Vulnerability-Lookup – News

Vulnerability Report - May 2026

Wed, 03 Jun 2026 00:00:00 +0000

Introduction

This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerabilities for May 2026, based on data aggregated from Vulnerability-Lookup, the CISA Known Exploited Vulnerabilities catalog, the CIRCL KEV catalog, the ENISA EUVD feed, and contributor comments and bundles. Sightings come from MISP, Exploit-DB, Bluesky, Mastodon, Telegram, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

May 2026 was, once again, the month of the Linux kernel “Copy Fail” flaw. CVE-2026-31431 (algif_aead in-place operation regression) more than doubled its activity, drawing 574 sightings – up from 279 in April – and remaining the most observed vulnerability on the platform by a wide margin. Two further Linux kernel networking flaws in the same family of “shared skb fragment” issues, CVE-2026-43284 (xfrm/ESP) and CVE-2026-43500 (rxrpc), also entered the top ranking, underlining sustained scrutiny of the kernel crypto and networking paths.

Edge-security appliances dominated the exploited side of the month. Palo Alto Networks PAN-OS suffered two separate KEV-listed flaws: a critical unauthenticated buffer overflow in the User-ID Authentication Portal (CVE-2026-0300, CVSS 9.3) added to CISA KEV on May 6, and GlobalProtect authentication bypass CVE-2026-0257 added on May 29. Cisco’s Catalyst SD-WAN authentication bypass CVE-2026-20182 (CVSS 10.0) prompted CISA Emergency Directive ED 26-03. WebPros cPanel & WHM CVE-2026-41940 carried over from April as the second-most-sighted issue (320 sightings) and was confirmed in ransomware campaigns by the ENISA / EU CSIRTs Network.

A clear software supply-chain theme emerged: CISA added three “embedded malicious code” entries within a single week – TanStack (CVE-2026-45321), Nx Console (CVE-2026-48027, CWE-506) and Daemon Tools Lite (CVE-2026-8398) – all involving trojanised packages or extensions used to harvest credentials.

The AI stack continued to be a recurring exposure surface. CISA KEV-listed BerriAI LiteLLM SQLi (CVE-2026-42208) and Langflow CVE-2025-34291, while contributors documented an unauthenticated memory-leak in Ollama (CVE-2026-7482, “Bleeding Llama”). NGINX heap overflow CVE-2026-42945 and a long tail of WordPress/Freemius reflected-XSS (CVE-2024-13362) rounded out the high-volume sightings.

The CISA Known Exploited Vulnerabilities catalog added 21 entries during May, spanning fresh edge-appliance and AI-stack RCEs, supply-chain malware, and a notable re-anchoring batch of legacy Microsoft and Adobe issues from 2008-2010 (CVE-2008-4250 / MS08-067, CVE-2010-0249, CVE-2009-3459). The CIRCL KEV catalog added the Linux kernel “Copy Fail” flaw on the basis of incident-response host-log evidence, and the ENISA EUVD KEV catalog surfaced three entries during May, including the cPanel & WHM authentication bypass flagged as ransomware-linked by CERT-PL.

By CWE, the month was characterised by memory-corruption in the kernel and edge appliances (CWE-787, CWE-122), authentication bypass (CWE-565, CWE-287, CWE-306), SQL injection in AI/web tooling (CWE-89), cross-site scripting (CWE-79), and a distinct spike in embedded-malicious-code supply-chain entries (CWE-506).

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2026-31431	574	Linux	Kernel (algif_aead)	High (confidence: 0.9482)
CVE-2026-41940	320	WebPros	cPanel & WHM	Critical (confidence: 0.8211)
CVE-2026-42945	180	F5	NGINX	High (confidence: 0.8166)
CVE-2026-43284	174	Linux	Kernel (xfrm/ESP)	High (confidence: 0.9722)
CVE-2026-0300	172	Palo Alto Networks	PAN-OS	Critical (confidence: 0.9876)
CVE-2026-42897	117	Microsoft	Exchange Server	High (confidence: 0.4482)
CVE-2024-13362	112	Freemius	Freemius SDK (WordPress)	Medium (confidence: 0.9807)
CVE-2026-43500	106	Linux	Kernel (rxrpc)	High (confidence: 0.4832)
CVE-2026-0257	95	Palo Alto Networks	PAN-OS (GlobalProtect)	Medium (confidence: 0.953)
CVE-2026-20182	86	Cisco	Catalyst SD-WAN Manager	Critical (confidence: 0.995)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

Exploited CVE ratio

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2026-0257	2026-05-29	Palo Alto Networks	PAN-OS (GlobalProtect)	Medium (confidence: 0.953)
CVE-2026-45321	2026-05-27	TanStack	TanStack	High (confidence: 0.8857)
CVE-2026-48027	2026-05-27	Nx	Nx Console	Critical (confidence: 0.7056)
CVE-2026-8398	2026-05-27	Daemon	Daemon Tools Lite	High (confidence: 0.5318)
CVE-2026-48172	2026-05-26	LiteSpeed	cPanel Plugin	High (confidence: 0.7521)
CVE-2026-9082	2026-05-22	Drupal	Core	Critical (confidence: 0.621)
CVE-2026-34926	2026-05-21	Trend Micro	Apex One	High (confidence: 0.9918)
CVE-2025-34291	2026-05-21	Langflow	Langflow	High (confidence: 0.987)
CVE-2026-41091	2026-05-20	Microsoft	Defender	High (confidence: 0.9057)
CVE-2026-45498	2026-05-20	Microsoft	Defender	Medium (confidence: 0.9434)
CVE-2008-4250	2026-05-20	Microsoft	Windows (Server Service)	Critical (confidence: 0.795)
CVE-2009-3459	2026-05-20	Adobe	Acrobat and Reader	High (confidence: 0.8861)
CVE-2010-0249	2026-05-20	Microsoft	Internet Explorer	High (confidence: 0.7062)
CVE-2010-0806	2026-05-20	Microsoft	Internet Explorer	Medium (confidence: 0.7167)
CVE-2009-1537	2026-05-20	Microsoft	DirectX	Medium (confidence: 0.4378)
CVE-2026-42897	2026-05-15	Microsoft	Exchange Server	High (confidence: 0.4482)
CVE-2026-20182	2026-05-14	Cisco	Catalyst SD-WAN Manager	Critical (confidence: 0.995)
CVE-2026-42208	2026-05-08	BerriAI	LiteLLM	Critical (confidence: 0.851)
CVE-2026-6973	2026-05-07	Ivanti	Endpoint Manager Mobile (EPMM)	High (confidence: 0.9765)
CVE-2026-0300	2026-05-06	Palo Alto Networks	PAN-OS	Critical (confidence: 0.9876)
CVE-2026-31431	2026-05-01	Linux	Kernel (algif_aead)	High (confidence: 0.9482)

More KEV entries from the CISA Catalog.

CIRCL

Vulnerability ID	Date Added	Vendor	Product	VLAI Severity
CVE-2026-31431	2026-05-04	Linux	Kernel (algif_aead)	High (confidence: 0.9482)

Added on the basis of incident-response host logs (“seen exploited on a system giving shell access to users”), confirming local privilege escalation in the wild.

More KEV entries from the CIRCL Catalog.

ENISA (EUVD)

The following entries from the ENISA / EU CSIRTs Network (CNW) KEV feed were surfaced in Vulnerability-Lookup during May. The cPanel & WHM authentication bypass is flagged as ransomware-linked by CERT-PL; the Roundcube XSS is attributed to APT activity (UNC1151).

Vulnerability ID	Date Reported	Vendor	Product	VLAI Severity
CVE-2026-41940	2026-05-08	WebPros	cPanel & WHM	Critical (confidence: 0.8211)
CVE-2024-42009	2026-04-27	Roundcube	Webmail	Medium (confidence: 0.9215)
CVE-2026-20963	2026-03-12	Microsoft	SharePoint	High (confidence: 0.9949)

More KEV entries from the ENISA Catalog.

Top 10 Weaknesses of the Month

Insights from Contributors

Community contributions in May combined hands-on mitigation guidance for the “Copy Fail” kernel flaw with deep-dive analysis of emerging AI-stack risks.

Deny alg_socket to Containers with SELinux to Mitigate CVE-2026-31431 – a detailed, tested walk-through of an SELinux deny rule (alg_socket) for container runtimes, plus RestrictAddressFamilies=~AF_ALG / SystemCallArchitectures=native per-service hardening and Red Hat’s initcall_blacklist boot-argument approach. The recurring theme: AF_ALG / algif_aead is rarely needed by user workloads, so denying it at the container or systemd-unit boundary is a pragmatic mitigation.
Bleeding Llama: Critical Unauthenticated Memory Leak in Ollama (CVE-2026-7482) – a shared write-up of Cyera Research’s analysis of an out-of-bounds heap read in Ollama’s GGUF quantization path (/api/create), exfiltratable via /api/push to an attacker-controlled URI. With ~300,000 Ollama servers exposed (listening on 0.0.0.0 with no authentication by default), three unauthenticated API calls can leak user prompts, system prompts, and host environment variables.
CVE-2026-0300 PAN-OS Authentication Portal buffer overflow – a pointer to the Palo Alto Networks advisory for the critical unauthenticated User-ID Authentication Portal overflow.

Contributors also curated a number of vendor advisories into bundles during May, helping group related fixes for triage:

Unauthenticated Remote Code Execution in Samba printing subsystem and the corresponding Debian DSA 6297-1 samba security update (6 CVEs).
Security content of iOS / iPadOS 26.5 (61 CVEs) and macOS Tahoe 26.5 (79 CVEs).
rsync 3.4.3 (7 CVEs), dnsmasq May 2026 advisory (6 CVEs), Firefox 150.0.3 / MFSA 2026-45 (5 CVEs), Moodle May 2026 (7 CVEs), Exim 4.99.2 (4 CVEs), and ImageMagick DSA 6240-1 (15 CVEs).

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release

Vulnerability-Lookup 5.0.0 released

Fri, 29 May 2026 00:00:00 +0000

We are thrilled to announce the release of Vulnerability-Lookup 5.0.0!

This major release centers on a new CNA-interoperable API for managing the vulnerabilities of your local source, together with deep Vulnogram integration, a continued UI refresh, and a long list of stability and correctness fixes.

A special thank you to Niclas Dauster for the substantial contribution behind the new CNA-interoperable API (#398).

What’s New

CNA- and GNA-Compatible Vulnerability Management

Vulnerabilities in your local instance can now be managed in a CNA-interoperable way through a dedicated API.

It streamlines Coordinated Vulnerability Disclosure (CVD) through a built-in Vulnogram integration compatible with both CVE 5.2 and GCVE-BCP-05, allowing CNAs and GNAs to publish advisories and synchronize with other instances regardless of the identifier format used.

The new API endpoint is partially interoperable with existing CNA endpoints from the CVE program, building on its solid foundation to enable a compatible and unified system for publishing vulnerability information. The API may be refined in upcoming releases based on feedback from adopters. We firmly believe that interoperable, reusable open-source components are key to preventing fragmentation in the vulnerability ecosystem.

We also welcome other vulnerability publication programs to extend this API to support their specific use cases or new models that could further improve automation in vulnerability handling.

Vulnogram integration

Vulnogram now drives ID reservation within vulnerability-lookup directly and vulnerability data management directly through the new CNA-interoperable API:

a dialog to view and reserve identifiers,
range-document creation,
state filtering,
reject and delete actions,
reserved IDs inserted directly into the form.

Configurable identifier allocation

You can now configure GCVE identifier allocation ranges for reservation. A bin script is also provided to migrate existing data to the new GNA ID format.

Website improvements

A new /kev-catalogs view listing all KEV catalogs.
Recent sightings are now rendered inside a dedicated home page tab.
Related vulnerabilities on the CWE detail page are now paginated (#406).

API

IPs/CIDRs can now be allowlisted to exempt them from the /api read rate limits.

Changes

UI refresh — We introduced a shared card design language (rounded cards, soft hover, brand-tinted leading icon badges) and applied it across the About, home, /recent and vulnerability pages. The About page gains a hero banner, feature highlights and live stats; the source dropdown on the recent vulnerabilities page was improved; popover triggers on vulnerability views were harmonized; and the sightings correlations tabs were reorganized. More UI improvements will come in future releases.
Production reference architecture — The documentation now includes a production reference architecture (HAProxy, Varnish, CDN, dumps and configuration examples).

Fixes

It also addresses a number of other issues:

UI — Preserve the VLAI popover header when refreshing content; align right-side navbar dropdowns to prevent overflow.
Website — Make Choices.js search inputs readable in the dark theme; repopulate the product list when the vendor changes on the search page; propagate config DEBUG=True to the FLASK_DEBUG environment variable.
Core — Add a timeout to graceful shutdown to prevent an infinite loop (#409).
API — Correct the per_page range check across the remaining endpoints, including rulezet and user (#411).
Docker — Use the kvrocks container name in .env.sample (#407).
Typing — Assorted mypy/typing fixes and Python 3.11 f-string compatibility.

Migration Notes

A bin script is provided to migrate existing local-source data to the new GNA ID format.

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v5.0.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability-Lookup 4.6.0 released

Thu, 21 May 2026 00:00:00 +0000

We are excited to announce the release of Vulnerability-Lookup 4.6.0!
This version brings more transparency, new data sources, API improvements, notable UI enhancements, and several performance and stability fixes.

What’s New

VLAI model transparency

The VLAI badge popover now surfaces the exact model name and revision used for a given analysis, with direct links to the HuggingFace model card and the revision commit. This is particularly useful as we regularly update our AI models and publish new versions on HuggingFace, making it easy to track exactly which model version produced a given result.

Moksha feeder

A new feeder for Moksha has been added, mirroring the indexing pattern used by the cvelistv5 source. Because Moksha is accessible over Tor, the feeder requires a local Tor instance and is disabled by default.

KEV catalog on the homepage and search results

The latest entries from CISA’s Known Exploited Vulnerabilities (KEV) catalog are now displayed directly on the homepage. KEV catalog badges also appear on the search results page, giving you an immediate signal when a vulnerability is actively exploited in the wild.

Improved CSAF advisory display

CSAF advisories now show a structured per-status product table derived from the product_tree, and the /recent page loads only the selected source with its own pagination — making it faster to browse recent activity.

API additions

A new with_meta parameter on the vulnerabilities list endpoint lets consumers fetch enriched metadata in a single call.
Optional, tier-aware rate limits can now be applied to vulnerability read endpoints.
A machine-readable access policy endpoint is available for automated consumers.

Changes

Performance improvements — Hot read endpoints are now cached with a Redis backend, full-text index writes are batched, and homepage sighting statistics are computed via a dedicated aggregated endpoint. These changes significantly reduce load under traffic spikes.
Homepage and template updates — The home page displays more information at a glance; the sources list on the About page is now in a collapsible accordion; Moksha is available in the /recent source menu.
ML-Gateway — The gateway response now includes the model name and revision, which are forwarded by the API (project page).
Dependencies — Python dependencies have been updated.

Fixes

This release includes a number of stability and correctness fixes: rate-limiter accuracy improvements (correct client IP resolution, dedicated Redis backend), Flask-Caching Redis pool reliability under gunicorn/gevent, EPSS badges on search results, timezone-aware timestamps for comments and bundles, restricted comment editing to authorized users only, and several minor UI and template corrections.

Migration Notes

Commit de3deb9 adds a composite index ix_sighting_creation_timestamp_type_vulnerability on the sighting table to support the /api/sighting/stats aggregation as an index-only scan.

To pick up the new index after pulling, run:

poetry run flask --app website.app db upgrade

Large instances: On really large sighting tables, consider building the index with CREATE INDEX CONCURRENTLY outside Alembic to avoid blocking writes during the build.

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v4.6.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/ I want We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability Report for the year 2025

Mon, 11 May 2026 00:00:00 +0000

All vulnerability reports

This report was generated with the help of AI, leveraging the VulnMCP Model Context Protocol server connected to Vulnerability-Lookup. The underlying data was aggregated from the twelve monthly reports published throughout 2025 and from the live Vulnerability-Lookup API.

Download this report as a PDF.

Introduction

The 2025 threat landscape was characterised by sustained pressure on enterprise infrastructure, edge devices, and developer tooling. Attackers continued to weaponise newly disclosed vulnerabilities within hours of publication, while a long tail of unpatched legacy IoT and edge devices (D-Link, Zyxel, DASAN, Huawei, Realtek, Netgear) kept generating massive exploitation noise. Several flagship incidents shaped the year: the SAP NetWeaver Visual Composer zero-day exploitation in April, the SharePoint “ToolShell” campaign in July, the NetScaler “CitrixBleed 2” saga from June onward, the Oracle E-Business Suite exploitation tied to the Cl0p activity in October, the WSUS critical (CVE-2025-59287) in October-November, the FortiWeb authentication bypasses in November, and the dramatic React Server Components (“React2Shell”) surge in December.

This year-in-review consolidates the twelve monthly reports covering 2025 and aggregates the data collected by Vulnerability-Lookup. Sources used to build this report include:

Vulnerability-Lookup sightings
CISA KEV catalog
CIRCL team curation and security advisories
EUVD / ENISA Known Exploited Vulnerabilities catalog
Community contributors via comments and bundles on the platform
Sighting feeds: MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation honeypots, Nuclei, SPLOITUS, Metasploit, Telegram, and more.

This report was generated with AI assistance via VulnMCP, the Model Context Protocol server that exposes Vulnerability-Lookup capabilities to AI agents: https://github.com/vulnerability-lookup/VulnMCP.

The Year at a Glance

The charts below summarise publication trends and the ecosystem most affected throughout 2025.

Evolution of CVE publication

Top 10 CVE Assigners of the Year

Top 10 Weaknesses (CWE) of the Year

Top 10 Vendors in 2025

Recurring themes

2025 delivered an unusually high volume of actively exploited vulnerabilities. Recurring themes across the year include:

Edge & network devices dominated continuous exploitation: D-Link DIR-645 (CVE-2015-2051), Zyxel P660HN (CVE-2017-18368), DASAN GPON (CVE-2018-10562), Huawei HG532 (CVE-2017-17215) remained in the top sightings every single month.
VPN / remote access: Ivanti Connect Secure (CVE-2025-0282, CVE-2025-22457), NetScaler ADC (CVE-2025-5777, CVE-2025-6543), Fortinet FortiOS / FortiWeb / FortiSwitchManager, Palo Alto PAN-OS (CVE-2025-0108), SonicWall SMA, Check Point Quantum.
Enterprise platforms: SAP NetWeaver (CVE-2025-31324), Microsoft SharePoint (CVE-2025-53770), Microsoft Exchange (CVE-2025-53786), Microsoft WSUS (CVE-2025-59287), Oracle E-Business Suite (CVE-2025-61882), Oracle Identity Manager (CVE-2025-61757).
Developer ecosystem & supply chain: Next.js middleware bypass (CVE-2025-29927), Apache Tomcat (CVE-2025-24813), Erlang/OTP SSH (CVE-2025-32433), tj-actions/changed-files GitHub Action compromise (CVE-2025-30066), React Server Components “React2Shell” (CVE-2025-55182), npm qix/duckdb_admin account compromise.
Client-side: Apple iOS/iPadOS/visionOS, Google Chrome V8, WinRAR (CVE-2025-8088, CVE-2025-6218), 7-Zip (CVE-2025-11001), Samsung Mobile zero-days (CVE-2025-21042, CVE-2025-21043).
CWE landscape: Cross-site scripting (CWE-79) and SQL injection (CWE-89) consistently topped the weakness charts, followed by injection (CWE-74), code injection (CWE-94), and memory safety issues (CWE-119/121/122/125/416).

In total, our community recorded tens of thousands of sightings in 2025, with hundreds of patches released, dozens of public proofs of concept, and numerous in-the-wild exploitations confirmed by The Shadowserver Foundation honeypot network, CISA KEV additions, and contributor reports.

Top 50 Vulnerabilities of the Year

Most-sighted vulnerabilities recorded by Vulnerability-Lookup between 2025-01-01 and 2025-12-31. Severities are derived from the VLAI classifier.

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2025-55182	1138	Meta	react-server-dom-webpack	Critical
CVE-2015-2051	726	D-Link	DIR-645	High
CVE-2017-18368	710	ZyXEL	P660HN-T1A	Critical
CVE-2025-5777	671	NetScaler	ADC	Critical
CVE-2018-10562	627	DASAN Networks	GPON Router	Critical
CVE-2025-53770	619	Microsoft	SharePoint Enterprise Server 2016	Critical
CVE-2025-31324	566	SAP	SAP NetWeaver (Visual Composer)	Critical
CVE-2018-14774	542	Symfony	HttpKernel	Medium
CVE-2025-0108	524	Palo Alto Networks	PAN-OS / Cloud NGFW	High
CVE-2021-44228	493	Apache Software Foundation	Apache Log4j2	Critical
CVE-2023-20198	472	Cisco	Cisco IOS XE Software	High
CVE-2017-17215	462	Huawei	HG532	Critical
CVE-2017-9841	444	PHPUnit	PHPUnit	Critical
CVE-2016-1555	437	Netgear	WNAP320	Critical
CVE-2014-8361	435	Realtek	Realtek SDK	Critical
CVE-2023-22527	434	Atlassian	Confluence Data Center	Critical
CVE-2019-12780	429	Belkin	Wemo Crock-Pot	High
CVE-2025-29927	427	Vercel	Next.js	Critical
CVE-2024-3721	426	TBK	DVR-4104 / DVR-4216	Medium
CVE-2016-6277	424	Netgear	D6220 / R-series	High
CVE-2025-59287	418	Microsoft	Windows Server (WSUS)	Critical
CVE-2016-10372	418	eir	D1000 modem	Critical
CVE-2019-1653	408	Cisco	Small Business RV320/RV325	High
CVE-2021-26855	401	Microsoft	Exchange Server (ProxyLogon)	Critical
CVE-2021-42013	391	Apache Software Foundation	Apache HTTP Server	Critical
CVE-2023-0656	380	SonicWall	SonicOS	High
CVE-2023-42793	377	JetBrains	TeamCity	Critical
CVE-2018-13379	375	Fortinet	FortiOS / FortiProxy	Critical
CVE-2025-0282	369	Ivanti	Connect Secure	Critical
CVE-2022-26134	366	Atlassian	Confluence Data Center	Critical
CVE-2023-38646	366	Metabase	Metabase	Critical
CVE-2020-25506	360	D-Link	DNS-320 NAS	High
CVE-2018-7600	355	Drupal	Drupal Core (Drupalgeddon 2)	Critical
CVE-2024-28995	348	SolarWinds	Serv-U	High
CVE-2023-23752	343	Joomla!	Joomla! CMS	High
CVE-2024-36401	341	OSGeo	GeoServer / GeoTools	Critical
CVE-2022-22274	335	SonicWall	SonicOS	High
CVE-2024-4577	333	PHP Group	PHP	Critical
CVE-2020-8191	328	Citrix	ADC / Gateway	Medium
CVE-2025-61882	327	Oracle Corporation	Oracle Concurrent Processing (EBS)	Critical
CVE-2011-3600	322	Apache	OFBiz	High
CVE-2021-32030	320	ASUS	GT-AC2900 / Lyra Mini Routers	High
CVE-2023-26801	318	LB-LINK	BL-AC1900 / BL-WR9000 routers	High
CVE-2019-17506	312	D-Link	DIR-868L / DIR-817LW	High
CVE-2025-24813	307	Apache Software Foundation	Apache Tomcat	Critical
CVE-2025-8088	307	win.rar GmbH	WinRAR	High
CVE-2024-24919	299	Check Point	Quantum Security Gateways	High
CVE-2016-10108	290	Western Digital	MyCloud NAS	High
CVE-2021-3129	284	Laravel	Ignition	Critical
CVE-2025-32433	282	Erlang	OTP (SSH)	Critical

Top 10 Vulnerabilities per Month

Aggregated from the published monthly reports. The metrics differ slightly across months (some months use sighting counts, others a curated Top ranking).

January 2025

Top vulnerabilities sourced from the January 2025 report:

Vulnerability	Vendor	Product	Severity
CVE-2025-0282	Ivanti	Connect Secure	9.0 (Critical)
CVE-2024-55591	Fortinet	FortiOS	9.8 (Critical)
CVE-2024-49113	Microsoft	Windows 10 (LDAP)	7.5 (High)
CVE-2015-2051	D-Link	DIR-645	8.8 (High)
CVE-2025-24085	Apple	visionOS / iOS	7.3 (High)
CVE-2025-0283	Ivanti	Connect Secure	7.0 (High)
CVE-2018-10562	DASAN Networks	GPON Router	9.8 (Critical)
CVE-2017-17215	Huawei	HG532	8.8 (High)
CVE-2024-7344	Radix	SmartRecovery	8.2 (High)
CVE-2024-50603	Aviatrix	Controller	10.0 (Critical)

February 2025

Top vulnerabilities sourced from the February 2025 report:

Vulnerability	Vendor	Product	Severity
CVE-2025-0282	Ivanti	Connect Secure	9.0 (Critical)
CVE-2024-55591	Fortinet	FortiOS	9.8 (Critical)
CVE-2024-49113	Microsoft	Windows 10 (LDAP)	7.5 (High)
CVE-2015-2051	D-Link	DIR-645	9.8 (Critical)
CVE-2017-18368	ZyXEL	P660HN-T1A	9.8 (Critical)
CVE-2025-0283	Ivanti	Connect Secure	7.0 (High)
CVE-2024-7344	Radix	SmartRecovery	8.2 (High)
CVE-2017-17215	Huawei	HG532	8.8 (High)
CVE-2018-10562	DASAN Networks	GPON Router	9.8 (Critical)
CVE-2024-50603	Aviatrix	Controller	10.0 (Critical)

March 2025

Top vulnerabilities sourced from the March 2025 report:

Vulnerability	Vendor	Product	Sightings	Severity
CVE-2025-29927	Vercel	Next.js	167	9.1 (Critical)
CVE-2025-24813	Apache Software Foundation	Apache Tomcat	128	9.2 (Critical)
CVE-2025-1974	Kubernetes	ingress-nginx	86	9.8 (Critical)
CVE-2024-4577	PHP Group	PHP	83	9.8 (Critical)
CVE-2025-22224	VMware	ESXi	80	9.3 (Critical)
CVE-2025-24201	Apple	iOS / iPadOS	79	7.0 (High)
CVE-2025-2783	Google	Chrome	72	8.3 (High)
CVE-2025-30066	tj-actions	changed-files	67	8.6 (High)
CVE-2017-18368	ZyXEL	P660HN-T1A	60	9.8 (Critical)
CVE-2015-2051	D-Link	DIR-645	60	8.8 (High)

April 2025

Top vulnerabilities sourced from the April 2025 report:

Vulnerability	Vendor	Product	Sightings	Severity
CVE-2025-22457	Ivanti	Connect Secure	188	9.0 (Critical)
CVE-2025-32433	Erlang	OTP (SSH)	119	10 (Critical)
CVE-2025-31161	CrushFTP	CrushFTP	108	9.8 (Critical)
CVE-2025-31324	SAP	NetWeaver Visual Composer	101	10 (Critical)
CVE-2025-29824	Microsoft	Windows (CLFS)	85	7.8 (High)
CVE-2025-24054	Microsoft	Windows (NTLM)	79	6.5 (Medium)
CVE-2025-30406	Gladinet	CentreStack	64	9.0 (Critical)
CVE-2025-24200	Apple	iPadOS	61	6.1 (Medium)
CVE-2017-18368	ZyXEL	P660HN-T1A	60	9.8 (Critical)
CVE-2015-2051	D-Link	DIR-645	60	8.8 (High)

May 2025

Top vulnerabilities sourced from the May 2025 report:

Vulnerability	Vendor	Product	VLAI Severity
CVE-2025-31324	SAP	NetWeaver Visual Composer	Critical
CVE-2025-4427	Ivanti	Endpoint Manager Mobile	Critical
CVE-2025-37899	Linux	Linux kernel (ksmbd)	High
CVE-2025-4428	Ivanti	Endpoint Manager Mobile	High
CVE-2025-32756	Fortinet	FortiVoice	Critical
CVE-2025-4664	Google	Chrome	Medium
CVE-2025-20188	Cisco	IOS XE Software	Critical
CVE-2017-18368	ZyXEL	P660HN-T1A	Critical
CVE-2015-2051	D-Link	DIR-645	Critical
CVE-2024-38475	Apache Software Foundation	HTTP Server	Critical

June 2025

Top vulnerabilities sourced from the June 2025 report:

Vulnerability	Vendor	Product	VLAI Severity
CVE-2025-33053	Microsoft	Windows (WebDAV)	High
CVE-2025-49113	Roundcube	Webmail	High
CVE-2025-5777	NetScaler	ADC (“CitrixBleed 2”)	Critical
CVE-2025-5419	Google	Chrome	High
CVE-2025-2783	Google	Chrome	High
CVE-2025-6019	Red Hat	Red Hat Enterprise Linux	Medium
CVE-2025-33073	Microsoft	Windows SMB	High
CVE-2025-6543	NetScaler	ADC	Critical
CVE-2015-2051	D-Link	DIR-645	Critical
CVE-2017-18368	ZyXEL	P660HN-T1A	Critical

July 2025

Top vulnerabilities sourced from the July 2025 report:

Vulnerability	Vendor	Product	Sightings	VLAI Severity
CVE-2025-53770	Microsoft	SharePoint (“ToolShell”)	416	Critical
CVE-2025-5777	NetScaler	ADC	267	Critical
CVE-2025-25257	Fortinet	FortiWeb	145	Critical
CVE-2025-6554	Google	Chrome	130	High
CVE-2025-47812	wftpserver	Wing FTP Server	129	Critical
GHSA-269G-PWP5-87PP	junit-team	JUnit4	120	Medium
CVE-2025-53771	Microsoft	SharePoint	104	Medium
CVE-2025-49706	Microsoft	SharePoint	96	Medium
GHSA-78WR-2P64-HPWJ	Apache Software Foundation	Apache Commons IO	85	Medium
GHSA-5MG8-W23W-74H3	Google LLC	Guava	84	Low

