Vulnerability-Lookup 5.3.0 released
We are pleased to announce the release of Vulnerability-Lookup 5.3.0!
This release brings email subscriptions to KEV catalogs, letting you receive batched digests whenever new exploited vulnerabilities are added to a catalog you follow. Search gained the long-requested ability to filter and sort by CVSS base score, two new feeder families join the platform — the AVID (AI Vulnerability Database) feeder and a set of new CSAF vendor feeders — and the KEV catalogs page gained a whole suite of coverage visualisations. On the account side, 2FA recovery codes make account recovery safer.
What’s New
Email subscriptions to KEV catalogs
You can now subscribe to any KEV catalog and receive batched email digests when new entries are added. Subscriber counts are surfaced on the catalogs page, and the notifications page was modernized onto the shared card design language (#457).

The KEV catalogs page now shows the number of subscribers on each catalog card.

The notifications page, modernized onto the shared card design language, with the new KEV catalog subscriptions alongside vendor/product and organization watches.
Filter and sort by CVSS base score
The search now supports filtering and sorting vulnerabilities by CVSS base score — including CVSS-only searches that need no vendor, product or assigner. The recent vulnerabilities page gained a quick-filter accordion above the table, and the search form now preselects the CVE Program source by default (#454).

The quick-filter accordion on the recent vulnerabilities page: filter the current source by vendor, product, assigner and CVSS score range.
New feeders: AVID and more CSAF vendors
A new feeder for the AVID (AI Vulnerability Database) brings AI-specific vulnerability advisories into the platform, with a dedicated advisory view, product search wiring and source registration. Contributed by @thunderstornX in #442.
We also added new CSAF feeders for the vendors whose public feeds actually deliver documents — audited from a much larger candidate list — wired into the web interface and README. Along the way: CERT@VDE trusted-provider metadata URLs were fixed for 12 vendors, the TuxCare feeder now points at its published provider metadata, Palo Alto advisory ids were namespaced so they no longer overwrite canonical CVE records, and the csaf_trend feeder was renamed to csaf_trendmicro (#448).
KEV catalog coverage visualisations
Building on the catalog coverage matrix introduced in 5.2.0, the KEV catalogs page gained a set of coverage visualisations:
- A coverage timeline chart with a blind-spots gap finder.
- Cross-catalog vulnerability search.
- Click-to-filter on the UpSet plot columns, plus a mean lead-time and same-day caption.
- First-listed/last-updated sort toggles on the coverage table and catalog pages.
- Catalog licence badges, and vendor/product shown in the coverage table.

The catalog combinations UpSet plot — click a column to filter the coverage table below — and the coverage table with its new first-listed/last-updated sort toggle.
2FA recovery codes
Accounts protected with two-factor authentication can now generate recovery codes for account recovery, and the profile page was restructured into themed cards (#435).
Favorite feed
Users can pick a favorite feed used as the default source on the recent vulnerabilities page, and toggle it directly from that page.

Quick-access buttons next to the source selector jump to the local instance source or your favorite feed — here browsing the new AVID source.
Readable RSS/Atom feeds
RSS/Atom feeds now render as readable pages when opened in a browser: server-side rendering via content negotiation, KEV Atom content emitted as XHTML, and the XSL stylesheet made XSLT 1.0 compatible and served as application/xslt+xml so Chromium-based browsers apply it.
API improvements
- Enrichment flags on the bulk vulnerability endpoint.
- CORS headers on
/apiendpoints for browser-based access. - KEV entries resolvable by
(origin_uuid, vulnId)forPUT/DELETE.
Other new features
- Sightings — Accept more vulnerability identifier patterns: CVE-UNASSIGNED, OpenVAS, SSV, Exploit-DB (EDB) and China National Vulnerability Database (CNVD).
- Performance — pg_trgm GIN indexes for sighting source/vulnerability search, with the author lookup split into a UNION leg so the indexes actually apply. Contributed by @DevamShah in #431 (#440).
- UI — Filtering, sorting and search on the CNA publications and vulnerability disclosures lists.
Changes
- EUVD — Added the EUVD ID data model and Kvrocks key conventions. Contributed by @archakisn in #452.
- UI — Continued the UI refresh: the About and About-this-instance pages, a soft azure underglow on the home hero signal line, Choices.js widgets themed with the design tokens, and a themed vendor autocomplete for the navbar search.
- Templates — Recent vulnerabilities page polish: a shortcut button to the local instance source, a link to the current source’s recent vulnerabilities in the generic CSAF view, and vulnerability identifiers displayed in uppercase in the disclosures list.
- Configuration — Added unicode icons to the source names in
SOURCES_TO_SHOW. - Documentation — Improved the README, added documentation for running a minimal publication instance (#456), and documented the KEV catalog email subscriptions.
- Dependencies — Updated Python dependencies and bumped the pinned GitHub Actions.
Fixes
- API —
GET /api/vulnerability/recentwithout asourceagain returns the most recent entries across all sources (the global index), consistent with/api/vulnerability/lastand with the documented behavior. Since 3.0.0 (February 2026) it silently defaulted to thecvelistv5source only; clients that came to rely on that must now passsource=cvelistv5explicitly. - Search — A vendor-only search now spans all sources instead of only
cvelistv5, and a known-vendor query takes precedence over the linked-vulnerabilities fallback (#432). - Notifications — Widened the notification query window and deduplicated already-sent notifications, so entries indexed with a source-side
lastModifiedolder than the wall-clock window are no longer silently skipped; the nvd source is now included and results are deduplicated across sources (#449). - API — KEV endpoint hardening: BCP-07 conformant output, a unique tiebreaker in the list ordering so pagination no longer yields duplicate entries on tie-heavy sorts, unhandled 500 responses marked as
no-store, andPUTnow only movesfirst_seen_at/asserted_atbackwards (#453). - API — Sighting creation timestamps are set server-side,
ILIKEwildcards are escaped in search filters, and theupdateddate sort uses the correct index key. - Statistics — Current-year charts stop at the current month, bogus delta labels for unfinished months are suppressed (#433), and the selected multi-year window is preserved when switching sources (#436).
- Feeds — Aligned the recent feed sort order and timestamps with the
/recentpage (#443). - KEV — UpSet plot rendering: widened the set-label gutter so long catalog names fit, reserved a numeric lane so totals are not clipped, and clarified the total vs exact-slice reading of the plot.
- UI — Stripped global-chrome bleed from the vulnogram editor and corrected its dialog button layout; aligned navbar link tooltips with their labels; showed the public Vulnerability Disclosures link to logged-in users; made vulnerability IDs clickable in the admin disclosures view (#438).
- Users — Avoided an N+1 query in the user directory and made the DB pool resilient.
- Docker — Read the PostgreSQL URI from
website.pyto avoid importing psycopg2.
Changelog
📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v5.3.0
🙏 A big thank you to all contributors and testers!
Feedback and Support
If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!
Follow Us on Fediverse/Mastodon
You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/