Spyke

Posts

securityΒ·SecuritybyCedric

πŸš€ Vulnerability-Lookup 5.4.0 is out β€” and it speaks VEX!

Vulnerability-Lookup now ingests Red Hat's per-CVE CSAF VEX documents and attaches them straight to the vulnerabilities you're already tracking. Which products are affected? Which are fixed? Which were never affected at all? One glance at the new VEX tab β€” or the EPSS-style VEX badge right in the vulnerability header β€” and you know.

No more digging through vendor advisories to answer "does this CVE actually matter to us?" πŸ”Ž

Also in this release:

βœ… New /api/vex endpoints β€” VEX data, fully machine-readable πŸ” Per-user enable/disable of CNA publication, with a dedicated admin overview πŸ“¬ Admin overview for KEV catalog e-mail subscriptions + richer digest e-mails (entry titles, affected vendors & products) πŸ› οΈ A batch of feeder robustness fixes β€” no more full re-imports or notification storms after a partial download failure

Vulnerability-Lookup is open source, and you can run your own instance today (https://www.vulnerability-lookup.org/documentation/installation.html).

πŸ‘‰ Release post: https://www.vulnerability-lookup.org/2026/07/10/vulnerability-lookup-5-4-0/

⭐ GitHub: https://github.com/vulnerability-lookup/vulnerability-lookup

Feel free to create an account on the instance operated by CIRCL: πŸ‘‰ https://vulnerability.circl.lu/user/signup

πŸ“š References

Source code: https://github.com/vulnerability-lookup/vulnerability-lookup

Examples:

πŸ’ΆπŸ‡ͺπŸ‡Ί Funding

Vulnerability-Lookup is co-funded by CIRCL and by the European Union through the #NGSOTI project.

More information from the Restena Foundation: https://www.restena.lu/en/project/ngsoti

#VulnerabilityManagement #VEX #CSAF #CVE #OpenSource #CyberSecurity #ThreatIntelligence

View original on lemmy.ml
5
securityΒ·SecuritybyCedric

Stegano 2.5.0: reversible data hiding technique based on histogram shifting

Stegano 2.5.0 is out! πŸŽ‰

This release adds a reversible data hiding technique based on histogram shifting (Ni et al., IEEE TCSVT 2006): unlike LSB, the original cover image can be recovered pixel-for-pixel after the hidden message is extracted. Includes a new stegano-rdh command line tool.

Thanks to Eesh Saxena for the contribution!

https://github.com/cedricbonhomme/Stegano/releases/tag/v2.5.0

View original on lemmy.ml
4
securityΒ·SecuritybyCedric

Vulnerability-Lookup 5.3.0 released

We are pleased to announce the release of Vulnerability-Lookup 5.3.0!

This release brings email subscriptions to KEV catalogs, letting you receive batched digests whenever new exploited vulnerabilities are added to a catalog you follow. Search gained the long-requested ability to filter and sort by CVSS base score, two new feeder families join the platform β€” the AVID (AI Vulnerability Database) feeder and a set of new CSAF vendor feeders β€” and the KEV catalogs page gained a whole suite of coverage visualisations. On the account side, 2FA recovery codes make account recovery safer.

What's New

Email subscriptions to KEV catalogs

You can now subscribe to any KEV catalog and receive batched email digests when new entries are added. Subscriber counts are surfaced on the catalogs page, and the notifications page was modernized onto the shared card design language (#457).

Filter and sort by CVSS base score

The search now supports filtering and sorting vulnerabilities by CVSS base score β€” including CVSS-only searches that need no vendor, product or assigner. The recent vulnerabilities page gained a quick-filter accordion above the table, and the search form now preselects the CVE Program source by default (#454).

New feeders: AVID and more CSAF vendors

A new feeder for the AVID (AI Vulnerability Database) brings AI-specific vulnerability advisories into the platform, with a dedicated advisory view, product search wiring and source registration. Contributed by @thunderstornX in #442.

We also added new CSAF feeders for the vendors whose public feeds actually deliver documents β€” audited from a much larger candidate list β€” wired into the web interface and README. Along the way: CERT@VDE trusted-provider metadata URLs were fixed for 12 vendors, the TuxCare feeder now points at its published provider metadata, Palo Alto advisory ids were namespaced so they no longer overwrite canonical CVE records, and the csaf_trend feeder was renamed to csaf_trendmicro (#448).

KEV catalog coverage visualisations

Building on the catalog coverage matrix introduced in 5.2.0, the KEV catalogs page gained a set of coverage visualisations:

  • A coverage timeline chart with a blind-spots gap finder.
  • Cross-catalog vulnerability search.
  • Click-to-filter on the UpSet plot columns, plus a mean lead-time and same-day caption.
  • First-listed/last-updated sort toggles on the coverage table and catalog pages.
  • Catalog licence badges, and vendor/product shown in the coverage table.

2FA recovery codes

Accounts protected with two-factor authentication can now generate recovery codes for account recovery, and the profile page was restructured into themed cards (#435).

Favorite feed

Users can pick a favorite feed used as the default source on the recent vulnerabilities page, and toggle it directly from that page.

Readable RSS/Atom feeds

RSS/Atom feeds now render as readable pages when opened in a browser: server-side rendering via content negotiation, KEV Atom content emitted as XHTML, and the XSL stylesheet made XSLT 1.0 compatible and served as application/xslt+xml so Chromium-based browsers apply it.

API improvements

  • Enrichment flags on the bulk vulnerability endpoint.
  • CORS headers on /api endpoints for browser-based access.
  • KEV entries resolvable by (origin_uuid, vulnId) for PUT/DELETE.

Other new features

  • Sightings β€” Accept more vulnerability identifier patterns: CVE-UNASSIGNED, OpenVAS, SSV, Exploit-DB (EDB) and China National Vulnerability Database (CNVD).
  • Performance β€” pg_trgm GIN indexes for sighting source/vulnerability search, with the author lookup split into a UNION leg so the indexes actually apply. Contributed by @DevamShah in #431 (#440).
  • UI β€” Filtering, sorting and search on the CNA publications and vulnerability disclosures lists.