August 2025

Top vulnerabilities sourced from the August 2025 report:

Vulnerability	Vendor	Product	Sightings	VLAI Severity
CVE-2025-8088	win.rar GmbH	WinRAR	193	High
CVE-2025-53786	Microsoft	Exchange Server	175	High
CVE-2025-43300	Apple	macOS / iOS	128	Medium
CVE-2025-6543	NetScaler	ADC	111	Critical
CVE-2025-25256	Fortinet	FortiSIEM	79	Critical
CVE-2025-9074	Docker	Docker Desktop	65	Critical
CVE-2015-2051	D-Link	DIR-645	62	Critical
CVE-2017-18368	ZyXEL	P660HN-T1A	61	Critical
CVE-2025-31324	SAP	NetWeaver Visual Composer	59	Critical
CVE-2025-5777	NetScaler	ADC	52	Critical

September 2025

Top vulnerabilities sourced from the September 2025 report:

Vulnerability	Vendor	Product	Sightings	VLAI Severity
CVE-2025-10585	Google	Chrome	94	High
CVE-2025-10035	Fortra	GoAnywhere MFT	79	Critical
CVE-2025-42957	SAP	S/4HANA	71	Critical
CVE-2025-55241	Microsoft	Entra	68	High
CVE-2025-54236	Adobe	Commerce	64	Critical
CVE-2024-50264	Linux	Linux kernel	60	High
CVE-2015-2051	D-Link	DIR-645	58	High
CVE-2023-51767	OpenSSH	OpenSSH	57	High
CVE-2017-18368	ZyXEL	P660HN-T1A	57	Critical
CVE-2025-43300	Apple	iOS / iPadOS	54	High

October 2025

Top vulnerabilities sourced from the October 2025 report:

Vulnerability	Vendor	Product	Sightings	VLAI Severity
CVE-2025-61882	Oracle Corporation	Oracle Concurrent Processing (EBS)	241	Critical
CVE-2025-59287	Microsoft	Windows Server (WSUS)	235	Critical
CVE-2025-49844	Redis	Redis	106	Critical
CVE-2025-59489	Unity3D	Unity Editor	98	High
CVE-2025-61884	Oracle Corporation	Oracle Configurator	95	High
CVE-2025-54236	Adobe	Commerce	94	Critical
CVE-2025-55315	Microsoft	ASP.NET Core 8.0	75	High
CVE-2015-2051	D-Link	DIR-645	64	High
CVE-2025-20352	Cisco	IOS	63	High
CVE-2017-18368	ZyXEL	P660HN-T1A	63	Critical

November 2025

Top vulnerabilities sourced from the November 2025 report:

Vulnerability	Vendor	Product	Sightings	VLAI Severity
CVE-2025-64446	Fortinet	FortiWeb	105	Critical
CVE-2025-59287	Microsoft	Windows Server (WSUS)	88	Critical
CVE-2025-21042	Samsung Mobile	Samsung Mobile Devices	86	High
CVE-2025-58034	Fortinet	FortiWeb	84	High
CVE-2025-13223	Google	Chrome	84	High
CVE-2023-20198	Cisco	IOS XE Software	71	High
CVE-2025-61757	Oracle Corporation	Identity Manager	67	Critical
CVE-2025-11001	7-Zip	7-Zip	65	High
CVE-2025-12480	TrioFox	TrioFox	64	Critical
CVE-2015-2051	D-Link	DIR-645	59	High

December 2025

Top vulnerabilities sourced from the December 2025 report:

Vulnerability	Vendor	Product	Sightings	VLAI Severity
CVE-2025-55182	Meta	react-server-dom-webpack (“React2Shell”)	852	Critical
CVE-2025-14847	MongoDB Inc.	MongoDB Server	204	High
CVE-2025-20393	Cisco	Cisco Secure Email	89	Critical
CVE-2015-2051	D-Link	DIR-645	62	High
CVE-2017-18368	ZyXEL	P660HN-T1A	62	Critical
CVE-2025-14733	WatchGuard	Fireware OS	60	Critical
CVE-2025-66516	Apache Software Foundation	Apache Tika core	57	High
CVE-2018-10562	DASAN Networks	GPON Router	56	Critical
CVE-2025-40602	SonicWall	SMA1000	53	Medium
CVE-2025-59718	Fortinet	FortiSwitchManager	53	Critical

Known Exploited Vulnerabilities (CISA, CIRCL, EUVD)

KEV catalogs aggregated by Vulnerability-Lookup. The monthly reports formally introduced a dedicated Known Exploited Vulnerabilities section starting in September 2025. The entries below mirror what was published in each monthly report between September and December 2025. Earlier 2025 KEV additions (January–August) are tracked in the live CISA and EUVD catalogs but were not summarised at the time. CIRCL is the publisher of Vulnerability-Lookup and curates KEV data from CISA, EUVD/ENISA, and ad-hoc community sources.

CISA KEV

September 2025

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-59689	29/09/25	Cisco	IOS	Medium
CVE-2025-10035	29/09/25	Fortra	GoAnywhere MFT	Critical
CVE-2025-32463	29/09/25	Sudo project	Sudo	High
CVE-2021-21311	29/09/25	vrana	adminer	High
CVE-2025-20352	29/09/25	Cisco	IOS	High
CVE-2025-20333	25/09/25	Cisco	ASA Software	Critical
CVE-2025-20362	25/09/25	Cisco	ASA Software	Medium
CVE-2025-10585	23/09/25	Google	Chrome	High
CVE-2025-5086	11/09/25	Dassault Systèmes	DELMIA Apriso	Critical
CVE-2025-53690	04/09/25	Sitecore	Experience Manager (XM)	Critical
CVE-2025-48543	04/09/25	Google	Android	High
CVE-2025-38352	04/09/25	Linux	Linux kernel	High
CVE-2023-50224	03/09/25	TP-Link	TL-WR841N	Medium
CVE-2025-9377	03/09/25	TP-Link Systems Inc.	Archer C7(EU) V2	High
CVE-2020-24363	02/09/25	TP-Link	TL-WA855RE	High

October 2025

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-41244	30/10/25	VMware	VCF operations	High
CVE-2025-24893	30/10/25	XWiki	xwiki-platform	Critical
CVE-2025-6205	28/10/25	Dassault Systèmes	DELMIA Apriso	Critical
CVE-2025-6204	28/10/25	Dassault Systèmes	DELMIA Apriso	High
CVE-2025-54236	24/10/25	Adobe	Commerce	Critical
CVE-2025-59287	24/10/25	Microsoft	Windows Server (WSUS)	Critical
CVE-2025-61932	22/10/25	MOTEX Inc.	Lanscope Endpoint Manager	Critical
CVE-2025-61884	20/10/25	Oracle Corporation	Oracle Configurator	High
CVE-2022-48503	20/10/25	Apple	macOS	High
CVE-2025-2746	20/10/25	Kentico	Xperience	Critical
CVE-2025-2747	20/10/25	Kentico	Xperience	Critical
CVE-2025-33073	20/10/25	Microsoft	Windows	High
CVE-2025-54253	15/10/25	Adobe	Experience Manager	Critical
CVE-2025-47827	14/10/25	IGEL	IGEL OS	Medium
CVE-2025-6264	14/10/25	Rapid7	Velociraptor	Medium
CVE-2016-7836	14/10/25	Sky Co., LTD.	SKYSEA Client View	Critical
CVE-2025-59230	14/10/25	Microsoft	Windows	High
CVE-2025-24990	14/10/25	Microsoft	Windows	High
CVE-2021-43798	09/10/25	Grafana	Grafana	High
CVE-2025-27915	07/10/25	Zimbra	Collaboration	Medium
CVE-2010-3962	06/10/25	Microsoft	Internet Explorer	High
CVE-2025-61882	06/10/25	Oracle Corporation	Oracle Concurrent Processing (EBS)	Critical
CVE-2021-22555	06/10/25	Linux / NetApp	Linux kernel	High
CVE-2010-3765	06/10/25	Mozilla	Firefox	Critical
CVE-2021-43226	06/10/25	Microsoft	Windows	High
CVE-2011-3402	06/10/25	Microsoft	Windows	High
CVE-2013-3918	06/10/25	Microsoft	Windows	High
CVE-2025-4008	02/10/25	Smartbedded	MeteoBridge	Critical
CVE-2015-7755	02/10/25	Juniper	ScreenOS	Critical
CVE-2017-1000353	02/10/25	Jenkins	Jenkins	Critical
CVE-2014-6278	02/10/25	GNU	Bash	Critical
CVE-2025-21043	02/10/25	Samsung Mobile	Samsung Mobile Devices	High

November 2025

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-48703	04/11/25	centos-webpanel	CentOS Web Panel	Critical
CVE-2025-11371	04/11/25	Gladinet	CentreStack / TrioFox	Medium
CVE-2025-21042	10/11/25	Samsung Mobile	Samsung Mobile Devices	High
CVE-2025-9242	12/11/25	WatchGuard	Fireware OS	Critical
CVE-2025-62215	12/11/25	Microsoft	Windows	High
CVE-2025-12480	12/11/25	TrioFox	TrioFox	Critical
CVE-2025-64446	14/11/25	Fortinet	FortiWeb	Critical
CVE-2025-58034	18/11/25	Fortinet	FortiWeb	High
CVE-2025-13223	19/11/25	Google	Chrome	High
CVE-2025-61757	21/11/25	Oracle Corporation	Identity Manager	Critical
CVE-2021-26829	28/11/25	scadabr	scadabr	Medium

December 2025

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-14847	29/12/25	MongoDB Inc.	MongoDB Server	High
CVE-2023-52163	22/12/25	DigiEver	DS-2105 Pro	High
CVE-2025-14733	19/12/25	WatchGuard	Fireware OS	Critical
CVE-2025-20393	17/12/25	Cisco	Cisco Secure Email	Critical
CVE-2025-40602	17/12/25	SonicWall	SMA1000	Medium
CVE-2025-59374	17/12/25	ASUS	Live Update	Critical
CVE-2025-59718	16/12/25	Fortinet	FortiSwitchManager	Critical
CVE-2025-43529	15/12/25	Apple	iOS / iPadOS	High
CVE-2025-14611	15/12/25	Gladinet	CentreStack / TrioFox	High
CVE-2025-14174	12/12/25	Google	Chrome	High
CVE-2018-4063	12/12/25	Sierra Wireless	ALEOS	High
CVE-2025-58360	11/12/25	GeoServer	GeoServer	High
CVE-2025-62221	09/12/25	Microsoft	Windows	High
CVE-2025-6218	09/12/25	RARLAB	WinRAR	High
CVE-2025-66644	08/12/25	Array Networks	ArrayOS AG	High
CVE-2022-37055	08/12/25	D-Link	GO-RT-AC750	Critical
CVE-2025-55182	05/12/25	Meta	react-server-dom-webpack	Critical
CVE-2021-26828	03/12/25	scadabr	scadabr	High
CVE-2025-48633	02/12/25	Google	Android	High
CVE-2025-48572	02/12/25	Google	Android	High

EUVD / ENISA KEV

September 2025

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-25231	09/09/25	Omnissa	Workspace ONE UEM	High

October, November, December 2025

No new entry was added to the EUVD / ENISA Known Exploited Vulnerabilities catalog during October, November and December 2025.

CIRCL KEV

The CIRCL Known Exploited Vulnerabilities catalog (catalog_uuid=1a89b78e-f703-45f3-bb86-59eb712668bd) tracks vulnerabilities that CIRCL has confirmed exploited based on its own incident-response, honeypot, and sinkhole telemetry. The entries below correspond to KEV records with confirmed exploitation activity observed during 2025:

CVE ID	Vendor	Product	First seen	Last seen	Evidence source
CVE-2023-28771	Zyxel	ZyWALL/USG, USG FLEX, ATP, VPN, ZLD firmware	2025-01-01	2026-01-28	CIRCL sinkhole (`cti-feed.circl.lu`)
CVE-2025-53770	Microsoft	SharePoint Server (“ToolShell”)	2025-07-20	2025-09-30	CIRCL incident response

The CIRCL KEV catalog remains intentionally small and high-confidence — every entry is backed by first-hand evidence collected by CIRCL — which is why its 2025 footprint is much narrower than the CISA KEV catalog.

Insights from Contributors

The following community comments and bundles were among the most relevant content shared on Vulnerability-Lookup during 2025.

January

February

Black Basta’s Leaked Chat Logs — multi-vendor exploitation tracking from leaked Matrix chat logs.
Update on SVR Cyber Operations and Vulnerability Exploitation.
SonicWall Firewall Vulnerability Exploited After PoC Publication for CVE-2024-53704.
Out-of-Cycle Security Bulletin: Juniper Session Smart Router auth bypass (CVE-2025-21589).
Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells.

March

April

May

June

CitrixBleed 2 (CVE-2025-5777) — analysis comparing the flaw to CVE-2023-4966.
GCVE-1-2025-0002: Cl0p ransomware data exfiltration utility vulnerable to RCE.
Stuxnet-related CVEs.
CVE-2025-31022: PayU WordPress plugin account takeover.
CVE-2025-4517: CPython tarfile library RCE.

July

August

September

October

November

December

Thank you

A heartfelt thank you to all the contributors, source maintainers, and users who reported sightings, posted comments, curated bundles, and provided feedback throughout 2025. Vulnerability-Lookup is a community effort, and the depth of this year-in-review is a direct reflection of your engagement. Special thanks to the Shadowserver Foundation, the MISP project, the CISA KEV, the EUVD / ENISA team, and the many researchers who share information openly with the community.

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us: https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

You can also explore and reuse the AI tooling that produced this report: VulnMCP — https://github.com/vulnerability-lookup/VulnMCP.

Funding

The main objective of the Federated European Team for Threat Analysis (FETTA) is the improvement of Cyber Threat Intelligence (CTI) products available to the public and private sectors in Poland, Luxembourg, and the European Union as a whole. Developing actionable CTI products (reports, indicators, etc.) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organisation brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release

Vulnerability Report - April 2026

Mon, 04 May 2026 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerabilities for April 2026, based on data aggregated from Vulnerability-Lookup, the CISA Known Exploited Vulnerabilities catalog, the CIRCL KEV catalog, the ENISA EUVD feed, and contributor comments and bundles. Sightings come from MISP, Exploit-DB, Bluesky, Mastodon, Telegram, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

April 2026 was dominated by a Linux kernel crypto subsystem flaw, CVE-2026-31431 (“Copy Fail”), an algif_aead in-place operation regression that drew 279 sightings – by far the highest activity of the month. Local privilege escalation against shared multi-user Linux hosts and container infrastructure (including Microsoft WSL) was confirmed in the wild, and CISA added the entry to its KEV catalog on May 1.

Edge-security appliances and developer tooling shaped the rest of the top ranking. Fortinet FortiClient EMS (improper access control, CVSS 9.1) was added to both the CISA and CIRCL KEV catalogs on April 6, and a related FortiClient EMS SQLi – CVE-2026-21643 – was KEV-listed on April 13. Adobe Acrobat Reader prototype-pollution CVE-2026-34621 and GitHub Enterprise Server git-push option injection CVE-2026-3854 both crossed 140 sightings, while Apache ActiveMQ CVE-2026-34197 (Jolokia/Spring code injection) followed closely.

A burst of “AI-stack” exposure also marked the month: marimo (pre-auth RCE via an unauthenticated terminal WebSocket) was added to KEV on April 23, and Meta React Server Components CVE-2025-55182 (KEV since December 2025, known ransomware use) continued to rack up sightings as scanning persisted.

The end of the month brought a critical hosting-stack incident: WebPros cPanel & WHM CVE-2026-41940, an authentication bypass in the login flow (CVSS 9.8), was disclosed on April 28-29 and added to CISA KEV on April 30 with a 3-day remediation deadline.

The CISA Known Exploited Vulnerabilities catalog added 30 entries during April. Highlights:

CVE-2026-41940: WebPros cPanel & WHM authentication bypass
CVE-2026-39987: marimo pre-auth RCE
CVE-2026-34197: Apache ActiveMQ code injection via Jolokia
CVE-2026-35616: Fortinet FortiClient EMS improper access control
CVE-2026-34621: Adobe Acrobat & Reader prototype pollution
CVE-2026-1340: Ivanti Endpoint Manager Mobile (EPMM) RCE
CVE-2026-32201: Microsoft SharePoint Server spoofing
CVE-2026-3502: TrueConf Client update integrity bypass
CVE-2026-5281: Google Chrome / Dawn use-after-free

CISA also re-anchored attention on long-standing exploited issues – ConnectWise ScreenConnect (CVE-2024-1708), SimpleHelp (CVE-2024-57726, CVE-2024-57728), Samsung MagicINFO (CVE-2024-7399), JetBrains TeamCity (CVE-2024-27199), PaperCut NG (CVE-2023-27351), Microsoft Exchange (CVE-2023-21529) and even legacy Microsoft Office issues from 2009/2012 (CVE-2009-0238, CVE-2012-1854).

The CIRCL Known Exploited Vulnerabilities catalog added one entry: CVE-2026-35616 (Fortinet FortiClient EMS), confirmed via incident-response evidence. The ENISA EUVD KEV catalog had no new entries in April.

Contributor activity in April focused on operational mitigations for the Linux kernel “Copy Fail” issue, with practical SELinux, systemd RestrictAddressFamilies, and initcall_blacklist recipes shared by community members.

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2026-31431	279	Linux	Kernel (algif_aead)	High (confidence: 0.9482)
CVE-2026-34621	147	Adobe	Acrobat Reader	High (confidence: 0.997)
CVE-2026-35616	142	Fortinet	FortiClient EMS	Critical (confidence: 0.9572)
CVE-2026-3854	142	GitHub	Enterprise Server	Critical (confidence: 0.8704)
CVE-2026-34197	138	Apache	ActiveMQ	Critical (confidence: 0.6661)
CVE-2025-55182	111	Meta	React Server Components	Critical (confidence: 0.9934)
CVE-2026-5281	104	Google	Chrome (Dawn)	High (confidence: 0.9874)
CVE-2026-39987	96	marimo-team	marimo	Critical (confidence: 0.9856)
CVE-2026-41940	92	WebPros	cPanel & WHM	Critical (confidence: 0.8211)
CVE-2026-32201	91	Microsoft	SharePoint Server	High (confidence: 0.5863)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2026-32202	2026-04-28	Microsoft	Windows Shell	Medium (confidence: 0.8578)
CVE-2024-1708	2026-04-28	ConnectWise	ScreenConnect	High (confidence: 0.6127)
CVE-2024-57726	2026-04-24	SimpleHelp	SimpleHelp	High (confidence: 0.7288)
CVE-2024-57728	2026-04-24	SimpleHelp	SimpleHelp	High (confidence: 0.8902)
CVE-2024-7399	2026-04-24	Samsung	MagicINFO 9 Server	Critical (confidence: 0.6987)
CVE-2025-29635	2026-04-24	D-Link	DIR-823X	High (confidence: 0.9867)
CVE-2026-39987	2026-04-23	marimo-team	marimo	Critical (confidence: 0.9856)
CVE-2026-33825	2026-04-22	Microsoft	Defender Antimalware Platform	High (confidence: 0.9396)
CVE-2024-27199	2026-04-20	JetBrains	TeamCity	High (confidence: 0.785)
CVE-2025-32975	2026-04-20	Quest	KACE Systems Management Appliance	Critical (confidence: 0.8677)
CVE-2026-20128	2026-04-20	Cisco	Catalyst SD-WAN Manager	High (confidence: 0.5543)
CVE-2025-48700	2026-04-20	Synacor	Zimbra Collaboration Suite	Medium (confidence: 0.9744)
CVE-2023-27351	2026-04-20	PaperCut	NG	High (confidence: 0.7781)
CVE-2025-2749	2026-04-20	Kentico	Xperience	High (confidence: 0.9762)
CVE-2026-20133	2026-04-20	Cisco	Catalyst SD-WAN Manager	High (confidence: 0.7295)
CVE-2026-20122	2026-04-20	Cisco	Catalyst SD-WAN Manager	Medium (confidence: 0.9478)
CVE-2026-34197	2026-04-16	Apache	ActiveMQ	Critical (confidence: 0.6661)
CVE-2026-32201	2026-04-14	Microsoft	SharePoint Server	High (confidence: 0.5863)
CVE-2009-0238	2026-04-14	Microsoft	Office Excel	High (confidence: 0.5354)
CVE-2026-34621	2026-04-13	Adobe	Acrobat Reader	High (confidence: 0.997)
CVE-2026-21643	2026-04-13	Fortinet	FortiClient EMS	Critical (confidence: 0.9881)
CVE-2020-9715	2026-04-13	Adobe	Acrobat & Reader	High (confidence: 0.8726)
CVE-2023-36424	2026-04-13	Microsoft	Windows CLFS Driver	High (confidence: 0.9933)
CVE-2023-21529	2026-04-13	Microsoft	Exchange Server	High (confidence: 0.6307)
CVE-2025-60710	2026-04-13	Microsoft	Host Process for Windows Tasks	High (confidence: 0.9957)
CVE-2012-1854	2026-04-13	Microsoft	Office VBE6 / VBA	Critical (confidence: 0.954)
CVE-2026-1340	2026-04-08	Ivanti	Endpoint Manager Mobile (EPMM)	Critical (confidence: 0.9867)
CVE-2026-35616	2026-04-06	Fortinet	FortiClient EMS	Critical (confidence: 0.9572)
CVE-2026-3502	2026-04-02	TrueConf	TrueConf Client	High (confidence: 0.9884)
CVE-2026-5281	2026-04-01	Google	Chrome / Dawn	High (confidence: 0.9874)

More KEV entries from the CISA Catalog.

CIRCL

Vulnerability ID	Date Added	Vendor	Product	VLAI Severity
CVE-2026-35616	2026-04-06	Fortinet	FortiClient EMS	Critical (confidence: 0.9572)

More KEV entries from the CIRCL Catalog.

ENISA (EUVD)

No new entry in April.

More KEV entries from the ENISA Catalog.

Insights from Contributors

Community members focused on operational mitigations for the Linux kernel “Copy Fail” issue, sharing concrete defensive recipes:

Quick remediation for CVE-2026-31431 (algif_aead “Copy Fail”) – unloading the algif_aead kernel module, blacklisting via modprobe.d, and initcall_blacklist=algif_aead_init for kernels with the module compiled in.
Microsoft WSL is also vulnerable to CVE-2026-31431 – pointer to the Microsoft WSL issue tracker confirming impact on Windows hosts running WSL.
Deny alg_socket to Containers with SELinux to Mitigate CVE-2026-31431 – end-to-end SELinux deny-rule walk-through plus systemd-run -p RestrictAddressFamilies=~AF_ALG and SystemCallArchitectures=native mitigations for non-container services.

The recurring theme across these contributions: AF_ALG / algif_aead is rarely needed by user workloads, so disabling it at the kernel, container-runtime, or systemd-unit boundary is a pragmatic mitigation while distributions roll out the corrected kernel patches.

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

Press release

Vulnerability-Lookup 4.5.0 released

Thu, 30 Apr 2026 00:00:00 +0000

We are pleased to announce the release of Vulnerability-Lookup 4.5.0!

This release strengthens Vulnerability-Lookup on both data collection and analysis.

We now ingest sightings from Telegram channels, with roughly 200,000 Telegram sigthings collected so far. Each vulnerability page also gains new interactive visualisations: sighting type repartition, source repartition, and an experimental adaptive forecast based on the TARDISSight prototype.

TARDISSight was presented last week in Munich during the FIRST CTI Conference, and the related paper is available on arXiv.

The EPSS feeder has also been substantially reworked for lower memory usage and more reliable ingestion.

What’s New

Screencast

The screencast below gives a quick overview of the new charts, filtering interactions, and forecast behavior introduced in 4.5.0.

There should have been a video here but your browser does not seem to support it.

If your browser cannot play WebM inline, you can still download the file directly from this link.

Highlights

new: [sightings] Sightings can now originate from Telegram channels via the companion Vulnerability-Lookup Telegram sighting tool.
new: [templates] Three new tabs on every vulnerability page: sighting type repartition (pie chart), source repartition (pie chart grouping URLs by hostname and collapsing Telegram and MISP feeds), and an experimental adaptive forecast (logistic when the trend is rising, exponential decay when falling — a JavaScript port of the TARDISSight prototype). Each chart is interactive and filters the sightings table when clicked. d8bfc88, 8e2ed8c, 0640874, d573e31
new: [templates] Display trend slope (linear fit on daily counts) near the sightings chart. 7e22eb0
new: [sightings] Optional content field on the Sighting model and API. 4923f87
new: [templates] Add download/correlations icons to the sightings table on the vuln page. 6de9cf1

Screenshots

Adaptive forecast view based on the observed trend.

Source repartition chart, including grouped feed origins.

Sighting type repartition chart with interactive filtering.

Alternative chart state for a different vulnerability timeline.

Click any image to view it in full size.

Changes

chg: [api] Use case-insensitive substring match for the sighting source filter. db8e14f
chg: [schema] Align Sighting JSON schema with the model. 67cc01f
chg: [templates] Index page now displays published proofs of concept instead of confirmed sightings. 8908ce3
chg: [security] Switch markdown URL sanitizer to a scheme allowlist. 347c9b4
chg: [feeders] EPSS feeder improvements: configurable ingestion from Kvrocks with API fallback, Redis pipelining, year-boundary fix, reduced memory usage, error handling for GitHub API calls. EPSS scores are no longer published on the Redis pub/sub channel. 939d800, eabc5ad, a9be57e, 2a1c75d, 7d9867b, 054d4ab, 9a0822e, 9277d03, ac9a9f4
chg: [templates] Improve full-text search UX and clarify exact vs approximate matching. 05d5ef9
chg: [dependencies] The project now requires Python >=3.11,<4.0; restrict myst-parser to Python ≥3.11; updated gevent. 69d36da, 27d1300, 28bad8c
chg: [dependencies] Updated Python and JavaScript dependencies. 74902de, 9d5ab76, 44fe2a2, ecb766e
chg: [github] Added issue templates and pull request template. d4a74b8
chg: [documentation] Updated README and contributor notes. 09aca11, 8ed689f

Fixes

fix: [security] Hardened several DOM-injection sites against XSS, including escaping vendor/product and vulnerability ID in the sightings correlations tooltip; URLs are now normalized before the scheme check. 68b96c8, e4f4da0, 205dad1
fix: [forecast] Restrict decay fit to post-peak data so the forecast cannot contradict the observed trend. acd8425
fix: [disclosure] Warn about CSRF expiry on the new disclosure form and extend token lifetime. baff893
fix: [templates] Long credit names no longer break layout. cc267fe

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v4.5.0

🙏 Thank you to all contributors and testers!

Feedback and Support

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

CIRCL AI approach at the International Committee of the Red Cross (ICRC)

Wed, 29 Apr 2026 00:00:00 +0000

On April 28, 2026, we had the opportunity to present the CIRCL AI approach at the International Committee of the Red Cross (ICRC). The session took place in Luxembourg, with remote participation from the Delegation for Cyberspace at the Global Cyber Hub in Geneva.

The objective of this event was practical: show how AI can be used as an operational capability in vulnerability intelligence, not just as a research topic. We focused on production workflows that help analysts deliver faster, more consistent, and more actionable results.

What We Covered

During the session, we presented concrete AI use cases developed around Vulnerability-Lookup and related CIRCL initiatives, including:

Classification and enrichment workflows for vulnerability records, including VLAI and our models published on Hugging Face.
Prioritization support when signals are sparse, noisy, or bursty.
Reproducible pipelines with human review checkpoints, so final decisions remain analyst-driven.

We also presented AI usage in two other operational projects at CIRCL:

AIL Project: applying multiple models for inference tasks on the large-scale AIL dataset.
MISP Project: integrating AI-assisted workflows to support threat intelligence analysis and data handling.

We also briefly presented VulnMCP, our open-source MCP server, and its orchestrated skills.

Across these projects, we rely on a mix of models, including excellent open-weight Chinese models, selected according to clear criteria: task fit, inference speed, quality on real data, explainability, and operational robustness. CIRCL is convinced of the importance of open-weight models.

Why It Matters

Security teams are often asked to make high-impact decisions under time pressure and with incomplete information. Our approach is designed for these conditions by combining open vulnerability data, domain knowledge, and machine-learning components that are measurable and testable.

In short, the goal is to improve triage quality and response speed while preserving traceability, reproducibility, and analyst oversight.

Key Takeaways

AI is most effective when embedded in existing analyst workflows.
Data quality and explainability are as important as model performance.
Practical, incremental deployment delivers more value than one-shot automation.
A portfolio of models is often more effective than a single-model strategy for production environments.

Presentation Material

Download the slides (PDF)

Feedback and Support

If you encounter issues or have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us: info@circl.lu

Vulnerability-Lookup 4.4.0 released

Thu, 09 Apr 2026 00:00:00 +0000

We are pleased to announce the release of Vulnerability-Lookup 4.4.0!

This release introduces public disclosure list views, enhanced sightings with automatic creation and heatmap navigation controls, toggleable chart events, and configurable CVD policy alerts. It also includes numerous fixes for database stability and performance, notification reliability, and Meilisearch error handling.

The technical documentation has been revamped for greater clarity and expanded with deployment guidance for high-traffic environments, validated in our production setup handling 15,000–20,000 queries per second (public API + Web pages).

What’s New

new: [views] Add public disclosures list view and improve disclosure detail template. ac97550
new: [heatmap] Add navigation and zoom controls to sightings heatmap. 57c1fb8
new: [sightings] Add toggleable extra events (published, reserved, KEV) to sightings charts. 1ae5cdf
new: [sightings] Add backfill_sightings script to create sightings from existing data. 3c036b3
new: [sightings] Automatically create sightings when bundles, comments, or KEV entries are created. 5676730, eb20f85, 351d538

Disclosed Vulnerabilities (CVD process)

Disclosures part of the CVD process are now listed on a dedicated page once they are disclosed (the CVD feature can be disabled in Vulnerability-Lookup). Previously, they were publicly accessible but not listed in a single view.

Comments as a sighting

Creating a comment on a vulnerability now automatically generates a sighting.

