com/vercel/next.js/releases/tag/v11.1.1

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=10.0.0, fixed<11.1.1` 升级或回移到 `11.1.1`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-43803.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-43803.md
@@ -28,6 +28,9 @@ affected_versions:
 fixed_versions:
  - "12.0.5"
  - "11.1.3"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -57,6 +60,26 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-25mp
 - 影响版本: `introduced=12.0.0, fixed<12.0.5, introduced=0.9.9, fixed<11.1.3`
 - 修复版本: `12.0.5, 11.1.3`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx, https://nvd.nist.gov/vuln/detail/CVE-2021-43803, https://github.com/vercel/next.js/pull/32080, https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264, https://github.com/vercel/next.js`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2021-43803--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2021-43803
@@ -66,6 +89,42 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-25mp
 - https://github.com/vercel/next.js/releases/tag/v11.1.3
 - https://github.com/vercel/next.js/releases/v12.0.5

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=12.0.0, fixed<12.0.5, introduced=0.9.9, fixed<11.1.3` 升级或回移到 `12.0.5`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2022-21721.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2022-21721.md
@@ -0,0 +1,165 @@
+---
+title: "Denial of Service Vulnerability in next.js"
+system_id: "nextjs"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2022-01-28T23:09:22Z"
+updated_date: "2023-11-08T04:08:09.355091Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-source"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2022-21721"
+  - "GHSA-wr66-vrwm-5g5x"
+affected_versions:
+  - "introduced=12.0.0, fixed<12.0.9"
+fixed_versions:
+  - "12.0.9"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-wr66-vrwm-5g5x"
+---
+
+# Denial of Service Vulnerability in next.js
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-source`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `nextjs--CVE-2022-21721`
+- 系统: `nextjs`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/vercel/next.js/security/advisories/GHSA-wr66-vrwm-5g5x
+- 影响版本: `introduced=12.0.0, fixed<12.0.9`
+- 修复版本: `12.0.9`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-wr66-vrwm-5g5x, https://nvd.nist.gov/vuln/detail/CVE-2022-21721, https://github.com/vercel/next.js/pull/33503, https://github.com/vercel/next.js, https://github.com/vercel/next.js/releases/tag/v12.0.9`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2022-21721--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2022-21721
+- https://github.com/vercel/next.js/pull/33503
+- https://github.com/vercel/next.js
+- https://github.com/vercel/next.js/releases/tag/v12.0.9
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=12.0.0, fixed<12.0.9` 升级或回移到 `12.0.9`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2022-23646.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2022-23646.md
@@ -0,0 +1,174 @@
+---
+title: "Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0"
+system_id: "nextjs"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2022-02-17T17:19:18Z"
+updated_date: "2023-11-08T04:08:26.298810Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-source"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2022-23646"
+  - "GHSA-fmvm-x8mv-47mj"
+affected_versions:
+  - "introduced=10.0.0, fixed<12.1.0"
+fixed_versions:
+  - "12.1.0"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+  - "csp-trusted-types"
+  - "plugin-extension-trust-policy"
+primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj"
+---
+
+# Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-source`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `nextjs--CVE-2022-23646`
+- 系统: `nextjs`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj
+- 影响版本: `introduced=10.0.0, fixed<12.1.0`
+- 修复版本: `12.1.0`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj, https://nvd.nist.gov/vuln/detail/CVE-2022-23646, https://github.com/vercel/next.js/pull/34075, https://github.com/vercel/next.js, https://github.com/vercel/next.js/releases/tag/v12.1.0`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2022-23646--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2022-23646
+- https://github.com/vercel/next.js/pull/34075
+- https://github.com/vercel/next.js
