This release adds 1 notable feature for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
ReleasePort's take
Light signal: Release v1.33.9 enhances CVE enrichment by integrating CISA Vulnrichment data while preserving existing behavior and schema.
Why it matters: Security: Patch to v1.33.9 immediately to mitigate DoS amplification risks from unbounded ADP iterations.
Summary
AI summary: CVE enrichment from CISA Vulnrichment fills gaps in CVE details without breaking existing behavior.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Outer adp[] iteration capped to prevent DoS amplification. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: high | — |
| Security | Medium | Severity sources merge includes allowlist and poisoned-row guard to reject forged sources. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: high | — |
| Security | Medium | CVE enrichment from CISA Vulnrichment adds ADP source to severity_sources breakdown for missing CNA fields. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low | — |
| Security | Medium | Description and reference-URL length caps applied symmetrically for CNA and ADP data. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low | — |
| Feature | Medium | MITRE cvelistV5 delta now parsed to include `containers.adp[]` (CISA Vulnrichment) alongside existing CNA container. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low | — |
| Dependency | Medium | No new MCP tool or dependency introduced; only additive enhancements. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low | — |
| Performance | Medium | No new network calls; enrichment uses already downloaded MITRE delta data. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low | — |
| Bugfix | Medium | Cache invalidated by VERSION bump for response-content changes while preserving shape. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low | — |
| Refactor | Medium | Additive release with no schema break; existing responses unchanged in shape. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low | — |
Full changelog
Hotfix/feature on top of v1.33.8. PATCH — additive, wire-compatible, no schema break.
What's new
CVE enrichment from CISA Vulnrichment (MITRE ADP container). The CVE sync engine already downloads the full MITRE cvelistV5 delta but previously parsed only the CNA container. It now also parses containers.adp[] (CISA Vulnrichment — the enrichment NIST NVD scaled back). For CVEs where the CNA left fields empty, ADP backfills description / CVSS / CWE / affected products / references, and contributes a cisa-adp entry to the multi-source severity_sources breakdown. CNA always wins; ADP only fills gaps.
No new network calls (data already in the downloaded delta). No new MCP tool, no schema change — severity_sources already existed; cisa-adp is an additive source value surfaced via ?include_severity_breakdown=true.
Hardening (security fold-ins)
- Outer `adp[]` iteration capped (DoS amplification bound)
- `severity_sources` merge: source allowlist (rejects forged sources; never overwrites `nvd`) + non-list poisoned-row guard
- Description and reference-URL length caps (CNA + ADP symmetric); truncate-before-dedup
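
The merge rules and hardening items above, sketched as an added Python example (not contrastapi's own code). The cap values, the function names and the simplification that every `adp[]` entry counts as CISA Vulnrichment are assumptions.

```python
# Added illustration: names and limits are assumptions, not contrastapi's code.
MAX_ADP, MAX_DESC, MAX_URL = 8, 4000, 2048  # assumed caps
ALLOWED = {"cna", "cisa-adp"}  # "nvd" is absent, so this merge can never write it

def _dicts(value):
    """Poisoned-row guard: anything but a list of dicts yields no rows."""
    return [v for v in value if isinstance(v, dict)] if isinstance(value, list) else []

def _desc(container):
    for d in _dicts(container.get("descriptions")):
        if isinstance(d.get("value"), str) and d["value"].strip():
            return d["value"][:MAX_DESC]
    return None

def _score(container):
    for metric in _dicts(container.get("metrics")):
        for key, val in metric.items():
            if key.startswith("cvssV") and isinstance(val, dict):
                if isinstance(val.get("baseScore"), (int, float)):
                    return float(val["baseScore"])
    return None

def _urls(container):
    refs = _dicts(container.get("references"))
    return [r["url"][:MAX_URL] for r in refs if isinstance(r.get("url"), str)]

def merge_sources(stored, incoming):
    merged = {r["source"]: r for r in _dicts(stored) if isinstance(r.get("source"), str)}
    for row in incoming:
        if row["source"] in ALLOWED:  # forged names and "nvd" are rejected
            merged[row["source"]] = row
    return list(merged.values())

def enrich(record, stored_sources=None):
    box = record.get("containers") if isinstance(record, dict) else None
    box = box if isinstance(box, dict) else {}
    cna = box["cna"] if isinstance(box.get("cna"), dict) else {}
    adp = box["adp"][:MAX_ADP] if isinstance(box.get("adp"), list) else []  # bounded
    desc, urls, adp_score = _desc(cna), _urls(cna), None
    for entry in _dicts(adp):  # simplification: every adp[] entry counts as CISA ADP
        desc = desc or _desc(entry)  # CNA wins; ADP only fills the gap
        urls += _urls(entry)  # each URL is already truncated here
        adp_score = _score(entry) if adp_score is None else adp_score
    scores = [("cna", _score(cna)), ("cisa-adp", adp_score)]
    rows = [{"source": s, "score": v} for s, v in scores if v is not None]
    return {"description": desc,
            "references": list(dict.fromkeys(urls)),  # dedup after truncation
            "severity_sources": merge_sources(stored_sources, rows)}
```

Truncating before deduplicating matters because two over-long URLs that differ only past the cap would both survive a dedup-first pass and then collapse into identical entries.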
Migration / cache
Additive only — existing responses unchanged in shape. Back-catalog enrichment is gradual via the normal MITRE delta; a one-time backfill sweep is optional and operational. Response-content change for the same input → cache invalidated by the VERSION bump (cache key carries version).
Counts
- Tests: 2453 -> 2458 (+5)
- MCP tools / Resources / Prompts: unchanged (53 / 7 / 3)
About UPinar/contrastapi
Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.
Earlier breaking changes
- v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.