Displaying reserved and published dates in the sightings visualisations

CVE-2026-23456 was mentioned in the list of Ghost CVEs in our February Vulnerability Report. The CVE record is now available, and the visualisations show our sightings predating the publication date.

KEV entry as exploited sightings

Creating a KEV entry — whether directly, via synchronisation from another Vulnerability-Lookup instance, or by pulling from the CISA or ENISA catalogs — now automatically generates a sighting.

Zoom feature for the sightings visualisations

Changes

chg: [config] Make CVD policy alert messages configurable (CVD_POLICY_TITLE, CVD_POLICY_URL, CVD_POLICY_LOGIN_MESSAGE). 38a9fc8
chg: [views] Set disclosed_timestamp when admin transitions disclosure state to disclosed. b1265ca
chg: [templates] Link vulnerability ID, affected products, and CWEs in disclosure detail page. 0b57f62, c7f750e, 24512cf, 7dde7dc
chg: [templates] GCVE vulnerabilities show a parenthesized link to the associated CVE ID. 2944a32
chg: [templates] Vulnerabilities from FSTEC use the severity classification model. 9896c18
chg: [documentation] Convert documentation to Markdown and improvements. af2de56, ba70b69, 54d004b, 497c45a
chg: [dependencies] Updated Python and JavaScript dependencies. 81ea0d7, af81a41, ab94807, 7706a5c, b7cfab2

Fixes

fix: [views] Skip timestamp check for disclosed state in disclosures query. 88f8fe9
fix: [models] Handle None values in Product and Organization field validators. 3f56d34, 078eb1d
fix: [fulltext] Auto-purge Meilisearch tasks on no_space_left_on_device error. e7ffbfa
fix: [database] Fix DetachedInstanceError and idle-in-transaction timeouts. 801eefd, 9b89ce3, 028da84
fix: [notifications] Release DB transaction before slow email rendering/sending. 1c1a552, 913ecc1
fix: [tags] Sync comment tags with upstream MISP vulnerability taxonomy. 5b3d08f
fix: [forms] Align SignupForm login max length with database constraint. 210594a
fix: [bundle] Use JSONB contains operator for bundle vuln_id filter. 80c7295
fix: [sightings] Use KEV asserted_at date for backfilled sighting timestamp. 8c7d455

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v4.4.0

🙏 Thank you to all contributors and testers!

Feedback and Support

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

New Russian Severity Classifier and Improved Multilingual Models

Mon, 06 Apr 2026 00:00:00 +0000

We are pleased to announce a new Russian-language severity classifier for vulnerability descriptions, alongside improved English and Chinese models. These models are trained with VulnTrain and served through ML-Gateway for integration into Vulnerability-Lookup.

All datasets and models are openly available on Hugging Face.

VulnTrain 3.1.0

This release is powered by VulnTrain v3.1.0, which introduces:

FSTEC source support: vulnerability entries from the Russian Federal Service for Technical and Export Control (BDU) can now be used for dataset generation and model training.
Source field in datasets: each vulnerability entry now includes a source field identifying its origin (cvelistv5, github, pysec, cnvd, csaf_*, fstec), making it easier to trace and filter data.
Dynamic dataset cards: when generating a dataset from multiple sources, a dataset card is automatically created with a per-source breakdown table showing entry counts and percentages.
Per-class metrics: the severity trainer now reports precision, recall, and F1 per class (Low / Medium / High / Critical) alongside overall accuracy and macro F1.
Best model checkpoint selection: models are now selected by accuracy instead of eval_loss, with save_total_limit increased from 2 to 3.

Russian Severity Classifier 🇷🇺

This is our new model for classifying vulnerability severity in Russian, trained on data from the Russian Federal Service for Technical and Export Control (BDU).


Dataset	CIRCL/Vulnerability-FSTEC
Model	CIRCL/vulnerability-severity-classification-russian-ruRoberta-large
Base model	ai-forever/ruRoberta-large

Improved English Severity Classifier 🇬🇧

The English model is trained on a broad set of sources for better coverage and accuracy.

Sources:

CVE Program (enriched with vulnrichment and Fraunhofer FKIE)
GitHub Security Advisories
PySec advisories
CSAF Cisco
CSAF CISA


Dataset	CIRCL/vulnerability-scores
Model	CIRCL/vulnerability-severity-classification-roberta-base
Base model	FacebookAI/roberta-base

Improved Chinese Severity Classifier 🇨🇳

The Chinese model is trained on data from the China National Vulnerability Database (CNVD).


Dataset	CIRCL/Vulnerability-CNVD
Model	CIRCL/vulnerability-severity-classification-chinese-macbert-base
Base model	hfl/chinese-macbert-base

ML-Gateway 0.5.0

ML-Gateway is the FastAPI-based inference server that loads pre-trained models at startup and exposes them through a RESTful API. It supports multilingual severity classification out of the box: clients simply specify the desired model in their request.

ML-Gateway v0.5.0 adds support for the new Russian severity classification model (CIRCL/vulnerability-severity-classification-russian-ruRoberta-large):

Registered the Russian ruRoBERTa-large model in the model registry with standard CVSS severity labels (Low, Medium, High, Critical).
Added the model to the CLI refresh-all command for pre-downloading.

Vulnerability-Lookup uses ML-Gateway to provide AI-powered severity predictions directly in its web interface.

Funding

AIPITCH (AI-Powered Innovative Toolkit for Cybersecurity Hubs) is a co-funded EU project supported by the European Cybersecurity Competence Centre (ECCC) under the DIGITAL-ECCC-2024-DEPLOY-CYBER-06-ENABLINGTECH program and CIRCL.

Improving the CNVD Severity Classifier: Honest Metrics and Data Leakage Fixes

Fri, 03 Apr 2026 00:00:00 +0000

We recently made significant improvements to our CNVD severity classifier and the underlying Vulnerability-CNVD dataset, prompted by a thorough independent review from Eric Romang. These changes ship in VulnTrain v3.0.0, released today.

What happened

Eric opened VulnTrain#19 with a detailed technical analysis of the dataset and model. His key findings:

Data leakage: CNVD reuses boilerplate descriptions across different vulnerability IDs. Our train/test split was done on IDs, not on description text, so 15.6% of the test set contained descriptions identical to training data. This inflated the reported accuracy by ~1.7pp.
Low-class recall at 38.4%: 60% of Low-severity entries were misclassified as Medium. The dataset is heavily imbalanced (Low ~9%, Medium ~55%, High ~36%).
Keyword dependency: the model predicts severity based on vulnerability-type keywords rather than actual impact. Accuracy drops from ~89% to ~55% on entries whose severity deviates from the type’s typical level.

His full analysis, code, and data are available at eromang/researches/CNVD-Dataset-Validation.

What we fixed

Data leakage

We implemented a deduplicate_split function that groups entries by description text before splitting. All entries sharing a description land in the same split. The result: our retrained model scores 76.8% accuracy on the deduplicated test set, matching Eric’s independently measured unleaked accuracy of 76.6%. The model quality was always ~77% — we just have honest metrics now.

Class imbalance experiments

We tested four loss strategies to improve Low-class recall:

Strategy	Low recall	Medium recall	Overall acc
Uniform (baseline)	41.0%	81.7%	76.8%
Sqrt-dampened weights	49.0%	74.8%	74.6%
Balanced weights	60.8%	70.2%	73.2%
Focal loss (gamma=2)	63.3%	64.4%	71.1%

Every strategy that improved Low recall caused disproportionate Medium recall loss. The Low/Medium vocabulary overlap in CNVD descriptions makes this a data-level ceiling, not a loss-function problem. Eric’s own experience with the CyberScale Phase 1 project — predicting 4-class CVSS bands from CVE descriptions using ModernBERT-base — reached the same conclusion: nothing moved the needle beyond ~2pp. Adjacent severity classes share vocabulary because vulnerability descriptions are formulaic.

We defaulted to uniform loss and documented the Low class limitation.

Dataset improvements

The Vulnerability-CNVD dataset now includes:

A cve_id field cross-referencing CVE equivalents. Approximately 81% of CNVD entries have a corresponding CVE (68-69% in 2020-2021, rising to 91-97% after 2022). The ~19% CNVD-only entries are concentrated in Chinese domestic software (PHP CMS, ERP systems). Western vendors (Adobe, Microsoft, IBM, Cisco) are largely absent from the CNVD-only subset.
A dataset card documenting severity distribution, CVE overlap rates, and the coverage decline: CNVD published details for 94% of reserved IDs in 2015 but only 4% in 2023. This drop coincides with China’s Regulations on the Management of Security Vulnerabilities (RMSV), effective September 2021.
A warning about duplicate descriptions and the need to split on description text rather than IDs.

The RMSV effect

The RMSV regulations deserve attention. Before September 2021, CNVD published vulnerability details for most of the IDs it reserved. After the regulations took effect, publication rates dropped sharply. As a result, the CNVD dataset is increasingly sparse for recent years and the model’s training data is concentrated in pre-2022 entries. Users should be aware of this temporal bias.

CNVD reserves 50,000–100,000 vulnerability IDs per year but publishes full details for only a fraction. As noted above, the publication rate has declined significantly:

2015: ~94% of reserved IDs have published details
2023: ~4% of reserved IDs have published details

Model card

The model card is now dynamically generated from actual training metrics and documents the known limitations: Low-class recall, keyword dependency, negation blindness, and CVE overlap.

Acknowledgments

Thanks to Eric Romang for his detailed and constructive analysis. His work directly led to these improvements and confirmed that the model adds real value (+12pp over a keyword heuristic baseline) despite its limitations.

Funding

AIPITCH aims to create advanced artificial intelligence-based tools supporting key operational services in cyber defense. These include technologies for early threat detection, automatic malware classification, and improvement of analytical processes through the integration of Large Language Models (LLM). The project has the potential to set new standards in the cybersecurity industry.

The project leader is NASK National Research Institute. The international consortium includes:

CIRCL (Computer Incident Response Center Luxembourg), Luxembourg
The Shadowserver Foundation, Netherlands
NCBJ (National Centre for Nuclear Research), Poland
ABI LAB (Centre of Research and Innovation for Banks), Italy

Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.

Vulnerability Report - March 2026

Thu, 02 Apr 2026 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for March 2026, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

March 2026 was led by CVE-2026-3055, a Critical-severity memory overread in Citrix NetScaler ADC and Gateway when configured as a SAML IDP, with 154 sightings. Active exploitation was confirmed in the wild by multiple sources including honeypot operators, and a proof-of-concept was publicly released by watchTowr. It was followed by CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) with 121 sightings – notably flagged by CISA as having known ransomware campaign use.

Network appliances and edge devices dominated the threat landscape in March, with Citrix NetScaler, Cisco FMC, and F5 BIG-IP (CVE-2025-53521) all appearing in both the top sightings and the CISA KEV catalog. AI and workflow automation tools also drew significant attention, with Langflow (CVE-2026-33017) suffering an unauthenticated RCE via code injection and n8n (CVE-2025-68613) being added to CISA KEV. A notable supply-chain entry was the Aquasecurity Trivy embedded malicious code vulnerability (CVE-2026-33634), which could expose CI/CD credentials.

On the Linux side, CVE-2026-3888, a local privilege escalation in snapd affecting multiple Ubuntu LTS versions, attracted 96 sightings. Qualcomm chipset memory corruption (CVE-2026-21385) was added to CISA KEV early in the month via the Android Security Bulletin. Legacy IoT devices continued to be targeted by botnets such as Mozi, with Zyxel (CVE-2017-18368) and D-Link (CVE-2015-2051) routers still appearing in the top 10 sightings despite being years old.

The CISA Known Exploited Vulnerabilities catalog added 26 new entries during the month. Notable additions include:

CVE-2026-3055: Citrix NetScaler ADC & Gateway
CVE-2026-20131: Cisco Secure Firewall Management Center (FMC) – known ransomware use
CVE-2026-33634: Aquasecurity Trivy (supply-chain compromise)
CVE-2026-33017: Langflow (unauthenticated RCE)
CVE-2025-53521: F5 BIG-IP (RCE)
CVE-2025-54068: Laravel Livewire (code injection)

The CIRCL Known Exploited Vulnerabilities catalog added five entries, all confirmed via sinkhole and CTI feed evidence: CVE-2024-13030 (D-Link DIR-823G), CVE-2021-35394 (Realtek Jungle SDK), CVE-2017-17215 (Huawei HG532), CVE-2014-8361 (Realtek SDK), and GCVE-1-2026-0020 (Eir D1000 router). The ENISA KEV catalog had no new entries in March.

Contributor insights this month covered Citrix NetScaler CVE-2026-3055 exploitation analysis and PoC details, F5 BIG-IP indicators of compromise, Oracle Identity Manager critical vulnerabilities, BMC FootPrints pre-auth RCE chains, Veeam Backup & Replication security updates, and Lantronix industrial device vulnerabilities.

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2026-3055	154	Citrix	NetScaler ADC & Gateway	Critical (confidence: 0.9651)
CVE-2026-20131	121	Cisco	Secure Firewall Management Center (FMC)	Critical (confidence: 0.978)
CVE-2026-33017	101	Langflow	Langflow	Critical (confidence: 0.9904)
CVE-2026-3888	96	Canonical	snapd (Ubuntu)	High (confidence: 0.9876)
CVE-2026-21385	93	Qualcomm	Snapdragon	High (confidence: 0.9871)
CVE-2025-53521	87	F5	BIG-IP	Critical (confidence: 0.9364)
CVE-2026-21992	81	Oracle	Identity Manager & Web Services Manager	Critical (confidence: 0.9929)
CVE-2026-32746	72	GNU	inetutils (telnetd)	Critical (confidence: 0.8862)
CVE-2017-18368	62	Zyxel	P660HN-T1A Router	Medium (confidence: 0.5886)
CVE-2015-2051	60	D-Link	DIR-645 Router	Critical (confidence: 0.7862)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2026-3055	2026-03-30	Citrix	NetScaler	Critical (confidence: 0.9651)
CVE-2025-53521	2026-03-27	F5	BIG-IP	Critical (confidence: 0.9364)
CVE-2026-33634	2026-03-26	Aquasecurity	Trivy	Critical (confidence: 0.9963)
CVE-2026-33017	2026-03-25	Langflow	Langflow	Critical (confidence: 0.9904)
CVE-2025-31277	2026-03-20	Apple	Multiple Products	High (confidence: 0.9935)
CVE-2025-43520	2026-03-20	Apple	Multiple Products	High (confidence: 0.891)
CVE-2025-43510	2026-03-20	Apple	Multiple Products	Medium (confidence: 0.7061)
CVE-2025-54068	2026-03-20	Laravel	Livewire	Critical (confidence: 0.9685)
CVE-2025-32432	2026-03-20	Craft CMS	Craft CMS	High (confidence: 0.8744)
CVE-2026-20131	2026-03-19	Cisco	Secure Firewall Management Center (FMC)	Critical (confidence: 0.978)
CVE-2026-20963	2026-03-18	Microsoft	SharePoint	Critical (confidence: 0.6657)
CVE-2025-66376	2026-03-18	Synacor	Zimbra Collaboration Suite (ZCS)	Medium (confidence: 0.9952)
CVE-2025-47813	2026-03-16	Wing FTP Server	Wing FTP Server	Medium (confidence: 0.8028)
CVE-2026-3909	2026-03-13	Google	Skia	High (confidence: 0.9471)
CVE-2026-3910	2026-03-13	Google	Chromium V8	High (confidence: 0.98)
CVE-2025-68613	2026-03-11	n8n	n8n	Critical (confidence: 0.8146)
CVE-2026-1603	2026-03-09	Ivanti	Endpoint Manager (EPM)	High (confidence: 0.9622)
CVE-2025-26399	2026-03-09	SolarWinds	Web Help Desk	Critical (confidence: 0.9655)
CVE-2021-22054	2026-03-09	Omnissa	Workspace One UEM	High (confidence: 0.9505)
CVE-2023-41974	2026-03-05	Apple	iOS and iPadOS	High (confidence: 0.997)
CVE-2021-30952	2026-03-05	Apple	Multiple Products	High (confidence: 0.9971)
CVE-2023-43000	2026-03-05	Apple	Multiple Products	High (confidence: 0.9948)
CVE-2021-22681	2026-03-05	Rockwell	Multiple Products	High (confidence: 0.5079)
CVE-2017-7921	2026-03-05	Hikvision	Multiple Products	Critical (confidence: 0.9056)
CVE-2026-21385	2026-03-03	Qualcomm	Multiple Chipsets	High (confidence: 0.9871)
CVE-2026-22719	2026-03-03	Broadcom	VMware Aria Operations	Critical (confidence: 0.5026)

More KEV entries from the CISA Catalog.

CIRCL

Vulnerability ID	Date Added	Vendor	Product	VLAI Severity
CVE-2024-13030	2026-03-12	D-Link	DIR-823G	Critical (confidence: 0.5827)
CVE-2021-35394	2026-03-12	Realtek	Jungle SDK	Critical (confidence: 0.9847)
CVE-2017-17215	2026-03-12	Huawei	HG532	High (confidence: 0.4429)
CVE-2014-8361	2026-03-12	Realtek	SDK	Critical (confidence: 0.9846)
GCVE-1-2026-0020	2026-03-23	Eir	D1000	Critical (confidence: 0.944)

More KEV entries from the CIRCL Catalog.

ENISA

No new entry in March.

More KEV entries from the ENISA Catalog.

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

Press release

Vulnerability-Lookup 4.3.0 released

Fri, 27 Mar 2026 00:00:00 +0000

We are pleased to announce the release of Vulnerability-Lookup 4.3.0!

This release brings compliance with the updated GCVE BCP-03 specification (discussion), introducing a dedicated API endpoint for exposing GCVEs published by a local Vulnerability-Lookup instance. It also includes improvements to the GCVE feeder, email notification reliability fixes, and updated dependencies.

What’s New

GCVE Publication Endpoint

A new /api/gcve/publication endpoint lets external consumers discover all GCVEs published by the local instance. This is the standard mechanism defined in the updated GCVE BCP-03 for federated vulnerability sharing between Vulnerability-Lookup deployments and GCVE-compatible tools. c931b95

GCVE new endpoint

GCVE publications on db.gcve.eu

GNA-1 publications

Changes

chg: [feeder] GCVE feeder now uses /api/gcve/publication with two fallbacks for retro-compatibility. 96aaed6
chg: [bin] Also dump KEV entries. 5523cb7
chg: [bin] Updated footer of the dump page. 3260682
chg: [templates] Added a link to the list of sources from the /recent page. 89723f2
chg: [dependencies] Updated Python and JavaScript dependencies. a135d86, 1fcc515, d163c5f

Fixes

fix: [notifications] Remove jitter from last_execution_time to prevent missed notifications. When multiple users subscribed to the same product, the random jitter on last_execution_time created different blind windows, causing some users to miss vulnerability notifications. a02a9fe
fix: [typing] Fixed a typing issue in the aggregator parameter of the CSAFAggregatorHelper class. 860ead7

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v4.3.0

🙏 Thank you to all contributors and testers!

Feedback and Support

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

VulnMCP 1.0.0 released

Wed, 25 Mar 2026 00:00:00 +0000

We are excited to share a new project we have been working on: VulnMCP.

VulnMCP is an MCP server that brings vulnerability intelligence directly into AI clients, chat agents, and automated workflows. The idea is simple: make vulnerability analysis programmable, modular, and easily consumable by modern AI systems.

With VulnMCP, you can:

Query and explore vulnerabilities (via Vulnerability-Lookup) directly from your chat agent or editor.
Classify vulnerability severity (in English and Chinese) using our fine-tuned NLP models.
Predict CWE categories from descriptions.
Guess the CPE based on one or more keywords from a vulnerability description.
Explore KEV catalogs.
Retrieve real-world sightings.
Build and extend your own “skills” for automated security analysis.

Have a look at the screencast below (with sound on!) featuring Claude Code. You will see how to retrieve information about a vulnerability using its CVE ID and classify its severity — all from your favorite AI chat agent.

There should have been a video here but your browser does not seem to support it.

Example of CPE Guessing

This AI agent tool uses CPE Guesser.

VulnMCP is built with a modular architecture, so adding new capabilities is straightforward — whether you want to integrate additional models, data sources, or custom logic.

This is part of a broader effort to make vulnerability intelligence more accessible, interoperable, and ready for AI-native environments.

Looking into KEV catalogs

Looking into KEV catalogs and retrieving real-world observations (sightings)

Finding a GNA and its published vulnerabilities

Feedback

If you work with MCP clients, LLM agents, or are simply interested in automating vulnerability workflows, give it a try:

🔗 https://github.com/vulnerability-lookup/VulnMCP

Feedback, ideas, and contributions are very welcome!

References

The MCP server: https://github.com/vulnerability-lookup/VulnMCP
Training pipelines: https://github.com/vulnerability-lookup/VulnTrain
Orchestration framework based on XMPP: https://github.com/vulnerability-lookup/VulnAgent
Vulnerability-Lookup source code: https://github.com/vulnerability-lookup/vulnerability-lookup
Vulnerability-Lookup instance operated by CIRCL: https://vulnerability.circl.lu

Funding

The project leader is NASK National Research Institute. The international consortium includes:

CIRCL (Computer Incident Response Center Luxembourg), Luxembourg
The Shadowserver Foundation, Netherlands
NCBJ (National Centre for Nuclear Research), Poland
ABI LAB (Centre of Research and Innovation for Banks), Italy

cpe-guesser 2.0 released - Multi-Source CPE Imports, Better Ranking, and Greater Autonomy Beyond NVD

Sun, 22 Mar 2026 00:00:00 +0000

cpe-guesser 2.0 released

Overview

Version 2.0 brings major improvements to CPE import, ranking, and CVE v5 data handling. This release focuses on better import performance, broader format support, improved search relevance, and more robust indexing for vendor and product matching.

A notable change in this release is that cpe-guesser is no longer limited to NVD as its only practical CPE source. In addition to the NVD feeds, it can also leverage the Vulnerability-Lookup dump available at https://vulnerability.circl.lu/dumps/, providing additional CPE sources and more autonomy from the previously NVD-only source model.

Highlights

Improved search and ranking

Improved search ranking using CPE rank scores.
Enhanced server-side lookup ranking with rank:cpe scoring.
Reset of CVE v5 rank state before each import to ensure consistent ranking behavior.

CVE v5 import and indexing enhancements

Added CVE v5 NDJSON rank importer.
Added support for handling incomplete or multiline NDJSON records in CVEListV5Handler.
Introduced optional CVE v5 word indexing.
Added missing-word tracking for CVE v5 imports.
Split missing-word tracking into separate vendor and product sets for more precise analysis.

Faster and more flexible CPE imports

Parallelized NVD CPE imports for improved performance.
Refactored import logic into reusable handler classes.
Added NVDCPEHandler for importing the NVD CPE Dictionary 2.0 JSON format.
Extended import support for tar archives and standalone JSON files.
Continued support for legacy XML imports through XMLCPEHandler.
Added logging of JSON file names found inside tar archives.
Expanded the import model so cpe-guesser can integrate CPE data from additional sources, including Vulnerability-Lookup dumps, instead of relying solely on NVD feeds.

Configuration and deployment improvements

Improved configuration robustness by embedding default settings in code when configuration is missing or incomplete.
Made the Valkey database number configurable.
Fixed Docker deployment and docker-compose configuration to use Valkey correctly.
Corrected settings.yaml structure issues.
Added missing requirements and improved script executability in bin/.

Documentation and maintenance

Updated README documentation.
Added examples for the JSON format while keeping legacy format examples.
Applied Black formatting across library code and regression/import tests.
General linting and formatting cleanups.

Breaking / notable changes

The project now defaults to the CPE Dictionary 2.0 feed.
Import handling has been refactored significantly around dedicated handler classes.
CLI import behavior was simplified by removing the redundant --update flag and improving boolean toggle handling.
The project architecture is now better suited for multi-source CPE ingestion, reducing dependence on NVD as the single upstream source.

Contributors

Thanks to everyone who contributed to this release, including:

Alexandre Dulaunoy
Esa Jokinen
Surya Kanagasabapathy

Upgrade notes

When upgrading to 2.0, review:

Your import workflows, especially if you rely on legacy XML-only behavior.
Your configuration files, although defaults now make startup more robust.
Your Docker and Valkey setup if you deploy with containers.
Your data ingestion pipeline if you want to take advantage of alternative CPE sources such as the Vulnerability-Lookup dumps.

Summary

cpe-guesser 2.0 is a substantial release that modernizes the import pipeline, adds support for current NVD CPE data formats, improves ranking quality, and makes deployments more robust and scalable. It also opens the door to a more autonomous and flexible ingestion model by supporting additional CPE sources beyond NVD.

Vulnerability-Lookup 4.2.0 released

Fri, 20 Mar 2026 00:00:00 +0000

It is our honour to announce the release of Vulnerability-Lookup 4.2.0!
This version brings a large number of new CSAF-based vulnerability advisory sources, improvements to the web interface, and several bug fixes.

What’s New

New CSAF-based sources

As the number of GNA keeps growing and the interest around the GCVE-EU initiative increases, these UI improvements and filtering capabilities are becoming essential to efficiently explore the various available sources.

Below is the list of CSAF-based sources available by default. You can enable or disable each feeder via the config/modules.cfg configuration file. The display in the web interface is also configurable through the config/website.py configuration file.

Improvements

Enriched CSAF view
The generic CSAF view now includes severity, vulnerabilities, references, and acknowledgments.
d528da8
Enriched OSV view
Added severity and references to the generic OSV view.
65de73e
Date published in CVE records
If known, the datePublic field of CVE records is now displayed.
861a082
Boost recent sightings enabled by default
The boost recent sightings switch is now checked by default.
4eed4c4
New source argument for the full-text indexer
Added a source argument to the indexer for more targeted indexing.
d4e6e1f
Less verbose indexing
Reduced the verbosity of the full-text search indexing process.
a563dff
Configuration improvements
Reorganized the default SOURCES_TO_SHOW config variable and updated the sample website.py configuration with examples for the new configuration options.
f699400, 6e8fb6c
Documentation updates
Various improvements to the documentation, including GCVE publication as a GNA and Known Exploited Vulnerabilities Catalogs.
58a4d83, 143f5f5, 1f6d6d3, 52c774f
Updated Python dependencies
6e30dc2

Fixes

Fixed incorrect vulnerability ID passed in various Jinja macros. cf1b209
Fixed the default product option so the form correctly re-submits its value when changing sort/order controls. 7373f8f
Suppressed spurious config warnings for disabled features. c82e911
Fixed a variable shadowing issue in parse_vuln_payload() where the local source variable was overriding the function parameter. cb03721

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v4.2.0

🙏 Thank you to all contributors and testers!

Special thanks to Raphaël Vinot for adding the new sources.

Feedback and Support

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability-Lookup 4.1.0 released

Tue, 10 Mar 2026 00:00:00 +0000

We are excited to announce the release of Vulnerability-Lookup 4.1.0!
This version brings new features, improvements, and several bug fixes.

What’s New

Full-text search with Meilisearch

You can now enable full-text search on your Vulnerability-Lookup instance. This new feature relies on Meilisearch and the Vulnerability-Lookup event-stream. The indexer subscribes to the appropriate topic and receives all new and updated vulnerabilities pushed through the Valkey event-stream. This is the event-stream used by FediVuln in order to push notifications from a Vulnerability-Lookup instance to the Fediverse.

A documentation is available.

New full-text search API endpoint

A new endpoint at /api/vulnerability/fulltext is now available for programmatic full-text searches. (9cdac1c)

Better monitoring for email notifications

Email notifications are now monitored using Valkey. (7e3c26f)

New importers for Haskell, OCaml, and AlmaLinux

You can now import vulnerabilities from three additional ecosystems:

Haskell – d4ddbe9
OCaml – 3596b73
AlmaLinux – A new feeder to automatically gather AlmaLinux vulnerabilities. 3e23c53

Sightings table recency boost

You can now toggle a “recency boost” in the sightings table to highlight the latest vulnerability activity. (e966a70)

Improvements

Streamlined admin interface for users and bundles for a more consistent experience.
2b1cc87 | 20912ac
Adjusted how recent sightings are weighted to better reflect activity trends.
a8dc7f3

Fixes

Improved stability in real-time streams and email notifications.
95c249a | fdf1a2f
Corrected pagination and comment display in the API.
6003ad1
Fixed issues with sending emails when templates failed and case-sensitive IDs in certain feeds.
7f97222 | d87cc46 | bf0b8ba

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v4.1.0

🙏 Thank you to all contributors and testers! Escpecially to Niclas Dauster for the full-text search feature. And to Raphaël Vinot for the new sources.

Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability Report - February 2026

Mon, 02 Mar 2026 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for February 2026, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

February 2026 was led by CVE-2026-1731, a Critical-severity issue affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), with 158 sightings. It was followed closely by CVE-2026-2441 in Google Chrome with 143 sightings.

Microsoft-related vulnerabilities were also prominent in the top 10, including CVE-2026-20841 (Windows Notepad) and CVE-2026-21509 (Microsoft 365 Apps for Enterprise). Other heavily sighted entries spanned enterprise recovery and networking products such as Dell RecoverPoint for Virtual Machines (CVE-2026-22769) and Cisco Catalyst SD-WAN Manager (CVE-2026-20127), as well as platform and tooling ecosystems like Apple macOS (CVE-2026-20700), Ivanti Endpoint Manager Mobile (CVE-2026-1281), and n8n (CVE-2026-25049).

February continued to be an active month for known exploited vulnerabilities. The CISA Known Exploited Vulnerabilities catalog added 28 new entries during the month. Notable additions include:

CVE-2026-1731: BeyondTrust Remote Support (RS) & Privileged Remote Access (PRA)
CVE-2026-2441: Google Chrome
CVE-2026-20127: Cisco Catalyst SD-WAN Manager
CVE-2026-22769: Dell RecoverPoint for Virtual Machines
CVE-2025-49113: Roundcube Webmail
CVE-2020-7796: synacor zimbra_collaboration_suite

The CIRCL Known Exploited Vulnerabilities catalog added three entries (CVE-2026-25108, CVE-2026-1340, and CVE-2026-1281), while the ENISA KEV catalog had no new entries in February.