+- https://github.com/vercel/next.js/releases/tag/v12.1.0
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=10.0.0, fixed<12.1.0` 升级或回移到 `12.1.0`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2022-36046.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2022-36046.md
@@ -0,0 +1,155 @@
+---
+title: "Unexpected server crash in Next.js"
+system_id: "nextjs"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2022-08-30T20:38:34Z"
+updated_date: "2023-11-08T04:09:58.785797Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-source"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2022-36046"
+  - "GHSA-wff4-fpwg-qqv3"
+affected_versions:
+  - "12.2.3"
+  - "introduced=12.2.3, fixed<12.2.4"
+fixed_versions:
+  - "12.2.4"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3"
+---
+
+# Unexpected server crash in Next.js
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-source`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `nextjs--CVE-2022-36046`
+- 系统: `nextjs`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3
+- 影响版本: `12.2.3, introduced=12.2.3, fixed<12.2.4`
+- 修复版本: `12.2.4`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3, https://nvd.nist.gov/vuln/detail/CVE-2022-36046, https://github.com/vercel/next.js/releases/tag/v12.2.4`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2022-36046--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2022-36046
+- https://github.com/vercel/next.js/releases/tag/v12.2.4
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `12.2.3, introduced=12.2.3, fixed<12.2.4` 升级或回移到 `12.2.4`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2023-46298.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2023-46298.md
@@ -0,0 +1,157 @@
+---
+title: "Next.js missing cache-control header may lead to CDN caching empty reply"
+system_id: "nextjs"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2023-10-22T03:30:23Z"
+updated_date: "2023-11-08T04:13:42.231979Z"
+severity: "unknown"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-source"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2023-46298"
+  - "GHSA-c59h-r6p8-q9wc"
+affected_versions:
+  - "introduced=0.9.9, fixed<13.4.20-canary.13"
+fixed_versions:
+  - "13.4.20-canary.13"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2023-46298"
+---
+
+# Next.js missing cache-control header may lead to CDN caching empty reply
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-source`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `nextjs--CVE-2023-46298`
+- 系统: `nextjs`
+- 严重度: `unknown`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2023-46298
+- 影响版本: `introduced=0.9.9, fixed<13.4.20-canary.13`
+- 修复版本: `13.4.20-canary.13`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2023-46298, https://github.com/vercel/next.js/issues/45301, https://github.com/vercel/next.js/pull/54732, https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648, https://github.com/vercel/next.js`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2023-46298--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://github.com/vercel/next.js/issues/45301
+- https://github.com/vercel/next.js/pull/54732
+- https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648
+- https://github.com/vercel/next.js
+- https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0.9.9, fixed<13.4.20-canary.13` 升级或回移到 `13.4.20-canary.13`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-34350.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-34350.md
@@ -0,0 +1,165 @@
+---
+title: "Next.js Vulnerable to HTTP Request Smuggling"
+system_id: "nextjs"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2024-05-09T21:07:00Z"
+updated_date: "2024-07-09T18:28:18Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-source"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2024-34350"
+  - "GHSA-77r5-gw3j-2mpf"
+affected_versions:
+  - "introduced=13.4.0, fixed<13.5.1"
+fixed_versions:
+  - "13.5.1"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+  - "request-smuggling-boundary"
+primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf"
+---
+
+# Next.js Vulnerable to HTTP Request Smuggling
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-source`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `nextjs--CVE-2024-34350`
+- 系统: `nextjs`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf
+- 影响版本: `introduced=13.4.0, fixed<13.5.1`
