News
Vulnerability Report for the year 2025
This report was generated with the help of AI, leveraging the VulnMCP Model Context Protocol server connected to Vulnerability-Lookup. The underlying data was aggregated from the twelve monthly reports published throughout 2025 and from the live Vulnerability-Lookup API.
Introduction
The 2025 threat landscape was characterised by sustained pressure on enterprise infrastructure, edge devices, and developer tooling. Attackers continued to weaponise newly disclosed vulnerabilities within hours of publication, while a long tail of unpatched legacy IoT and edge devices (D-Link, Zyxel, DASAN, Huawei, Realtek, Netgear) kept generating massive exploitation noise. Several flagship incidents shaped the year: the SAP NetWeaver Visual Composer zero-day exploitation in April, the SharePoint “ToolShell” campaign in July, the NetScaler “CitrixBleed 2” saga from June onward, the Oracle E-Business Suite exploitation tied to the Cl0p activity in October, the WSUS critical (CVE-2025-59287) in October-November, the FortiWeb authentication bypasses in November, and the dramatic React Server Components (“React2Shell”) surge in December.
May 11, 2026
Vulnerability Report - April 2026
Introduction
This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform’s community.
May 4, 2026
Vulnerability-Lookup 4.5.0 released
We are pleased to announce the release of Vulnerability-Lookup 4.5.0! This release strengthens Vulnerability-Lookup on both data collection and analysis. We now ingest sightings from Telegram channels, with roughly 200,000 Telegram sightings collected so far. Each vulnerability page also gains new interactive visualisations: sighting type repartition, source repartition, and an experimental adaptive forecast based on the TARDISSight prototype. TARDISSight was presented last week in Munich during the FIRST CTI Conference, and the related paper is available on arXiv.
April 30, 2026
CIRCL AI approach at the International Committee of the Red Cross (ICRC)
On April 28, 2026, we had the opportunity to present the CIRCL AI approach at the International Committee of the Red Cross (ICRC). The session took place in Luxembourg, with remote participation from the Delegation for Cyberspace at the Global Cyber Hub in Geneva. The objective of this event was practical: show how AI can be used as an operational capability in vulnerability intelligence, not just as a research topic. We focused on production workflows that help analysts deliver faster, more consistent, and more actionable results.
April 29, 2026
Vulnerability-Lookup 4.4.0 released
We are pleased to announce the release of Vulnerability-Lookup 4.4.0! This release introduces public disclosure list views, enhanced sightings with automatic creation and heatmap navigation controls, toggleable chart events, and configurable CVD policy alerts. It also includes numerous fixes for database stability and performance, notification reliability, and Meilisearch error handling. The technical documentation has been revamped for greater clarity and expanded with deployment guidance for high-traffic environments, validated in our production setup handling 15,000–20,000 queries per second (public API + Web pages).
April 9, 2026
New Russian Severity Classifier and Improved Multilingual Models
We are pleased to announce a new Russian-language severity classifier for vulnerability descriptions, alongside improved English and Chinese models. These models are trained with VulnTrain and served through ML-Gateway for integration into Vulnerability-Lookup. All datasets and models are openly available on Hugging Face.
VulnTrain 3.1.0
This release is powered by VulnTrain v3.1.0, which introduces:
FSTEC source support: vulnerability entries from the Russian Federal Service for Technical and Export Control (BDU) can now be used for dataset generation and model training.
Source field in datasets: each vulnerability entry now includes a source field identifying its origin (cvelistv5, github, pysec, cnvd, csaf_*, fstec), making it easier to trace and filter data.
Dynamic dataset cards: when generating a dataset from multiple sources, a dataset card is automatically created with a per-source breakdown table showing entry counts and percentages.
Per-class metrics: the severity trainer now reports precision, recall, and F1 per class (Low / Medium / High / Critical) alongside overall accuracy and macro F1.
Best model checkpoint selection: models are now selected by accuracy instead of eval_loss, with save_total_limit increased from 2 to 3.
Russian Severity Classifier 🇷🇺
This is our new model for classifying vulnerability severity in Russian, trained on data from the Russian Federal Service for Technical and Export Control (BDU).
April 6, 2026
Improving the CNVD Severity Classifier: Honest Metrics and Data Leakage Fixes
We recently made significant improvements to our CNVD severity classifier and the underlying Vulnerability-CNVD dataset, prompted by a thorough independent review from Eric Romang. These changes ship in VulnTrain v3.0.0, released today.
What happened
Eric opened VulnTrain#19 with a detailed technical analysis of the dataset and model. His key findings:
Data leakage: CNVD reuses boilerplate descriptions across different vulnerability IDs. Our train/test split was done on IDs, not on description text, so 15.6% of the test set contained descriptions identical to training data. This inflated the reported accuracy by ~1.7pp.
Low-class recall at 38.4%: 60% of Low-severity entries were misclassified as Medium. The dataset is heavily imbalanced (Low ~9%, Medium ~55%, High ~36%).
Keyword dependency: the model predicts severity based on vulnerability-type keywords rather than actual impact. Accuracy drops from ~89% to ~55% on entries whose severity deviates from the type’s typical level.
His full analysis, code, and data are available at eromang/researches/CNVD-Dataset-Validation.
April 3, 2026
Vulnerability Report - March 2026
Introduction
This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.
April 2, 2026
Vulnerability-Lookup 4.3.0 released
We are pleased to announce the release of Vulnerability-Lookup 4.3.0! This release brings compliance with the updated GCVE BCP-03 specification (discussion), introducing a dedicated API endpoint for exposing GCVEs published by a local Vulnerability-Lookup instance. It also includes improvements to the GCVE feeder, email notification reliability fixes, and updated dependencies.
What’s New
GCVE Publication Endpoint
A new /api/gcve/publication endpoint lets external consumers discover all GCVEs published by the local instance. This is the standard mechanism defined in the updated GCVE BCP-03 for federated vulnerability sharing between Vulnerability-Lookup deployments and GCVE-compatible tools. c931b95
March 27, 2026
VulnMCP 1.0.0 released
We are excited to share a new project we have been working on: VulnMCP. VulnMCP is an MCP server that brings vulnerability intelligence directly into AI clients, chat agents, and automated workflows. The idea is simple: make vulnerability analysis programmable, modular, and easily consumable by modern AI systems.
With VulnMCP, you can:
Query and explore vulnerabilities (via Vulnerability-Lookup) directly from your chat agent or editor.
Classify vulnerability severity (in English and Chinese) using our fine-tuned NLP models.
Predict CWE categories from descriptions.
Guess the CPE based on one or more keywords from a vulnerability description.
Explore KEV catalogs.
Retrieve real-world sightings.
Build and extend your own “skills” for automated security analysis.
Have a look at the screencast below (with sound on!) featuring Claude Code. You will see how to retrieve information about a vulnerability using its CVE ID and classify its severity — all from your favorite AI chat agent.
March 25, 2026