from cedric@lemmy.ml to security@lemmy.ml on 11 Jun 11:23
https://lemmy.ml/post/48586713
We are pleased to announce the release of Vulnerability-Lookup 5.1.0!
The highlight of this release is the new CNA Publication Service, which lets vulnerabilities from your local source be published to the official CVE API as part of the Coordinated Vulnerability Disclosure (CVD) process. It also brings a new exploited-CVE ratio statistic, CSAF advisories in full-text search, further UI harmonization, and important reindexing and feeder fixes.
A special thank you to Niclas Dauster for the substantial contribution behind the CNA Publication Service (#416).
What’s New
CNA Publication Service
Building on the CNA-interoperable API introduced in 5.0.0, vulnerabilities of the local source can now be published to the official CVE API (cveawg) as part of the Coordinated Vulnerability Disclosure process:
- users request publication of a local vulnerability,
- admins moderate the request (publish or reject) through a dedicated HTML moderation view,
- the resulting CVE-ID is mirrored back into the local database (Kvrocks).
The service is built on a new data model and web service, includes a rejection mechanism, stores per-user CNA credentials encrypted, and integrates with Vulnogram (a CNA publications link is now available directly from the editor header).
The feature is disabled by default. Enable it with cna: true in config/generic.json and configure it in config/cna.json. Note that it requires a database migration. See the CNA service documentation for the full setup and usage guide.
The CVE record pushed to MITRE’s cveawg service is the very same GCVE record created locally on the Vulnerability-Lookup instance — there is no duplication or re-entry of data. From this view, locally created advisories can be managed through their whole publication lifecycle: reserving a CVE ID, creating or updating the corresponding CVE record, and tracking the status of each request. Once published, the advisory is known under both its GCVE ID and its assigned CVE ID. Local-only vulnerabilities — GCVE entries that are not published as CVEs — remain visible alongside, so disclosure can stay entirely local or go through the CVE Program, on a per-vulnerability basis.
Exploited-CVE ratio statistics
New charts and API endpoints track, over time, the share of CVEs that have at least one exploitation sighting — a clearer real-world risk signal than raw vulnerability counts (#413). This metric was already put to use in our May 2026 vulnerability report.
CSAF advisories in full-text search
CSAF advisories are now wired into the full-text search read path, making them discoverable through search (#417, #420).
Website improvements
- The Vendor and Product columns in the recent vulnerabilities view now link directly to the corresponding search.
Changes
- UI refresh, continued — More pages were harmonized onto the shared card design language introduced in 5.0.0: the sightings templates, the statistics page cards, bundle cards, comment cards, and the “Evolution for the last month” section.
- Vulnogram — Added a CNA publications link to the editor header; the Recent vulnerabilities link now falls back to the local source.
- Templates — Vulnerability/CVE identifiers are now displayed in uppercase across the templates and the CNA publications view.
- Documentation — Fixed the path to
dumps/and various CHANGELOG cleanups. - Dependencies — Updated Python dependencies.
Fixes
- Reindexing and feeder keys — Rewrote the reindex scripts, made
index_vulnerabilities --purgelossless, guarded the nvd and gcve_vl published counters withfirst_seen, and fixed several feeder key bugs (#418, #419). - CNA Publication Service hardening — Post-merge hardening of the new service: stricter validation of cveawg responses and vulnerability identifiers, the credentials endpoint and Profile credentials link gated to admins, the CVE API key redacted from persisted request/response/error fields, Fernet key validation at startup, a unique
vuln_idconstraint at the database level, and assorted refactors. - UI — Include ADP container data in CVE 5 record views (#414); constrain user markdown images to their container.
- Vulnogram — Keep editing in update mode after creating a record.
- Website — Silenced the per-worker gevent monkey-patch warning and made cache writes resilient to broken connections.
Changelog
📂 For the full list of changes, check the GitHub release:
github.com/vulnerability-lookup/…/v5.1.0
🙏 A big thank you to all contributors and testers!
Feedback and Support
If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
github.com/vulnerability-lookup/…/issues/
Your feedback is always appreciated!
Follow Us on Fediverse/Mastodon
You can follow us on Mastodon and get real-time information about security advisories:
social.circl.lu/@vulnerability_lookup/
threaded - newest