The Ghost CVE Report highlights eight vulnerability identifiers that were observed in sightings despite limited or missing public records. The most frequently sighted were CVE-2023-42344 (5 occurrences) and CVE-2026-1584 (4 occurrences), followed by CVE-2026-23456 (3 occurrences).

Contributor insights this month covered Cisco Catalyst SD-WAN vulnerabilities, an IceWarp command-injection RCE, analysis of CVEs affecting the Svelte ecosystem, TP-Link VIGI IP camera issues, and reporting on UAC-0001 (APT28) activity leveraging CVE-2026-21509.

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2026-1731	158	BeyondTrust	Remote Support(RS) & Privileged Remote Access(PRA)	Critical (confidence: 0.9914)
CVE-2026-2441	143	Google	Chrome	High (confidence: 0.9908)
CVE-2026-20841	131	Microsoft	Windows Notepad	High (confidence: 0.9833)
CVE-2026-21509	113	Microsoft	Microsoft 365 Apps for Enterprise	High (confidence: 0.9687)
CVE-2026-22769	91	Dell	RecoverPoint for Virtual Machines	Critical (confidence: 0.9356)
CVE-2026-20127	76	Cisco	Cisco Catalyst SD-WAN Manager	Critical (confidence: 0.9411)
CVE-2026-20700	69	Apple	macOS	High (confidence: 0.9705)
CVE-2026-1281	69	Ivanti	Endpoint Manager Mobile	Critical (confidence: 0.9791)
CVE-2026-25253	55	OpenClaw	OpenClaw	High (confidence: 0.7975)
CVE-2026-25049	54	n8n-io	n8n	Critical (confidence: 0.617)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2026-20127	2026-02-25	Cisco	Cisco Catalyst SD-WAN Manager	High (confidence: 0.9183)
CVE-2022-20775	2026-02-25	Cisco	Cisco Catalyst SD-WAN	High (confidence: 0.9894)
CVE-2026-25108	2026-02-24	Soliton Systems K.K.	FileZen	High (confidence: 0.8244)
CVE-2025-49113	2026-02-20	Roundcube	Webmail	High (confidence: 0.7952)
CVE-2025-68461	2026-02-20	Roundcube	Webmail	Medium (confidence: 0.9892)
CVE-2021-22175	2026-02-18	GitLab	GitLab	Medium (confidence: 0.7533)
CVE-2026-22769	2026-02-18	Dell	RecoverPoint for Virtual Machines	Critical (confidence: 0.9356)
CVE-2020-7796	2026-02-17	synacor	zimbra_collaboration_suite	Critical (confidence: 0.5846)
CVE-2024-7694	2026-02-17	TeamT5	ThreatSonar Anti-Ransomware	High (confidence: 0.9626)
CVE-2008-0015	2026-02-17	Microsoft	Windows	High (confidence: 0.981)
CVE-2026-2441	2026-02-17	Google	Chrome	High (confidence: 0.9908)
CVE-2026-1731	2026-02-13	BeyondTrust	Remote Support(RS) & Privileged Remote Access(PRA)	Critical (confidence: 0.9914)
CVE-2025-15556	2026-02-12	notepad-plus-plus	notepad-plus-plus	High (confidence: 0.9083)
CVE-2026-20700	2026-02-12	Apple	MacOS	High (confidence: 0.9705)
CVE-2024-43468	2026-02-12	Microsoft	Microsoft Configuration Manager	High (confidence: 0.8181)
CVE-2025-40536	2026-02-12	SolarWinds	Web Help Desk	High (confidence: 0.7215)
CVE-2026-21533	2026-02-10	Microsoft	Windows 10 Version 1607	High (confidence: 0.9889)
CVE-2026-21510	2026-02-10	Microsoft	Windows 10 Version 1607	High (confidence: 0.5272)
CVE-2026-21513	2026-02-10	Microsoft	Windows 10 Version 1607	High (confidence: 0.8378)
CVE-2026-21514	2026-02-10	Microsoft	Microsoft 365 Apps for Enterprise	High (confidence: 0.9769)
CVE-2026-21519	2026-02-10	Microsoft	Windows 10 Version 1607	High (confidence: 0.9183)
CVE-2026-21525	2026-02-10	Microsoft	Windows 10 Version 1607	Medium (confidence: 0.9918)
CVE-2026-24423	2026-02-05	SmarterTools	SmarterMail	Critical (confidence: 0.9798)
CVE-2025-11953	2026-02-05	react-native-community	react_native_community_cli	Critical (confidence: 0.987)
CVE-2019-19006	2026-02-03	sangoma	freepbx	Critical (confidence: 0.6005)
CVE-2025-64328	2026-02-03	FreePBX	filestore	High (confidence: 0.7976)
CVE-2021-39935	2026-02-03	GitLab	GitLab	Medium (confidence: 0.8559)
CVE-2025-40551	2026-02-03	SolarWinds	Web Help Desk	Critical (confidence: 0.9385)

More KEV entries from the CISA Catalog.

CIRCL

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2026-25108	2026-02-26	Soliton Systems K.K.	FileZen	High (confidence: 0.8244)
CVE-2026-1340	2026-02-03	Ivanti	Endpoint Manager Mobile	Critical (confidence: 0.9791)
CVE-2026-1281	2026-02-03	Ivanti	Endpoint Manager Mobile	Critical (confidence: 0.9791)

More KEV entries from the CIRCL Catalog.

ENISA

No new entry in February.

More KEV entries from the ENISA Catalog.

Top 10 Weaknesses of the Month

Click the image for more information.

Ghost CVE Report

A ghost CVE is a vulnerability identifier that’s already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

Sightings detected between 2026-02-01 and 2026-02-28 that are associated with vulnerabilities without public records.

Vulnerability ID	Occurrences	Comment
CVE-2023-42344	5	OpenCMS Unauthenticated XXE Vulnerability
CVE-2026-1584	4	libgnutls: Fix NULL pointer dereference in PSK binder verification
CVE-2026-23456	3	YoSmart YoLink Smart Hub
CVE-2025-15576	2	FreeBSD 14.3 and 13.5 (Jail chroot escape via fd exchange with a different jail)
CVE-2026-3038	2	All supported versions of FreeBSD (Local DoS and possible privilege escalation via routing sockets)
CVE-2025-13050	2	Multiple vulnerabilities in Centreon products
CVE-2025-12523	2	Multiple vulnerabilities in Centreon products
CVE-2025-71210	2	Multiple vulnerabilities in Trend Micro products (KA-0022458)

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

Press release

Vulnerability Report - January 2026

Wed, 18 Feb 2026 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for January 2026, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

January 2026 saw two vulnerabilities tied for most frequently sighted with 110 sightings each: CVE-2026-21858, a Critical-severity vulnerability in n8n-io’s n8n workflow automation platform, and CVE-2026-24061, a Critical vulnerability affecting GNU Inetutils. The n8n vulnerability was extensively covered in contributor insights, notably in “The Ni8mare Test: n8n RCE Under the Microscope”.

Other critical vulnerabilities in the top 10 include CVE-2025-55182 in Meta’s react-server-dom-webpack (97 sightings), CVE-2026-20045 in Cisco Unified Communications Manager (80 sightings), CVE-2026-24858 in Fortinet FortiManager (80 sightings), CVE-2026-1281 in Ivanti Endpoint Manager Mobile (70 sightings), and CVE-2017-18368, an older but still active vulnerability in billion 5200w-t devices (62 sightings).

January was a busy month for actively exploited vulnerabilities, with 15 new entries added to the CISA Known Exploited Vulnerabilities catalog. Notable additions include:

CVE-2026-24858: Fortinet FortiManager (Critical severity)
CVE-2026-21509 and CVE-2026-24061: Microsoft 365 Apps and GNU Inetutils
CVE-2025-52691 and CVE-2026-23760: SmarterTools SmarterMail
CVE-2026-20045: Cisco Unified Communications Manager
CVE-2025-34026: Versa Concerto

No new entries were added to the ENISA KEV catalog in January.

The Ghost CVE Report reveals early detection of vulnerabilities with limited public information. CVE-2025-58151 (Xen Security Advisory) and CVE-2026-23456 (YoSmart YoLink Smart Hub) led with 5 sightings each, followed by CVE-2024-31884 (4 sightings) and several GHSA identifiers and CVEs with 3 sightings.

Contributor insights covered a diverse range of topics, including EPMM detection techniques, PAN-OS firewall vulnerabilities, CVEs affecting the Svelte ecosystem, security advisories for Ivanti Endpoint Manager Mobile, GNU C Library updates, Trend Micro Apex Central vulnerabilities, and multiple vulnerabilities in GnuPG (gpg.fail).

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2026-21858	110	n8n-io	n8n	Critical (confidence: 0.8071)
CVE-2026-24061	110	GNU	Inetutils	Critical (confidence: 0.9534)
CVE-2025-55182	97	Meta	react-server-dom-webpack	Critical (confidence: 0.9914)
CVE-2026-21509	94	Microsoft	Microsoft 365 Apps for Enterprise	High (confidence: 0.9735)
CVE-2025-8088	84	win.rar GmbH	WinRAR	High (confidence: 0.9881)
CVE-2026-20045	80	Cisco	Cisco Unified Communications Manager	Critical (confidence: 0.5226)
CVE-2026-24858	80	Fortinet	FortiManager	Critical (confidence: 0.9378)
CVE-2025-14847	76	MongoDB Inc.	MongoDB Server	High (confidence: 0.9349)
CVE-2026-1281	70	Ivanti	Endpoint Manager Mobile	Critical (confidence: 0.9914)
CVE-2017-18368	62	billion	5200w-t	Critical (confidence: 0.9748)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2026-24858	2026-01-27	Fortinet	FortiManager	Critical (confidence: 0.9378)
CVE-2025-52691	2026-01-26	SmarterTools	SmarterMail	Critical (confidence: 0.7545)
CVE-2018-14634	2026-01-26	The Linux Foundation	kernel	High (confidence: 0.8719)
CVE-2026-23760	2026-01-26	SmarterTools	SmarterMail	Critical (confidence: 0.9916)
CVE-2026-21509	2026-01-26	Microsoft	Microsoft 365 Apps for Enterprise	High (confidence: 0.9735)
CVE-2026-24061	2026-01-26	GNU	Inetutils	Critical (confidence: 0.9534)
CVE-2024-37079	2026-01-23	vmware	vcenter_server	Critical (confidence: 0.9302)
CVE-2025-54313	2026-01-22	prettier	eslint-config-prettier	High (confidence: 0.8864)
CVE-2025-34026	2026-01-22	Versa	Concerto	Critical (confidence: 0.9819)
CVE-2025-31125	2026-01-22	vitejs	vite	Medium (confidence: 0.6523)
CVE-2026-20045	2026-01-21	Cisco	Cisco Unified Communications Manager	Critical (confidence: 0.5226)
CVE-2026-20805	2026-01-13	Microsoft	Windows 10 Version 1607	Medium (confidence: 0.995)
CVE-2025-8110	2026-01-12	Gogs	Gogs	High (confidence: 0.9905)
CVE-2009-0556	2026-01-07	Microsoft	Office	High (confidence: 0.8535)
CVE-2025-37164	2026-01-07	Hewlett Packard Enterprise (HPE)	HPE OneView	High (confidence: 0.6929)

ENISA

No new entry in January.

Top 10 Weaknesses of the Month

Click the image for more information.

Ghost CVE Report

A ghost CVE is a vulnerability identifier that’s already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

Sightings detected between 2026-01-01 and 2026-01-31 that are associated with vulnerabilities without public records.

Vulnerability ID	Occurrences	Comment
CVE-2025-58151	5	Xen Security Advisory 478 v2
CVE-2026-23456	5	Critical Vulnerabilities in YoSmart YoLink Smart Hub Expose Smart Homes to Remote Attacks
CVE-2024-31884	4	Incorrect usage of certificate checking via Pybind
GHSA-7hf5-mc28-xmcv	3	CVE-2026-22794: Trust Issues: Hijacking Appsmith Accounts via Origin Header Abuse
GHSA-7g7f-ff96-5gcw	3	CVE-2025-8217: Amazon Q’s Self-Sabotage: The Backdoor That Couldn’t Code
CVE-2026-23594	3	Remote Privilege Elevation in HPE Alletra & Nimble Storage
CVE-2026-1220	3	Google Chrome 144 Update Patches High-Severity V8 Vulnerability
CVE-2023-42344	2	XXE in OpenCMS
CVE-2026-12345	2	Zero-day RCE in NexusFlow API Gateway is actively exploited
CVE-2025-53086	2	The recent patch for HarfBuzz (CVE-2025-53086) addresses a classic yet dangerous heap corruption bug
CVE-2025-134655	1	prototype pollution flaw
CVE-2025-63261	3	vulnerability in AWStats as shipped with cPanel

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

Press release

Vulnerability-Lookup 4.0.0 released

Mon, 16 Feb 2026 00:00:00 +0000

We are pleased to announce the release of Vulnerability-Lookup 4.0.0 — a second major milestone at the beginning of this year.

This version is paving the way for federated deployments of Vulnerability-Lookup instances.

What’s New

Remote Instance Synchronization

There should have been a video here but your browser does not seem to support it.

A local instance can now pull objects — including bundles, comments, sightings, and KEV entries (BCP-07) — from configured remote Vulnerability-Lookup instances via their public APIs.

The synchronization engine includes:

Remote instance management with per-object-type synchronization controls
Timestamp-based update detection to keep data consistent
Asynchronous scheduler with graceful shutdown support
CLI command and systemd service template for automation
Administrative controls to trigger synchronization manually
Visual indicators in the interface to clearly identify synchronized objects

This enables controlled federation between trusted instances while maintaining operational visibility.

The documentation is available here.

Remote instances configuration

About page listing configured remote instances

Synced comments

Synced KEV Catalogs

New Security Advisory Sources

Two new feeders expand Vulnerability-Lookup’s ingestion capabilities:

RustSec OSV feeder bf0c435
OSS-Fuzz feeder with support for YAML sources in OSV 21f2309

Changes

Improved global dashboard layout for better clarity and navigation 91db7fd
CSAF and OSV templates made fully generic 418b590

Fixes

Timestamps are now consistently converted to UTC before JSON serialization, preventing timezone mislabeling when the database session runs in a non-UTC timezone 4f7149e
API updated to handle the new data format returned by Rulezet 5489d29

Changelog

For the complete list of changes, please refer to the GitHub release notes:
v4.0.0 Release Notes

Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository: GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories and project news in real time by following us on Mastodon:
@vulnerability_lookup

Vulnerability-Lookup 3.0.0 released

Mon, 02 Feb 2026 00:00:00 +0000

We are glad to announce Vulnerability-Lookup 3.0.0. Our second release of 2026 is a major milestone, featuring GCVE-BCP-07 support. Now, every Vulnerability-Lookup instance can publish its own KEV catalog while integrating KEV feeds from CISA and ENISA.

Let’s take a look at all the notable changes.

What’s New

GCVE-BCP-07: Known Exploited Vulnerabilities (KEV) Catalogs Integration

There should have been a video here but your browser does not seem to support it.

This release implements support for GCVE-BCP-07, enabling seamless integration with multiple Known Exploited Vulnerabilities (KEV) catalogs from different Global Numbering Authorities (GNAs). PR #310

Out of the box, any Vulnerability-Lookup instance can publish its own GCVE-BCP-07–compliant KEV catalog and consume KEV catalogs from ENISA and CISA. Conversion and synchronization are performed using the following tool: https://github.com/gcve-eu/gcve-eu-kev

A huge thank you to CISA and ENISA for their continuous work and for making KEV data available. Their catalogs are key building blocks for effective vulnerability prioritization, and it’s great to see them fit naturally into a GCVE-aligned workflow.

New and updated tools

CISA KEV and ENISA CNW EUVD to GCVE-BCP-07 Converter: https://github.com/gcve-eu/gcve-eu-kev
```
$ gcve-from-cisa --push
$ gcve-from-enisa --push
```

BCP Validator: https://github.com/gcve-eu/bcp-validator

$ python gcve_bcp05_validate.py --url https://vulnerability.circl.lu/api/vulnerability?source=gna-1
OK: https://vulnerability.circl.lu/api/vulnerability/recent?source=gna-1

GCVE Python client: https://github.com/gcve-eu/gcve

$ gcve references --list
{
 "kev": [
 {
 "uuid": "405284c2-e461-4670-8979-7fd2c9755a60",
 "short_name": "CISA KEV",
 "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
 "automation_url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
 "description": "For the benefit of the cybersecurity community and network defenders\u2014and to help every organization better manage vulnerabilities and keep pace with threat activity\u2014CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework."
 },
 {
 "uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd",
 "short_name": "CIRCL",
 "gcve_gna_id": 1,
 "description": "CIRCL provides a known-exploited vulnerability and supporting the different status_reason described in GCVE BCP-07."
 },
 {
 "uuid": "cce329bf-df49-4c6e-a027-80be2e6483bd",
 "short_name": "EUVD KEV",
 "gcve_gna_id": 2,
 "automation_url": "https://github.com/enisaeu/CNW/raw/refs/heads/main/kev.csv",
 "description": "ENISA via the CSIRTs network provides list of known-exploited seen in the CSIRTs network."
 }
 ]
}

New Vulnerability Sources

new: [feeders] OSV importer for Drupal security advisories. Imports vulnerabilities from the Drupal security team’s OSV feed. 14177ab
new: [feeders] OSV importer for CleanStart security advisories. Imports vulnerabilities from CleanStart’s OSV feed. 14177ab
new: [feeders] Bitnami Vulnerability Database importer. Imports vulnerabilities from Bitnami’s OSV-formatted vulnerability database, covering their application catalog. 165e99d

Changes

chg: [gcve] Updated GCVE Python client with improved type hints and bug fixes. 78dbfc1 5ddf74d
chg: [gcve] KEV catalog menu now handles production instances that have their own GNA ID. When a local instance (e.g., CIRCL - GNA-1) exists in the GCVE KEV catalog list, it’s marked as local without creating duplicates. 2bba2d8
chg: [api] Extended x_gcve injection to all vulnerability list endpoints: VulnerabilitiesList, Recent, Last, and LastLegacy. This ensures consistent GCVE integration across all API endpoints. 227da00
Various graphical improvements.

Fixes

fix: [gcve] Resolved circular import in gcve_utils module. e7aa364
‘Ghost CVEs’ toggle is wonky #303
Fix CVSS 4.0 parsing crash in web filters #304
Fix blacklist bypass vulnerability in username validation #314
Support YYYYMMDD date format in API since parameter #315

Changelog

For the full list of changes, check the GitHub release:
v3.0.0 Release Notes

Thank you to all our contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

Vulnerability-Lookup 2.21.0 released

Fri, 23 Jan 2026 00:00:00 +0000

We’re delighted to announce the release of Vulnerability-Lookup 2.21.0. This release brings several important improvements focused on search, data ingestion, and usability.

What’s New

Product-level indexing & search API

Making it easier to explore vulnerabilities from a product-centric angle, without specifying a vendor name. (f906064)

New CSAF feeder for Schneider Electric

We have recently added a new CSAF feed for Schneider Electric. (e43fa03)

More flexible user registration configuration

New options to customize signup/about pages and restrict accepted email domains. (3855838, bfc82cf)

Improved notifications & UI refinements

Clearer emails, better metadata, and cleaner templates.

Ghost CVE

We now use the term Ghost CVE to refer to vulnerabilities observed in the wild via sightings that do not yet have a public CVE record.

Changes

A number of fixes and technical improvements are also included.

chg: [notifications] Added the publication date in email notifications and a special icon for new vulnerabilities. Closes #299. 64bc631
chg: [dependencies] Updated Python and dev/docs dependencies. 510233c b08c381
chg: [config] Updated default value for ACCEPTED_DOMAINS_FOR_REGISTRATION. 6563f8a
chg: [templates] Simplified titles for vuln and sightings pages; added Open Graph meta tag. 19c9a69 27eb6bf
chg: [documentation] Updated installation instructions. 152212d

Fixes

fix: [api] Preserve typing for flask-restx decorators (mypy). f5f31c5
fix(cvss): Safely handle CVSS 4.0 vectors in Jinja filters. Closes #305. 5a303bb
fix: [templates] Fix Bootstrap switch click handling (moved popover to help icon). Closes #303. 19a8c54
fix: [bin] Corrected the script name for the CSAF Schneider Electric importer. 1386a76
fix: [templates] Fixed an issue with batch deletion of users. 839345b
fix: [templates] Fixed a tag id in vulnerability_templates.html. bc0d329

Changelog

For the full list of changes, check the GitHub release:
v2.21.0 Release Notes

Thank you to all our contributors and testers!

The new contributor of this release is Thai Nguyen.

Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

Vulnerability Report - December 2025

Mon, 12 Jan 2026 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for December 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

A new section dedicated to detection rules is available.

The Month at a Glance

December 2025 was dominated by a massive surge in activity surrounding CVE-2025-55182 affecting Meta’s react-server-dom-webpack. With 852 sightings, this critical vulnerability (referenced by contributors as “React2Shell”) significantly outpaced all other vulnerabilities, highlighting a major focus on web application infrastructure exploitation.

Database and network security were also primary themes this month. MongoDB (CVE-2025-14847) ranked second in sightings and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on December 29th. The networking sector remained volatile, with critical vulnerabilities in Cisco Secure Email, WatchGuard Fireware OS, Fortinet, and SonicWall appearing in both the top sightings and the CISA KEV list.

Despite the influx of 2025 vulnerabilities, “zombie” vulnerabilities continue to plague the internet. Legacy issues from 2015 (D-Link) and 2017 (Zyxel) persist in the Top 10, proving that unpatched IoT devices remain active attack vectors years after disclosure.

In the broader ecosystem, CISA added a wide variety of threats to their catalog, ranging from mobile operating systems (iOS, Android) and browsers (Chrome) to desktop utilities like WinRAR. Additionally, community contributors highlighted significant structural shifts, notably the End-of-Life status for the Linux 5.4 kernel and new cryptographic implementation flaws in GnuPG.

Evolution of published CVE in 2025

More information.

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2025-55182	852	Meta	react-server-dom-webpack	Critical (confidence: 0.9783)
CVE-2025-14847	204	MongoDB Inc.	MongoDB Server	High (confidence: 0.9538)
CVE-2025-20393	89	Cisco	Cisco Secure Email	Critical (confidence: 0.5137)
CVE-2015-2051	62	dlink	dir-645	High (confidence: 0.607)
CVE-2017-18368	62	zyxel	p660hn-t1a_v1	Critical (confidence: 0.9763)
CVE-2025-14733	60	WatchGuard	Fireware OS	Critical (confidence: 0.976)
CVE-2025-66516	57	Apache Software Foundation	Apache Tika core	High (confidence: 0.8155)
CVE-2018-10562	56	dasannetworks	gpon_router	Critical (confidence: 0.9815)
CVE-2025-40602	53	SonicWall	SMA1000	Medium (confidence: 0.9162)
CVE-2025-59718	53	Fortinet	FortiSwitchManager	Critical (confidence: 0.7339)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-14847	29/12/25	MongoDB Inc.	MongoDB Server	High (confidence: 0.9538)
CVE-2023-52163	22/12/25	digiever	ds-2105_pro	High (confidence: 0.9141)
CVE-2025-14733	19/12/25	WatchGuard	Fireware OS	Critical (confidence: 0.976)
CVE-2025-20393	17/12/25	Cisco	Cisco Secure Email	Critical (confidence: 0.5137)
CVE-2025-40602	17/12/25	SonicWall	SMA1000	Medium (confidence: 0.9162)
CVE-2025-59374	17/12/25	ASUS	live update	Critical (confidence: 0.7584)
CVE-2025-59718	16/12/25	Fortinet	FortiSwitchManager	Critical (confidence: 0.7339)
CVE-2025-43529	15/12/25	Apple	iOS and iPadOS	High (confidence: 0.9918)
CVE-2025-14611	15/12/25	Gladinet	CentreStack and TrioFox	High (confidence: 0.8669)
CVE-2025-14174	12/12/25	Google	Chrome	High (confidence: 0.8175)
CVE-2018-4063	12/12/25	sierrawireless	aleos	High (confidence: 0.7137)
CVE-2025-58360	11/12/25	geoserver	geoserver	High (confidence: 0.5288)
CVE-2025-62221	09/12/25	Microsoft	Windows 10 Version 1809	High (confidence: 0.9943)
CVE-2025-6218	09/12/25	RARLAB	WinRAR	High (confidence: 0.9977)
CVE-2025-66644	08/12/25	Array Networks	ArrayOS AG	High (confidence: 0.8361)
CVE-2022-37055	08/12/25	dlink	go-rt-ac750	Critical (confidence: 0.9698)
CVE-2025-55182	05/12/25	Meta	react-server-dom-webpack	Critical (confidence: 0.9783)
CVE-2021-26828	03/12/25	scadabr	scadabr	High (confidence: 0.7378)
CVE-2025-48633	02/12/25	Google	Android	High (confidence: 0.8796)
CVE-2025-48572	02/12/25	Google	Android	High (confidence: 0.9629)

ENISA

No new entry in December.

Top 10 Weaknesses of the Month

Click the image for more information.

Detection rules

CVE-2025-55182

Ghost CVE Report

A ghost CVE is a vulnerability identifier that’s already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

Sightings detected between 2025-12-01 and 2025-12-31 that are associated with vulnerabilities without public records.

Vulnerability ID	Occurrences	Comment
CVE-2023-42344	11	OpenCMS Unauthenticated XXE Vulnerability
CVE-2025-14269	9	Credential caching in Headlamp with Helm enabled
CVE-2025-14282	6	dropbear: privilege escalation via unix domain socket forwardings
CVE-2025-14558	5	FreeBSD IPv6 Flaw Enables Remote Code Execution Attacks
CVE-2025-9820	2	gnutls 3.8.11 released with fix for CVE-2025-9820
CVE-2025-66387	2	QL Injection in Orkes Conductor
CVE-2025-65995	2	Apache Airflow: Disclosure of secrets to UI via kwargs

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

Press release

Vulnerability-Lookup 2.20.0 released

Fri, 19 Dec 2025 00:00:00 +0000

Just in time for the end of the year, we’re happy to share our final release before the holidays: Vulnerability-Lookup 2.20.0 🎄

What’s New

GCVE (Global CVE Allocation System): Relationships

We’ve updated the bundled Vulnogram interface to better support the GCVE ecosystem. Vulnerability-Lookup now allows you to define and manage relationships between vulnerabilities, in line with the GCVE BCP-05 specification.

Commit: 2f39bf8

This is a first step toward implementing full GCVE BCP-05 compliance.

Displaying relationships of a vulnerability

https://vulnerability.circl.lu/vuln/GCVE-1-2025-0032

In this case, opposes indicates that the GNA does not agree with the status or validity of the referenced vulnerability. This can be used when a GCVE published by another GNA is considered not to be a vulnerability for the product in question (e.g., the behavior is expected, or the scenario describes a discouraged or unsupported configuration).

Editing relationships with the Vulnogram UI

Sightings Visualization

Understanding how vulnerabilities are observed in the wild just got easier. We’ve added a new Heat Map to visualize vulnerability sightings over time, featuring built-in filters for dates and sighting types.

Commit: 56a66e0

Heatmap for sightings

Examples

https://vulnerability.circl.lu/vuln/CVE-2025-61757#sightings

https://vulnerability.circl.lu/vuln/CVE-2018-13379#sightings

Sighting correlations

https://vulnerability.circl.lu/vuln/CVE-2025-59718#sightingsCorrelations

Changes

Authentication: Allowed password recovery triggers based on case-insensitive usernames. #290
Vulnerability Disclosure: A guidance message is now displayed to unauthenticated users when attempting to submit a new disclosure. (90787db)
Product API: product.find_vulnerabilities now returns more comprehensive results. (a31f6c3)

https://vulnerability.circl.lu/vuln/GCVE-1-2025-0041

Fixes

Data Ingestion: Fixed an issue to ignore temporary files in ossf/malicious-packages. (6bc93b1)
Website: Fixed the routing path used to delete vulnerability disclosures. (e2ecb2a)
Website: Updated vulnerability ID requirements to be optional for disclosures. (5bd5353)

Changelog

For the full list of changes, check the GitHub release:
v2.20.0 Release Notes

Thank you to all our contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

GPU Efficiency in VLAI Model Training

Fri, 12 Dec 2025 00:00:00 +0000

This report is also available as a PDF.

Preface

This document summarizes the benchmarking, training configuration, and performance results obtained while generating the Vulnerability Severity Classification model across different GPU architectures throughout 2025.

The VLAI Vulnerability Severity Classification model developed at CIRCL is regularly updated and shared on Hugging Face. It has been presented in:

Bonhomme, C., & Dulaunoy, A. (2025). VLAI: A RoBERTa-Based Model for Automated Vulnerability Severity Classification (Version 1.4.0) [Computer software].
https://doi.org/10.48550/arXiv.2507.03607

All materials used to produce this technical report—including Matplotlib scripts, datasets, and other resources—are available in the Git repository:
https://github.com/vulnerability-lookup/gpu-vuln-bench

Environments used for benchmarking

GPU Architectures

The performance benchmarks were conducted on the GPU-accelerated systems described in the table 1. Each environment varies in CPU architecture, GPU type, and memory capacity, enabling us to evaluate model training efficiency across different hardware configurations.

Table 1: GPU-accelerated systems used for benchmarking in different environments.

Env	CPU	GPU	RAM	Location
A	64 (AMD EPYC 9124 16-Core Processor)	2 × NVIDIA L40S	251.5 GB	CIRCL Server Lab (Luxembourg City)
B	224 (Intel Xeon Platinum 8480+)	2 × NVIDIA H100 NVL	2,014 GB	LuxConnect Datacenter
C	224 (Intel Xeon Platinum 8480+)	4 × NVIDIA L40S	2,014 GB	LuxConnect Datacenter

Each environment was used to execute a series of experiments designed to measure the throughput, memory utilization, and training time of the VLAI Vulnerability Severity Classification model. The following sections provide a detailed summary and analysis of these experiments.