Changes

  • EUVD β€” Added the EUVD ID data model and Kvrocks key conventions. Contributed by @archakisn in #452.
  • UI β€” Continued the UI refresh: the About and About-this-instance pages, a soft azure underglow on the home hero signal line, Choices.js widgets themed with the design tokens, and a themed vendor autocomplete for the navbar search.
  • Templates β€” Recent vulnerabilities page polish: a shortcut button to the local instance source, a link to the current source's recent vulnerabilities in the generic CSAF view, and vulnerability identifiers displayed in uppercase in the disclosures list.
  • Configuration β€” Added unicode icons to the source names in SOURCES_TO_SHOW.
  • Documentation β€” Improved the README, added documentation for running a minimal publication instance (#456), and documented the KEV catalog email subscriptions.
  • Dependencies β€” Updated Python dependencies and bumped the pinned GitHub Actions.

Fixes

  • API β€” GET /api/vulnerability/recent without a source again returns the most recent entries across all sources (the global index), consistent with /api/vulnerability/last and with the documented behavior. Since 3.0.0 (February 2026) it silently defaulted to the cvelistv5 source only; clients that came to rely on that must now pass source=cvelistv5 explicitly.
  • Search β€” A vendor-only search now spans all sources instead of only cvelistv5, and a known-vendor query takes precedence over the linked-vulnerabilities fallback (#432).
  • Notifications β€” Widened the notification query window and deduplicated already-sent notifications, so entries indexed with a source-side lastModified older than the wall-clock window are no longer silently skipped; the nvd source is now included and results are deduplicated across sources (#449).
  • API β€” KEV endpoint hardening: BCP-07 conformant output, a unique tiebreaker in the list ordering so pagination no longer yields duplicate entries on tie-heavy sorts, unhandled 500 responses marked as no-store, and PUT now only moves first_seen_at/asserted_at backwards (#453).
  • API β€” Sighting creation timestamps are set server-side, ILIKE wildcards are escaped in search filters, and the updated date sort uses the correct index key.
  • Statistics β€” Current-year charts stop at the current month, bogus delta labels for unfinished months are suppressed (#433), and the selected multi-year window is preserved when switching sources (#436).
  • Feeds β€” Aligned the recent feed sort order and timestamps with the /recent page (#443).
  • KEV β€” UpSet plot rendering: widened the set-label gutter so long catalog names fit, reserved a numeric lane so totals are not clipped, and clarified the total vs exact-slice reading of the plot.
  • UI β€” Stripped global-chrome bleed from the vulnogram editor and corrected its dialog button layout; aligned navbar link tooltips with their labels; showed the public Vulnerability Disclosures link to logged-in users; made vulnerability IDs clickable in the admin disclosures view (#438).
  • Users β€” Avoided an N+1 query in the user directory and made the DB pool resilient.
  • Docker β€” Read the PostgreSQL URI from website.py to avoid importing psycopg2.

Changelog

πŸ“‚ For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v5.3.0

πŸ™ A big thank you to all contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

https://www.vulnerability-lookup.org/2026/07/07/vulnerability-lookup-5-3-0/Open linkView original on lemmy.ml
3
securityΒ·SecuritybyCedric

Vulnerability Report - June 2026

Introduction

This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform's community.

It highlights the most frequently sighted vulnerabilities for June 2026, based on data aggregated from Vulnerability-Lookup, the CISA Known Exploited Vulnerabilities catalog, the CIRCL KEV catalog, the ENISA EUVD feed, honeypot observations from The Shadowserver Foundation, and contributor comments and bundles. Sightings come from MISP, Exploit-DB, Bluesky, Mastodon, Telegram, GitHub Gists, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

New in this report: the Shadowserver KEV catalog, built from honeypot-observed exploitation attempts, makes its first appearance in our monthly reports. A big thank you to The Shadowserver Foundation for making this data available to the community.

June's threat landscape was dominated by actively exploited flaws in enterprise infrastructure: remote-access and management software, network appliances, and identity-adjacent services. Nine of the ten most sighted vulnerabilities of the month are listed in the CISA KEV catalog (eight of them added during June), a strong signal that sighting activity closely tracked in-the-wild exploitation.

The Month at a Glance

7,454 CVEs were published in June 2026 (from the CVE List v5 source alone), up from 6,953 in May -- a 14.5% month-over-month increase and the highest monthly volume of the year so far. On top of that, Vulnerability-Lookup ingested 7,315 GitHub security advisories and 745 PySec advisories over the same period.

Vulnerability-Lookup collected 27,251 sightings during June 2026, including 18,123 "seen" observations, 8,542 exploitation-related sightings, and 71 "confirmed" sightings (mostly newly published Nuclei detection templates). No "patched" or "proof of concept" type sightings were recorded this month. Across the monitored KEV catalogs, 23 entries were added by CISA, 4 by CIRCL, 1 was reported through the ENISA / EU CSIRTs Network feed, and 6 new vulnerabilities appeared in The Shadowserver Foundation's honeypot-observed exploitation feed.

The most sighted vulnerability of the month was CVE-2026-35273, a missing-authentication flaw in Oracle PeopleSoft Enterprise PeopleTools (Updates Environment Management), added to the CISA KEV catalog on June 12 with known ransomware campaign use -- the only entry of the month with that flag.

Cisco had a particularly rough month, with three KEV-listed issues: an unauthenticated SSRF in Unified Communications Manager (CVE-2026-20230), a privilege escalation in Catalyst SD-WAN Controller (CVE-2026-20245) and a path traversal in Catalyst SD-WAN Manager (CVE-2026-20262) -- the SD-WAN line remaining a target for the second month in a row after May's Emergency-Directive flaw. Remote-access and remote-management tooling was the other clear cluster: unauthenticated root-level command injection in Ivanti Sentry (CVE-2026-10520, also observed against Shadowserver honeypots), an OIDC authentication bypass in SimpleHelp (CVE-2026-48558), an IKEv1 authentication bypass in Check Point Security Gateway (CVE-2026-50751, confirmed exploited by Check Point), and a pre-authentication RCE in BeyondTrust Remote Support / Privileged Remote Access (CVE-2026-1731) reported by NCSC-FI through the ENISA CNW feed.

