Vulnerability-Lookup 5.2.0 released

We are pleased to announce the release of Vulnerability-Lookup 5.2.0!

This release centers on a broad interface redesign — a refreshed home page built around a hero search and a tabbed dashboard, with the shared card design language now rolled out across the rest of the application. Alongside it come new change-aware browse API endpoints that let clients poll only what actually changed, a modernized KEV catalogs experience with aggregated feeds, and a confidential notes field for vulnerability disclosures.

The screencast below gives a tour of what’s new (turn the sound on):

What’s New

Change-aware browse API

Two new metadata-aware browse endpoints expose the date of the last vulnerability change per vendor and product:

  • GET /api/browse/vendors
  • GET /api/browse/vendors/<vendor>/products

With these, clients can poll only the vendors and products that actually changed since their last call, instead of fanning out over every product. The timestamps are maintained at import time by every feeder that populates the vendor/product index, and backfilled by the reindex tool.

Under the hood, the last-change dates live in dedicated sorted sets (vendors:updated, <vendor>:products:updated), so a since= query costs a single ZRANGE … WITHSCORES plus an in-memory sort — regardless of how many CVEs sit behind each vendor, and with no caching layer required (#255, #422).

For example, listing Microsoft products matching windows that changed since 2026-06-18, paginated:

$ curl -s 'https://vulnerability.circl.lu/api/browse/vendors/microsoft/products?q=windows&since=2026-06-18&page=1&per_page=10' | jq
{
  "metadata": {
    "count": 19,
    "page": 1,
    "per_page": 10
  },
  "data": [
    {
      "name": "windows 10 version 1607",
      "last_change": "2026-06-18T22:26:33.618000+00:00"
    },
    {
      "name": "windows 10 version 1809",
      "last_change": "2026-06-18T22:26:33.618000+00:00"
    },
    {
      "name": "windows 10 version 21h2",
      "last_change": "2026-06-18T22:26:33.618000+00:00"
    },
    {
      "name": "windows 10 version 22h2",
      "last_change": "2026-06-18T22:26:33.618000+00:00"
    },
    {
      "name": "windows 11 version 23h2",
      "last_change": "2026-06-18T22:26:33.618000+00:00"
    },
    {
      "name": "windows 11 version 24h2",
      "last_change": "2026-06-18T22:26:33.618000+00:00"
    },
    {
      "name": "windows 11 version 25h2",
      "last_change": "2026-06-18T22:26:33.618000+00:00"
    },
    {
      "name": "windows 11 version 26h1",
      "last_change": "2026-06-18T22:26:33.618000+00:00"
    },
    {
      "name": "windows server 2012",
      "last_change": "2026-06-18T22:26:33.618000+00:00"
    },
    {
      "name": "windows server 2012 (server core installation)",
      "last_change": "2026-06-18T22:26:33.618000+00:00"
    }
  ]
}

The metadata.count reports the total number of matching products (19 here), while data returns the requested page — a client can keep paging or, on its next run, raise since= to fetch only what has changed since.
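An added example of the polling pattern described above (not code from the Vulnerability-Lookup project): a client that pages through /api/browse/vendors/<vendor>/products, keeps a high-water mark of the newest last_change it has seen, and on the next run sends that mark's date as since=. It assumes the response shape shown in the curl output and that since= takes a calendar date; the HTTP call is injected so the block runs offline against a constructed fixture.

```python
from datetime import datetime
from urllib.parse import quote

BASE = "https://vulnerability.circl.lu/api/browse"  # instance from the curl example above


def fetch_page(fetch, vendor, since_date, page, per_page):
    """One GET against /vendors/<vendor>/products. `fetch(url, params)` is injected so the
    same code works with requests.get(url, params=params).json() or an offline fixture."""
    url = f"{BASE}/vendors/{quote(vendor, safe='')}/products"  # vendor is a path segment
    return fetch(url, {"since": since_date, "page": page, "per_page": per_page})


def changed_products(fetch, vendor, high_water, per_page=10):
    """Return (product names changed strictly after `high_water`, new high-water mark).
    since= is sent as the mark's calendar date (the granularity the curl example uses), so
    the API may re-send that day's entries; comparing each last_change against the full
    timestamp drops what an earlier run already processed."""
    mark = datetime.fromisoformat(high_water)
    since_date = mark.date().isoformat()
    newest, fresh, page, seen = mark, [], 1, 0
    while True:
        resp = fetch_page(fetch, vendor, since_date, page, per_page)
        for item in resp["data"]:
            changed = datetime.fromisoformat(item["last_change"])
            if changed > mark:
                fresh.append(item["name"])
                newest = max(newest, changed)
        seen += len(resp["data"])
        if not resp["data"] or seen >= resp["metadata"]["count"]:  # metadata.count exhausted
            break
        page += 1
    return fresh, newest.isoformat()


# Constructed offline stand-in for the endpoint: 12 products, 11 changed on or after
# 2026-06-18, served 10 per page in the response shape shown above.
_T18 = "2026-06-18T22:26:33.618000+00:00"
_PRODUCTS = ([(f"windows 10 version {v}", _T18) for v in ("1607", "1809", "21h2", "22h2")]
             + [(f"windows 11 version {v}", _T18) for v in ("23h2", "24h2", "25h2", "26h1")]
             + [("windows server 2012", _T18),
                ("windows server 2012 (server core installation)", _T18),
                ("windows server 2025", "2026-06-19T01:00:00+00:00"),  # constructed, newer
                ("windows 8.1", "2026-06-10T08:00:00+00:00")])          # constructed, older


def fixture_fetch(url, params):
    assert url.endswith("/vendors/microsoft/products"), url
    hits = [(n, t) for n, t in _PRODUCTS if t[:10] >= params["since"]]
    start = (params["page"] - 1) * params["per_page"]
    return {"metadata": {"count": len(hits), "page": params["page"], "per_page": params["per_page"]},
            "data": [{"name": n, "last_change": t} for n, t in hits[start:start + params["per_page"]]]}
```

Persist the returned mark between runs; the first call below walks two pages and the second, reusing the mark, fetches nothing new.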

The legacy plain-list browse endpoints (/api/browse/, /api/browse/<vendor>, /api/vulnerability/browse/) are now signposted as deprecated via Deprecation/Sunset/Link headers and in the OpenAPI docs, in favor of these new endpoints. Their behavior and response shape are unchanged.

KEV catalogs, modernized

The KEV catalogs page gained a catalog coverage matrix that shows, across all catalogs, which entries each one covers — and the KEV catalog vulnerability column now surfaces the vendor and product. We covered this feature in detail in a dedicated blog post.

This release also adds aggregated RSS/Atom feeds for all KEV catalogs, so you can subscribe to exploited-vulnerability updates across every catalog at once.

The Known Exploited Vulnerability Catalogs page, with one card per catalog and the catalog coverage matrix below.

A single KEV catalog view: the vulnerability column now surfaces the vendor and product.

Confidential disclosure notes

The disclosure form now includes a confidential free-text field that is never published. It is intended for reproduction steps and other sensitive notes that should stay private to the instance, distinct from the publicly disclosed advisory content.

Changes

A redesigned home page

The home page was rebuilt around a hero search and a dashboard split into Trending, Charts and Activity tabs:

  • The hero lead now describes correlating advisories across sources, linking them to sightings, and coordinating disclosure.
  • A themed, keyboard-navigable vendor autocomplete — also rolled out to the search and notification forms.
  • A dismissible banner, remembered via a cookie and restorable from the footer, and a persisted last-visited tab.
  • The Charts tab gained sighting-type definitions and a link to the sightings manual.
  • The Activity tab folded the latest KEV entries in alongside vulnerabilities, comments, bundles and sightings.
  • The watchlist page was modernized onto the shared card design language.

The redesigned home page, built around a hero search and a dashboard split into Trending, Charts and Activity tabs.

UI refresh, continued

The global theme and chrome were refreshed, and the shared card design language and theme utilities were rolled across the rest of the interface: the vulnerability and CWE/product detail pages, the search page, the recent vulnerabilities and sightings views, the KEV catalog and entry pages, the statistics header, bundle and comment detail pages, the contributors list, the profile/auth/edit forms, and the community and admin pages. KEV catalog badges now link to their entry, and the main menu was improved (#427).

The vulnerability detail page, refreshed onto the shared card design language.

Other changes

  • KEV — Reorganized the KEV views, deduplicated helpers, fixed the local catalog label, and paginated the catalog coverage matrix over all vulnerabilities.
  • CI — Hardened the GitHub Actions workflows: top-level deny-by-default permissions on the CodeQL workflow, explicit GITHUB_TOKEN permissions, action versions pinned via Ratchet, actions/checkout prevented from storing credentials on the runner, and a cooldown introduced for actions (#421).
  • Documentation — Restructured the API v1 page around the rendered OpenAPI spec, renamed api-v1.md to api.md, documented the KEV RSS/Atom feeds, refreshed the API usage example, and updated the Swagger.json file.
  • Dependencies — Updated Python dependencies, including bumping cryptography from 44.0.3 to 48.0.1 (#426).
  • Project — Updated the authors list in pyproject.toml and refreshed humans.txt.

Fixes

  • API — Percent-encode the user-controlled vendor segment before placing it in the deprecation Link header, preventing header injection; fixed an issue when parsing the JSON string query parameter.
  • Reindex — Avoid suffix SCAN patterns unsupported by older Kvrocks.
  • KEV — Restore the default feed page size of 20 entries.
  • Docs — Render the OpenAPI spec via eval-rst so httpdomain directives parse, and sanitize dangling $refs at build time.
  • UI — Fixed spacing around the sightings and recent vulnerabilities tables.
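To illustrate the first fix above, an added example (not the project's own code) of building the deprecation headers for a legacy /api/browse/<vendor> response so that the user-controlled vendor segment cannot break out of the Link header. The rel value, the Sunset date and the "Deprecation: true" form are assumptions chosen for the example.

```python
from urllib.parse import quote

SUCCESSOR = "/api/browse/vendors/{vendor}/products"  # successor endpoint from this release


def deprecation_headers(vendor: str, sunset: str = "Sun, 01 Nov 2026 00:00:00 GMT") -> dict:
    """Headers signposting a legacy browse endpoint as deprecated (values are assumptions).
    quote(vendor, safe="") percent-encodes every reserved byte in the path segment, so a
    CR, LF, '>' or '/' in the vendor becomes %0D, %0A, %3E or %2F and can neither end the
    header line nor terminate the URI reference."""
    target = SUCCESSOR.format(vendor=quote(vendor, safe=""))
    return {
        "Deprecation": "true",
        "Sunset": sunset,
        "Link": f'<{target}>; rel="successor-version"',
    }


def header_values_are_safe(headers: dict) -> bool:
    """Boundary check worth keeping next to any header built from request data:
    no value may contain a line break, whatever the encoding upstream did."""
    return all("\r" not in v and "\n" not in v for v in headers.values())


if __name__ == "__main__":
    for h, v in deprecation_headers("microsoft").items():
        print(f"{h}: {v}")
```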

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v5.2.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/