Framework Versions

Main software and libraries used during the experiences:

Python: 3.12.3
Transformers: 4.57.1
PyTorch: 2.9.1+cu128
Datasets: 4.4.1
Tokenizers: 0.22.1

Dataset

The dataset used for training and evaluation is available on Hugging Face at the commit 2135755d8f42902de065d1ca30d800820b1e5cf1.

https://huggingface.co/datasets/CIRCL/vulnerability-scores

This is the updated version of the dataset referenced in arXiv.2507.03607.

Dataset statistics:

Number of rows: 642,080
- Train split: 577,872
- Test split: 64,208
- ref: commit 2135755d8f42902de065d1ca30d800820b1e5cf1
Downloaded size: 159 MB
Auto-converted Parquet size: 159 MB

The test split accounts for 10% of the dataset and can be configured in VulnTrain (https://github.com/vulnerability-lookup/VulnTrain).

VulnTrain is developed as part of the AIPITCH project and is integrated with Vulnerability-Lookup via ML-Gateway—a FastAPI-based local server that loads one or more pre-trained NLP models at startup and exposes them through a clean, RESTful API for inference.
For more details, see: https://github.com/vulnerability-lookup/ML-Gateway.

This dataset is periodically updated with data collected with Vulnerability-Lookup.

Model Training

Resulting models

The main model is available on Hugging Face:
https://huggingface.co/CIRCL/vulnerability-severity-classification-roberta-base

It is a fine-tuned version of RoBERTa-base trained on the CIRCL/vulnerability-scores dataset.
Intermediate models are also available on Hugging Face and are versioned for reproducibility:

The code of the trainer is available in the VulnTrain project.

Training Hyperparameters

The following hyperparameters were used during training:

Learning rate: 3e-05
Per device Batch Size: 8
Seed: 42
Optimizer: ADAMW_TORCH_FUSED
Scheduler: linear
Epochs: 5

For a RoBERTa model, the default batch size per device we chose is 8.

RoBERTa-base is a medium-sized Transformer model (approx. 125 million parameters). A batch size of 8 per device is a standard, conservative choice that is un likely to cause Out-of-Memory (OOM) errors on most modern GPUs (like NVIDIA V100, A100, or even modern consumer cards like the RTX 3080/4080) for typical sequence lengths (e.g., 128 or 256 tokens).

3e-05 is a standard and safe learning rate for fine-tuning RoBERTa, with the optimizer using its default settings.

A quick note on epochs and batches

A batch is a subset of the training data processed together in one forward and backward pass, producing gradients that update the model weights.
The batch size is the number of samples in that batch.

An epoch is one full pass over the entire training dataset.
Since the dataset is divided into batches, an epoch consists of multiple steps, where each step processes one batch and updates the model weights.

The effective batch size (batch size × number of GPUs) influences training dynamics:

Larger effective batches produce more stable gradients, require fewer optimization steps per epoch, and often converge faster.
Smaller batches introduce noise in the gradients, which can help escape poor local minima and improve generalization, but each epoch takes longer.
The impact on generalization also depends on using an appropriate learning rate.

RoBERTa often benefits from slightly larger batches. For example, using a batch of 32 samples per step can reduce gradient noise and stabilize learning, leading to quicker convergence.

Figure 1: Number of GPUs / Batch Size - Illustration 1

Figure 2: Number of GPUs / Batch Size - Illustration 2

Each colored rectangle represents a single training step, corresponding to one processed batch. An epoch ends once steps_per_epoch steps have been completed.

In our case, the training split contains 577,872 samples. The visualizations use a simplified view to illustrate the concepts more clearly for learning purposes. They illustrate how batch size, number of GPUs, and dataset size affect the number of training steps per epoch.

Training results

Environment	Final Loss	Final Accuracy	Epochs to Converge	Batch Size	Steps per Epoch
A	0.2537	0.8232	5	16	29470
B	0.2801	0.8230	5	16	29470
C	0.3793	0.8173	5	32	14735

Table 2: Final training results for the different environments.

Results in terms of loss and accuracy are very similar, regardless of the system used.
Each experiment produced slightly different rankings, but the differences are minimal.

The samples per epoch is the same in each environments: 577,872. Wich corresponds to 10 per cent of the dataset .

Environment A

Theoretically, samples_per_epoch should match the number of samples in the training split (577,872), but our trainer filters out entries with missing or unknown severity labels. As previously explained an epoch is one full pass over the entire training dataset.

Training Loss	Epoch	Step	Validation Loss	Accuracy	steps_per_epoch	samples_per_epoch
0.4999	1.0	29470	0.6657	0.7290	29470.0	471520.0
0.5279	2.0	58940	0.5911	0.7685	29470.0	471520.0
0.4775	3.0	88410	0.5392	0.7961	29470.0	471520.0
0.3753	4.0	117880	0.5125	0.8122	29470.0	471520.0
0.2537	5.0	147350	0.5169	0.8232	29470.0	471520.0

Table 3: Training results for an experiment with environment A

Environment B

Training Loss	Epoch	Step	Validation Loss	Accuracy	steps_per_epoch	samples_per_epoch
0.5379	1.0	29470	0.6573	0.7358	29470.0	471520.0
0.5714	2.0	58940	0.5810	0.7710	29470.0	471520.0
0.4636	3.0	88410	0.5412	0.7918	29470.0	471520.0
0.4738	4.0	117880	0.5098	0.8131	29470.0	471520.0
0.2801	5.0	147350	0.5175	0.8230	29470.0	471520.0

Table 4: Training results for an experiment with environment B

Environment C

Training Loss	Epoch	Step	Validation Loss	Accuracy	steps_per_epoch	samples_per_epoch
0.6270	1.0	14735	0.6594	0.7298	14735.0	471520.0
0.5675	2.0	29470	0.5780	0.7693	14735.0	471520.0
0.4690	3.0	44205	0.5363	0.7930	14735.0	471520.0
0.4373	4.0	58940	0.5069	0.8107	14735.0	471520.0
0.3793	5.0	73675	0.5071	0.8173	14735.0	471520.0

Table 5: Training results for an experiment with environment C

Note that

147350 / 2 = 73675

Comparisons

A common rule of thumb is the linear scaling rule: when the effective batch size is doubled, the learning rate is also doubled.
This behavior is confirmed in all of our experiments.

The chart shows the validation accuracy per epoch for the various experiments with the environments A, B, and C.
All experiments exhibit very similar accuracy trends.
Experiments in environment C reaches higher accuracy more quickly in the early epochs, reflecting faster convergence per epoch due to a larger effective batch size (more GPUs × batch per device).
By the final epoch, all experiments achieve comparable accuracy (~0.82), indicating consistent model performance across the different setups.

Key Observations

More GPUs → larger effective batch → fewer steps per epoch
- Example:
  - 4 GPUs × 256 samples → 1024 samples/step → fewer steps to process the full dataset
  - 2 GPUs × 256 samples → 612 samples/step → more steps to process the same dataset
Larger batch size per device → fewer steps per epoch, but each step processes more data.
Epoch duration is proportional to number of steps × time per step, so increasing GPUs or batch size reduces total training time per epoch.

Figure 1 and 2 make it easier to understand why Exp C (4 GPUs, batch size 8 per device → effective batch 32) completes fewer steps per epoch and thus runs faster per epoch than Exp A/B (2 GPUs, effective batch 16), even though the dataset and model are identical.

Benchmark Comparisons Across Different Environments

Duration

Energy

Emissions

GPU Power

Energy vs. Duration

GPU Power vs. Duration

GPU Power vs. Energy

Conclusion

From our perspective, Environment C offers the best balance of performance and energy efficiency. The quality of the resulting model is not significantly affected by these small variations in batch size, and may in fact remain completely unchanged. We plan to explore additional configurations in the future using our new equipment.

Evolution of Experiments in Environment A

We have been collecting data since February 2025 in Environment A, which is equipped with 2 × NVIDIA L40S GPUs. The charts below illustrate the evolution of our experiments over the course of the year. (Environments B and C are too recent to provide meaningful data at this time.)

The workload did not change enough to explain the summer peak:

The dataset size shows a nearly linear and steady growth.
We did not change the training hyperparameters or the base model (model size) in this configuration.
No changes were made to the GPU configuration.

Our hypothesis is thermal throttling and cooling overhead.
CodeCarbon estimates total energy consumption using the PUE (Power Usage Effectiveness) of the environment.
If PUE increases during summer due to higher cooling requirements, the estimated energy usage rises, even if the GPU workload remains identical.

When ambient temperatures increase, hardware may:

throttle its operating frequency,
reduce performance,
complete the same training steps over a longer duration.

As a result, even if instantaneous power consumption remains similar, the overall job duration increases, which leads to a higher total energy consumption (more Joules).

It must be noted that Environment A is located in the CIRCL Server Lab in Luxembourg City, where temperature is not controlled as strictly as in a datacenter.

We will monitor temperature and environmental metrics in future experiments to quantify these effects more precisely.

Future Works

The acquisition of our new equipment will allow us to conduct more experiments across a variety of configurations, enabling larger and more complex model training, which could have a greater impact (negative or positive) on model accuracy.

As a first demonstration, we recently developed a text generation model designed to assist in writing vulnerability descriptions. This is a fine-tuned version of GPT-2 XL, the 1.5B parameter variant of GPT-2. The model is available here: https://huggingface.co/CIRCL/vulnerability-description-generation-gpt2-xl

The model was trained in Environment C over approximately 34 hours. Training in Environment A was not feasible, even with the standard GPT-2 model, due to GPU memory limitations.

In addition, we plan to improve our CWE classification model using the vulnerability patches we have collected (https://huggingface.co/datasets/CIRCL/vulnerability-cwe-patch).

We also plan to experiment with a RAG (Retrieval-Augmented Generation) system, which combines retrieval from a knowledge base with generative models to produce answers. This approach is particularly suited for domain-specific information, in our case software vulnerabilities. Alternatively, we may explore a Question-Answering (QA) system, focused on providing factual answers directly from our dataset.

Resources

Related to CodeCarbon’s RAM Energy Calculation

CodeCarbon primarily calculates the energy used by RAM through a power consumption model based on estimations, rather than direct hardware measurement, unless specific system features are available.

The power estimation for a “large server” is approximately 40W (using 8x128GB DIMMs with high efficiency scaling).

Reference: https://mlco2.github.io/codecarbon/methodology.html#ram

Estimation Methodology

The default method relies on a fixed power consumption value per installed RAM module (DIMM):

Fixed Power per DIMM: A standardized, average power consumption value is assigned to each RAM module.
- For x86 Systems (most standard laptops/desktops), this is typically set at 5 Watts per DIMM.
- For ARM Systems (e.g., Raspberry Pi), a lower base power, like 1.5W per DIMM, or a constant of 3W, is used.
Counting RAM Modules: CodeCarbon attempts to determine the number of installed RAM modules (DIMMs) on the system by querying the operating system.
Total Power Calculation: The estimated total RAM power is calculated by multiplying these two values: $\text{RAM Power (Watts)} = \text{Fixed Power per DIMM} \times \text{Number of RAM Slots Used}$
Scaling (for Servers): For systems with many DIMMs (e.g., servers with 8+ slots), a scaling factor is applied to reduce the power assigned to each additional DIMM, acknowledging that power consumption doesn’t increase strictly linearly in large configurations.

Energy Calculation

Once the estimated RAM Power (in Watts) is determined, the Energy Consumed (in kilowatt-hours, or kWh) is calculated based on the duration of the code execution:

\text{Energy (kWh)} = \frac{\text{Power (Watts)} \times \text{Time (hours)}}{1000}

Direct Measurement Alternative

On Linux systems, CodeCarbon offers a more accurate method with the Intel Running Average Power Limit (RAPL) interface.

If the rapl_include_dram parameter is set to True, CodeCarbon will attempt to use the direct power measurement for the DRAM (memory subsystem) provided by RAPL, overriding the fixed power estimation model. This method offers the most precise consumption data when available.

Reference: https://mlco2.github.io/codecarbon/parameters.html

Related to CodeCarbon’s GPU Energy Calculation

The energy consumption is tracked using nvidia-ml-pylibrary.

Reference: https://mlco2.github.io/codecarbon/methodology.html#gpu

Environmental Considerations

Our server room is hosted in LuxConnect’s data centers, which are powered entirely by renewable energy (https://www.luxconnect.lu/infrastructure).

Litterature

“Natural Language Processing with Transformers”
https://www.librarything.com/work/27807959/281493045
“How AI Works: From Sorcery to Science”
https://www.librarything.com/work/31127745/287620374

Bonhomme, C., & Dulaunoy, A. (2025). VLAI: A RoBERTa-Based Model for Automated Vulnerability Severity Classification (Version 1.4.0) [Computer software].
https://doi.org/10.48550/arXiv.2507.03607

Feedback

Feel free to share your feedback at info@circl.lu or publicly:
https://github.com/vulnerability-lookup/gpu-vuln-bench/issues

Funding

The project leader is NASK National Research Institute. The international consortium includes:

CIRCL (Computer Incident Response Center Luxembourg), Luxembourg
The Shadowserver Foundation, Netherlands
NCBJ (National Centre for Nuclear Research), Poland
ABI LAB (Centre of Research and Innovation for Banks), Italy

Vulnerability-Lookup 2.19.0 released

Tue, 09 Dec 2025 00:00:00 +0000

We’re delighted to announce the release of Vulnerability-Lookup 2.19.0!

What’s New

GCVE: Global CVE Allocation System

We’re pleased to announce the publication of:

This Best Current Practice document GCVE-BCP-02 provides actionable guidance for organisations, researchers, and GCVE Numbering Authorities (GNAs) on managing and disclosing vulnerabilities effectively, both within the GCVE ecosystem and beyond.

Vulnerability-Lookup fully supports these best practices for vulnerability disclosure, helping to promote responsible and effective handling of security issues.

Graphical improvements

Added Credits section for CVE v5 format (used by GCVE) and the OpenSSF Malicious Packages. 686e518, 3b39016, 7e9bf4f
Show CVE description on hover in /recent page (and for the card box of the index page). #289.
Many templates have been improved, including the vulnerability detail page, the recent vulnerabilities list, severity score displays, and all HTML tables, allowing more information to be shown while keeping the interface clean and user-friendly.

Tooltips for Bootstrap cardboxes

Tooltips for lists of recent vulnerabilities

New Credits section

Credits for the OpenSSF Malicious Packages

Changes

chg: [website] Reorganized and improved all Jinja filters especially the filters related to the parsing of CVE data. f912ef4
chg: [templates] Improved the display of the severity related information for CVE and GitHub sources in the /recent page. 629dc7a
chg: [website] New layout for severity implemented for PySec advisories. 74387cd
chg: [website] Added VLAI Severity score for PySec advisories. 3cfcc8d
chg: [website] Extract and display credits from OSSF Malicious Packages sources. 3b39016
chg: [templates] Improved display of various tables. 88b73f1
chg: [website] Display more data in the vulnerability evolution charts. The growth is now displayed in a tooltip box. b986dd3

Fixes

fix: [backend] Remove notifications of users to be deleted. 3ad413f
chg: [templates] Fixed a display issue for Tailscale ids. ef8a4a8
fix: [templates] Handle single object case for the references section of record from the JVNDB. f36689b

Security

fix: [security] Unconfirm user accounts when their email address changes and send a password-reset token to the original email. 46f30a0
fix: [security] Remove all items from the session dict on logout e2c54f7
fix: [security] Regenerate session ID after a user updates their password. 2403fa6
fix: [security] Updating the password now requires the user to provide the current password. a902f91
fix: [security] Sanitize related_vulnerabilities field of bundles (in backend) and avoid injecting raw HTML when building the DOM (in frontend) when displaying. 1811ef9 - GCVE-1-2025-0035
fix: [security] All state changing endpoints are now using POST HTTP requests with a CSRF token. a6c568d - GCVE-1-2025-0034
fix: [security] The number of failed OTP attemprs is now recorded. The user account is blocked after 5 attempts. Admins have the possibility to monitor failed 2FA via the admin panel (list of users). 113b1fe - GCVE-1-2025-0033

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.19.0

Thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability Report - November 2025

Wed, 03 Dec 2025 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for November 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

The most frequently sighted vulnerability in November was CVE-2025-64446 (105 sightings), a Critical-severity vulnerability in Fortinet FortiWeb. Fortinet featured prominently, with a second FortiWeb vulnerability, CVE-2025-58034 (High severity), also in the top 10.

Other critical vulnerabilities in the top 10 include CVE-2025-59287 in Microsoft Windows Server 2019 (88 sightings) and CVE-2025-61757 in Oracle Corporation Identity Manager (67 sightings). The list also features a highly sighted vulnerability in Samsung Mobile Devices (CVE-2025-21042), a High-severity flaw in Google Chrome (CVE-2025-13223), and an older but still active vulnerability in Cisco IOS XE Software (CVE-2023-20198).

November saw 11 new entries added to the CISA Known Exploited Vulnerabilities catalog, highlighting actively exploited threats. Notable additions include:

CVE-2025-64446 and CVE-2025-58034: Fortinet FortiWeb
CVE-2025-21042: Samsung Mobile Devices
CVE-2025-13223: Google Chrome
CVE-2025-9242: A Critical vulnerability in WatchGuard Fireware OS

No new entries were added to the ENISA KEV catalog in November.

The report also details vulnerabilities that have reserved CVE IDs but have limited public information, showing early sightings detected on the internet. CVE-2023-42344 and CVE-2025-13086 were the most sighted in this category, each with 6 occurrences.

In addition, contributor insights covered topics like RCE in Agent DVR, an APT exploiting Cisco and Citrix zero-days discovered by Amazon, and the UNC6148 Backdoors utilizing the OVERSTEP Rootkit on SonicWall SMA 100 Series Devices.

Evolution of published CVE in 2025

More information.

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2025-64446	105	Fortinet	FortiWeb	Critical (confidence: 0.9084)
CVE-2025-59287	88	Microsoft	Windows Server 2019	Critical (confidence: 0.9565)
CVE-2025-21042	86	Samsung Mobile	Samsung Mobile Devices	High (confidence: 0.9308)
CVE-2025-58034	84	Fortinet	FortiWeb	High (confidence: 0.9584)
CVE-2025-13223	84	Google	Chrome	High (confidence: 0.9675)
CVE-2023-20198	71	Cisco	Cisco IOS XE Software	High (confidence: 0.9908)
CVE-2025-61757	67	Oracle Corporation	Identity Manager	Critical (confidence: 0.9961)
CVE-2025-11001	65	7-Zip	7-Zip	High (confidence: 0.9967)
CVE-2025-1248	64	TrioFox	TrioFox	Critical (confidence: 0.4751)
CVE-2015-2051	59	dlink	dir-645	High (confidence: 0.744)

Except CVE-2025-11001, all listed vulnerabilities are in CISA.

Sightings forecast

The following visualizations represent the forecasted number of sightings for various vulnerabilities, using an adaptive model (decay or logistic growth), with vulnerabilities selected based on having a sufficient number of sightings and relatively consistent patterns.

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-48703	04/11/25	centos-webpanel	CentOS Web Panel	Critical (confidence: 0.9836)
CVE-2025-11371	04/11/25	Gladinet	CentreStack and TrioFox	Medium (confidence: 0.9575)
CVE-2025-21042	10/11/25	Samsung Mobile	Samsung Mobile Devices	High (confidence: 0.9308)
CVE-2025-9242	12/11/25	WatchGuard	Fireware OS	Critical (confidence: 0.9381)
CVE-2025-62215	12/11/25	Microsoft	Windows 10 Version 1809	High (confidence: 0.9918)
CVE-2025-12480	12/11/25	TrioFox	TrioFox	Critical (confidence: 0.4751)
CVE-2025-64446	14/11/25	Fortinet	FortiWeb	Critical (confidence: 0.9084)
CVE-2025-58034	18/11/25	Fortinet	FortiWeb	High (confidence: 0.9584)
CVE-2025-13223	19/11/25	Google	Chrome	High (confidence: 0.9675)
CVE-2025-61757	21/11/25	Oracle Corporation	Identity Manager	Critical (confidence: 0.9961)
CVE-2021-26829	28/11/25	scadabr	scadabr	Medium (confidence: 0.9951)

ENISA

No new entry in November.

Top 10 Weaknesses of the Month

Click the image for more information.

Ghost CVE Report

A ghost CVE is a vulnerability identifier that’s already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

Sightings detected between 2025-11-01 and 2025-11-30 that are associated with vulnerabilities without public records.

Vulnerability ID	Occurrences	Comment
CVE-2025-59396	7	Not a security vulnerability (GCVE - watchguard / firebox).
CVE-2023-42344	6	source: The Shadowserver (honeypot/common-vulnerabilities)
CVE-2025-13086	6	OpenVPN
CVE-2025-66270	5	KDE Connect
CVE-2025-11002	5	7-Zip
CVE-2025-9820	4	gnutls
CVE-2025-12686	3	BeeStation
CVE-2024-9183	2	Race condition issue in CI/CD cache impacts GitLab CE/EE
CVE-2025-13167	2	Synology
CVE-2025-13392	2	Synology
CVE-2025-13593	2	Synology
CVE-2025-13699	2	mariadb-dump Utility
CVE-2020-23125	2	Vulncheck KEV
GHSA-x697-jf34-gp5x	3	Wazuh Agent (v4.10.1)
CVE-2024-1045	1	GRUB 2
CVE-2025-36270	1	Fedora 42 Kubernetes
CVE-2025-28840	1	Fedora 42 Kubernetes
CVE-2024-24481	1	Tenda 4G03 Pro and N300 Routers
CVE-2024-59373	1	ASUS
CVE-2025-12345	1	SUSE Linux Enterprise Server (SLES) security patch
CVE-2025-13207	1	Tenda 4G03 Pro and N300 Routers
CVE-2025-13698	1	Deciso OPNsense
CVE-2025-13700	1	DreamFactory saveZipFile
CVE-2025-13703	1	VIPRE Advanced Security
CVE-2025-21140	1	Oracle Linux 8
CVE-2025-30333	1	Federal civilian agencies are failing to adequately patch vulnerable Cisco devices amid ongoing exploitation
CVE-2025-33514	1	W3 Total Cache WordPress plugin
CVE-2025-33515	1
CVE-2025-44446	1	Fortiweb
CVE-2025-52022	1	emsloyalty backend
CVE-2025-52023	1	gemscms backend
CVE-2025-52024	1	gemscms POS Platform (backend)
CVE-2025-52025	1	gemscms backend (POS platform)
CVE-2025-52026	1	gemscms backend (POS platform)
CVE-2025-58388	1	Android: Vulnerability-Lookup bundle
CVE-2025-58390	1	Android: Vulnerability-Lookup bundle
CVE-2025-58392	1	Android: Vulnerability-Lookup bundle
CVE-2025-58394	1	Android: Vulnerability-Lookup bundle
CVE-2025-58396	1	Android: Vulnerability-Lookup bundle
CVE-2025-58397	1	Android: cVulnerability-Lookup bundle
CVE-2025-593656	1	ASUS
CVE-2025-60274	1	Windows graphic component (GDI+)
CVE-2025-63721	1	HummerRisk
CVE-2025-65882	1	OpenMPTCProuter

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

Press release

End-of-Year Threat Intelligence Sightings Forecast

Tue, 02 Dec 2025 00:00:00 +0000

Introduction and Methodology

This report presents an analysis of Threat Intelligence (TI) Sightings aggregated from several key data sources, including social platforms, code repositories, and specialized TI feeds. The primary objective is to visually track historical trends per source and provide a short-term adaptive forecast for a defined period (in days).

For the global view (aggregating all sighting types), we applied a SARIMAX model and compared it with an Adaptive / Exponential Decay approach to highlight differing trend interpretations.

The data pipeline and analysis for source-specific sightings follow two main steps:

Historical Trend (Weekly): Sightings are filtered by source, aggregated weekly by domain within that source (e.g., individual Fediverse instances), and visualized to show distribution and activity patterns.
Adaptive Forecast (Daily): Total daily sightings per source are analyzed to determine the underlying trend:
- Increasing trend → fitted with a Logistic Growth model to project potential saturation points.
- Decreasing trend → fitted with an Exponential Decay model to estimate a future baseline or floor.

The next sections display historical charts (weekly aggregation by sub-domain) and predictive charts (daily total counts) for each analyzed source.

Data is available here, and the report is also available as a PDF.

Adaptive Forecast

To predict the number of sightings over time, we adaptively select the forecasting model based on the observed trend slope. This is achieved independently for each pipeline.

Exponential Decay model:

y(t) = a \cdot e^{-bt} + c

Logistic Growth model:

y(t) = \frac{L}{1 + e^{-k(t-t_0)}}

The implementation is available on GitHub.

Global View

We have aggregated over 165,000 sightings since 1999-01-01; however, for the global view, we focus on the past year of data. Notably, collection volumes have grown significantly since September 2024, driven by the deployment of our various sighting tools.

Insights:

The SARIMAX model captures cyclical patterns in sightings and can detect emerging surges.
The decay model emphasizes a long-term baseline, highlighting periods when activity naturally declines.

Fediverse

The Fediverse is a network of decentralized social servers (e.g., Mastodon instances). Monitoring sightings here provides early signals of community-driven threat reporting.

Historical Activity (Weekly)

Observations:

Peaks appear to correspond to bursts of discussion, often triggered by the vendor involved in a vulnerability or by its severity and exploitability.
Activity varies across instances, indicating heterogeneous engagement in TI reporting.

Adaptive Forecast (Daily)

Insights:

The forecast suggests a decreasing trend, approaching a floor near 17 sightings/day.
Analysts can interpret this as a stabilization phase after recent high-activity events.

Bluesky

Bluesky serves as a decentralized, modern social platform for security discussions, similar to the Fediverse.

Historical Activity (Weekly)

Observations:

Weekly fluctuations mirror platform engagement cycles, including release-driven spikes in TI information.
Consistent reporting from Bluesky suggests it is an increasingly relevant source for threat detection.

Adaptive Forecast (Daily)

Insights:

Slightly decreasing trend with a projected floor around 146 sightings/day.
Sustained engagement indicates Bluesky remains a reliable source for early TI signals.

Gist

Gist is a critical source for sharing code, configuration files, PoCs, and raw threat data.

Historical Activity (Weekly)

Observations:

Sharp weekly spikes often coincide with the release of new PoCs, significant configuration dumps, or data leaks.
Activity intensity correlates with major vulnerability announcements. Sometimes even before the availability of the CVE record.

Adaptive Forecast (Daily)

Insights:

Forecast indicates a slightly rising trend, stabilizing around 32 sightings/day.
Analysts can interpret this as a steady flow of early-stage threat artifacts.

MISP

MISP provides curated, high-confidence threat intelligence sightings. Although the volume of vulnerability-related observations is lower than that of social platforms, the data is more structured and consistently reliable, offering higher-quality intelligence. This is partly because the MISP dedicated sighting tool explicitly targets attributes associated with the specific vulnerability type. The sporadic nature of these sightings makes mid-term forecasting challenging, even when using adaptive methods such as SARIMAX. As such, the results should be treated with caution. We plan to improve our MISP sighting tool to identify vulnerability sightings in objects not labeled as vulnerabilities.

Historical Activity (Weekly)

Observations:

Weekly activity is smoother, reflecting institutional contributions and structured updates.
Bursts in activity typically coincide with major vulnerability events, as multiple contributors across the MISP network submit sightings, highlighting coordinated focus on high-impact disclosures.

Adaptive Forecast (Daily)

Insights:

Logistic growth model suggests rising activity, with daily sightings expected to peak near 96/day.
Indicates increased structured intelligence input, beneficial for high-confidence threat detection.

The Shadowserver Foundation

The Shadowserver Foundation is a cornerstone resource for security researchers, providing an extensive wealth of data on real-world exploits and their associated vulnerabilities, complete with daily statistics and geographical insights.

Historical Activity (Weekly)

Our daily sightings from the Shadowserver Foundation are based on the honeypot group:

Exploited vulnerabilities (type: exploited): https://vulnerability.circl.lu/sightings/?query=honeypot%2Fexploited-vulnerabilities
Common vulnerabilities (type: seen): https://vulnerability.circl.lu/sightings/?query=honeypot%2Fcommon-vulnerabilities

Adaptive Forecast (Daily)

The volume of observations is expected to show slight growth, peaking at approximately 128/day.

Metasploit

Metasploit sightings typically reflect tool-based testing or exploitation activity.

Historical Activity (Weekly)

Observations:

Peaks align with active exploitation campaigns or module releases, which is a good indicator of exploitability.

Adaptive Forecast (Daily)

Exponential decay forecast with a floor approximately to 2/day.

Conclusion

Social sources (Fediverse, Bluesky) display volatile, event-driven patterns, reflecting community discussions.
Structured sources (MISP, Shadow Server, Gist) exhibit smoother, more predictable trends, providing higher-confidence intelligence.
Forecasting models support short-term planning, allowing teams to anticipate surges (Logistic Growth) or declines (Exponential Decay) in incoming TI sightings.
Combining multiple sources ensures a balanced situational awareness, capturing both early signals and verified intelligence.
A potential path forward involves attributing weights to sightings according to their origin.

Key Takeaways:

Early detection: Social platforms provide rapid but noisy signals.
Reliability: Structured sources confirm and validate threats.
Adaptive planning: Forecasting helps resource allocation for analysts and SOCs.

Funding

The Federated European Team for Threat Analysis (FETTA) aims to enhance Cyber Threat Intelligence (CTI) products across the EU, supporting coordinated reporting and reducing redundancy among SOCs and CSIRTs.

The Computer Incident Response Center Luxembourg (CIRCL) contributes extensive expertise in incident management, threat intelligence, and open-source cybersecurity tools, playing a pivotal role in fostering cross-European collaboration.

Press release

Vulnerability-Lookup 2.18.0 released

Fri, 14 Nov 2025 00:00:00 +0000

We’re delighted to announce the release of Vulnerability-Lookup 2.18.0 — packed with exciting new features!