+- 修复版本: `13.5.1`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf, https://nvd.nist.gov/vuln/detail/CVE-2024-34350, https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5, https://github.com/vercel/next.js, https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2024-34350--workflow`
+- 漏洞家族: `request-smuggling`
+- 入口面: `reverse-proxy-boundary`
+- 需要角色: `edge-access`
+- 触发向量: 对 `request-smuggling` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/ via reverse proxy, front proxy -> app origin`
+- 输入形态: 构造受控冲突头部组合，仅验证代理与应用解析差异。
+- 预期不安全行为: 代理和应用对同一请求的边界解释不一致。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2024-34350
+- https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5
+- https://github.com/vercel/next.js
+- https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=13.4.0, fixed<13.5.1` 升级或回移到 `13.5.1`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `request-smuggling` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:request-smuggling-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/request-smuggling-boundary.md)
+- [nodejs:request-smuggling-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/request-smuggling-boundary.md)
+- [java:request-smuggling-boundary](/Users/x/websafe/05-defense/secure-code/java/request-smuggling-boundary.md)
+- [php:request-smuggling-boundary](/Users/x/websafe/05-defense/secure-code/php/request-smuggling-boundary.md)
+- [python:request-smuggling-boundary](/Users/x/websafe/05-defense/secure-code/python/request-smuggling-boundary.md)
+- [ruby:request-smuggling-boundary](/Users/x/websafe/05-defense/secure-code/ruby/request-smuggling-boundary.md)
+- [csharp:request-smuggling-boundary](/Users/x/websafe/05-defense/secure-code/csharp/request-smuggling-boundary.md)
+- [go:request-smuggling-boundary](/Users/x/websafe/05-defense/secure-code/go/request-smuggling-boundary.md)
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-34351.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-34351.md
@@ -26,6 +26,9 @@ affected_versions:
  - "introduced=13.4.0, fixed<14.1.1"
 fixed_versions:
  - "14.1.1"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -55,6 +58,26 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h
 - 影响版本: `introduced=13.4.0, fixed<14.1.1`
 - 修复版本: `14.1.1`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g, https://nvd.nist.gov/vuln/detail/CVE-2024-34351, https://github.com/vercel/next.js/pull/62561, https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085, https://github.com/vercel/next.js`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2024-34351--workflow`
+- 漏洞家族: `ssrf`
+- 入口面: `remote-fetch-or-webhook-endpoint`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `ssrf` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/webhook/test, /remote-fetch, /import-url`
+- 输入形态: 提交受控回环或哨兵 URL，验证协议、主机、IP 与重定向限制。
+- 预期不安全行为: 服务端向受控目标发起非预期请求。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2024-34351
@@ -62,6 +85,41 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h
 - https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085
 - https://github.com/vercel/next.js

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=13.4.0, fixed<14.1.1` 升级或回移到 `14.1.1`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `ssrf` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-39693.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-39693.md
@@ -0,0 +1,154 @@
+---
+title: "Next.js Denial of Service (DoS) condition"
+system_id: "nextjs"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2024-07-10T16:03:06Z"
+updated_date: "2024-11-06T14:30:33Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "official-source"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2024-39693"
+  - "GHSA-fq54-2j52-jc42"
+affected_versions:
+  - "introduced=13.3.1, fixed<13.5.0"
+fixed_versions:
+  - "13.5.0"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "proxy-trust-boundary"
+  - "token-cookie-storage"
+primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-fq54-2j52-jc42"
+---
+
+# Next.js Denial of Service (DoS) condition
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `official-source`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `nextjs--CVE-2024-39693`
+- 系统: `nextjs`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/vercel/next.js/security/advisories/GHSA-fq54-2j52-jc42
+- 影响版本: `introduced=13.3.1, fixed<13.5.0`