Other notable KEV additions include a trio of Ubiquiti UniFi OS flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) added the same day, an unauthenticated arbitrary file creation/truncation in Splunk Enterprise via a PostgreSQL sidecar endpoint (CVE-2026-20253), and -- for the second month running -- an AI-stack entry, with a command injection in BerriAI LiteLLM (CVE-2026-42271) following May's LiteLLM SQL injection. On the client side, both Google Chrome (V8) (CVE-2026-11645) and Android Framework (CVE-2025-48595) were KEV-listed and appeared in the top 10. The high-sighting Windows Netlogon stack-based buffer overflow (CVE-2026-41089) rounded out the picture, and CISA also re-anchored legacy issues -- the Linux kernel cgroups v1 container-escape CVE-2022-0492 and Oracle WebLogic CVE-2024-21182 -- while Shadowserver honeypots still registered attacks against the 2017 HP iLO 4 authentication bypass (CVE-2017-12542).

Across the month's KEV additions, the dominant weakness patterns were missing authentication for critical functions (CWE-306: PeopleSoft, Splunk), authentication bypass and improper authentication (CWE-287/CWE-294: SimpleHelp, Check Point, PAN-OS GlobalProtect), OS command and code injection (CWE-77/78/94: Ivanti Sentry, Lantronix EDS5000, LiteLLM), path traversal (CWE-22: Ubiquiti UniFi OS, Cisco SD-WAN Manager, FortiSandbox), server-side request forgery (CWE-918: Cisco Unified CM), and memory corruption in widely deployed client software (CWE-787/CWE-190: Windows Netlogon, Chrome V8, Android Framework). In overall published volume, cross-site scripting (CWE-79) and SQL injection (CWE-89) once again topped the monthly CWE ranking (see the Top 10 Weaknesses chart below).

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 Vulnerabilities of the Month

VulnerabilitySighting CountVendorProductVLAI Severity
CVE-2026-35273192OraclePeopleSoft Enterprise PeopleToolsCritical (confidence: 0.9967)
CVE-2026-20245183CiscoCatalyst SD-WAN ControllerHigh (confidence: 0.9894)
CVE-2026-50751139Check PointQuantum Security GatewayCritical (confidence: 0.7947)
CVE-2026-20230138CiscoUnified Communications ManagerHigh (confidence: 0.6151)
CVE-2026-0257125Palo Alto NetworksPAN-OS (GlobalProtect)Medium (confidence: 0.9371)
CVE-2026-20253119SplunkSplunk EnterpriseCritical (confidence: 0.9624)
CVE-2026-41089101MicrosoftWindows (Netlogon)Critical (confidence: 0.9326)
CVE-2026-10520100IvantiSentryCritical (confidence: 0.9849)
CVE-2025-4859597GoogleAndroid (Framework)High (confidence: 0.9277)
CVE-2026-1164591GoogleChrome (V8)High (confidence: 0.9938)

Known Exploited Vulnerabilities

New entries have been added to the major Known Exploited Vulnerabilities catalogs during June.

Catalog coverage

30 distinct vulnerabilities entered at least one of the tracked KEV catalogs during June. The matrix below shows, for each of them, which catalogs cover it (as of publication) -- built with the new KEV catalog coverage feature of Vulnerability-Lookup. The KEVIntel catalog, the highest-volume of the tracked feeds with 335 new entries in June alone, covers 28 of the 30; conversely, two entries (HP iLO 4 and the MeiG router) are visible only through Shadowserver's honeypots, and the Ivanti Sentry command injection is the only vulnerability of the month present in four catalogs at once.

VulnerabilityFirst addedCISACIRCLENISAKEVIntelShadowserver
CVE-2017-125422026-06-30βœ“
CVE-2026-485582026-06-29βœ“βœ“
CVE-2026-202302026-06-25βœ“βœ“
CVE-2026-125692026-06-25βœ“βœ“
CVE-2026-349102026-06-23βœ“βœ“
CVE-2026-349092026-06-23βœ“βœ“
CVE-2026-349082026-06-23βœ“βœ“
CVE-2025-670382026-06-23βœ“βœ“
CVE-2026-398132026-06-22βœ“βœ“
CVE-2026-363562026-06-21βœ“
CVE-2026-202532026-06-18βœ“βœ“
CVE-2026-489072026-06-16βœ“βœ“
CVE-2026-544202026-06-15βœ“βœ“
CVE-2026-202622026-06-15βœ“βœ“
CVE-2026-352732026-06-12βœ“βœ“
CVE-2026-105202026-06-10βœ“βœ“βœ“βœ“
CVE-2026-74732026-06-09βœ“βœ“
CVE-2026-202452026-06-09βœ“βœ“βœ“
CVE-2026-116452026-06-09βœ“βœ“
CVE-2026-507512026-06-08βœ“βœ“βœ“
CVE-2026-422712026-06-08βœ“βœ“
CVE-2026-244232026-06-08βœ“βœ“βœ“
CVE-2024-85222026-06-08βœ“βœ“
CVE-2025-340332026-06-07βœ“βœ“
CVE-2026-283182026-06-05βœ“βœ“
CVE-2026-17312026-06-04βœ“βœ“βœ“
CVE-2026-452472026-06-03βœ“βœ“
CVE-2025-485952026-06-02βœ“βœ“
CVE-2022-04922026-06-02βœ“βœ“
CVE-2024-211822026-06-01βœ“βœ“

CISA

The CISA KEV catalog added 23 entries in June. The Oracle PeopleSoft entry is flagged with known ransomware campaign use.

