Vulnerability-Lookup 5.4.0 released
We are pleased to announce the release of Vulnerability-Lookup 5.4.0!
The highlight of this release is VEX enrichment: a new feeder ingests Red Hat’s per-CVE CSAF VEX documents and attaches them to the corresponding vulnerabilities, surfaced through new /api/vex endpoints, a VEX tab on the vulnerability page and a VEX badge in the vulnerability header. Administrators gain per-user control over CNA publication with a dedicated credentials overview, the admin dashboard was modernized, and a batch of feeder robustness fixes makes the CSAF and VARIoT feeders much better behaved on partial failures.
What’s New
VEX enrichment from Red Hat CSAF VEX documents
A new redhat_vex metadata feeder ingests Red Hat’s per-CVE CSAF VEX documents and attaches them to the corresponding vulnerabilities as enrichment metadata (#468).
The feeder is built for reliable incremental operation: it walks changes.csv (the only Red Hat index with timestamps) for incremental updates, advances its cursor with a 24-hour overlap instead of freezing on missing CVEs, honors deletions.csv by skipping tombstoned documents and dropping their stale metadata, keeps the full CSAF document in a side key so the meta hash stays compact, and reuses one HTTP session across document downloads.
VEX metadata in the API and the web interface
The VEX metadata is exposed through new /api/vex endpoints, the vulnerability page gained a VEX tab that distills a summary of the CSAF document, and an EPSS-style VEX badge now appears in the vulnerability header.

The new VEX badge in the vulnerability header, alongside VLAI and EPSS, summarizing the affected, fixed and not-affected product counts from the Red Hat CSAF VEX document.

The VEX tab distills the CSAF VEX document: vendor statement, weakness, vendor CVSS, why products are not affected, known affected products and remediations.
Per-user enable/disable of CNA publication
CNA credentials gained an enabled attribute (existing credentials stay enabled via the migration). When disabled, the reserve, publish and reject operations against the CVE Services API are blocked for that user, while purely local publication records remain manageable.
Administrators manage the flag from the new /admin/cna-credentials overview, which lists each credential with the login of the bound user, and the affected user sees a notice on their credentials page. A new admin-only /api/cna_credential endpoint exposes the credentials — including the enabled attribute and the login of the bound user, never the API key — and supports toggling enabled via PUT.
Admin overview for KEV catalog subscriptions
Following up on the KEV catalog email subscriptions introduced in 5.3.0, administrators get an overview page for KEV catalog e-mail subscriptions and a dedicated e-mail notifications card on the dashboard.

The modernized admin dashboard, with the new e-mail notifications card covering product and KEV notifications.
Richer KEV digest emails
Digest emails now show the entry titles and the affected vendors/products.
Changes
- Admin — Modernized the dashboard with the analyst console theme, renamed e-mail notifications to product notifications and harmonized the page with the KEV notifications overview, and removed the notifications column from the users table.
- EUVD — Added the EUVD data-access layer and hardened the key builders. Contributed by @archakisn in #467.
- KEV — The KEV entry detail page now displays the catalog name.
- Update —
poetry run updateonly reinstalls the root project whenpyproject.tomlchanged, skipping the costly package-file scan on routine updates. - Notifications — Added more e-mail signoff variations.
- Documentation — Documented the VEX enrichment and the enrichment sources (including CISA ADP Vulnrichment) in the README, corrected the feeds source list (Vulnrichment is enrichment, not a feed source), documented CNA credential administration and the
enabledattribute, and updated the KEV catalog list and the Swagger file. - Dependencies — Updated Python dependencies.
Fixes
- Feeders — CSAF feeders no longer reset their cursor to 1900 on a partial download failure — a single failed document made the next cycle re-pull and re-import the entire feed (#458) — and only new or updated CSAF advisories are published to subscribers, so a re-pull no longer triggers a notification storm (#466).
- Feeders — Placeholder or invalid feeder credentials are surfaced at startup instead of failing silently (#465).
- Feeders — One malformed
modules.cfgentry no longer aborts all feeders (#464). - Feeders — The VARIoT feeder handles unexpected API responses instead of rescanning the full window every cycle without progress (#461).
- Feeders — Aligned the
osv_almalinuxsubmodule path with the feeder name (#462).
Changelog
📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v5.4.0
🙏 A big thank you to all contributors and testers!
Feedback and Support
If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!
Follow Us on Fediverse/Mastodon
You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/