What’s New

Integration with Rulezet

Rulezet is an open-source platform for sharing, evaluating, improving, and managing cybersecurity detection rules (YARA, Sigma, Suricata, etc.). Its goal is to foster collaboration among professionals and enthusiasts to enhance the quality and reliability of detection rules.

Vulnerability-Lookup can now be configured to interface with the API of any Rulezet instance, providing insights into existing detection rules related to security vulnerabilities.
The default Rulezet instance enabled in Vulnerability-Lookup is hosted at https://rulezet.org and currently offers more than 122,000 security rules.

Detection rules related to vulnerabilities are displayed on the vulnerability details page (in a dedicated tab) and on bundle details pages.

Implemented in #280.

https://vulnerability.circl.lu/vuln/CVE-2022-26134#detection-rules

https://vulnerability.circl.lu/vuln/CVE-2014-6271#detection-rules

You can even query the remote Rulezet instance via the Vulnerability-Lookup API:

$ curl --silent 'https://vulnerability.circl.lu/api/rulezet/search_rules_by_vulnerabilities/CVE-2020-27130?page=1&per_page=50' | jq
{
 "metadata": {
 "count": 3,
 "page": 1,
 "per_page": 50
 },
 "data": [
 {
 "id": 122599,
 "uuid": "84846673-015e-450b-8a73-2ba481b5a6ce",
 "vulnerability_id": "CVE-2020-27130",
 "format": "suricata",
 "title": "Exploit CVE-2020-27130 on Cisco Security Manager - Upload webshell",
 "description": "Rule for security (detection rule in many format)",
 "raw": "alert http any any -> any any (msg:\"Exploit CVE-2020-27130 on Cisco Security Manager - Upload webshell\"; flow:to_server,established; content:\"POST\"; http_method; content:\"/cwhp/XmpFileUploadServlet\"; startswith; http_uri; pcre:\"/filename=\\\".*\\.\\.\\/.+\\\"\\r\\n/P\"; reference:cve,CVE-2020-27130; classtype:web-application-attack; sid:2020271303; rev:1;)",
 "detail_url": "https://rulezet.org/rule/detail_rule/122599",
 "creation_date": "2025-11-06 13:03",
 "updated_date": "2025-11-13 09:33"
 },
 {
 "id": 122598,
 "uuid": "538dafc1-d49c-4fd6-bdb5-57b997346fe6",
 "vulnerability_id": "CVE-2020-27130",
 "format": "suricata",
 "title": "Exploit CVE-2020-27130 on Cisco Security Manager - Download arbitrary directory as a zip file",
 "description": "Rule for security (detection rule in many format)",
 "raw": "alert http any any -> any any (msg:\"Exploit CVE-2020-27130 on Cisco Security Manager - Download arbitrary directory as a zip file\"; flow:to_server,established; content:\"GET\"; http_method; pcre:\"/^\\/cwhp\\/(Xmp|Sample)FileDownloadServlet/U\"; content:\"../\"; distance:0; http_uri; reference:cve,CVE-2020-27130; classtype:web-application-attack; sid:2020271302; rev:1;)",
 "detail_url": "https://rulezet.org/rule/detail_rule/122598",
 "creation_date": "2025-11-06 13:03",
 "updated_date": "2025-11-06 13:03"
 },
 {
 "id": 122597,
 "uuid": "2cd8fb2a-e97b-4390-8dca-d416b2858c66",
 "vulnerability_id": "CVE-2020-27130",
 "format": "suricata",
 "title": "Exploit CVE-2020-27130 on Cisco Security Manager - Download arbitrary file",
 "description": "Rule for security (detection rule in many format)",
 "raw": "alert http any any -> any any (msg:\"Exploit CVE-2020-27130 on Cisco Security Manager - Download arbitrary file\"; flow:to_server,established; content:\"GET\"; http_method; pcre:\"/^\\/athena\\/(xdmProxy\\/(xdmConfig|xdmResources)|itf\\/resultsFrame\\.jsp)/U\"; content:\"../\"; distance:0; http_uri; reference:cve,CVE-2020-27130; classtype:web-application-attack; sid:2020271301; rev:1;)",
 "detail_url": "https://rulezet.org/rule/detail_rule/122597",
 "creation_date": "2025-11-06 13:03",
 "updated_date": "2025-11-06 13:03"
 }
 ]
}

Thanks to Théo Geffe for making this integration possible.

Indexing Information Related to Assigners (CNA)

Information about security advisory assigners is now indexed. CNAs from the official CVE Program source (cvelistv5) are indexed in Kvrocks, with GNAs planned for the future.
The API exposes this data via a new assigners endpoint. From an API perspective, both CNAs and GNAs are treated as assigners, though they will be stored in dedicated indexes.

Updates include:

Enhanced search capabilities related to assigners.
Improved /stats page.
Updated vulnerability details page: display the assigner name with a link.
A new page listing assigners, similar to the existing CWE list.

Implemented in PR #283.

Website

new: [website] Add PROTECT_USER_PAGES option to restrict user profile pages to authenticated users. Closes (#277)

Vulnerability Sources

Added ABB CSAF feed (0d984a8) by @neutrinoguy
It now possible to enable a list of enabled feeders via the config/modules.cfg file. (e4a1acb)

After updating, run the script: bin/index_vulnerabilities.py. This will index the CNAs and update the Kvrocks indexes. The process takes approximately 15 minutes. Next, run: bin/index_cwe.py. This will complete in under 2 minutes.

Please make sure your feeders configuration file (config/modules.cfg) is up to date. See the documentation.

Changes

chg: [website] Account creation via the API is now rate-limited to 3 registrations per hour per IP. (3a12de2)
Additional validation checks have been added to reject email addresses that are disposable (MISP list), from blocked domains, or with invalid MX records. (3a12de2)
chg: [website] Improved email address check in both the API endpoint and in the form controller. (bb090fc)
chg: [website] user.last_seen is now updated after successful login. (fb5796e)
chg: [API] Improved date parsing for sightings (d7bc9fd)
chg: [website] Harmonization of the templates for the details views of bundles and comments. (c7f90aa)
chg: [feeders] Improved use of the kvrocks counters for vendors and cwe rankings. (1205670)
chg: [notifications] add random jitter to reschedule execution times (d974315)
various minor improvements to the backend, user interface and documentation.

Refreshed views

Fixes

fix: [website] Redirect the user to the user_bp.watchlist view if notifications are found. (4f6e0bc)
fix: [API] Delete notifications of the user to delete. (2371962)
Rename flatpickr to flatpickr.js and update template reference (8dcc804) by @DocArmoryTech

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.18.0

Thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/

Advancing Vulnerability Tracking and Disclosure Through an Open and Distributed Platform at Unlock Your Bain conference

Sat, 08 Nov 2025 00:00:00 +0000

Slides: Advancing Vulnerability Tracking and Disclosure Through an Open and Distributed Platform

We presented “Advancing Vulnerability Tracking and Disclosure Through an Open and Distributed Platform” at the excellent Unlock Your Brain conference.

A well-organised and welcoming event, Unlock Your Brain brings together a great mix of researchers, practitioners, and open-source enthusiasts—making it a perfect place to exchange ideas on vulnerability tracking and disclosure.

Download the slides:
https://www.vulnerability-lookup.org/files/events/2025/presentation-unlockyourbrain.pdf

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Vulnerability Report - October 2025

Tue, 04 Nov 2025 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for October 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

The October 2025 cybersecurity landscape has seen significant activity, with several high-profile vulnerabilities garnering attention due to widespread sightings and critical severity ratings. Analysis of the top 10 vulnerabilities of the month highlights major exposures across enterprise software, server platforms, and popular development tools.

At the forefront is CVE-2025-61882, affecting Oracle Concurrent Processing, which accumulated 241 sightings and is classified as critical with a VLAI confidence score of 0.9963. Close behind is CVE-2025-59287, impacting Microsoft Windows Server 2019, with 235 sightings and critical severity (confidence 0.9565). Redis also experienced notable issues with CVE-2025-49844, recording 106 sightings and critical classification, while Unity3D’s Unity Editor (CVE-2025-59489) and Oracle Configurator (CVE-2025-61884) were flagged as high-risk vulnerabilities with 98 and 95 sightings, respectively. Adobe Commerce’s CVE-2025-54236 further highlights the ongoing risk to e-commerce platforms with 94 sightings and critical rating. Other notable entries include ASP.NET Core 8.0 (CVE-2025-55315), D-Link DIR-645 (CVE-2015-2051), Cisco IOS (CVE-2025-20352), and Zyxel p660hn-t1a_v1 (CVE-2017-18368), which remain high or critical in severity.

In parallel, updates to major Known Exploited Vulnerabilities (KEV) catalogs, particularly the CISA list, reveal additional critical entries. VMware VCF operations (CVE-2025-41244) and XWiki Platform (CVE-2025-24893) are newly listed, alongside multiple Dassault Systèmes DELMIA Apriso vulnerabilities (CVE-2025-6205, CVE-2025-6204), Oracle Configurator (CVE-2025-61884), and Adobe Commerce (CVE-2025-54236), all showing high or critical severity. Microsoft continues to feature prominently with Windows Server 2019 (CVE-2025-59287) and older Windows versions under active exploitation. Other newly listed KEVs include Apple macOS (CVE-2022-48503), Kentico Xperience (CVE-2025-2746, CVE-2025-2747), and various security flaws in third-party software like MOTEX Lanscope Endpoint Manager and Rapid7 Velociraptor.

The report also identifies unpublished vulnerabilities detected in the wild. Significant examples include a critical Chrome V8 JavaScript engine flaw (CVE-2025-12036) observed in 12 instances, and multiple remote code execution vulnerabilities in 7-Zip (CVE-2025-11001, CVE-2025-11002). Other unpublished exposures involve OpenCMS XXE attacks, and AMD CPU microcode verification flaws.

Top weaknesses of the month, summarized via CWE categories, reveal recurring patterns in software development and deployment, emphasizing common attack vectors that continue to be exploited across industries. Contributors’ insights provided context for ongoing campaigns and incidents, including quarterly security notifications from F5, OpenSSL advisories, and the identification of Indicators of Compromise (IOCs) for CVE-2025-59287. Notably, speculation links recent Red Hat OpenShift AI compromises to recently disclosed vulnerabilities, underlining the importance of proactive patching and monitoring.

Overall, October’s data underscores a continued trend of critical vulnerabilities affecting widely used software and enterprise systems, with both published and unpublished flaws actively exploited. Organizations are strongly encouraged to review KEV listings, prioritize patching based on severity and exposure, and monitor sightings to mitigate immediate threats. The prominence of high-severity vulnerabilities in core infrastructure and cloud services emphasizes the need for continuous vigilance and timely vulnerability management.

This month’s report features a new section dedicated to Sightings Forecast using a Poisson regression model.

Evolution of published CVE in 2025

More information.

Top 10 Vendors of the Month

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2025-61882	241	Oracle Corporation	Oracle Concurrent Processing	Critical (confidence: 0.9963)
CVE-2025-59287	235	Microsoft	Windows Server 2019	Critical (confidence: 0.9565)
CVE-2025-49844	106	redis	redis	Critical (confidence: 0.6333)
CVE-2025-59489	98	Unity3D	Unity Editor	High (confidence: 0.951)
CVE-2025-61884	95	Oracle Corporation	Oracle Configurator	High (confidence: 0.9969)
CVE-2025-54236	94	Adobe	Adobe Commerce	Critical (confidence: 0.9955)
CVE-2025-55315	75	Microsoft	ASP.NET Core 8.0	High (confidence: 0.5387)
CVE-2015-2051	64	dlink	dir-645	High (confidence: 0.744)
CVE-2025-20352	63	Cisco	IOS	High (confidence: 0.9917)
CVE-2017-1836	63	zyxel	p660hn-t1a_v1	Critical (confidence: 0.9559)

Sightings forecast

The following visualizations represent the forecasted number of sightings for various vulnerabilities, using a Poisson regression model with adaptive daily/weekly granularity.

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-41244	30/10/25	VMware	VCF operations	High (confidence: 0.966)
CVE-2025-24893	30/10/25	xwiki	xwiki-platform	Critical (confidence: 0.9967)
CVE-2025-6205	28/10/25	Dassault Systèmes	DELMIA Apriso	Critical (confidence: 0.9779)
CVE-2025-6204	28/10/25	Dassault Systèmes	DELMIA Apriso	High (confidence: 0.8877)
CVE-2025-54236	24/10/25	Adobe	Adobe Commerce	Critical (confidence: 0.9955)
CVE-2025-59287	24/10/25	Microsoft	Windows Server 2019	Critical (confidence: 0.9565)
CVE-2025-61932	22/10/25	MOTEX Inc.	Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA))	Critical (confidence: 0.9162)
CVE-2025-61884	20/10/25	Oracle Corporation	Oracle Configurator	High (confidence: 0.9969)
CVE-2022-48503	20/10/25	Apple	macOS	High (confidence: 0.9852)
CVE-2025-2746	20/10/25	Kentico	Xperiences	Critical (confidence: 0.9494)
CVE-2025-2747	20/10/25	Kentico	Xperience	Critical (confidence: 0.9852)
CVE-2025-33073	20/10/25	Microsoft	Windows 10 Version 1809	High (confidence: 0.9885)
CVE-2025-54253	15/10/25	Adobe	Adobe Experience Manager	Critical (confidence: 0.9854)
CVE-2025-47827	14/10/25	igel	igel_os	Medium (confidence: 0.5969)
CVE-2025-6264	14/10/25	Rapid7	Velociraptor	Medium (confidence: 0.9267)
CVE-2016-7836	14/10/25	Sky Co., LTD.	SKYSEA Client View	Critical (confidence: 0.9341)
CVE-2025-59230	14/10/25	Microsoft	Windows 10 Version 1809	High (confidence: 0.9898)
CVE-2025-24990	14/10/25	Microsoft	Windows 11 Version 25H2	High (confidence: 0.9185)
CVE-2021-43798	09/10/25	grafana	grafana	High (confidence: 0.9435)
CVE-2025-27915	07/10/25	zimbra	collaboration	Medium (confidence: 0.9972)
CVE-2010-3962	06/10/25	microsoft	internet_explorer	High (confidence: 0.9552)
CVE-2025-61882	06/10/25	Oracle Corporation	Oracle Concurrent Processing	Critical (confidence: 0.9963)
CVE-2021-22555	06/10/25	netapp / linux	c400	High (confidence: 0.9562)
CVE-2010-3765	06/10/25	mozilla	firefox	Critical (confidence: 0.8923)
CVE-2021-43226	06/10/25	Microsoft	Windows 10 Version 1809	High (confidence: 0.9937)
CVE-2011-3402	06/10/25	microsoft	windows_7	High (confidence: 0.9359)
CVE-2013-3918	06/10/25	microsoft	windows_7	High (confidence: 0.8313)
CVE-2025-4008	02/10/25	Smartbedded	MeteoBridge	Critical (confidence: 0.9919)
CVE-2015-7755	02/10/25	juniper	screenos	Critical (confidence: 0.9676)
CVE-2017-1000353	02/10/25	jenkins	jenkins	Critical (confidence: 0.9902)
CVE-2014-6278	02/10/25	gnu	bash	Critical (confidence: 0.4893)
CVE-2025-21043	02/10/25	Samsung Mobile	Samsung Mobile Devices	High (confidence: 0.9613)

ENISA

No new entry in October.

Top 10 Weaknesses of the Month

Click the image for more information.

Ghost CVE Report

A ghost CVE is a vulnerability identifier that’s already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

Sightings detected between 2025-10-01 and 2025-10-31 that are associated with unpublished vulnerabilities.

Vulnerability ID	Occurrences	Comment
CVE-2025-12036	12	A New Critical Chrome V8 JavaScript Engine Flaw Enables Attackers to Execute Remote Code on Vulnerable Systems
CVE-2025-11001	9	7-Zip Arbitrary Code Execution
CVE-2023-42344	7	OpenCMS Unauthenticated XXE Vulnerability
CVE-2024-35347	4	AMD CPU Microcode Signature Verification Vulnerability
CVE-2025-10230	4	Samba security releases for CVE-2025-10230 and CVE-2025-9640
CVE-2025-11002	4	7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability
GHSA-8h43-rcqj-wpc6	3	Quotes control bypass in Mastodon
CVE-2025-12490	2	Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulnerability
CVE-2025-24293	2	Rails - Active Storage allowed transformation methods that were potentially unsafe

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

Press release

Vulnerability Lookup and GCVE: A Decentralized Approach to Vulnerability Publishing and Management Workshop at Hack.lu 2025

Fri, 24 Oct 2025 00:00:00 +0000

This hands-on workshop at hack.lu 2025 introduced the open-source Vulnerability Lookup project and the Global Common Vulnerabilities and Exposures (GCVE) initiative, two complementary efforts designed to modernize and decentralize the way vulnerabilities are published, shared, and consumed.

Participants discovered how Vulnerability Lookup acts as a collaborative platform for collecting, enriching, and analyzing vulnerability data, supporting every stage of the vulnerability management lifecycle, from discovery and prioritization to tracking remediation and assessing exposure. The session introduced GCVE, a next-generation, decentralized framework for vulnerability identification that empowers organizations to act as GCVE Numbering Authorities (GNAs) with greater autonomy and flexibility.

How to publish and synchronize vulnerabilities using the GCVE and vulnerability-lookup ReST API.
How decentralized allocation empowers vendors, researchers, and CSIRTs to disclose vulnerabilities more efficiently.
How to leverage Vulnerability Lookup to support vulnerability triage, enrichment (EPSS, CVSS, Multi KEV), and exposure tracking.
How Vulnerability Lookup integrates with GCVE to provide real-time insights, cross-references, and analytics.
Best practices for integrating GCVE and Vulnerability Lookup into your existing vulnerability management workflows.

This post includes all the materials presented during the workshop.

Slide decks

Part 1 - https://cra.circl.lu/vl/vl-part-1.pdf - Vulnerability Lookup and VL-AI - Beyond CVEs: Mastering the Landscape with Vulnerability-Lookup from CVE to CVD
Part 2 - https://cra.circl.lu/vl/gcve-part-2.pdf - GCVE - GCVE: Global CVE Allocation System Enhancing Flexibility, Scalability, Autonomy, and Resilience in Vulnerability Identification

Additional References

Website and repository of vulnerability-lookup
vulnerability-lookup instance at CIRCL (GNA-1) - https://vulnerability.circl.lu/
https://vulnerability.circl.lu/api/ - Vulnerability-Lookup API
https://www.vulnerability-lookup.org/nis2-directive/ - Vulnerability-Lookup and NIS2 Directive Compliance
RSS and Vulnerability-Lookup
Simplified Vulnerability Reporting (aligned with NIS 2 requirements) in Vulnerability-Lookup
Full dumps of vulnerability-lookup sources at CIRCL https://vulnerability.circl.lu/dumps/
HuggingFace CIRCL - https://huggingface.co/CIRCL

API Usage of Vulnerability-Lookup

Core API

Usage

Backward compatible with cve-search (originally developed in late 2012)
Fully documented, paginated and JSON-Schema validated API
Documentation: https://vulnerability.circl.lu/api/
The UI and core features of Vulnerability-Lookup are built on top of the API
Sighting tools and satellite projects leverage the same API
https://www.vulnerability-lookup.org/user-manual/sightings/
Used by Vulnogram, bundled into Vulnerability-Lookup, to manage security advisories
Supports synchronization between Vulnerability-Lookup instances (in progress)
Supports MISP Taxonomy for various objects including comments
https://www.misp-project.org/taxonomies.html#_vulnerability_3
Used as reference implementation for GCVE-BCP-03

Correlations

Related vulnerabilities

curl --silent 'https://vulnerability.circl.lu/api/vulnerability/CVE-2015-2051?with_linked=true' \
 | jq 'keys'

[
 "containers",
 "cveMetadata",
 "dataType",
 "dataVersion",
 "vulnerability-lookup:linked"
]

Correlation sources

curl --silent 'https://vulnerability.circl.lu/api/vulnerability/CVE-2015-2051?with_linked=true' \
 | jq '.["vulnerability-lookup:linked"] | keys'

[
 "cnvd",
 "fkie_nvd",
 "github",
 "gsd",
 "variot"
]

Correlations from GitHub example

curl --silent 'https://vulnerability.circl.lu/api/vulnerability/CVE-2015-2051?with_linked=true' \
 | jq '.["vulnerability-lookup:linked"]["github"]'

[
 [
 "ghsa-x629-5xff-w7qg",
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x629-5xff-w7qg",
 "modified": "2025-10-22T03:30:42Z",
 "published": "2022-05-17T03:11:58Z",
 "aliases": [
 "CVE-2015-2051"
 ],
 "details": "The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
 }
 ],
 "affected": [],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2051"
 },
 {
 "type": "WEB",
 "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10282"
 },
 {
 "type": "WEB",
 "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2051"
 },
 {
 "type": "WEB",
 "url": "https://www.exploit-db.com/exploits/37171"
 },
 {
 "type": "WEB",
 "url": "http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051"
 },
 {
 "type": "WEB",
 "url": "http://www.securityfocus.com/bid/72623"
 },
 {
 "type": "WEB",
 "url": "http://www.securityfocus.com/bid/74870"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-77"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2015-02-23T17:59:00Z"
 }
 }
 ]
]

Retrieving vulnerability sightings

curl --silent 'https://vulnerability.circl.lu/api/vulnerability/CVE-2024-5261?with_sightings=true' \
 | jq '.["vulnerability-lookup:sightings"]'

[
 {
 "uuid": "eec2c8fd-f664-4e73-b3f5-651db5fa4f3f",
 "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
 "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
 "vulnerability": "cve-2024-5261",
 "type": "seen",
 "source": "https://mastodon.social/users/bagder/statuses/113984646246260950",
 "creation_timestamp": "2025-02-11T09:54:37.066650Z"
 },
 {
 "uuid": "6de72384-c623-4e70-bd38-1040c4e29bab",
 "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
 "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
 "vulnerability": "cve-2024-5261",
 "type": "seen",
 "source": "https://bsky.app/profile/bagder.mastodon.social.ap.brid.gy/post/3lhvfc2enwhl2",
 "creation_timestamp": "2025-02-11T10:04:50.326511Z"
 },
 {
 "uuid": "61f4c902-4258-423a-929a-4b473e3d16a0",
 "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
 "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
 "vulnerability": "CVE-2024-5261",
 "type": "seen",
 "source": "https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/",
 "creation_timestamp": "2025-02-11T14:00:07.000000Z"
 }
]

Pivoting via sightings

curl --silent 'https://vulnerability.circl.lu/api/sighting/?source=https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/' \
 | jq '.data[].vulnerability'

"GHSA-fq29-72jg-5hrj"
"CVE-2024-32928"
"GHSA-9mgx-552f-59p6"
"CVE-2024-56521"
"GHSA-crg3-fjm2-xvpq"
"CVE-2024-5261"

Unpublished advisories

Advisories detected via sightings that are not yet published (or rejected):

curl --silent 'https://vulnerability.circl.lu/api/sighting?date_from=2025-10-20&date_to=2025-10-23&advisory_status=unpublished' | jq . | grep vulnerability

 "vulnerability": "CVE-2025-54469",
 "vulnerability": "GHSA-573g-3567-8phg",
 "vulnerability": "CVE-2025-3720",
 "vulnerability": "CVE-2025-11702",
 "vulnerability": "CVE-2025-12036",
 "vulnerability": "CVE-2025-12036",
 "vulnerability": "CVE-2025-12036",
 "vulnerability": "CVE-2025-12036",
 "vulnerability": "CVE-2025-10230",
 "vulnerability": "GHSA-8h43-rcqj-wpc6",
 "vulnerability": "CVE-2025-10230",
 "vulnerability": "CVE-2025-60722",
 "vulnerability": "CVE-2025-12654",
 "vulnerability": "GHSA-8h43-rcqj-wpc6",
 "vulnerability": "CVE-2025-20727",
 "vulnerability": "CVE-2025-20726",
 "vulnerability": "CVE-2025-20725",
 "vulnerability": "CVE-2025-58148",
 "vulnerability": "CVE-2025-58147",
 "vulnerability": "CVE-2025-58147",
 "vulnerability": "CVE-2025-58148",
 "vulnerability": "CVE-2025-11002",
 "vulnerability": "CVE-2025-11001",
 "vulnerability": "CVE-2025-11001",
 "vulnerability": "CVE-2023-42344",
 "vulnerability": "CVE-2025-61431",
 "vulnerability": "CVE-2025-52179",
 "vulnerability": "CVE-2025-52180",
 "vulnerability": "CERTFR-2025-ACT-045",
 "vulnerability": "CVE-2025-11002",
 "vulnerability": "CVE-2025-11001",
 "vulnerability": "CERTFR-2025-ACT-045",
 "vulnerability": "CERTFR-2025-ACT-045",
 "vulnerability": "CVE-2025-11756",
 "vulnerability": "CVE-2025-11002",
 "vulnerability": "CVE-2025-11001",
 "vulnerability": "CVE-2025-10230",
 "vulnerability": "CVE-2025-10230",
 "vulnerability": "CVE-2025-10230",
 "vulnerability": "cve-2025-11001",
 "vulnerability": "CVE-2025-11002",
 "vulnerability": "CVE-2025-11001",
 "vulnerability": "CVE-2025-11001",
 "vulnerability": "CVE-2023-42344",
 "vulnerability": "CVE-2023-42344",

Example from the output:
https://vulnerability.circl.lu/vuln/CVE-2025-11001#sightings - “7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability”

Endpoints for Statistics

UI Global statistics - https://vulnerability.circl.lu/stats/

Dashboard: https://vulnerability.circl.lu
Most sighted: https://vulnerability.circl.lu/api/stats/vulnerability/most_sighted
Most commented: https://vulnerability.circl.lu/api/stats/vulnerability/most_commented

Statistics about CWE

curl -X 'GET' 'https://vulnerability.circl.lu/api/stats/cwe/most_used?limit=10&output=json' -H 'accept: application/json'

[{"cwe": "CWE-264", "count": 269.0}, {"cwe": "CWE-399", "count": 188.0}, {"cwe": "CWE-788", "count": 140.0}, {"cwe": "CWE-310", "count": 75.0}, {"cwe": "CWE-840", "count": 70.0}, {"cwe": "CWE-16", "count": 61.0}, {"cwe": "CWE-255", "count": 52.0}, {"cwe": "CWE-354", "count": 50.0}, {"cwe": "CWE-275", "count": 48.0}, {"cwe": "CWE-648", "count": 46.0}]

Statistics about Vendors

curl -X 'GET' 'https://vulnerability.circl.lu/api/stats/vendors/ranking?limit=5&output=json' -H 'accept: application/json' | jq .

[
 {
 "vendor": "microsoft",
 "count": 115466
 },
 {
 "vendor": "linux",
 "count": 20307
 },
 {
 "vendor": "red hat",
 "count": 19018
 },
 {
 "vendor": "siemens",
 "count": 16787
 },
 {
 "vendor": "apple",
 "count": 11308
 }
]

Generate a PDF report from the API

There are many open format such as markdown. Complex output pipelines can be added.

curl -s 'https://vulnerability.circl.lu/api/stats/vulnerability/most_sighted?date_from=2025-01-01&output=markdown' \
 | pandoc --from=markdown --to=pdf -o semestrial-report.pdf
xdg-open semestrial-report.pdf

Vendors ranking

curl --silent 'https://vulnerability.circl.lu/api/stats/vendors/ranking?limit=10&output=json&period=2025-09'

[
 {
 "vendor": "microsoft",
 "count": 6155
 },
 {
 "vendor": "linux",
 "count": 2110
 },
 {
 "vendor": "red hat",
 "count": 791
 },
 {
 "vendor": "amd",
 "count": 513
 },
 {
 "vendor": "apple",
 "count": 271
 },
 {
 "vendor": "dell",
 "count": 252
 },
 {
 "vendor": "vasion",
 "count": 220
 },
 {
 "vendor": "google",
 "count": 194
 },
 {
 "vendor": "mitsubishi electric corporation",
 "count": 177
 },
 {
 "vendor": "liferay",
 "count": 137
 }
]

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Vulnerability-Lookup 2.17.0 released

Mon, 13 Oct 2025 00:00:00 +0000

We’re happy to announce the release of Vulnerability-Lookup 2.17.0 — introducing new data integrations, API improvements, and multiple security and stability fixes.

What’s New

New Sightings and Integrations

Public PoC Sightings — Vulnerabilities with a known public proof of concept can now be tracked directly. (#245)
ENISA KEV Catalog — Integration of the European Union Agency for Cybersecurity’s Known Exploited Vulnerabilities catalog adds an authoritative new layer of intelligence. (#237)
Metasploit Sightings — Automatically detect and list vulnerabilities referenced in Metasploit modules. (#228)
Sploitus RSS — Fetch exploit information from Sploitus feeds. (#227)

API Enhancements

Added bulk DELETE endpoints for sightings. (commit a514920)

Changes

Command-line tools now provide an option to delete sightings matching a regular expression. (commit 0859260)
Regex matching for new sightings has been tightened to require full matches, improving data consistency. (commit 71387fc)

Fixes

A major focus of 2.17.0 is hardening the platform against potential injection and logic issues. Highlights include:

Fixed Reflected XSS vulnerabilities related to unsafe Markup usage, and a self-XSS risk in the admin CPE module — both responsibly reported by Jeroen Pinoy. (commits 378ccdf, 5403660)
Improved handling of API edge cases:
- /api/search endpoint errors fixed (#248)
- Consistent vendor limits in /vendors/ranking (commit b958bdb)
- Better error handling for unknown vulnerabilities (commit 5eaf644)
Website improvements:
- Correct HTTP codes in vulnerability_disclosure.py (commit 4622436)
- Fixed duplicate SQLAlchemy filters and decorator issues
- Enforced login for CPE management (PR #261)
Many smaller fixes — escaping for ilike searches, timeout checks, and improved validation logic across the application.

For a full list of fixes and commits, see the complete changelog.

🙏 Acknowledgments

A huge thank you to Jeroen Pinoy for his thorough code review and valuable security feedback. Your contributions make the platform stronger for everyone.