CVE IDDate AddedVendorProductVLAI Severity
CVE-2026-485582026-06-29SimpleHelpSimpleHelpCritical (confidence: 0.9723)
CVE-2026-125692026-06-25PTCWindchill and FlexPLMCritical (confidence: 0.9946)
CVE-2026-202302026-06-25CiscoUnified Communications ManagerHigh (confidence: 0.6151)
CVE-2025-670382026-06-23LantronixEDS5000Critical (confidence: 0.9956)
CVE-2026-349082026-06-23UbiquitiUniFi OSCritical (confidence: 0.9784)
CVE-2026-349092026-06-23UbiquitiUniFi OSCritical (confidence: 0.9783)
CVE-2026-349102026-06-23UbiquitiUniFi OSCritical (confidence: 0.9642)
CVE-2026-202532026-06-18SplunkSplunk EnterpriseCritical (confidence: 0.9624)
CVE-2026-489072026-06-16Widget FactoryJoomla Content Editor (JCE)Critical (confidence: 0.993)
CVE-2026-544202026-06-15LiteSpeedcPanel PluginHigh (confidence: 0.9896)
CVE-2026-202622026-06-15CiscoCatalyst SD-WAN ManagerMedium (confidence: 0.7478)
CVE-2026-352732026-06-12OraclePeopleSoft Enterprise PeopleToolsCritical (confidence: 0.9967)
CVE-2026-105202026-06-11IvantiSentryCritical (confidence: 0.9849)
CVE-2026-202452026-06-09CiscoCatalyst SD-WAN ControllerHigh (confidence: 0.9894)
CVE-2026-74732026-06-09AristaExtensible Operating System (EOS)Medium (confidence: 0.5082)
CVE-2026-116452026-06-09GoogleChromium V8High (confidence: 0.9938)
CVE-2026-422712026-06-08BerriAILiteLLMHigh (confidence: 0.6121)
CVE-2026-507512026-06-08Check PointSecurity GatewayCritical (confidence: 0.7947)
CVE-2026-283182026-06-05SolarWindsServ-UHigh (confidence: 0.9813)
CVE-2026-452472026-06-03MirasvitFull Page Cache Warmer (Magento 2)Critical (confidence: 0.9944)
CVE-2025-485952026-06-02GoogleAndroid FrameworkHigh (confidence: 0.9277)
CVE-2022-04922026-06-02LinuxKernel (cgroups v1)High (confidence: 0.9381)
CVE-2024-211822026-06-01OracleWebLogic ServerHigh (confidence: 0.9972)

More KEV entries from the CISA Catalog.

CIRCL

The CIRCL KEV catalog added 4 entries during June. The Check Point IKEv1 authentication bypass was confirmed on the basis of Check Point's own report of active exploitation in the wild; the Cisco SD-WAN and Ivanti Sentry entries are marked as suspected exploitation.

CVE IDDate AddedVendorProductVLAI Severity
CVE-2026-202452026-06-25CiscoCatalyst SD-WAN ControllerHigh (confidence: 0.9894)
CVE-2026-398132026-06-22FortinetFortiSandboxCritical (confidence: 0.8265)
CVE-2026-105202026-06-12IvantiSentryCritical (confidence: 0.9849)
CVE-2026-507512026-06-08Check PointQuantum Security GatewayCritical (confidence: 0.7947)

More KEV entries from the CIRCL Catalog.

ENISA (EUVD)

A single new entry was reported through the ENISA / EU CSIRTs Network (CNW) KEV feed during June: a critical pre-authentication remote code execution in BeyondTrust Remote Support and Privileged Remote Access, reported by NCSC-FI.

CVE IDDate ReportedVendorProductVLAI Severity
CVE-2026-17312026-06-04BeyondTrustRemote Support (RS) / Privileged Remote Access (PRA)Critical (confidence: 0.9813)

More KEV entries from the ENISA Catalog.

The Shadowserver Foundation

The Shadowserver KEV catalog is fed by honeypot-observed exploitation attempts. 6 vulnerabilities were observed for the first time during June, two of which are also in the CISA KEV catalog. Notably, the 2017 HP iLO 4 authentication bypass was still drawing attack traffic at the very end of the month.

CVE IDFirst SeenVendorProductSeverity (Shadowserver)
CVE-2017-125422026-06-30HPHP iLO 4Critical (CVSS 10.0)
CVE-2026-363562026-06-21MeiGSmart FORGE_SLT711Critical (CVSS 9.1)
CVE-2026-105202026-06-10IvantiSentryCritical (CVSS 10.0)
CVE-2026-244232026-06-08SmarterToolsSmarterMailCritical (CVSS 9.8)
CVE-2024-85222026-06-08WordPressLearnPress pluginHigh (CVSS 7.5)
CVE-2025-340332026-06-075VTechnologiesBlue Angel Software Suite--

More KEV entries from the Shadowserver Catalog.

Top 10 Weaknesses of the Month

Insights from Contributors

Community contributions in June ranged from data-quality improvements to supply-chain research:

Contributors also curated vendor advisories into bundles during June:

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL's contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release

View original on lemmy.ml
5
securityΒ·SecuritybyCedric

A new KEV Catalog built from real-world exploitation data !

We are excited to share the result of a fruitful collaboration with The Shadowserver Foundation: a new Known Exploited Vulnerabilities (KEV) Catalog (BCP-07 compliant) built directly from their global honeypot telemetry.

Most KEV catalogs tell you what is being exploited. This one is grounded in observed exploitation attempts captured across Shadowserver's worldwide honeypot sensor network. When a vulnerability is exploited against one of their honeypots, it becomes an attributable, structured GCVE-EU BCP-07 KEV assertion, complete with evidence typing (honeypot), exploitation signals (in_the_wild_attempts), and timestamps indicating when exploitation was first and last observed.

A huge thank-you to the Shadowserver team, and especially to Piotr Kijewski, for their support and collaboration.

A new KEV Catalog built from real-world exploitation data !https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/?sort=first_seen&catalog_uuid=c8fb6bf1-f81f-4cb8-95b1-eadbb3b54ee8Open linkView original on lemmy.ml
6
securityΒ·SecuritybyCedric

πŸ”₯ New in Vulnerability-Lookup: KEV Catalog Coverage!

Vulnerability-Lookup now provides a coverage matrix on its KEV catalogs page, showing which Known Exploited Vulnerability catalogs (e.g. EUVD KEV, CISA KEV, CIRCL KEV) reference the most recently updated vulnerabilities. Each row corresponds to a vulnerability and each column to a catalog, making it straightforward to identify overlaps and gaps between KEV sources. All catalogs follow the GCVE-BCP-07 standard for documenting actively exploited vulnerabilities.

The coverage matrix is available at:

https://vulnerability.circl.lu/kev-catalogs

If a Vulnerability-Lookup instance is pulling more KEV catalogs, more columns will be automatically shown in the table.

View original on lemmy.ml
2
securityΒ·SecuritybyCedric

Vulnerability-Lookup 5.1.0

We are pleased to announce the release of Vulnerability-Lookup 5.1.0!