+- 修复版本: `13.5.0`
+
+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-fq54-2j52-jc42, https://nvd.nist.gov/vuln/detail/CVE-2024-39693, https://github.com/vercel/next.js`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2024-39693--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2024-39693
+- https://github.com/vercel/next.js
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=13.3.1, fixed<13.5.0` 升级或回移到 `13.5.0`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-46982.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-46982.md
@@ -28,6 +28,9 @@ affected_versions:
 fixed_versions:
  - "13.5.7"
  - "14.2.10"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -56,6 +59,26 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f
 - 影响版本: `introduced=13.5.1, fixed<13.5.7, introduced=14.0.0, fixed<14.2.10`
 - 修复版本: `13.5.7, 14.2.10`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9, https://nvd.nist.gov/vuln/detail/CVE-2024-46982, https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3, https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda, https://github.com/vercel/next.js`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2024-46982--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2024-46982
@@ -63,6 +86,42 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f
 - https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda
 - https://github.com/vercel/next.js

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=13.5.1, fixed<13.5.7, introduced=14.0.0, fixed<14.2.10` 升级或回移到 `13.5.7`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-47831.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-47831.md
@@ -26,6 +26,9 @@ affected_versions:
  - "introduced=10.0.0, fixed<14.2.7"
 fixed_versions:
  - "14.2.7"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -54,12 +57,68 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-g77x
 - 影响版本: `introduced=10.0.0, fixed<14.2.7`
 - 修复版本: `14.2.7`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m, https://nvd.nist.gov/vuln/detail/CVE-2024-47831, https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a, https://github.com/vercel/next.js`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2024-47831--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2024-47831
 - https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a
 - https://github.com/vercel/next.js

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=10.0.0, fixed<14.2.7` 升级或回移到 `14.2.7`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-51479.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-51479.md
@@ -26,6 +26,9 @@ affected_versions:
  - "introduced=9.5.5, fixed<14.2.15"
 fixed_versions:
  - "14.2.15"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -54,6 +57,26 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-7gfc
 - 影响版本: `introduced=9.5.5, fixed<14.2.15`
 - 修复版本: `14.2.15`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f, https://nvd.nist.gov/vuln/detail/CVE-2024-51479, https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b, https://github.com/vercel/next.js, https://github.com/vercel/next.js/releases/tag/v14.2.15`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2024-51479--workflow`
+- 漏洞家族: `authz-bypass`
+- 入口面: `privileged-route-or-object-reference`
+- 需要角色: `cross-tenant-or-low-privileged-user`
+- 触发向量: 对 `authz-bypass` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/*, /api/private/*, /tenant/*`
+- 输入形态: 使用低权限身份访问高权限对象或跨租户资源。
+- 预期不安全行为: 低权限身份可访问本不应可见的数据或操作。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2024-51479
@@ -61,6 +84,41 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-7gfc
 - https://github.com/vercel/next.js
 - https://github.com/vercel/next.js/releases/tag/v14.2.15

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=9.5.5, fixed<14.2.15` 升级或回移到 `14.2.15`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `authz-bypass` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-56332.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-56332.md
@@ -30,6 +30,9 @@ fixed_versions:
  - "13.5.8"
  - "14.2.21"
  - "15.1.2"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -58,11 +61,67 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-7m27
 - 影响版本: `introduced=13.0.0, fixed<13.5.8, introduced=14.0.0, fixed<14.2.21, introduced=15.0.0, fixed<15.1.2`