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.17.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability Report - September 2025

Fri, 03 Oct 2025 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for September 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, and more. For further details, please visit this page.

The Month at a Glance

September 2025 has been marked by a diverse set of vulnerability sightings across multiple platforms and software ecosystems. The data collected through Vulnerability-Lookup indicates that both newly disclosed and previously known vulnerabilities continued to see active exploitation and discussion in the wild.

CVE-2025-10585, affecting Google Chrome, dominated the reports with 94 sightings. Other frequently sighted vulnerabilities include CVE-2025-10035 in Fortra’s GoAnywhere MFT and CVE-2025-42957 in SAP S/4HANA, both of which reflect persistent enterprise-level risks. These instances underscore the continued need for rapid patch deployment and robust monitoring in enterprise environments.

Network and infrastructure devices also remained a focus for adversaries. Vulnerabilities such as CVE-2023-51767 in OpenSSH and several router-specific CVEs like CVE-2017-18368 highlight the ongoing relevance of securing network endpoints against unauthorized access and exploitation. Similarly, Linux-based vulnerabilities, including CVE-2024-50264, accounted for a significant number of sightings, reinforcing the importance of kernel updates and system hardening practices.

From a severity perspective, most sightings fell into the High and Critical categories, with VLAI confidence scores often exceeding 0.95. This aligns with global observations of attackers prioritizing high-impact targets, such as widely used browsers, enterprise software, and critical network infrastructure. For example, Adobe Commerce, Sitecore Experience Manager, and Microsoft Entra were all associated with vulnerabilities of critical severity, underlining the necessity for organizations to prioritize patching and risk mitigation.

September 2025 reinforces several key trends in the cybersecurity landscape: high-severity vulnerabilities remain prevalent across browsers, enterprise software, and networking devices; unpublished vulnerabilities are actively exploited; and community-driven data aggregation plays a critical role in timely awareness and response. Organizations are encouraged to review patch management processes, monitor community sightings, and leverage threat intelligence feeds to mitigate exposure to these ongoing threats.

This month’s report features a new section dedicated to Known Exploited Vulnerabilities catalogs.

Top 10 Vendors of the Month

Top 15 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2025-10585	94	Google	Chrome	High (confidence: 0.9945)
CVE-2025-10035	79	Fortra	GoAnywhere MFT	Critical (confidence: 0.9076)
CVE-2025-42957	71	SAP_SE	SAP S/4HANA (Private Cloud or On-Premise)	Critical (confidence: 0.9849)
CVE-2025-55241	68	Microsoft	Microsoft Entrac	High (confidence: 0.4512)
CVE-2025-54236	64	Adobe	Adobe Commerce	Critical (confidence: 0.9679)
CVE-2024-50264	60	Linux	Linux	High (confidence: 0.9854)
CVE-2015-2051	58	dlink	dir-645	High (confidence: 0.4993)
CVE-2023-51767	57	openssh	openssh	High (confidence: 0.5824)
CVE-2017-18368	57	zyxel	p660hn-t1a_v2	Critical (confidence: 0.9679)
CVE-2025-43300	54	Apple	iOS and iPadOS	High (confidence: 0.9548)
CVE-2025-55177	53	Facebook	WhatsApp Desktop for Mac	High (confidence: 0.5006)
CVE-2018-10562	51	dasannetworks	gpon_router	Critical (confidence: 0.9522)
CVE-2016-1555	49	netgear	wnap320	Critical (confidence: 0.9159)
CVE-2025-20333	48	code-projects	Blood Bank Management System	Medium (confidence: 0.9945)
CVE-2025-53690	44	Sitecore	Experience Manager (XM)	Critical (confidence: 0.9573)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-59689	29/09/25	Cisco	IOS	Medium (confidence: 0.8045)
CVE-2025-10035	29/09/25	Fortra	GoAnywhere MFT	Critical (confidence: 0.9076)
CVE-2025-32463	29/09/25	Sudo project	Sudo	High (confidence: 0.5599)
CVE-2021-21311	29/09/25	vrana	adminer	High (confidence: 0.6111)
CVE-2025-20352	29/09/25	Cisco	IOS	High (confidence: 0.9912)
CVE-2025-20333	25/09/25	Cisco	Cisco Adaptive Security Appliance (ASA) Software	Critical (confidence: 0.9823)
CVE-2025-20362	25/09/25	Cisco	Cisco Adaptive Security Appliance (ASA) Software	Medium (confidence: 0.9948)
CVE-2025-10585	23/09/25	Google	Chrome	High (confidence: 0.9945)
CVE-2025-5086	11/09/25	Dassault Systèmes	DELMIA Apriso	Critical (confidence: 0.9632)
CVE-2025-53690	04/09/25	Sitecore	Experience Manager (XM)	Critical (confidence: 0.9573)
CVE-2025-48543	04/09/25	Google	Android	High (confidence: 0.9709)
CVE-2025-38352	04/09/25	Linux	Linux	High (confidence: 0.8176)
CVE-2023-50224	03/09/25	TP-Link	TL-WR841N	Medium (confidence: 0.9651)
CVE-2025-9377	03/09/25	TP-Link Systems Inc.	Archer C7(EU) V2	High (confidence: 0.9895)
CVE-2020-24363	02/09/25	TP-Link	tl-wa855re	High (confidence: 0.9407)

ENISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-25231	09/09/25	Omnissa	Omnissa Workspace ONE UEM	High (confidence: 0.8877)

Top 10 Weaknesses of the Month

Click the image for more information.

Ghost CVE Report

A ghost CVE is a vulnerability identifier that’s already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

Sightings detected between 2025-09-01 and 2025-09-30 that are associated with unpublished vulnerabilities.

Vulnerability ID	Occurrences	Comment
CVE-2023-42344	15	OpenCMS Unauthenticated XXE Vulnerability
CVE-2025-30333	2
CVE-2025-27225	1	Nuclei template
CVE-2025-27222	1
CVE-2025-14414	1	Oracle
CVE-2011-2553	1	Exploit (SPLOITUS) source code not published
CVE-2025-56708	1	Exploit (SPLOITUS)
CVE-2025-55817	1	Exploit (SPLOITUS)

Continuous Exploitation

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

Press release

Vulnerability-Lookup 2.16.0 released

Fri, 19 Sep 2025 00:00:00 +0000

We’re delighted to announce the release of Vulnerability-Lookup 2.16.0 — packed with exciting new features!

There should have been a video here but your browser does not seem to support it.

What’s New

Backend

Introduced source-scoped kvrocks counters and source-scoped sorted indexes for vulnerability advisories by state (published, updated, reserved). (#211, PR #215)
Examples of newly available queries:
- GET published:count:github:2025-09
- ZREVRANGE index:csaf_certbund:published 0 9 WITHSCORES
- ZREVRANGE vendors:ranking:2025-08 0 9 WITHSCORES
Added feeders for CERT-FR Avis and CERT-FR Alerte. (b99291f)

API

The Stats API endpoint now delivers statistics on CVE publications, with filters available by source, date, and advisory state. These new endpoints leverage the new indexes provided by the kvrocks backend. The result can be returned as JSON (default) or Markdown table. (0d153ed)

Frontend

Added a new public statistics page displaying various insights on CVE publications. This new page features several interactive charts powered by the new Stats API endpoints. (0d153ed, c842876)
Added XSLT support for various RSS/Atom feeds. The XSLT is injected immediately after feed generation, before delivery to the user. (241c6ca)

Migration Notes

To reset the indexes, you can execute bin/index_vulnerabilities.py which is using various reindexing utilities. This will delete indexes and counters! Alternatively, you can rerun the appropriate feeder with the --reimport parameter.

Changes

Improved search page: (82b9f95, f9f5c58)
- Filtering on sources, vendors, and products.
- Sorting based on advisory state (reserved, published, updated) and order (ascending/descending).
- Displaying all vulnerabilities related to a vendor with pagination (without specifying a product).
Improved recent page: vulnerabilities from multiple sources can now be sorted by publication or update date. (df1e472c)
Improved admin dashboard for user management. (#221)
Improved Vulnerability API endpoint: The GET List endpoint now provides more advanced filtering by source and advisory state. (0d153ed)
Various improvements related to the vulnerability description pages.

Fixes

NDJSON data dumps: fixed an issue where dumps did not actually contain newlines. (#218)
Prevent reimport of already ingested vulnerabilities from flaky CSAF sources. (#1848619)

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.16.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability Report - August 2025

Thu, 11 Sep 2025 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for August 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The Month at a Glance

August 2025 saw continued activity across a range of products and vendors, with WinRAR, Microsoft Exchange (the previous month highlighted Microsoft SharePoint), and NetScaler ADC leading the sightings. Notably, several critical vulnerabilities were actively exploited, including NetScaler ADC (CVE-2025-6543 and CVE-2025-5777) and FortiSIEM (CVE-2025-25256).

Web applications remain a frequent target, with cross-site scripting (CWE-79) and SQL injection (CWE-89) dominating the weakness landscape. The report also highlights unpublished vulnerabilities that attracted attention, suggesting ongoing targeted exploitation and zero-day activity.

Overall, the month emphasizes the importance of timely patching, monitoring for continuous exploitation, and vigilance against both well-known and emerging threats.

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2025-8088	193	win.rar GmbH	WinRAR	High (confidence: 0.9824)
CVE-2025-53786	175	Microsoft	Microsoft Exchange Server Subscription Edition RTM	High (confidence: 0.8193)
CVE-2025-43300	128	Apple	macOS	Medium (confidence: 0.4233)
CVE-2025-6543	111	NetScaler	ADC	Critical (confidence: 0.9614)
CVE-2025-25256	79	Fortinet	FortiSIEM	Critical (confidence: 0.6508)
CVE-2025-9074	65	Docker	Docker Desktop	Critical (confidence: 0.8172)
CVE-2015-2051	62	dlink	dir-645	Critical (confidence: 0.54)
CVE-2017-18368	61	zyxel	p660hn-t1a_v2	Critical (confidence: 0.9298)
CVE-2025-31324	59	SAP_SE	SAP NetWeaver (Visual Composer development server)	Critical (confidence: 0.9607)
CVE-2025-5777	52	NetScaler	ADC	Critical (confidence: 0.964)

Top 10 Weaknesses of the Month

CWE	Count
CWE-79	639
CWE-89	374
CWE-74	282
CWE-94	236
CWE-121	206
CWE-78	165
CWE-416	157
CWE-122	157
CWE-119	150
CWE-22	140

Ghost CVE Report

A ghost CVE is a vulnerability identifier that’s already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

Sightings detected between 2025-08-01 and 2025-08-31 that are associated with unpublished vulnerabilities.

Vulnerability ID	Occurrences	Comment
CVE-2023-42344	8	OpenCMS
CVE-2024-28080	4	Gitblit
GHSA-42m8-jxr4-976p	2	Wildermyth
CVE-2025-9040	2	Workhorse - bundle
CVE-2025-9037	2	Workhorse - bundle

Unpublished vulnerabilities with limited sightings:

Vulnerability ID	Occurrences
CVE-2023-34918	1
CVE-2025-55117	1
CVE-2025-14553	1
CVE-2024-55177	1
GHSA-5pm9-r2m8-rcmj	1
GHSA-m42g-xg4c-5f3h	1
GHSA-64qc-9x89-rx5j	1
CVE-2025-7719	1
GHSA-c2gv-xgf5-5cc2	1
CVE-2025-55616	1
CVE-2025-57497	1
CVE-2025-25964	1
CVE-2024-545078	1
CVE-2025-25987	1
CVE-2025-1272	1
CVE-2025-21589	1
CVE-2025-26517	1
CVE-2025-9141	1
GHSA-wrh9-463x-7wvv	1
CVE-2024-46507	1
CVE-2025-54321	1
CVE-2025-31143	1
CVE-2025-31646	1
CVE-2025-27564	1
GHSA-r4mf-mr9h-f27m	1

Continuous Exploitation

CVE-2023-42344 - OpenCMS (also in the “Most wanted vulnerabilities” section)
CVE-2015-2051 - D-Link DIR-645 - Sightings from MISP and Shadowserver
CVE-2025-5777 - NetScaler ADC - Sightings from Shadowserver and many more.

Insights from Contributors

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424.
Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.

More information

Citrix forgot to tell you CVE-2025–6543 has been used as a zero day since May 2025

Back in late June, Citrix posted a patch for CVE-2025–6543, which they described as “Memory overflow vulnerability leading to unintended control flow and Denial of Service”. Denial of service? Piff the magic dragon, who cares.

No technical details were ever published about the vulnerability. That changes today.

What they forgot to tell you: it allows remote code execution, it was used to widespread compromise Netscaler remote access systems and maintain network access even after patching, webshells have been deployed, and Citrix knew this and just didn’t mention it.

More information

Cache Me If You Can (Sitecore Experience Platform Cache Poisoning to RCE)

The vulnerability affects Sitecore Experience Platform, a widely used Content Management System (CMS). The issue is a cache poisoning attack, which means an attacker can trick the system into storing malicious data in its cache. Later, when the system serves cached content, it unknowingly executes this malicious content.

In this specific case, the cache poisoning can escalate to remote code execution (RCE), meaning the attacker could run arbitrary code on the server, potentially taking full control of the website and the underlying system.

More information

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

Press release

Two New feeds from CERT-FR (ANSSI) integrated in Vulnerability-Lookup

Fri, 29 Aug 2025 00:00:00 +0000

Two New feeds from CERT-FR are now integrated in Vulnerability-Lookup.

Thanks to the great work of Raphaël Vinot, we now have two new feeders:

CERT-FR Alerte, and
CERT-FR Avis

We were impressed by the excellent quality of these feeds, which allowed us to automatically extract impacted products (CPE vendors & names) and references to enrich our Kvrocks indexes.

Correlations

As with all our sources, advisories from CERT-FR are now automatically correlated with the other 27 (!) sources available on the CIRCL instance:
https://vulnerability.circl.lu/about#sources

Examples of correlations:

Screenshots

Sightings

You can already find sightings tied to CERT-FR advisories. For example, the sightings related to alerts published in 2025:
https://vulnerability.circl.lu/sightings/?query=CERTFR-2025-ALE

Screenshot

Contribute

Have a source you think should be integrated into Vulnerability-Lookup? Let us know!

Don’t hesitate to create an account on our instance: https://vulnerability.circl.lu/user/signup

Thank you

Thank you to all the contributors, and especially to CERT-FR for providing these excellent feeds.

References

The list of default feeders, active and ready to use in any Vulnerability-Lookup installation.
Source code of Vulnerability-Lookup.
News about the project

Vulnerability Report - July 2025

Sat, 23 Aug 2025 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for July 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The final section focuses on exploitations observed through The Shadowserver Foundation’s honeypot network.

The Month at a Glance

The most reported vulnerability this month is CVE-2025-53770, a critical flaw in Microsoft SharePoint Enterprise Server 2016, with over 400 sightings. Other high-impact vulnerabilities include CVE-2025-5777 affecting NetScaler ADC, and CVE-2025-25257 in Fortinet FortiWeb, both widely discussed across communities and security feeds.

Well-known products such as Google Chrome and Wing FTP Server also appear in the top 10, along with GitHub advisories like GHSA-269G-PWP5-87PP (JUnit4) and GHSA-78WR-2P64-HPWJ (Apache Commons IO). This mix shows how both enterprise-grade platforms and widely used open-source projects continue to be targeted.

The most common weaknesses remain familiar:

CWE-79 (Cross-site Scripting) with 747 cases.
CWE-89 (SQL Injection) with 710 cases.
CWE-122 (Heap-based Buffer Overflow) with 593 cases.

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2025-53770	416	Microsoft	Microsoft SharePoint Enterprise Server 2016	Critical (confidence: 0.8952)
CVE-2025-5777	267	NetScaler	ADC	Critical (confidence: 0.9621)
CVE-2025-25257	145	Fortinet	FortiWeb	Critical (confidence: 0.9819)
CVE-2025-6554	130	Google	Chrome	High (confidence: 0.9928)
CVE-2025-47812	129	wftpserver	Wing FTP Server	Critical (confidence: 0.9724)
GHSA-269G-PWP5-87PP	120	junit-team	junit4	Medium (confidence: 0.5366)
CVE-2025-53771	104	Microsoft	Microsoft SharePoint Enterprise Server 2016	Medium (confidence: 0.9689)
CVE-2025-49706	96	Microsoft	Microsoft SharePoint Enterprise Server 2016	Medium (confidence: 0.9689)
GHSA-78WR-2P64-HPWJ	85	Apache Software Foundation	Apache Commons IO	Medium (confidence: 0.9078)
GHSA-5MG8-W23W-74H3	84	Google LLC	Guava	Low (confidence: 0.877)

Ghost CVE Report

A ghost CVE is a vulnerability identifier that’s already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

The following vulnerabilities were only detected through our sighting tools:

CVE-2023-42344, source: The Shadowserver (honeypot/common-vulnerabilities)
CVE-2025-48932, source: Bluesky

These vulnerabilities have not yet been officially published.

Top 10 Weaknesses of the Month

CWE	Number of vulnerabilities
CWE-79	747
CWE-89	710
CWE-122	593
CWE-74	526
CWE-416	492
CWE-119	397
CWE-125	353
CWE-94	313
CWE-434	216
CWE-121	213

Insights from Contributors

Ruckus network management solutions riddled with unpatched vulnerabilities - Help Net Security

Claroty researcher Noam Moshe has discovered serious vulnerabilities in two Ruckus Networks (formerly Ruckus Wireless) products that may allow attackers to compromise the environments managed by the affected software, Carnegie Mellon University’s CERT Coordination Center (CERT/CC) has warned.
More information

Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257)

An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in Fortinet FortiWeb.
More information

VMSA-2025-0013: VMware ESXi, Workstation, Fusion, and Tools updates address multiple vulnerabilities

Multiple vulnerabilities in VMware ESXi, Workstation, Fusion, and Tools were privately reported to Broadcom. Updates are available to remediate these vulnerabilities in affected Broadcom products.
More information

Continuous Exploitation

CVE-2018-13379 - Fortinet / Fortinet FortiOS, FortiProxy
CVE-2017-17215 - Huawei Technologies Co., Ltd. / HG532
CVE-2025-5777 - NetScaler / ADC

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

Press release

Vulnerability-Lookup 2.15.0 released

Fri, 22 Aug 2025 00:00:00 +0000

We are excited to announce the release of Vulnerability-Lookup 2.15.0!
This version brings new features, performance improvements, and several bug fixes.

What’s New

Detecting vulnerabilities known only through sightings

The dashboard now highlights vulnerabilities discovered via our sighting tools, including scraping social networks, MISP, Nuclei templates, Shadowserver, Gist, and more. This gives you better visibility of unpublished advisories.

Batch user deletion for admins

Admins can now delete multiple users at once using checkboxes and a confirmation modal. CSRF protection is included to ensure safe operations.

Changes

Better logging
We improved logging for access, warnings, and errors in the web app, including the HTTP status codes returned in unexpected situations.
Issue #199
Commits: a6b99bf, 9c37e7e, d2e826f
Faster vendor/product vulnerability searches
The search page is now faster thanks to pipelines and pagination. A Bootstrap pagination component has been added when vendor and product are specified.
Commit aeb6ae0

New API option
Added advisory_status parameter to the /sighting endpoint.
Commit de5873c
Faster Organization/Product search
The find_vulnerabilities function now finds matching vulnerabilities for all vendor/product combinations much faster.
Commit 67d2516
Search page improvements
We made several graphical and functional enhancements to the search page.
Commits: 82c6f2d, 0f249d1, 94e53c0
About page improvements
Better handling of GNAs and a link to the recent activity page.
Commits: 70308f5, 168fcff
Dashboard updates
Various improvements related to recently imported vulnerabilities and new filters in the “Evolution for the last month” table.

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.15.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability-Lookup 2.14.0 released

Fri, 25 Jul 2025 00:00:00 +0000

We’re glad to announce verion 2.14.0 of Vulnerability-Lookup!
This version introduces several new features, enhancements, and fixes.

What’s New

New Watchlist View

You can now view your monitored products and their related vulnerabilities directly in the browser, mirroring the structure of email notifications. Authenticated RSS/Atom feeds are available. (#181)

There should have been a video here but your browser does not seem to support it.

(enable audio in the screencast)

GNA Verification

We added a way to confirm whether a Vulnerability-Lookup instance is officially operated by a GNA. The information is available on the About page. (#179)

Optional CVD Process

The Coordinated Vulnerability Disclosure module can now be disabled if not applicable to your deployment. (#178)

Changes

Other changes include a smoother post-login experience and a fail-safe around ML-Gateway calls for related vulnerabilities. (#170)

Changelog

📂 To explore the full list of changes, visit the changelog on GitHub:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.14.0

🙏 Thank you very much to all the contributors and testers!

Feedback and Support

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability-Lookup 2.13.0 released

Fri, 11 Jul 2025 00:00:00 +0000

We’re excited to announce the release of Vulnerability-Lookup 2.13.0!
This version introduces several new features, enhancements, and fixes.

What’s New

Support for VLAI Severity Classification in Chinese

For vulnerabilities originating from the CNVD source, Vulnerability-Lookup now leverages the ML-Gateway to perform inference using the CIRCL/vulnerability-severity-classification-chinese-macbert-base model. (0b85b2d)

More information is available on VLAI Severity Classification (preprint for the 25V4C-TC: 2025 Vulnerability Forecasting Technical Colloquia. Darwin College Cambridge, UK).

Easy Access to Mitigations from the Vulnerability View

Mitigations derived from CWEs are now directly displayed on the vulnerability details page. (#172)

Filter Vulnerabilities by CWE via the API

The /vulnerability/last API endpoint now supports filtering results by CWE. (#148)

Example query:

$ curl https://vulnerability.circl.lu/api/vulnerability/last/1?cwe=CWE-79 | jq .

Result:

[
 {
 "dataType": "CVE_RECORD",
 "dataVersion": "5.1",
 "cveMetadata": {
 "cveId": "CVE-2006-10001",
 "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
 "state": "PUBLISHED",
 "assignerShortName": "VulDB",
 "dateReserved": "2023-03-04T10:47:33.154Z",
 "datePublished": "2023-03-05T20:31:03.187Z",
 "dateUpdated": "2024-08-07T20:57:41.047Z"
 },
 "containers": {
 "cna": {
 "providerMetadata": {
 "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
 "shortName": "VulDB",
 "dateUpdated": "2023-10-12T08:05:39.323Z"
 },
 "title": "Subscribe to Comments Plugin subscribe-to-comments.php cross site scripting",
 "problemTypes": [
 {
 "descriptions": [
 {
 "type": "CWE",
 "cweId": "CWE-79",
 "lang": "en",
 "description": "CWE-79 Cross Site Scripting"
 }
 ]
 }
 ],
 "affected": [
 {
 "vendor": "n/a",
 "product": "Subscribe to Comments Plugin",
 "versions": [
 {
 "version": "2.0.0",
 "status": "affected"
 },
 {
 "version": "2.0.1",
 "status": "affected"
 },
 {
 "version": "2.0.2",
 "status": "affected"
 },
 {
 "version": "2.0.3",
 "status": "affected"
 },
 {
 "version": "2.0.4",
 "status": "affected"
 },
 {
 "version": "2.0.5",
 "status": "affected"
 },
 {
 "version": "2.0.6",
 "status": "affected"
 },
 {
 "version": "2.0.7",
 "status": "affected"
 }
 ]
 }
 ],
 "descriptions": [
 {
 "lang": "en",
 "value": "A vulnerability, which was classified as problematic, was found in Subscribe to Comments Plugin up to 2.0.7 on WordPress. This affects an unknown part of the file subscribe-to-comments.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.0.8 is able to address this issue. The identifier of the patch is 9683bdf462fcac2f32b33be98f0b96497fbd1bb6. It is recommended to upgrade the affected component. The identifier VDB-222321 was assigned to this vulnerability."
 },
 {
 "lang": "de",
 "value": "Es wurde eine problematische Schwachstelle in Subscribe to Comments Plugin bis 2.0.7 für WordPress gefunden. Hiervon betroffen ist ein unbekannter Codeblock der Datei subscribe-to-comments.php. Dank der Manipulation mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Ein Aktualisieren auf die Version 2.0.8 vermag dieses Problem zu lösen. Der Patch wird als 9683bdf462fcac2f32b33be98f0b96497fbd1bb6 bezeichnet. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen."
 }
 ],
 "metrics": [
 {
 "cvssV3_1": {
 "version": "3.1",
 "baseScore": 3.5,
 "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
 "baseSeverity": "LOW"
 }
 },
 {
 "cvssV3_0": {
 "version": "3.0",
 "baseScore": 3.5,
 "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
 "baseSeverity": "LOW"
 }
 },
 {
 "cvssV2_0": {
 "version": "2.0",
 "baseScore": 4,
 "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
 }
 }
 ],
 "timeline": [
 {
 "time": "2023-03-04T00:00:00.000Z",
 "lang": "en",
 "value": "Advisory disclosed"
 },
 {
 "time": "2023-03-04T00:00:00.000Z",
 "lang": "en",
 "value": "CVE reserved"
 },
 {
 "time": "2023-03-04T01:00:00.000Z",
 "lang": "en",
 "value": "VulDB entry created"
 },
 {
 "time": "2023-03-31T12:24:01.000Z",
 "lang": "en",
 "value": "VulDB last update"
 }
 ],
 "credits": [
 {
 "lang": "en",
 "value": "VulDB GitHub Commit Analyzer",
 "type": "tool"
 }
 ],
 "references": [
 {
 "url": "https://vuldb.com/?id.222321",
 "tags": [
 "vdb-entry",
 "technical-description"
 ]
 },
 {
 "url": "https://vuldb.com/?ctiid.222321",
 "tags": [
 "signature",
 "permissions-required"
 ]
 },
 {
 "url": "https://github.com/wp-plugins/subscribe-to-comments/commit/9683bdf462fcac2f32b33be98f0b96497fbd1bb6",
 "tags": [
 "patch"
 ]
 },
 {
 "url": "https://github.com/wp-plugins/subscribe-to-comments/releases/tag/2.0.8",
 "tags": [
 "patch"
 ]
 }
 ]
 },
 "adp": [
 {
 "providerMetadata": {
 "orgId": "af854a3a-2127-422b-91ae-364da2661108",
 "shortName": "CVE",
 "dateUpdated": "2024-08-07T20:57:41.047Z"
 },
 "title": "CVE Program Container",
 "references": [
 {
 "url": "https://vuldb.com/?id.222321",
 "tags": [
 "vdb-entry",
 "technical-description",
 "x_transferred"
 ]
 },
 {
 "url": "https://vuldb.com/?ctiid.222321",
 "tags": [
 "signature",
 "permissions-required",
 "x_transferred"
 ]
 },
 {
 "url": "https://github.com/wp-plugins/subscribe-to-comments/commit/9683bdf462fcac2f32b33be98f0b96497fbd1bb6",
 "tags": [
 "patch",
 "x_transferred"
 ]
 },
 {
 "url": "https://github.com/wp-plugins/subscribe-to-comments/releases/tag/2.0.8",
 "tags": [
 "patch",
 "x_transferred"
 ]
 }
 ]
 }
 ]
 }
 }
]

Changes

Added reverse mapping support for CWEs. (84608bb)
CWEs are now stored in dedicated kvrocks sets for vulnerabilities added through the Vulnogram interface. (5d52048)
Improved loading mechanism for custom Jinja filters. (f14c262)
Numerous improvements to the vulnerability details page.
Several enhancements to the OpenAPI documentation.

Fixes

Fixed creation and editing of notifications when the specified organization or product does not exist. (#141)
The POST /vulnerability endpoint now correctly sets vendor and product names in kvrocks for entries created via the Vulnogram web interface. (9cc2a5b)
CSAF feeders now correctly detect and process vulnerability updates. (49c831a)

Changelog

📂 To explore the full list of changes, visit the changelog on GitHub:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.13.0

🙏 Thank you very much to all the contributors and testers!

Feedback and Support

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability Report - June 2025

Mon, 07 Jul 2025 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for June 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The final section focuses on exploitations observed through The Shadowserver Foundation’s honeypot network.

The Month at a Glance

The June 2025 report highlights a mix of long-standing and newly identified high-risk vulnerabilities. Notably, Citrix discloses a critical NetScaler ADC/Gateway flaw (CVE-2025-5777), dubbed “CitrixBleed 2,” which can expose session tokens and bypass multi-factor authentication — echoing last year’s infamous CitrixBleed. Other urgent issues include a PayU India WordPress plugin vulnerability (CVE-2025-31022) that allows full account takeover across thousands of sites, and a Python “tarfile” library bug (CVE-2025-4517) that enables attackers to write files outside intended directories. Among the most sighted vulnerabilities are multiple Microsoft Windows 10 and Google Chrome flaws, as well as several Citrix ADC bugs, many rated “High” or “Critical.” Common web weaknesses like cross-site scripting and SQL injection (CWE-79, CWE-89) remain widespread, highlighting the ongoing need for strong patching hygiene. Some older vulnerabilities — such as the 2015 D-Link DIR-645 flaw and known Confluence or Cisco RCE bugs — also continue to see active exploitation. Organizations should prioritize remediation of these critical and actively targeted vulnerabilities, while reinforcing application security against injection and XSS attacks.

Top 10 vulnerabilities of the Month

Vulnerability	Vendor	Product	VLAI Severity
CVE-2025-33053	Microsoft	Windows 10 Version 1809	High
CVE-2025-49113	Roundcube	Webmail	High
CVE-2025-5777	NetScaler	ADC	Critical
CVE-2025-5419	Google	Chrome	High
CVE-2025-2783	Google	Chrome	High
CVE-2025-6019	Red Hat	Red Hat Enterprise Linux 10	Medium
CVE-2025-33073	Microsoft	Windows 10 Version 1809	High
CVE-2025-6543	NetScaler	ADC	Critical
CVE-2015-2051	D-Link	DIR-645	Critical
CVE-2017-18368	ZyXEL	P660HN-T1A	Critical

Evolution of sightings per week

Top 10 Weaknesses of the Month

CWE	Number of vulnerabilities
CWE-79	659
CWE-89	411
CWE-74	342
CWE-119	190
CWE-862	157
CWE-352	157
CWE-120	105
CWE-94	94
CWE-22	86
CWE-98	74

Insights from Contributors

CitrixBleed 2
Citrix patched a critical vulnerability in its NetScaler ADC and NetScaler Gateway products that is already being compared to the infamous CitrixBleed flaw exploited by ransomware gangs and other cyber scum, although there haven’t been any reports of active exploitation. Yet.