The highlight of this release is the new CNA Publication Service, which lets vulnerabilities from your local source be published to the official CVE API as part of the Coordinated Vulnerability Disclosure (CVD) process. It also brings a new exploited-CVE ratio statistic, CSAF advisories in full-text search, further UI harmonization, and important reindexing and feeder fixes.

A special thank you to Niclas Dauster for the substantial contribution behind the CNA Publication Service (#416).

What's New

CNA Publication Service

Building on the CNA-interoperable API introduced in 5.0.0, vulnerabilities of the local source can now be published to the official CVE API (cveawg) as part of the Coordinated Vulnerability Disclosure process:

  • users request publication of a local vulnerability,
  • admins moderate the request (publish or reject) through a dedicated HTML moderation view,
  • the resulting CVE-ID is mirrored back into the local database (Kvrocks).

The service is built on a new data model and web service, includes a rejection mechanism, stores per-user CNA credentials encrypted, and integrates with Vulnogram (a CNA publications link is now available directly from the editor header).

The feature is disabled by default. Enable it with cna: true in config/generic.json and configure it in config/cna.json. Note that it requires a database migration. See the CNA service documentation for the full setup and usage guide.

The CVE record pushed to MITRE's cveawg service is the very same GCVE record created locally on the Vulnerability-Lookup instance β€” there is no duplication or re-entry of data. From this view, locally created advisories can be managed through their whole publication lifecycle: reserving a CVE ID, creating or updating the corresponding CVE record, and tracking the status of each request. Once published, the advisory is known under both its GCVE ID and its assigned CVE ID. Local-only vulnerabilities β€” GCVE entries that are not published as CVEs β€” remain visible alongside, so disclosure can stay entirely local or go through the CVE Program, on a per-vulnerability basis.

Exploited-CVE ratio statistics

New charts and API endpoints track, over time, the share of CVEs that have at least one exploitation sighting β€” a clearer real-world risk signal than raw vulnerability counts (#413). This metric was already put to use in our May 2026 vulnerability report.

CSAF advisories in full-text search

CSAF advisories are now wired into the full-text search read path, making them discoverable through search (#417, #420).

Website improvements

  • The Vendor and Product columns in the recent vulnerabilities view now link directly to the corresponding search.

Changes

  • UI refresh, continued β€” More pages were harmonized onto the shared card design language introduced in 5.0.0: the sightings templates, the statistics page cards, bundle cards, comment cards, and the "Evolution for the last month" section.
  • Vulnogram β€” Added a CNA publications link to the editor header; the Recent vulnerabilities link now falls back to the local source.
  • Templates β€” Vulnerability/CVE identifiers are now displayed in uppercase across the templates and the CNA publications view.
  • Documentation β€” Fixed the path to dumps/ and various CHANGELOG cleanups.
  • Dependencies β€” Updated Python dependencies.

Fixes

  • Reindexing and feeder keys β€” Rewrote the reindex scripts, made index_vulnerabilities --purge lossless, guarded the nvd and gcve_vl published counters with first_seen, and fixed several feeder key bugs (#418, #419).
  • CNA Publication Service hardening β€” Post-merge hardening of the new service: stricter validation of cveawg responses and vulnerability identifiers, the credentials endpoint and Profile credentials link gated to admins, the CVE API key redacted from persisted request/response/error fields, Fernet key validation at startup, a unique vuln_id constraint at the database level, and assorted refactors.
  • UI β€” Include ADP container data in CVE 5 record views (#414); constrain user markdown images to their container.
  • Vulnogram β€” Keep editing in update mode after creating a record.
  • Website β€” Silenced the per-worker gevent monkey-patch warning and made cache writes resilient to broken connections.

Changelog

πŸ“‚ For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v5.1.0

πŸ™ A big thank you to all contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

https://www.vulnerability-lookup.org/2026/06/11/vulnerability-lookup-5-1-0/Open linkView original on lemmy.ml
3
securityΒ·SecuritybyCedric

Vulnerability-Lookup 5.0.0 released

We are thrilled to announce the release of Vulnerability-Lookup 5.0.0!

This major release centers on a new CNA-compliant API for managing the vulnerabilities of your local source, together with deep Vulnogram integration, a continued UI refresh, and a long list of stability and correctness fixes.

A special thank you to Niclas Dauster for the substantial contribution behind the new CNA-interoperable API (#398).

What's New

CNA- and GNA-Compatible Vulnerability Management

Vulnerabilities in your local instance can now be managed in a CNA-interoperable way through a dedicated API.

It streamlines Coordinated Vulnerability Disclosure (CVD) through a built-in Vulnogram integration compatible with both CVE 5.2 and GCVE-BCP-05, allowing CNAs and GNAs to publish advisories and synchronize with other instances regardless of the identifier format used.

The new API endpoint is partially interoperable with existing CNA endpoints from the CVE program, building on its solid foundation to enable a compatible and unified system for publishing vulnerability information. The API may be refined in upcoming releases based on feedback from adopters. We firmly believe that interoperable, reusable open-source components are key to preventing fragmentation in the vulnerability ecosystem.

We also welcome other vulnerability publication programs to extend this API to support their specific use cases or new models that could further improve automation in vulnerability handling.

Vulnogram integration

Vulnogram now drives ID reservation within vulnerability-lookup directly and vulnerability data management directly through the new CNA-interoperable API:

  • a dialog to view and reserve identifiers,
  • range-document creation,
  • state filtering,
  • reject and delete actions,
  • reserved IDs inserted directly into the form.

Configurable identifier allocation

You can now configure GCVE identifier allocation ranges for reservation. A bin script is also provided to migrate existing data to the new GNA ID format.

Website improvements

  • A new /kev-catalogs view listing all KEV catalogs.
  • Recent sightings are now rendered inside a dedicated home page tab.
  • Related vulnerabilities on the CWE detail page are now paginated (#406).

API

  • IPs/CIDRs can now be allowlisted to exempt them from the /api read rate limits.

Changes

  • UI refresh β€” We introduced a shared card design language (rounded cards, soft hover, brand-tinted leading icon badges) and applied it across the About, home, /recent and vulnerability pages. The About page gains a hero banner, feature highlights and live stats; the source dropdown on the recent vulnerabilities page was improved; popover triggers on vulnerability views were harmonized; and the sightings correlations tabs were reorganized. More UI improvements will come in future releases.
  • Production reference architecture β€” The documentation now includes a production reference architecture (HAProxy, Varnish, CDN, dumps and configuration examples).