 - 修复版本: `13.5.8, 14.2.21, 15.1.2`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9, https://nvd.nist.gov/vuln/detail/CVE-2024-56332, https://github.com/vercel/next.js`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2024-56332--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2024-56332
 - https://github.com/vercel/next.js

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=13.0.0, fixed<13.5.8, introduced=14.0.0, fixed<14.2.21, introduced=15.0.0, fixed<15.1.2` 升级或回移到 `13.5.8`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-29927.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-29927.md
@@ -32,6 +32,9 @@ fixed_versions:
  - "14.2.25"
  - "15.2.3"
  - "12.3.5"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -60,6 +63,26 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-f82v
 - 影响版本: `introduced=13.0.0, fixed<13.5.9, introduced=14.0.0, fixed<14.2.25, introduced=15.0.0, fixed<15.2.3, introduced=12.0.0, fixed<12.3.5`
 - 修复版本: `13.5.9, 14.2.25, 15.2.3, 12.3.5`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw, https://nvd.nist.gov/vuln/detail/CVE-2025-29927, https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2, https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48, https://github.com/vercel/next.js`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2025-29927--workflow`
+- 漏洞家族: `authz-bypass`
+- 入口面: `privileged-route-or-object-reference`
+- 需要角色: `cross-tenant-or-low-privileged-user`
+- 触发向量: 对 `authz-bypass` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/*, /api/private/*, /tenant/*`
+- 输入形态: 使用低权限身份访问高权限对象或跨租户资源。
+- 预期不安全行为: 低权限身份可访问本不应可见的数据或操作。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2025-29927
@@ -73,6 +96,41 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-f82v
 - http://www.openwall.com/lists/oss-security/2025/03/23/3
 - http://www.openwall.com/lists/oss-security/2025/03/23/4

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=13.0.0, fixed<13.5.9, introduced=14.0.0, fixed<14.2.25, introduced=15.0.0, fixed<15.2.3` 升级或回移到 `13.5.9`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `authz-bypass` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-30218.md
+++ b/07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-30218.md
@@ -36,6 +36,9 @@ fixed_versions:
  - "13.5.10"
  - "14.2.26"
  - "15.2.4"
+entity_refs:
+  - "nextjs:system:root-system"
+  - "nextjs--project--next:project:affected-component"
 secure_code_topics:
  - "authz-server-side-recheck"
  - "proxy-trust-boundary"
@@ -64,12 +67,68 @@ primary_source: "https://github.com/vercel/next.js/security/advisories/GHSA-223j
 - 影响版本: `12.3.5, 13.5.9, 14.2.25, 15.2.3, introduced=12.3.5, fixed<12.3.6, introduced=13.5.9, fixed<13.5.10, introduced=14.2.25, fixed<14.2.26, introduced=15.2.3, fixed<15.2.4`
 - 修复版本: `12.3.6, 13.5.10, 14.2.26, 15.2.4`

+## 对象与版本映射
+
+- Advisory Scope: `package`
+- 影响对象: `next`
+- Entity Refs: `nextjs, nextjs--project--next`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf, https://nvd.nist.gov/vuln/detail/CVE-2025-30218, https://github.com/vercel/next.js, https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O`
+
+## 受控验证流程
+
+- Workflow ID: `nextjs--CVE-2025-30218--workflow`
+- 漏洞家族: `proxy-boundary`
+- 入口面: `proxy-header-or-trust-boundary`
+- 需要角色: `reverse-proxy-or-edge-client`
+- 触发向量: 对 `proxy-boundary` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/middleware, /x-forwarded-* trust path`
+- 输入形态: 提交受控代理头或来源头，验证信任边界和回源鉴权。
+- 预期不安全行为: 仅凭代理头即可越过鉴权或来源控制。
+
 ## 其他来源

 - https://nvd.nist.gov/vuln/detail/CVE-2025-30218
 - https://github.com/vercel/next.js
 - https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O

+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+- 上游代理与应用层对 Content-Length / Transfer-Encoding / forwarded headers 的解释差异
+
+### 补丁验证步骤
+
+- 确认目标版本从 `12.3.5, 13.5.9, 14.2.25` 升级或回移到 `12.3.6`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `proxy-boundary` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
 ## 实验层

 - 仅用于自有资产、测试环境或已明确授权目标。
--- a/显示更多
+++ b/显示更多
作者	SHA1	备注	提交日期
hao	6b2c96ab39	更新: 1 个文件 - 2026-04-02 05:50:37	2026-04-02 05:50:37 -07:00
hao	3e91bf1335	更新: 1 个文件 - 2026-04-02 05:45:25	2026-04-02 05:45:25 -07:00
hao	5c1b1412ac	更新: 1 个文件 - 2026-04-02 05:45:07	2026-04-02 05:45:07 -07:00
hao	353f6b9ded	更新: 1 个文件 - 2026-04-02 05:40:06	2026-04-02 05:40:07 -07:00
hao	fdcef59bd5	更新: 1 个文件 - 2026-04-02 05:34:52	2026-04-02 05:34:52 -07:00
hao	2175115eb8	更新: 1 个文件 - 2026-04-02 05:30:07	2026-04-02 05:30:07 -07:00
