Vulnerability-Lookup 5.1.0 released
We are pleased to announce the release of Vulnerability-Lookup 5.1.0!
The highlight of this release is the new CNA Publication Service, which lets vulnerabilities from your local source be published to the official CVE API as part of the Coordinated Vulnerability Disclosure (CVD) process. It also brings a new exploited-CVE ratio statistic, CSAF advisories in full-text search, further UI harmonization, and important reindexing and feeder fixes.
A special thank you to Niclas Dauster for the substantial contribution behind the CNA Publication Service (#416).
What’s New
CNA Publication Service
Building on the CNA-interoperable API introduced in 5.0.0, vulnerabilities of the local source can now be published to the official CVE API (cveawg) as part of the Coordinated Vulnerability Disclosure process:
- users request publication of a local vulnerability,
- admins moderate the request (publish or reject) through a dedicated HTML moderation view,
- the resulting CVE-ID is mirrored back into the local database (Kvrocks).
The service is built on a new data model and web service, includes a rejection mechanism, stores per-user CNA credentials encrypted, and integrates with Vulnogram (a CNA publications link is now available directly from the editor header).
The feature is disabled by default. Enable it with cna: true in config/generic.json and configure it in config/cna.json. Note that it requires a database migration. See the CNA service documentation for the full setup and usage guide.
The screencast below walks through the complete workflow: a vulnerability is first published as a GCVE on the local instance, then submitted for publication as a CVE — including how error messages returned by the official MITRE service are surfaced and handled along the way.
The vulnerability published during the screencast is now available under both identifiers — one single record, reachable as GCVE-1-2026-20016 or CVE-2026-53901 on the instance, and listed in the official CVE Program as CVE-2026-53901 on cve.org.
Screenshots

Requesting the publication of a local vulnerability directly from the Vulnogram editor.

The CNA Publications view, displaying the status of the publication requests made to the cveawg MITRE service from local vulnerabilities (GCVE), with the assigned CVE ID, requester, timeline and moderation actions.

Managing a single publication: status, timeline, requester and CNA API debug information, with update, reject, abort and delete actions.
The CVE record pushed to MITRE’s cveawg service is the very same GCVE record created locally on the Vulnerability-Lookup instance — there is no duplication or re-entry of data. From this view, locally created advisories can be managed through their whole publication lifecycle: reserving a CVE ID, creating or updating the corresponding CVE record, and tracking the status of each request. Once published, the advisory is known under both its GCVE ID and its assigned CVE ID. Local-only vulnerabilities — GCVE entries that are not published as CVEs — remain visible alongside, so disclosure can stay entirely local or go through the CVE Program, on a per-vulnerability basis.

All the lifecycle states side by side: local-only GCVE entries (no CVE ID reserved) next to advisories with a reserved CVE ID, a pending publication, or a published CVE record.
Exploited-CVE ratio statistics
New charts and API endpoints track, over time, the share of CVEs that have at least one exploitation sighting — a clearer real-world risk signal than raw vulnerability counts (#413). This metric was already put to use in our May 2026 vulnerability report.

The new ‘Exploited CVE ratio per year’ chart on the statistics page, combining the yearly share of exploited CVEs with the absolute counts.
CSAF advisories in full-text search
CSAF advisories are now wired into the full-text search read path, making them discoverable through search (#417, #420).
Website improvements
- The Vendor and Product columns in the recent vulnerabilities view now link directly to the corresponding search.

The recent vulnerabilities view: clicking a vendor or product now jumps straight to the corresponding search.
Changes
- UI refresh, continued — More pages were harmonized onto the shared card design language introduced in 5.0.0: the sightings templates, the statistics page cards, bundle cards, comment cards, and the “Evolution for the last month” section.
- Vulnogram — Added a CNA publications link to the editor header; the Recent vulnerabilities link now falls back to the local source.
- Templates — Vulnerability/CVE identifiers are now displayed in uppercase across the templates and the CNA publications view.
- Documentation — Fixed the path to dumps/ and various CHANGELOG cleanups.
- Dependencies — Updated Python dependencies.
Fixes
- Reindexing and feeder keys — Rewrote the reindex scripts, made index_vulnerabilities --purge lossless, guarded the nvd and gcve_vl published counters with first_seen, and fixed several feeder key bugs (#418, #419).
- CNA Publication Service hardening — Post-merge hardening of the new service: stricter validation of cveawg responses and vulnerability identifiers, the credentials endpoint and Profile credentials link gated to admins, the CVE API key redacted from persisted request/response/error fields, Fernet key validation at startup, a unique vuln_id constraint at the database level, and assorted refactors.
- UI — Include ADP container data in CVE 5 record views (#414); constrain user markdown images to their container.
- Vulnogram — Keep editing in update mode after creating a record.
- Website — Silenced the per-worker gevent monkey-patch warning and made cache writes resilient to broken connections.
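Two of the hardening measures listed above, Fernet key validation at startup and redaction of the CVE API key from persisted request/response/error fields, shown as an added example that is not Vulnerability-Lookup's own code. The function names, the CVE-API-KEY header name and the sample record are assumptions; the key check uses only the standard library and tests the property the Fernet format requires (32 url-safe base64-encoded bytes).

```python
import base64
import binascii

REDACTED = "[REDACTED]"
# Assumed name of the header carrying the CVE API key; adjust to your deployment.
SENSITIVE_KEYS = {"cve-api-key"}


def validate_fernet_key(key: str) -> bytes:
    """Fail fast at startup unless key is 32 url-safe base64-encoded bytes."""
    try:
        raw = base64.urlsafe_b64decode(key.encode("ascii"))
    except (binascii.Error, UnicodeEncodeError) as exc:
        raise ValueError("Fernet key is not valid url-safe base64") from exc
    if len(raw) != 32:
        raise ValueError(f"Fernet key decodes to {len(raw)} bytes, expected 32")
    return raw


def redact(obj, secret: str):
    """Return a copy of obj with the secret stripped before it is persisted."""
    if isinstance(obj, dict):
        # Values under known sensitive keys are dropped regardless of content.
        return {
            k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v, secret)
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return [redact(v, secret) for v in obj]
    # The key can also be echoed inside free-text error messages.
    if isinstance(obj, str) and secret and secret in obj:
        return obj.replace(secret, REDACTED)
    return obj


# Constructed sample data: not a real key, request or cveawg response.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()
SAMPLE_API_KEY = "constructed-api-key-0000"
SAMPLE_RECORD = {
    "request": {"headers": {"CVE-API-KEY": SAMPLE_API_KEY, "CVE-API-ORG": "example"}},
    "response": {"status": 401},
    "error": f"upstream rejected key {SAMPLE_API_KEY} for org example",
}

if __name__ == "__main__":
    validate_fernet_key(SAMPLE_KEY)  # raises ValueError on a malformed key
    print(redact(SAMPLE_RECORD, SAMPLE_API_KEY))
```

Redacting both by field name and by value covers the case where the upstream service or an HTTP client library echoes the key inside an error string.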
Changelog
📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v5.1.0
🙏 A big thank you to all contributors and testers!
Feedback and Support
If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!
Follow Us on Fediverse/Mastodon
You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/