Fixes

It also addresses a number of other issues:

  • UI β€” Preserve the VLAI popover header when refreshing content; align right-side navbar dropdowns to prevent overflow.
  • Website β€” Make Choices.js search inputs readable in the dark theme; repopulate the product list when the vendor changes on the search page; propagate config DEBUG=True to the FLASK_DEBUG environment variable.
  • Core β€” Add a timeout to graceful shutdown to prevent an infinite loop (#409).
  • API β€” Correct the per_page range check across the remaining endpoints, including rulezet and user (#411).
  • Docker β€” Use the kvrocks container name in .env.sample (#407).
  • Typing β€” Assorted mypy/typing fixes and Python 3.11 f-string compatibility.

Migration Notes

A bin script is provided to migrate existing local-source data to the new GNA ID format.

Changelog

πŸ“‚ For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v5.0.0

πŸ™ A big thank you to all contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

https://www.vulnerability-lookup.org/2026/05/29/vulnerability-lookup-5-0-0/Open linkView original on lemmy.ml
3
securityΒ·SecuritybyCedric

Vulnerability-Lookup 4.6.0

We are excited to announce the release of Vulnerability-Lookup 4.6.0!
This version brings more transparency, new data sources, API improvements, notable UI enhancements, and several performance and stability fixes.

What's New

VLAI model transparency

The VLAI badge popover now surfaces the exact model name and revision used for a given analysis, with direct links to the HuggingFace model card and the revision commit. This is particularly useful as we regularly update our AI models and publish new versions on HuggingFace, making it easy to track exactly which model version produced a given result.

Moksha feeder

A new feeder for Moksha has been added, mirroring the indexing pattern used by the cvelistv5 source. Because Moksha is accessible over Tor, the feeder requires a local Tor instance and is disabled by default.

KEV catalog on the homepage and search results

The latest entries from CISA's Known Exploited Vulnerabilities (KEV) catalog are now displayed directly on the homepage. KEV catalog badges also appear on the search results page, giving you an immediate signal when a vulnerability is actively exploited in the wild.

Improved CSAF advisory display

CSAF advisories now show a structured per-status product table derived from the product_tree, and the /recent page loads only the selected source with its own pagination β€” making it faster to browse recent activity.

API additions

  • A new with_meta parameter on the vulnerabilities list endpoint lets consumers fetch enriched metadata in a single call.
  • Optional, tier-aware rate limits can now be applied to vulnerability read endpoints.
  • A machine-readable access policy endpoint is available for automated consumers.

Changes

  • Performance improvements β€” Hot read endpoints are now cached with a Redis backend, full-text index writes are batched, and homepage sighting statistics are computed via a dedicated aggregated endpoint. These changes significantly reduce load under traffic spikes.
  • Homepage and template updates β€” The home page displays more information at a glance; the sources list on the About page is now in a collapsible accordion; Moksha is available in the /recent source menu.
  • ML-Gateway β€” The gateway response now includes the model name and revision, which are forwarded by the API (project page).
  • Dependencies β€” Python dependencies have been updated.

Fixes

This release includes a number of stability and correctness fixes: rate-limiter accuracy improvements (correct client IP resolution, dedicated Redis backend), Flask-Caching Redis pool reliability under gunicorn/gevent, EPSS badges on search results, timezone-aware timestamps for comments and bundles, restricted comment editing to authorized users only, and several minor UI and template corrections.

Changelog

πŸ“‚ For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v4.6.0

πŸ™ A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/

https://www.vulnerability-lookup.org/2026/05/21/vulnerability-lookup-4-6-0/Open linkView original on lemmy.ml
4
securityΒ·SecuritybyCedric

Vulnerability Report - April 2026

Introduction

This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform's community.

It highlights the most frequently mentioned vulnerabilities for April 2026, based on data aggregated from Vulnerability-Lookup, the CISA Known Exploited Vulnerabilities catalog, the CIRCL KEV catalog, the ENISA EUVD feed, and contributor comments and bundles. Sightings come from MISP, Exploit-DB, Bluesky, Mastodon, Telegram, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

April 2026 was dominated by a Linux kernel crypto subsystem flaw, CVE-2026-31431 ("Copy Fail"), an algif_aead in-place operation regression that drew 279 sightings -- by far the highest activity of the month. Local privilege escalation against shared multi-user Linux hosts and container infrastructure (including Microsoft WSL) was confirmed in the wild, and CISA added the entry to its KEV catalog on May 1.

Edge-security appliances and developer tooling shaped the rest of the top ranking. Fortinet FortiClient EMS (improper access control, CVSS 9.1) was added to both the CISA and CIRCL KEV catalogs on April 6, and a related FortiClient EMS SQLi -- CVE-2026-21643 -- was KEV-listed on April 13. Adobe Acrobat Reader prototype-pollution CVE-2026-34621 and GitHub Enterprise Server git-push option injection CVE-2026-3854 both crossed 140 sightings, while Apache ActiveMQ CVE-2026-34197 (Jolokia/Spring code injection) followed closely.

A burst of "AI-stack" exposure also marked the month: marimo (pre-auth RCE via an unauthenticated terminal WebSocket) was added to KEV on April 23, and Meta React Server Components CVE-2025-55182 (KEV since December 2025, known ransomware use) continued to rack up sightings as scanning persisted.

The end of the month brought a critical hosting-stack incident: WebPros cPanel & WHM CVE-2026-41940, an authentication bypass in the login flow (CVSS 9.8), was disclosed on April 28-29 and added to CISA KEV on April 30 with a 3-day remediation deadline.

The CISA Known Exploited Vulnerabilities catalog added 30 entries during April. Highlights:

CISA also re-anchored attention on long-standing exploited issues -- ConnectWise ScreenConnect (CVE-2024-1708), SimpleHelp (CVE-2024-57726, CVE-2024-57728), Samsung MagicINFO (CVE-2024-7399), JetBrains TeamCity (CVE-2024-27199), PaperCut NG (CVE-2023-27351), Microsoft Exchange (CVE-2023-21529) and even legacy Microsoft Office issues from 2009/2012 (CVE-2009-0238, CVE-2012-1854).