hao	f188256489	更新: 1 个文件 - 2026-04-02 05:29:40	2026-04-02 05:29:40 -07:00
hao	cdb4b6e7aa	更新: 1 个文件 - 2026-04-02 05:24:28	2026-04-02 05:24:28 -07:00
hao	1b2b184e05	更新: 1 个文件 - 2026-04-02 04:30:07	2026-04-02 04:30:07 -07:00
hao	bfabca157f	更新: 1 个文件 - 2026-04-02 04:29:16	2026-04-02 04:29:16 -07:00
hao	22dac5744d	更新: 1 个文件 - 2026-04-02 04:24:06	2026-04-02 04:24:06 -07:00
hao	a57889760e	更新: 1 个文件 - 2026-04-02 04:18:57	2026-04-02 04:18:57 -07:00
hao	fdbda88700	更新: 1 个文件 - 2026-04-02 04:15:08	2026-04-02 04:15:08 -07:00
hao	f7623235f1	更新: 1 个文件 - 2026-04-02 04:13:44	2026-04-02 04:13:44 -07:00
hao	c290377cb9	更新: 1 个文件 - 2026-04-02 04:08:36	2026-04-02 04:08:36 -07:00
hao	841df7b796	更新: 1 个文件 - 2026-04-02 04:03:28	2026-04-02 04:03:28 -07:00
hao	1f459afffd	更新: 1 个文件 - 2026-04-02 04:00:08	2026-04-02 04:00:08 -07:00
hao	6fd6ed1a84	更新: 1 个文件 - 2026-04-02 03:58:21	2026-04-02 03:58:21 -07:00
hao	b39886d37e	更新: 1 个文件 - 2026-04-02 03:51:56	2026-04-02 03:51:56 -07:00
hao	e4bae0d1ea	更新: 1 个文件 - 2026-04-02 03:46:49	2026-04-02 03:46:49 -07:00
hao	31793384d9	更新: 1 个文件 - 2026-04-02 03:45:07	2026-04-02 03:45:07 -07:00
hao	ffd41760b1	更新: 1 个文件 - 2026-04-02 03:41:41	2026-04-02 03:41:41 -07:00
hao	c2d0aa12e8	更新: 1 个文件 - 2026-04-02 03:36:33	2026-04-02 03:36:33 -07:00
hao	73cbdd8589	更新: 1 个文件 - 2026-04-02 03:31:26	2026-04-02 03:31:26 -07:00
hao	340ae2432c	更新: 1 个文件 - 2026-04-02 03:30:08	2026-04-02 03:30:08 -07:00
hao	78a6408a8f	更新: 1 个文件 - 2026-04-02 03:26:19	2026-04-02 03:26:19 -07:00
hao	27ec1c7927	更新: 1 个文件 - 2026-04-02 03:21:11	2026-04-02 03:21:11 -07:00
hao	b8f1db4828	更新: 1 个文件 - 2026-04-02 03:16:02	2026-04-02 03:16:02 -07:00
hao	ee25f55719	更新: 331 个文件 - 2026-04-02 03:15:10	2026-04-02 03:15:10 -07:00
hao	602f8b2d52	更新: 1 个文件 - 2026-04-02 02:15:51	2026-04-02 02:15:51 -07:00
hao	6881bda5c7	更新: 1 个文件 - 2026-04-02 02:15:06	2026-04-02 02:15:06 -07:00
hao	2d8fe53fc9	更新: 1 个文件 - 2026-04-02 02:10:42	2026-04-02 02:10:42 -07:00
hao	fe7b40f10b	更新: 1 个文件 - 2026-04-02 02:05:34	2026-04-02 02:05:34 -07:00
hao	ac68e791a8	更新: 1 个文件 - 2026-04-02 02:00:25	2026-04-02 02:00:25 -07:00
hao	694a7e14e6	更新: 1 个文件 - 2026-04-02 02:00:06	2026-04-02 02:00:06 -07:00
hao	2411f2e1d4	更新: 1 个文件 - 2026-04-02 01:55:17	2026-04-02 01:55:17 -07:00
hao	04bcb7b8ed	更新: 1 个文件 - 2026-04-02 01:50:08	2026-04-02 01:50:08 -07:00
hao	bc9b8b4980	更新: 1 个文件 - 2026-04-02 01:44:59	2026-04-02 01:44:59 -07:00
hao	a9d5eb5ed2	更新: 1 个文件 - 2026-04-02 01:39:46	2026-04-02 01:39:46 -07:00
hao	57b2330089	更新: 1 个文件 - 2026-04-02 01:34:26	2026-04-02 01:34:26 -07:00
hao	d9e5769c4a	更新: 1 个文件 - 2026-04-02 01:30:09	2026-04-02 01:30:10 -07:00
hao	cf6e2bf5af	更新: 1 个文件 - 2026-04-02 01:29:15	2026-04-02 01:29:15 -07:00
hao	708ec9e4a7	更新: 1 个文件 - 2026-04-02 01:24:04	2026-04-02 01:24:04 -07:00
hao	88cce4ee39	更新: 1 个文件 - 2026-04-02 01:18:54	2026-04-02 01:18:54 -07:00
hao	9af59802b8	更新: 1 个文件 - 2026-04-02 01:15:08	2026-04-02 01:15:08 -07:00
hao	329a4df7f7	更新: 1 个文件 - 2026-04-02 01:13:43	2026-04-02 01:13:43 -07:00
hao	c4a2ea81c9	更新: 1 个文件 - 2026-04-02 01:08:24	2026-04-02 01:08:24 -07:00
hao	982a352a54	更新: 1 个文件 - 2026-04-02 01:03:07	2026-04-02 01:03:07 -07:00
hao	55931d0caf	更新: 1 个文件 - 2026-04-02 01:00:07	2026-04-02 01:00:07 -07:00
hao	f821cf7252	更新: 1 个文件 - 2026-04-02 00:57:56	2026-04-02 00:57:56 -07:00
hao	8ea0ea23c2	更新: 1 个文件 - 2026-04-02 00:52:37	2026-04-02 00:52:37 -07:00
hao	6f09edeb2a	更新: 1 个文件 - 2026-04-02 00:47:27	2026-04-02 00:47:27 -07:00
hao	b35185f27d	更新: 1 个文件 - 2026-04-02 00:45:07	2026-04-02 00:45:07 -07:00
hao	9881c9f054	更新: 1 个文件 - 2026-04-02 00:42:10	2026-04-02 00:42:10 -07:00
hao	0a358199f9	更新: 1 个文件 - 2026-04-02 00:36:50	2026-04-02 00:36:50 -07:00
hao	204c10304f	更新: 1 个文件 - 2026-04-02 00:31:35	2026-04-02 00:31:35 -07:00
hao	9304d8bf5c	更新: 1 个文件 - 2026-04-02 00:30:08	2026-04-02 00:30:08 -07:00
hao	7645fe1f1b	更新: 1 个文件 - 2026-04-02 00:26:23	2026-04-02 00:26:23 -07:00
hao	5da1f89b8d	更新: 1 个文件 - 2026-04-02 00:21:12	2026-04-02 00:21:12 -07:00
hao	6aee1961ad	更新: 1 个文件 - 2026-04-01 20:00:53	2026-04-01 20:00:54 -07:00
hao	6efe8bc490	更新: 1 个文件 - 2026-04-01 20:00:07	2026-04-01 20:00:07 -07:00
hao	63fac31f71	更新: 1 个文件 - 2026-04-01 19:55:41	2026-04-01 19:55:41 -07:00
hao	66a4af13a3	更新: 1 个文件 - 2026-04-01 19:50:33	2026-04-01 19:50:33 -07:00
hao	c6b011894b	更新: 1 个文件 - 2026-04-01 19:45:24	2026-04-01 19:45:24 -07:00
hao	7145236d75	更新: 1 个文件 - 2026-04-01 19:45:07	2026-04-01 19:45:07 -07:00