Security analyst Kevin Beaumont dubbed the vulnerability “CitrixBleed 2.” As The Register’s readers likely remember, that earlier flaw (CVE-2023-4966) allowed attackers to access a device’s memory, find session tokens, and then use those to impersonate an authenticated user while bypassing multi-factor authentication — which is also possible with this new bug.

GCVE-1-2025-0002: Cl0p Ransomware Data Exfiltration Vulnerable to RCE Attacks A newly identified security vulnerability in the Cl0p ransomware group’s data exfiltration utility has exposed a critical remote code execution (RCE) flaw that security researchers and rival threat actors could potentially exploit.

The vulnerability, designated as GCVE-1-2025-0002, was published on July 1, 2025, and carries a high severity rating of 8.9 on the CVSS:4.0 scale.

Stuxnet-related CVEs

CVE-2010-2568 MS10-046 Windows
CVE-2010-2729 MS10-061 Windows
CVE-2008-4250 MS08-067 Windows
CVE-2010-2772 Not Available Siemens SIMATIC WinCC

CVE-2025-31022: More details about PayU wordpress extension
“This can be abused by a malicious actor to perform action which normally should only be able to be executed by higher privileged users. These actions might allow the malicious actor to gain admin access to the website.”

CVE-2025-4517: Additional information
RISK : Multiple vulnerabilities affect the standard TarFile library for CPython. Currently, there is no indication that the vulnerability is actively exploited, but because it is a zero-day with a substantial install base, attackers can exploit it at any moment. An attacker could exploit flaws to bypass safety checks when extracting compressed files, allowing them to write files outside intended directories, create malicious links, or tamper with system files even when protections are supposedly enabled. Successful exploitation could lead to unauthorised access, data corruption, or malware installation, especially if your systems or third-party tools handle untrusted file uploads or archives RECOMMENDED ACTION: Patch Source: ccb.be

Continuous Exploitation

CVE-2025-32433 - erlang / otp
CVE-2015-2051 - D-Link / DIR-645
CVE-2022-26134 - Atlassian / Confluence Data Center
CVE-2019-1653 - Cisco / Cisco Small Business RV Series Router Firmware

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Beyond CVEs: Mastering the Landscape with Vulnerability-Lookup

Wed, 25 Jun 2025 00:00:00 +0000

We had the pleasure of presenting at FIRST.org 2025, showcasing the Vulnerability-Lookup and GCVE.eu initiatives.

Although CVEs are a cornerstone of vulnerability management, they often provide an incomplete view of the security landscape. Vulnerability-Lookup, a new open-source project developed by CIRCL, addresses this limitation by offering a comprehensive and enriched vulnerability intelligence platform that goes beyond basic CVE data.

The platform aggregates and correlates information from diverse sources, including exploit databases, vulnerability scanners, product advisories, and community contributions. This integration delivers a more complete picture of vulnerability threats. We demonstrate how this enhanced level of detail empowers security professionals to move beyond simple patch management and adopt proactive, actionable, risk-based strategies.

📄 Download the slides in PDF format

Feedback and Support

If you encounter issues or have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Follow us on Fediverse/Mastodon

You can follow us on Mastodon and get real time informationa about security advisories:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability-Lookup 2.12.0 released

Fri, 20 Jun 2025 00:00:00 +0000

We’re glad to announce the immediate availability of Vulnerability-Lookup version 2.12.0.

What’s New

CWE statistics

Users can now access CWE occurrence statistics by year and optionally by month.
The vulnerability detail page also displays the associated CWEs, with a direct link to the CWE detail page, which includes potential mitigations. New Kvrocks indexes are used for the lookup. (#140) by Léa

This update enhances accessibility by making it easier for everyone to explore trends in common weaknesses over time directly through the web interface.

Changes

Adding optional pull before update and optimized imports (#164) by P-T-I
chg: [website] Provide a way to filter GNAs organization for unauthenticated users. (f537d56)
chg: [website] Display a message when the EPSS score is not yet available from FIRST. (1ef42b7)
Various minor user interface improvements.
Updated various dependencies.

Changelog

📂 To see the full rundown of the changes, users can visit the changelog on GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.12.0

🙏 A big thank you to Léa, and all contributors who helped make this happen!

Feedback and Support

Follow us on Fediverse/Mastodon

You can follow us on Mastodon and get real time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability-Lookup 2.11.0 released

Fri, 13 Jun 2025 00:00:00 +0000

We’re excited to announce the release of Vulnerability-Lookup 2.11.0 — and it comes with a major milestone for decentralized vulnerability publication!

What’s New

GCVE-BCP-03 - Decentralized Publication Standard

The GCVE BCP-03 Decentralized Publication Standard has now been implemented for the first time.

This standard enables GCVE Numbering Authority (GNA) organizations to publish their vulnerability information directly—without relying on a centralized system.

As a first step, version 2.10.0 of Vulnerability-Lookup introduced support for maintaining a local copy of the GCVE registry. With the latest release, it’s now possible to synchronize the list of local organizations in a Vulnerability-Lookup instance with this local GCVE registry.

This new capability provides a simple way to maintain an up-to-date list of GNA organizations in any Vulnerability-Lookup deployment.

Administrators can then choose which advisories, published by these GNA organizations, they want to import into their instance. This is possible thanks to a new feeder. (151)

Security Advisories from the Local Vulnerability-Lookup Instance (gna-65535.private.circl.lu)

This view displays advisories published on the current local instance.

Security Advisories from GNA-1 Retrieved in the Local Vulnerability-Lookup Instance (gna-65535.private.circl.lu)

This view shows advisories retrieved from a remote GNA instance (GNA-1) using the new feeder system.

Security Advisories from GNA-1 Retrieved in the Local Vulnerability-Lookup Instance (vulnerability.circl.lu)

This screenshot displays the same advisory as in the previous example, but as seen on its originating instance.

Dashboard

The dashboard where administrators manage the local GCVE registry.

Organization Management

This section allows the management of both GNA and non-GNA organizations.

Editing an Organization

Editing details for a specific organization.

The distributed GCVE network

Changes

Added pagination in the API to the endpoint which list EMB3D objects. (a669461)
Vendor and Product management in vulnerability-lookup (#105)
Improvements to the view of recent vulnerabilities. The navigation menu is now automatically updated based on the list of GNAs the local instance is subscribed to.
Various improvements to the admin dashboard.
Various improvements to the documentation.

Fixes

Multiple comments share same UUID (#158)
GCVE data/feed is missing (#155)
Dockerfile change by P-T-I (#153)
Fixes to installation instructions by jeroenh (#154)
doc fix by jeroenh (#156)
Small fixes on containers by claudex (#157)
Fixed a test in the disculosure.html template. The description of approved diclosures was never displayed. (1ec3e55)

Changelog

📂 To see the full rundown of the changes, users can visit the changelog on GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.11.0 z

Feedback and Support

Follow us on Fediverse/Mastodon

You can follow us on Mastodon and get real time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability Report - May 2025

Tue, 03 Jun 2025 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for May 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The final section focuses on exploitations observed through The Shadowserver Foundation’s honeypot network.

Top 10 vulnerabilities of the month

Vulnerability	Vendor	Product	Severity	VLAI Severity
CVE-2025-31324	SAP_SE	SAP NetWeaver (Visual Composer development server)	Critical	Critical
CVE-2025-4427	Ivanti	Endpoint Manager Mobile	Medium	Critical
CVE-2025-37899	Linux	Linux		High
CVE-2025-4428	Ivanti	Endpoint Manager Mobile	High	High
CVE-2025-32756	Fortinet	FortiVoice	Critical	Critical
CVE-2025-4664	Google	Chrome	Medium	Medium
CVE-2025-20188	Cisco	Cisco IOS XE Software	Critical	Critical
CVE-2017-18368	ZyXEL	P660HN-T1A	Critical	Critical
CVE-2015-2051	D-Link	DIR-645	High	Critical
CVE-2024-38475	Apache Software Foundation	Apache HTTP Server	Critical	Critical

Evolution for the top 5 vulnerabilities

CVE-2025-31324 - SAP / SAP NetWeaver (Visual Composer development server)
CVE-2025-4427 - Ivanti / Endpoint Manager Mobile
CVE-2025-37899 - Linux / Linux
CVE-2025-4428 - Ivanti / Endpoint Manager Mobile
CVE-2025-32756 - Fortinet / FortiVoice

Insights from contributors

CVE-2025-22252: Authentication Vulnerability in FortiOS, FortiProxy, and FortiSwitchManager leads to Unauthenticated Admin Access
CVE-2025-22252 is a missing authentication for critical function vulnerability in devices configured to use a remote TACACS+ server for authentication configured to use ASCII authentication. It may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass, potentially resulting in complete system compromise, data theft and service disruption.

CVE-2025-30663: Additional information
In its security release of 13 May 2025, Zoom addressed two vulnerabilities that could be exploited for privilege escalation: • CVE-2025-30663, a time-of-check time-of-use race condition affecting some Zoom Workplace Apps. If successfully exploited, an authenticated user could conduct an escalation of privilege via local access. • CVE-2025-30664 is an improper neutralization of special elements flaw affecting some Zoom Workplace Apps. Successful exploitation could allow an authenticated user to conduct an escalation of privilege via local access.

CVE-2025-41229: More information
The vulnerabilities could be used by attackers to gain access to services and data. They can also be used to execute arbitrary commands and cause a denial of service. Confidentiality, integrity and availability are all impacted. The only solution is to upgrade immediately.

2025-27920: Additional information
Microsoft discovered critical vulnerability CVE-2025-27920 affecting the messaging application Output Messenger. Microsoft additionally observed exploitation of the vulnerability since April 2024. According to Microsoft, the attacker needs to be authenticated, although the Output Messenger advisory indicates that privileges are not required to exploit the vulnerability. An attacker could upload malicious files into the server’s startup directory by exploiting this directory traversal vulnerability. This allows an attacker to gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, possibly leading to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.

Continuous exploitation

CVE-2023-0656 - SonicWall / SonicOS (not in CISA KEV)
CVE-2022-26134 - Atlassian / Confluence Data Center
CVE-2019-1653 - Cisco / Cisco Small Business RV Series Router Firmware

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open sour ce cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Vulnerability-Lookup 2.10.0 released

Thu, 22 May 2025 00:00:00 +0000

We’re delighted to announce the release of Vulnerability-Lookup 2.10.0, and it’s packed with exciting features!

What’s New

AI-Powered Enrichment using our in-house AI models

Vulnerability-Lookup now enhances vulnerability advisories using our in-house AI models.

We recently worked on a new project, ML-Gateway, a FastAPI service for serving NLP models. It loads one or more pre-trained NLP models during startup and expose them through a clean, RESTful API for inference. For example, it leverages the transformers library to load the CIRCL/vulnerability-severity-classification-roberta-base model, which specializes in classifying vulnerability descriptions according to their severity level. The server initializes this model once at startup, ensuring minimal latency during inference requests.

The ultimate goal is to enrich vulnerability data descriptions through the application of a suite of NLP models, providing direct benefits to Vulnerability-Lookup and supporting other related projects such as AIL.

Think of it as a gateway to model-serving services, enabling us to integrate various AI models in the future without introducing new dependencies or added complexity to Vulnerability-Lookup.

This release marks a significant milestone in our AI strategy. We now have the full loop in place: from data gathering and vulnerability correlation to AI dataset generation, model training with our own AI trainers, and finally, our new bridge that connects these models directly to Vulnerability-Lookup.

Example

Concretely, for the user, the result of the severity classification model appears on the vulnerability description page in Vulnerability-Lookup, just after the CVSS information. The goal is to provide a comparison point—and to offer a severity indicator when CVSS data is missing. This result is composed of the level of the severity (from Low to Critical) and the confidence level (between 0 and 1).

https://vulnerability.circl.lu/vuln/CVE-2025-4427

Conceptual architecture of the ML-Gateway

Models generation workflow

More information about AI datasets and models.

Monitor Your Local GCVE Registry with Vulnerability-Lookup

Thanks to the integration of the GCVE client, administrators of a Vulnerability-Lookup instance can now manage and monitor a local GCVE registry.

GNAs are retrieved from gcve.eu, and the integrity of the data is automatically verified. In a future release, this will allow administrators of a Vulnerability-Lookup instance to choose which GNA feeds to pull.

Changes

Send notifications to admins and users when new comments are added to a disclosure. (58b6b60)
Improved admin notification system for published comments. (2d2b917)
Added a new API endpoint to verify the integrity of the local GCVE registry. (a4416c6, 27cdb50, 92c3c1b)
Introduced a new Flask/Click command to update the local GCVE registry in the background using data from gcve.eu. This can also be triggered from the HML dashboard. (0a35027)
Queries the backend to retrieve the vendor/product information for hovered vulnerability IDs in the charts and the table of the main public dashboard. Related to #136 (9f138a7)
Enhanced the vulnerability sightings correlation graph. Related to #136
(ac17667)
Various graphical improvements to the admin dashboard. (7c4e549)

Fixes

Allowed gna_id to be null for organizations. (569bfa2)
Fixed typos in HTML templates. (e301a7f)

Changelog

📂 To see the full rundown of the changes, users can visit the changelog on GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.10.0

🙏 A big thank you to all our contributors — with a special welcome to Léa, our newest contributor!

Feedback and Support

Follow us on Fediverse/Mastodon

You can follow us on Mastodon and get real time informationa about security advisories:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability-Lookup 2.9.0 released

Tue, 06 May 2025 00:00:00 +0000

We’re delighted to announce the release of Vulnerability-Lookup 2.9.0, with new features, enhancements, and bug fixes.

What’s New

Adversarial Techniques from MITRE EMB3D

The Adversarial Techniques from MITRE EMB3D are now integrated into Vulnerability-Lookup as a new source and are correlated with existing security advisories.

This feature was contributed by Piotr Kaminski during the last Hack.lu hackathon. (#129)

Global CVE Allocation System (GCVE)

GCVE identifiers are now supported in HTML templates and URL parameters,
thanks to the GCVE Python client.
These identifiers can now be used when disclosing a new vulnerability as part of the Coordinated Vulnerability Disclosure (CVD) process, in alignment with NIS 2 requirements. (8bb3d84, 58c394a)

Trustworthy Level for Members

Members of a Vulnerability-Lookup instance now have a dynamically calculated
trustworthy level based on profile completeness and verification.
Members affiliated with FIRST.org or European CSIRTs (CNW) are automatically
trusted for operations that would otherwise require administrator approval
(e.g., creating comments).

Changes

New API endpoint for MITRE EMB3D. (c0d6b44)
Improved the vulnerability disclosure page. (ccfb6b1)
Added page arguments to the vulnerability/last endpoint. (ce75a7a)
Notification emails now include a random signoff. (#119)
Various graphical enhancements. (0878a31)

Fixes

Fixed editing of notifications for Organization/Product. (#124)

Changelog

📂 To see the full rundown of the changes, users can visit the changelog on GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.9.0

🙏 Thank you very much to all the contributors. Especially to Piotr Kaminski.

Feedback and Support

Follow us on Fediverse/Mastodon

You can follow us on Mastodon and get real time informationa about security advisories:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability Report - April 2025

Thu, 01 May 2025 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for April 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The final section focuses on exploitations observed through The Shadowserver Foundation’s honeypot network.

Top 10 vulnerabilities of the month

Vulnerability	Vendor	Product	Count	Severity
CVE-2025-22457	Ivanti	Connect Secure	188	9
CVE-2025-32433	erlang	otp	119	10
CVE-2025-31324	SAP	SAP NetWeaver	101	10
CVE-2025-31161	CrushFTP	CrushFTP	108	9.8
CVE-2025-29824	Microsoft	Windows 10 Version 1809	85	7.8
CVE-2025-24054	Microsoft	Windows 10 Version 1809	79	6.5
CVE-2025-30406	Gladinet	CentreStack	64	9
CVE-2025-24200	Apple	iPadOS	61	6.1
CVE-2017-18368	ZyXEL	p660hn-t1a_v1, p660hn-t1a_v2, 5200w-t	60	9.8
CVE-2015-2051	dlink	dir-645	60	8.8

A scanner is available for CVE-2025-31324 (SAP):

You can create a notification for this SAP product to get alerts about new activity.

CVE-2017-18368 and CVE-2015-2051 are continuously exploited, with a recent increase in activity.

Evolution per week

Week 14

Ranking

Vulnerability	Vendor	Product	Count	Severity
CVE-2025-22457	Ivanti	Connect Secure	100	9.0
CVE-2025-31161	CrushFTP	CrushFTP	46	9.8
CVE-2025-30065	Apache Software Foundation	Apache Parquet Java	27	10
CVE-2025-24813	Apache Software Foundation	Apache Tomcat	26	9.8
CVE-2025-1268	Canon Inc.	Generic Plus PCL6 Printer Driver	25	9.4
CVE-2024-20439	Cisco	Cisco Smart License Utility	21	9.8
CVE-2025-1974	kubernetes	ingress-nginx	20	9.8
CVE-2025-26633	Microsoft	Windows 10 Version 1809	19	7
CVE-2025-24201	Apple	iOS and iPadOS	15	7.1

Week 15

Ranking

Vulnerability	Vendor	Product	Count	Severity
CVE-2025-29824	Microsoft	Windows 10 Version 1809	59	7.8
CVE-2025-22457	Ivanti	Connect Secure	55	9.0
CVE-2025-24200	Apple	iPadOS	46	6.1
CVE-2024-53197	Linux	Linux	42	7.8
CVE-2025-31161	CrushFTP	CrushFTP	38	9.8
CVE-2024-53150	Linux	Linux	36	7.8
CVE-2024-48887	Fortinet	FortiSwitch	31	9.8
CVE-2024-0132	NVIDIA	Container Toolkit	24	9
CVE-2025-0108	Palo Alto Networks	Cloud NGFW	18	8.8

Insights from contributors

Week 16

Ranking

Vulnerability	Vendor	Product	Count	Severity
CVE-2025-32433	erlang	otp	70	10
CVE-2025-24054	Microsoft	Windows 10 Version 1809	58	7.8
CVE-2025-31200	Apple	visionOS	49	7.5
CVE-2025-30406	Gladinet	CentreStack	44	9
CVE-2025-31201	Apple	visionOS	42	6.8
CVE-2025-24859	Apache Software Foundation	Apache Roller	32	2.1
CVE-2021-20035	SonicWall	SMA100	26	6.5
CVE-2025-29824	Microsoft	Windows 10 Version 1809	24	7.8
CVE-2025-22457	Ivanti	Connect Secure	23	9.0
CVE-2024-56406	perl	perl	18	8.6

Insights from contributors

Week 17

Ranking

Vulnerability	Vendor	Product	Count	Severity
CVE-2025-32433	erlang	otp	42	10
CVE-2025-31324	SAP	SAP NetWeaver	42	10
CVE-2025-34028	Commvault	Command Center Innovation Release	39	10
CVE-2025-0282	Ivanti	Connect Secure	24	9
CVE-2025-32434	pytorch	pytorch	19	9.3
CVE-2025-24054	Microsoft	Windows 10 Version 1809	19	6.5
CVE-2021-42013	Apache Software Foundation	Apache HTTP Server	16	9.8
CVE-2015-2051	dlink	dir-645	14	8.8
CVE-2017-18368	ZyXEL	p660hn-t1a_v1, p660hn-t1a_v2, 5200w-t	14	9.8
CVE-2025-1731	Zyxel	USG FLEX H series uOS firmware	13	7.8

Insights from contributors

CVEs with appearances from week 14 to 17

Persistent ones (appear in at least 2 weeks):

CVE-2025-22457 – Week 14, 15, 16, 17
CVE-2025-31161 – Week 14, 15, 17
CVE-2025-29824 – Week 15, 16
CVE-2025-24054 – Week 16, 17

Appear only once

Week 14 only:

CVE-2025-30065, CVE-2025-24813, CVE-2025-1268, CVE-2024-20439, CVE-2025-1974

Week 15 only:

CVE-2025-24200, CVE-2024-53197, CVE-2024-53150

Week 16 only:

CVE-2025-32433, CVE-2025-31200 Week 17 only:
CVE-2025-31324, CVE-2025-0282, CVE-2025-1731

Continuous exploitation

The sightings used for this analysis were mainly collected through The Shadowserver Foundation’s honeypot network.

Vulnerability	Count
CVE-2015-2051	30
CVE-2019-1653	30
CVE-2019-12780	30
CVE-2017-18368	30
CVE-2021-42013	30
CVE-2016-6277	30
CVE-2018-10562	30
CVE-2016-10372	30
CVE-2021-44228	30
CVE-2017-9841	30
CVE-2017-17215	30

This table highlights vulnerabilities that are consistently and recently exploited at a high rate. Often found at network edges, such as routers, VPNs, and similar devices.

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Vulnerability-Lookup 2.8.0 released

Thu, 10 Apr 2025 00:00:00 +0000

We’re pleased to announce the immediate availability of Vulnerability-Lookup version 2.8.0.

What’s New

Simplified Vulnerability Reporting (aligned with NIS 2 requirements)

Members of a Vulnerability-Lookup instance can now easily report vulnerabilities as preliminary advisories in the context of NIS 2. Operators can review these notifications and, if deemed relevant, generate a security advisory directly from Vulnerability-Lookup. The advisory will then be made publicly accessible, similar to those from other sources. #114

CodeClarity as a new Sighting source

During the Hack.lu hackathon, Cédric Herzog worked on the new version of CodeClarity, which now supports pushing analysis results as Sightings into Vulnerability-Lookup.

Dockerized version of Vulnerability-Lookup

Thanks to Dawid Czarnecki, Vulnerability-Lookup now has a fully dockerized setup. Kvrocks, Valkey, and PostgreSQL are each configured as separate containers. #116

Graphical improvements

We also refined several areas of the user interface to enhance usability and provide a smoother experience. Thank you to David Cruciani !

Changelog

📂 To see the full rundown of the changes, users can visit the changelog on GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.8.0

🙏 Thank you very much to all the contributors. Especially to Dawid Czarnecki and Cédric Herzog

Feedback and Support

Follow us on Fediverse/Mastodon

You can follow us on Mastodon and get real time informationa about security advisories:
https://social.circl.lu/@vulnerability_lookup/

Vulnerability Report - March 2025

Tue, 01 Apr 2025 00:00:00 +0000

All vulnerability reports

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for March 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The final section focuses on exploitations observed through The Shadowserver Foundation’s honeypot network.

March at a glance

Sightings repartition per day

Repartition of all type of sightings per day for the month of March.

Top 5 Vulnerabilities evolution

For more detailed information, check out the Vulnerability-Lookup dashboard:
https://vulnerability.circl.lu

Top 15 vulnerabilities of the month

Vulnerability	Vendor	Product	Count	Severity
CVE-2025-29927	vercel	next.js	167	9.1
CVE-2025-24813	Apache Software Foundation	Apache Tomcat	128	9.2
CVE-2025-1974	kubernetes	ingress-nginx	86	9.8
CVE-2024-4577	PHP Group	PHP	83	9.8
CVE-2025-22224	vmware	ESXi	80	9.3
CVE-2025-24201	Apple	iOS and iPadOS	79	7.0
CVE-2025-2783	Google	Chrome	72	8.3
CVE-2025-30066	tj-actions	changed-files	67	8.6
CVE-2017-18368	ZyXEL	p660hn-t1a_v1, p660hn-t1a_v2, 5200w-t	60	9.8
CVE-2015-2051	dlink	dir-645	60	8.8
CVE-2018-10562	dasannetworks	gpon_router	54	9.8
CVE-2025-22225	vmware	ESXi	54	8.2
CVE-2025-23120	Veeam	Backup and Recovery	52	9.9
CVE-2025-22226	vmware	ESXi	48	7.1
CVE-2025-27363	FreeType	FreeType	47	8.1

Evolution per week

Week 10

Ranking

Vulnerability	Vendor	Product	Count	Severity
CVE-2025-22224	vmware	esxi	72	9.3
CVE-2025-22225	vmware	esxi	50	8.2
CVE-2025-22226	vmware	ESXi	44	7.1
CVE-2024-50302	Linux	Linux	39	7.8
CVE-2018-8639	Microsoft	Windows 7	22	7.8
CVE-2025-1316	Edimax	IC-7100 IP Camera	19	9.3
CVE-2023-20118	Cisco	Cisco Small Business RV Series Router Firmware	18	6.5
CVE-2024-43093	Google	Android	18	7.8
CVE-2024-4577	PHP Group	PHP	18	9.8
CVE-2022-43769	Hitachi Vantara	Pentaho Business Analytics Server	16	8.8
CVE-2017-18368	ZyXEL	p660hn-t1a_v1, p660hn-t1a_v2, 5200w-t	14	9.8
CVE-2015-2051	dlink	dir-645	14	8.1
CVE-2021-44228	Apache Software Foundation	Apache Log4j2	13	10
CVE-2018-10562	dasannetworks	gpon_router	13	9.8
CVE-2025-25012	Elastic	Kibana	13

CVE-2025-25012 has been reserved and is pending publication.

Insights from contributors

Week 11

Ranking

Vulnerability	Vendor	Product	Count	Severity
CVE-2025-24201	Apple	iOS and iPadOS	70	7.1
CVE-2025-24813	Apache Software Foundation	Apache Tomcat	38	9.2
CVE-2024-4577	PHP Group	PHP	37	9.8
CVE-2025-27363	FreeType	FreeType	32	8.1
CVE-2024-8176	Red Hat	Red Hat Enterprise Linux 6	26	7.2
CVE-2023-1234	Google	Chrome	25	4.3
CVE-2025-27636	Apache Software Foundation	Apache Camel	22	6.3
CVE-2025-24983	Microsoft	Windows 10 Version 1507	22	7.0
CVE-2025-25291	SAML-Toolkits	ruby-saml	17	9.3
CVE-2025-25292	SAML-Toolkits	ruby-saml	17	9.3
CVE-2025-21590	Juniper Networks	Junos OS	15	6.7
CVE-2017-18368	ZyXEL	p660hn-t1a_v1, p660hn-t1a_v2, 5200w-t	14	9.8
CVE-2015-2051	dlink	dir-645	14	8.8
CVE-2025-24993	Microsoft	Windows 10 Version 1809	12	7.8
CVE-2023-1389	tp-link	TP-Link Archer AX21 (AX1800)	12	8.8

Insights from contributors

Pre-authentication SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801)

Week 12

Ranking

Vulnerability	Vendor	Product	Count	Severity
CVE-2025-29927	vercel	next.js	68	9.1
CVE-2025-24813	Apache Software Foundation	Apache Tomcat	66	9.2
CVE-2025-30066	tj-actions	changed-files	51	8.6
CVE-2025-23120	Veeam	Backup and Recovery	48	9.9
CVE-2024-27564	dirk1983	mm1.ltd source code	27	5.8
CVE-2024-48248		Backup & Replication Director	22	8.6
CVE-2024-54471	NAKIVO		22	5.5
CVE-2024-9956	Google	Chrome	19	7.8
CVE-2025-24472	Fortinet	FortiOS	17	8.1
CVE-2024-4577	PHP Group	PHP	17	9.8
CVE-2025-2129		Mage AI	17	6.3
CVE-2025-0108	Palo Alto Networks	Cloud NGFW	15	8.8
CVE-2025-1316	Edimax	IC-7100 IP Camera	14	9.3
CVE-2017-18368	ZyXEL	p660hn-t1a_v1, p660hn-t1a_v2, 5200w-t	14	9.8
CVE-2015-2051	dlink	dir-645	14	8.8

Week 13

Ranking

Vulnerability	Vendor	Product	Count	Severity
CVE-2025-29927	vercel	next.js	98	9.1
CVE-2025-1974	kubernetes	ingress-nginx	81	9.8
CVE-2025-2783	Google	Chrome	70	8.3
CVE-2025-1098	kubernetes	ingress-nginx	29	8.8
CVE-2025-2857	Mozilla	Firefox	29	10
CVE-2025-24514	kubernetes	ingress-nginx	28	8.8
CVE-2025-1097	kubernetes	ingress-nginx	28	8.8
CVE-2025-22230	vmware	VMware Tools	26	7.8
CVE-2025-2825	CrushFTP	CrushFTP	23	9.8
CVE-2025-24813	Apache Software Foundation	Apache Tomcat	19	9.2
CVE-2025-26633	Microsoft	Windows 10 Version 1809	19	7.0
CVE-2025-31160	atop project	atop	18	2.9
CVE-2025-24513	kubernetes	ingress-nginx	16	4.8
CVE-2019-9874	sitecore	cms	16	9.8
CVE-2019-9875	sitecore	cms	15	8.8

Insights from contributors

Continuous exploitation

The sightings used for this analysis were mainly collected through The Shadowserver Foundation’s honeypot network.

CVE-2024-4577 - PHP Group / PHP

Total of 180 sightings from 2024-06-12 (sighting type: seen from MISP) to 2025-03-30 (sighting type: exploited from The Shadowserver Foundation).

Mentioned in the bundle People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations created on 2024-09-24.

MISP related events:

3714e52f-0f9a-5bbd-a430-7051c621dd44 (2025-03-25)
a1e796df-2ad8-4c8d-8b69-737a004e72dd (2025-02-23)
3c19819c-1dac-4ef2-bfed-be5efa7e0123 (2025-02-23)
3c19819c-1dac-4ef2-bfed-be5efa7e0123 (first sighting, 2024-06-12)

CVE-2021-44228 - Apache Software Foundation / Apache Log4j2

Total of 198 sightings from 2021-12-12 (sighting type: seen from Microsoft Blog) to 2025-03-30 (sighting type: exploited from The Shadowserver Foundation).

Mentioned in bundles:

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/