The CIRCL Known Exploited Vulnerabilities catalog added one entry: CVE-2026-35616 (Fortinet FortiClient EMS), confirmed via incident-response evidence. The ENISA EUVD KEV catalog had no new entries in April.

Contributor activity in April focused on operational mitigations for the Linux kernel "Copy Fail" issue, with practical SELinux, systemd RestrictAddressFamilies, and initcall_blacklist recipes shared by community members.

Top 10 vulnerabilities of the Month

VulnerabilitySighting CountVendorProductVLAI Severity
CVE-2026-31431279LinuxKernel (algif_aead)High (confidence: 0.9482)
CVE-2026-34621147AdobeAcrobat ReaderHigh (confidence: 0.997)
CVE-2026-35616142FortinetFortiClient EMSCritical (confidence: 0.9572)
CVE-2026-3854142GitHubEnterprise ServerCritical (confidence: 0.8704)
CVE-2026-34197138ApacheActiveMQCritical (confidence: 0.6661)
CVE-2025-55182111MetaReact Server ComponentsCritical (confidence: 0.9934)
CVE-2026-5281104GoogleChrome (Dawn)High (confidence: 0.9874)
CVE-2026-3998796marimo-teammarimoCritical (confidence: 0.9856)
CVE-2026-4194092WebProscPanel & WHMCritical (confidence: 0.8211)
CVE-2026-3220191MicrosoftSharePoint ServerHigh (confidence: 0.5863)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE IDDate AddedVendorProductVLAI Severity
CVE-2026-322022026-04-28MicrosoftWindows ShellMedium (confidence: 0.8578)
CVE-2024-17082026-04-28ConnectWiseScreenConnectHigh (confidence: 0.6127)
CVE-2024-577262026-04-24SimpleHelpSimpleHelpHigh (confidence: 0.7288)
CVE-2024-577282026-04-24SimpleHelpSimpleHelpHigh (confidence: 0.8902)
CVE-2024-73992026-04-24SamsungMagicINFO 9 ServerCritical (confidence: 0.6987)
CVE-2025-296352026-04-24D-LinkDIR-823XHigh (confidence: 0.9867)
CVE-2026-399872026-04-23marimo-teammarimoCritical (confidence: 0.9856)
CVE-2026-338252026-04-22MicrosoftDefender Antimalware PlatformHigh (confidence: 0.9396)
CVE-2024-271992026-04-20JetBrainsTeamCityHigh (confidence: 0.785)
CVE-2025-329752026-04-20QuestKACE Systems Management ApplianceCritical (confidence: 0.8677)
CVE-2026-201282026-04-20CiscoCatalyst SD-WAN ManagerHigh (confidence: 0.5543)
CVE-2025-487002026-04-20SynacorZimbra Collaboration SuiteMedium (confidence: 0.9744)
CVE-2023-273512026-04-20PaperCutNGHigh (confidence: 0.7781)
CVE-2025-27492026-04-20KenticoXperienceHigh (confidence: 0.9762)
CVE-2026-201332026-04-20CiscoCatalyst SD-WAN ManagerHigh (confidence: 0.7295)
CVE-2026-201222026-04-20CiscoCatalyst SD-WAN ManagerMedium (confidence: 0.9478)
CVE-2026-341972026-04-16ApacheActiveMQCritical (confidence: 0.6661)
CVE-2026-322012026-04-14MicrosoftSharePoint ServerHigh (confidence: 0.5863)
CVE-2009-02382026-04-14MicrosoftOffice ExcelHigh (confidence: 0.5354)
CVE-2026-346212026-04-13AdobeAcrobat ReaderHigh (confidence: 0.997)
CVE-2026-216432026-04-13FortinetFortiClient EMSCritical (confidence: 0.9881)
CVE-2020-97152026-04-13AdobeAcrobat & ReaderHigh (confidence: 0.8726)
CVE-2023-364242026-04-13MicrosoftWindows CLFS DriverHigh (confidence: 0.9933)
CVE-2023-215292026-04-13MicrosoftExchange ServerHigh (confidence: 0.6307)
CVE-2025-607102026-04-13MicrosoftHost Process for Windows TasksHigh (confidence: 0.9957)
CVE-2012-18542026-04-13MicrosoftOffice VBE6 / VBACritical (confidence: 0.954)
CVE-2026-13402026-04-08IvantiEndpoint Manager Mobile (EPMM)Critical (confidence: 0.9867)
CVE-2026-356162026-04-06FortinetFortiClient EMSCritical (confidence: 0.9572)
CVE-2026-35022026-04-02TrueConfTrueConf ClientHigh (confidence: 0.9884)
CVE-2026-52812026-04-01GoogleChrome / DawnHigh (confidence: 0.9874)

More KEV entries from the CISA Catalog.

CIRCL

Vulnerability IDDate AddedVendorProductVLAI Severity
CVE-2026-356162026-04-06FortinetFortiClient EMSCritical (confidence: 0.9572)

More KEV entries from the CIRCL Catalog.

ENISA (EUVD)

No new entry in April.

More KEV entries from the ENISA Catalog.

Insights from Contributors

Community members focused on operational mitigations for the Linux kernel "Copy Fail" issue, sharing concrete defensive recipes:

The recurring theme across these contributions: AF_ALG / algif_aead is rarely needed by user workloads, so disabling it at the kernel, container-runtime, or systemd-unit boundary is a pragmatic mitigation while distributions roll out the corrected kernel patches.

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL's contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release

https://www.vulnerability-lookup.org/2026/05/04/vulnerability-report-april-2026/Open linkView original on lemmy.ml
2
securityΒ·SecuritybyCedric

Vulnerability-Lookup 4.4.0

We are pleased to announce the release of Vulnerability-Lookup 4.4.0!

This release introduces public disclosure list views, enhanced sightings with automatic creation and heatmap navigation controls, toggleable chart events, and configurable CVD policy alerts. It also includes numerous fixes for database stability and performance, notification reliability, and Meilisearch error handling.

The technical documentation has been revamped for greater clarity and expanded with deployment guidance for high-traffic environments, validated in our production setup handling 15,000–20,000 queries per second (public API + Web pages).