hao	b38324b648	更新: 1 个文件 - 2026-04-01 19:40:15	2026-04-01 19:40:15 -07:00
hao	be2a0f9c84	更新: 1 个文件 - 2026-04-01 19:35:07	2026-04-01 19:35:07 -07:00
hao	f776727376	更新: 1 个文件 - 2026-04-01 19:29:59	2026-04-01 19:29:59 -07:00
hao	a8f50b02bc	更新: 1 个文件 - 2026-04-01 19:24:47	2026-04-01 19:24:47 -07:00
hao	69f48eb328	更新: 1 个文件 - 2026-04-01 19:19:39	2026-04-01 19:19:39 -07:00
hao	87f2670261	更新: 1 个文件 - 2026-04-01 19:15:07	2026-04-01 19:15:07 -07:00
hao	0690ce86b8	更新: 1 个文件 - 2026-04-01 19:14:32	2026-04-01 19:14:32 -07:00
hao	4d6feaf969	更新: 1 个文件 - 2026-04-01 19:09:22	2026-04-01 19:09:22 -07:00
hao	a34986b5f0	更新: 1 个文件 - 2026-04-01 19:04:13	2026-04-01 19:04:13 -07:00
hao	82df24cf96	更新: 1 个文件 - 2026-04-01 18:58:54	2026-04-01 18:58:55 -07:00
hao	c99a318991	更新: 1 个文件 - 2026-04-01 18:03:08	2026-04-01 18:03:08 -07:00
hao	8f6fc5de14	更新: 1 个文件 - 2026-04-01 18:00:11	2026-04-01 18:00:11 -07:00
hao	792af1f0a5	更新: 1 个文件 - 2026-04-01 17:57:55	2026-04-01 17:57:55 -07:00
hao	c61fd35507	更新: 1 个文件 - 2026-04-01 17:52:41	2026-04-01 17:52:41 -07:00
hao	ac7a34d56d	更新: 1 个文件 - 2026-04-01 17:50:14	2026-04-01 17:50:17 -07:00
hao	2a130f4013	更新: 1 个文件 - 2026-04-01 17:47:13	2026-04-01 17:47:15 -07:00
hao	df1d3596ce	更新: 1 个文件 - 2026-04-01 17:39:46	2026-04-01 17:39:46 -07:00
hao	a5af83d6d3	更新: 1 个文件 - 2026-04-01 17:34:38	2026-04-01 17:34:38 -07:00
hao	4e8bf14ed6	更新: 1 个文件 - 2026-04-01 17:30:11	2026-04-01 17:30:11 -07:00
hao	ba38ea5d21	更新: 1 个文件 - 2026-04-01 17:29:28	2026-04-01 17:29:28 -07:00
hao	4bbf3a34f0	更新: 1 个文件 - 2026-04-01 17:24:02	2026-04-01 17:24:02 -07:00
hao	3a25f50148	更新: 1 个文件 - 2026-04-01 17:18:55	2026-04-01 17:18:55 -07:00
hao	fbe566ee85	更新: 1 个文件 - 2026-04-01 17:15:08	2026-04-01 17:15:08 -07:00
hao	d4ac52aef6	更新: 1 个文件 - 2026-04-01 17:13:43	2026-04-01 17:13:43 -07:00
hao	92c30f4b94	更新: 1 个文件 - 2026-04-01 17:08:36	2026-04-01 17:08:36 -07:00
hao	12354356d8	更新: 1 个文件 - 2026-04-01 17:03:27	2026-04-01 17:03:28 -07:00
hao	aa37f0b848	更新: 1 个文件 - 2026-04-01 17:00:08	2026-04-01 17:00:08 -07:00
hao	875ddf245a	更新: 1 个文件 - 2026-04-01 16:58:03	2026-04-01 16:58:03 -07:00
hao	9a7051d7c0	更新: 1 个文件 - 2026-04-01 16:52:56	2026-04-01 16:52:56 -07:00
hao	b8012dd4b3	更新: 1 个文件 - 2026-04-01 16:46:33	2026-04-01 16:46:33 -07:00
hao	0a0b2c8c91	更新: 1 个文件 - 2026-04-01 16:45:08	2026-04-01 16:45:08 -07:00
hao	58ce1a47dc	更新: 1 个文件 - 2026-04-01 16:41:26	2026-04-01 16:41:26 -07:00
hao	8e32cfc8da	更新: 1 个文件 - 2026-04-01 16:36:19	2026-04-01 16:36:19 -07:00
hao	931e1f64ee	更新: 1 个文件 - 2026-04-01 16:31:11	2026-04-01 16:31:11 -07:00
hao	1277ba4344	更新: 1 个文件 - 2026-04-01 16:30:09	2026-04-01 16:30:09 -07:00
hao	11a9ae4ccc	更新: 1 个文件 - 2026-04-01 16:21:02	2026-04-01 16:21:02 -07:00
hao	99e38526b2	更新: 1 个文件 - 2026-04-01 16:10:53	2026-04-01 16:10:53 -07:00
hao	7d59acc64b	更新: 1 个文件 - 2026-04-01 16:00:08	2026-04-01 16:00:08 -07:00
hao	8333d8ca12	更新: 1 个文件 - 2026-04-01 09:10:29	2026-04-01 09:10:29 -07:00
hao	280fc8e70b	更新: 1 个文件 - 2026-04-01 09:05:20	2026-04-01 09:05:20 -07:00
hao	235506dab9	更新: 1 个文件 - 2026-04-01 09:00:08	2026-04-01 09:00:08 -07:00
hao	8e98d8e3b0	更新: 1 个文件 - 2026-04-01 08:55:00	2026-04-01 08:55:01 -07:00
hao	7ad189fd09	更新: 1 个文件 - 2026-04-01 08:49:51	2026-04-01 08:49:51 -07:00
hao	c101a6fd40	更新: 1 个文件 - 2026-04-01 08:45:08	2026-04-01 08:45:08 -07:00
hao	477a74b375	更新: 1 个文件 - 2026-04-01 08:44:43	2026-04-01 08:44:43 -07:00
hao	a9afe3ff52	更新: 1 个文件 - 2026-04-01 08:39:32	2026-04-01 08:39:32 -07:00
hao	f1f85fc9d2	更新: 1 个文件 - 2026-04-01 08:29:24	2026-04-01 08:29:24 -07:00
hao	04285631db	更新: 1 个文件 - 2026-04-01 08:24:15	2026-04-01 08:24:15 -07:00
hao	652b915214	更新: 1 个文件 - 2026-04-01 08:19:05	2026-04-01 08:19:05 -07:00
hao	7f99f96c6a	更新: 1 个文件 - 2026-04-01 08:13:57	2026-04-01 08:13:57 -07:00
hao	4c0a513954	更新: 1 个文件 - 2026-04-01 08:08:49	2026-04-01 08:08:49 -07:00
hao	eff5a2505d	更新: 1 个文件 - 2026-04-01 08:03:40	2026-04-01 08:03:40 -07:00
hao	03e1a07bc4	更新: 1 个文件 - 2026-04-01 08:00:08	2026-04-01 08:00:08 -07:00
hao	d68ccea41f	更新: 1 个文件 - 2026-04-01 07:58:32	2026-04-01 07:58:32 -07:00
hao	6f4a03f63a	更新: 1 个文件 - 2026-04-01 07:53:23	2026-04-01 07:53:23 -07:00
hao	d0747e440c	更新: 1 个文件 - 2026-04-01 07:48:14	2026-04-01 07:48:14 -07:00
hao	ed26f34b7e	更新: 1 个文件 - 2026-04-01 07:45:08	2026-04-01 07:45:08 -07:00
hao	08c53c7071	更新: 1 个文件 - 2026-04-01 07:43:06	2026-04-01 07:43:06 -07:00
hao	fe8bd0c074	更新: 1 个文件 - 2026-04-01 06:52:54	2026-04-01 06:52:54 -07:00
hao	4b02834f77	更新: 1 个文件 - 2026-04-01 05:12:41	2026-04-01 05:12:41 -07:00
hao	1a9cfdb6f9	更新: 1 个文件 - 2026-04-01 05:07:34	2026-04-01 05:07:34 -07:00
hao	183c0bbf7a	更新: 1 个文件 - 2026-04-01 05:02:26	2026-04-01 05:02:26 -07:00
hao	96bde2118d	更新: 331 个文件 - 2026-04-01 05:00:10	2026-04-01 05:00:10 -07:00
hao	5beac32c48	更新: 319 个文件 - 2026-03-31 03:06:10	2026-03-31 03:06:11 -07:00
hao	e8a083bc68	更新: 269 个文件 - 2026-03-30 03:53:37	2026-03-30 03:53:37 -07:00
hao	6a60b43be7	监控更新: 2026-03-29 03:49:34	2026-03-29 03:50:57 -07:00
hao	d560e6b421	更新: 270 个文件 - 2026-03-28 03:48:48	2026-03-28 03:48:48 -07:00
hao	bce7f9ef61	更新: 307 个文件 - 2026-03-27 02:33:52	2026-03-27 02:33:52 -07:00
hao	3406fdb83f	更新: 2 个文件 - 2026-03-27 02:30:16	2026-03-27 02:30:16 -07:00
hao	1f7a3d6c60	更新: 489 个文件 - 2026-03-26 16:06:46	2026-03-26 16:06:46 -07:00
hao	1e447fe97f	更新: 413 个文件 - 2026-03-24 03:45:07	2026-03-24 03:45:08 -07:00
hao	cd808b4358	更新: 291 个文件 - 2026-03-23 03:00:08	2026-03-23 03:00:09 -07:00
hao	9c8cc7ec8a	监控更新: 2026-03-22 02:17:04	2026-03-22 02:19:03 -07:00
hao	bfd7d732ae	feat: sync version-driven intel coverage	2026-03-21 18:18:55 -07:00
hao	2d92ef6bce	更新: 2 个文件 - 2026-03-21 18:00:07	2026-03-21 18:00:07 -07:00
hao	e82b7d8cf6	更新: 4 个文件 - 2026-03-21 17:54:57	2026-03-21 17:54:57 -07:00
hao	af31c1b8d0	更新: 2 个文件 - 2026-03-21 17:49:36	2026-03-21 17:49:36 -07:00
hao	a0a5067ae1	更新: 3 个文件 - 2026-03-21 17:44:22	2026-03-21 17:44:22 -07:00
hao	e13c138232	监控更新: 2026-03-21 02:17:05	2026-03-21 06:37:00 -07:00
hao	c3a853d2cf	增强系统级实体覆盖摘要与工作台索引	2026-03-20 08:47:16 -07:00
hao	5e1ea395ef	监控更新: 2026-03-20 02:24:12	2026-03-20 06:41:46 -07:00
hao	1e81279e32	实现分层实体漏洞知识库与实体级完整度监控	2026-03-19 17:57:45 -07:00
hao	49fe46ab89	更新: 114 个文件 - 2026-03-19 16:45:07	2026-03-19 16:45:07 -07:00
hao	2e67bff9a7	Optimize cold source health probes	2026-03-19 02:31:34 -07:00
hao	826a907455	更新: 3 个文件 - 2026-03-19 02:29:34	2026-03-19 02:29:34 -07:00
hao	b57d649a2d	监控更新: 2026-03-19 02:17:03	2026-03-19 02:17:16 -07:00
hao	b0398f30b5	Retire remaining active NVD sources	2026-03-18 20:38:36 -07:00
hao	eb0e5d587a	Wire local NVD key loading	2026-03-18 19:54:45 -07:00
hao	baf8e8fa64	Cache NVD responses with API keys	2026-03-18 19:39:47 -07:00
hao	94d257177c	Stabilize source health monitoring	2026-03-18 19:28:13 -07:00
hao	9b0d72b112	更新: 103 个文件 - 2026-03-18 19:24:37	2026-03-18 19:24:37 -07:00
hao	8e13fcfbe0	更新: 4 个文件 - 2026-03-18 18:54:21	2026-03-18 18:54:21 -07:00
hao	42f380ef82	更新: 1 个文件 - 2026-03-18 18:49:00	2026-03-18 18:49:00 -07:00
hao	a950845ec6	更新: 2 个文件 - 2026-03-18 17:30:05	2026-03-18 17:30:05 -07:00
hao	6dff954778	更新: 4 个文件 - 2026-03-18 17:23:40	2026-03-18 17:23:40 -07:00
hao	301d15e91e	更新: 2 个文件 - 2026-03-18 16:28:30	2026-03-18 16:28:30 -07:00
hao	df455d7fb5	更新: 1 个文件 - 2026-03-18 16:13:21	2026-03-18 16:13:21 -07:00
hao	b9c67410c8	Fix completeness scope and restore generated summaries	2026-03-18 14:24:10 -07:00
hao	96b5353a91	更新: 2423 个文件 - 2026-03-18 14:23:01	2026-03-18 14:23:01 -07:00
hao	9a5f48cdf7	Refresh rendered dashboard snapshots	2026-03-18 14:18:50 -07:00
hao	00d828d090	Expand intel coverage and refresh monitoring	2026-03-18 14:18:09 -07:00
hao	87008d1bd5	更新: 15 个文件 - 2026-03-18 11:41:40	2026-03-18 11:41:40 -07:00
hao	13d341e71f	更新: 2933 个文件 - 2026-03-18 11:36:11	2026-03-18 11:36:12 -07:00
hao	1e9522e1a8	更新: 1 个文件 - 2026-03-18 11:26:00	2026-03-18 11:26:00 -07:00
hao	dbf9c375bc	监控更新: 2026-03-18 11:09:51	2026-03-18 11:21:09 -07:00
hao	fd8c4c6e31	更新: 3 个文件 - 2026-03-18 11:15:06	2026-03-18 11:15:06 -07:00
hao	48e5ce87f8	监控更新: 2026-03-18 10:58:07	2026-03-18 11:09:30 -07:00
hao	62adc24770	更新: 11 个文件 - 2026-03-18 11:00:06	2026-03-18 11:00:06 -07:00
hao	1f9d9b1d16	更新: 109 个文件 - 2026-03-18 10:55:52	2026-03-18 10:55:52 -07:00
hao	1d5cb533e3	更新: 5 个文件 - 2026-03-18 09:50:04	2026-03-18 09:50:04 -07:00
hao	dc31e6e80f	更新: 13 个文件 - 2026-03-18 09:44:57	2026-03-18 09:44:57 -07:00
hao	91d6f4d04e	更新: 178 个文件 - 2026-03-18 07:47:37	2026-03-18 07:47:37 -07:00
hao	63d89f2b0c	更新: 1 个文件 - 2026-03-18 07:33:19	2026-03-18 07:33:19 -07:00
hao	509281cfe9	更新: 8 个文件 - 2026-03-18 07:24:21	2026-03-18 07:24:21 -07:00
hao	0d30ca296c	更新: 8 个文件 - 2026-03-18 07:22:21	2026-03-18 07:22:21 -07:00
hao	bb436bc76f	更新: 8 个文件 - 2026-03-18 07:15:06	2026-03-18 07:15:06 -07:00
hao	99908f3e05	更新: 1 个文件 - 2026-03-17 23:14:38	2026-03-17 23:14:38 -07:00
hao	ab159308b5	更新: 1 个文件 - 2026-03-17 23:10:49	2026-03-17 23:10:49 -07:00
hao	29e753c170	更新: 1 个文件 - 2026-03-17 21:34:01	2026-03-17 21:34:01 -07:00