What's New

  • new: [views] Add public disclosures list view and improve disclosure detail template. ac97550
  • new: [heatmap] Add navigation and zoom controls to sightings heatmap. 57c1fb8
  • new: [sightings] Add toggleable extra events (published, reserved, KEV) to sightings charts. 1ae5cdf
  • new: [sightings] Add backfill_sightings script to create sightings from existing data. 3c036b3
  • new: [sightings] Automatically create sightings when bundles, comments, or KEV entries are created. 5676730, eb20f85, 351d538

Disclosed Vulnerabilities (CVD process)

Disclosures part of the CVD process are now listed on a dedicated page once they are disclosed (the CVD feature can be disabled in Vulnerability-Lookup). Previously, they were publicly accessible but not listed in a single view.

Comments as a sighting

Creating a comment on a vulnerability now automatically generates a sighting.

Displaying reserved and published dates in the sightings visualisations

CVE-2026-23456 was mentioned in the list of Ghost CVEs in our February Vulnerability Report. The CVE record is now available, and the visualisations show our sightings predating the publication date.

KEV entry as exploited sightings

Creating a KEV entry β€” whether directly, via synchronisation from another Vulnerability-Lookup instance, or by pulling from the CISA or ENISA catalogs β€” now automatically generates a sighting.

Zoom feature for the sightings visualisations

Changes

  • chg: [config] Make CVD policy alert messages configurable (CVD_POLICY_TITLE, CVD_POLICY_URL, CVD_POLICY_LOGIN_MESSAGE). 38a9fc8
  • chg: [views] Set disclosed_timestamp when admin transitions disclosure state to disclosed. b1265ca
  • chg: [templates] Link vulnerability ID, affected products, and CWEs in disclosure detail page. 0b57f62, c7f750e, 24512cf, 7dde7dc
  • chg: [templates] GCVE vulnerabilities show a parenthesized link to the associated CVE ID. 2944a32
  • chg: [templates] Vulnerabilities from FSTEC use the severity classification model. 9896c18
  • chg: [documentation] Convert documentation to Markdown and improvements. af2de56, ba70b69, 54d004b, 497c45a
  • chg: [dependencies] Updated Python and JavaScript dependencies. 81ea0d7, af81a41, ab94807, 7706a5c, b7cfab2

Fixes

  • fix: [views] Skip timestamp check for disclosed state in disclosures query. 88f8fe9
  • fix: [models] Handle None values in Product and Organization field validators. 3f56d34, 078eb1d
  • fix: [fulltext] Auto-purge Meilisearch tasks on no_space_left_on_device error. e7ffbfa
  • fix: [database] Fix DetachedInstanceError and idle-in-transaction timeouts. 801eefd, 9b89ce3, 028da84
  • fix: [notifications] Release DB transaction before slow email rendering/sending. 1c1a552, 913ecc1
  • fix: [tags] Sync comment tags with upstream MISP vulnerability taxonomy. 5b3d08f
  • fix: [forms] Align SignupForm login max length with database constraint. 210594a
  • fix: [bundle] Use JSONB contains operator for bundle vuln_id filter. 80c7295
  • fix: [sightings] Use KEV asserted_at date for backfilled sighting timestamp. 8c7d455

Changelog

πŸ“‚ For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v4.4.0

πŸ™ Thank you to all contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

View original on lemmy.ml
3
securityΒ·SecuritybyCedric

New multilingual severity classifiers for vulnerability analysis

πŸš€ We’ve just published a new article introducing a Russian-language severity classifier, along with improved English and Chinese models for vulnerability descriptions.

πŸ‘‰ https://www.vulnerability-lookup.org/2026/04/06/russian-severity-classifier/

These models are trained with VulnTrain and served via ML-Gateway, and are fully integrated into Vulnerability-Lookup.

πŸ” What’s new

  • πŸ‡·πŸ‡Ί Russian severity classifier based on FSTEC (BDU) data, using a ruRoBERTa-large model
  • πŸ‡¬πŸ‡§ Improved English model trained on diverse sources (CVE, GitHub, PySec, CSAF…)
  • πŸ‡¨πŸ‡³ Improved Chinese model leveraging CNVD data
  • πŸ“Š Better training insights with per-class precision / recall / F1 metrics
  • 🧩 Multi-source datasets with traceable origins and dynamic dataset cards

All datasets and models are openly available on Hugging Face.

βš™οΈ Under the hood

  • VulnTrain 3.1.0 adds FSTEC support, dataset traceability, and improved model selection
  • ML-Gateway 0.5.0 now supports multilingual severity classification out of the box

This work is part of the AIPITCH project, supporting practical AI integration in cybersecurity workflows.

View original on lemmy.ml
2
securityΒ·SecuritybyCedric

CNVD Severity Classification and RMSV Effects: Honest Metrics & Data Leakage

We recently made significant improvements to our CNVD severity classifier and the underlying Vulnerability-CNVD dataset, prompted by a thorough independent review from Eric Romang. These changes ship in VulnTrain v3.0.0, released today.

What happened

Eric opened VulnTrain#19 with a detailed technical analysis of the dataset and model. His key findings:

  • Data leakage: CNVD reuses boilerplate descriptions across different vulnerability IDs. Our train/test split was done on IDs, not on description text, so 15.6% of the test set contained descriptions identical to training data. This inflated the reported accuracy by ~1.7pp.
  • Low-class recall at 38.4%: 60% of Low-severity entries were misclassified as Medium. The dataset is heavily imbalanced (Low ~9%, Medium ~55%, High ~36%).
  • Keyword dependency: the model predicts severity based on vulnerability-type keywords rather than actual impact. Accuracy drops from ~89% to ~55% on entries whose severity deviates from the type's typical level.

His full analysis, code, and data are available at eromang/researches/CNVD-Dataset-Validation.

What we fixed

Data leakage

We implemented a deduplicate_split function that groups entries by description text before splitting. All entries sharing a description land in the same split. The result: our retrained model scores 76.8% accuracy on the deduplicated test set, matching Eric's independently measured unleaked accuracy of 76.6%. The model quality was always ~77% β€” we just have honest metrics now.

Class imbalance experiments

We tested four loss strategies to improve Low-class recall:

StrategyLow recallMedium recallOverall acc
Uniform (baseline)41.0%81.7%76.8%
Sqrt-dampened weights49.0%74.8%74.6%
Balanced weights60.8%70.2%73.2%
Focal loss (gamma=2)63.3%64.4%71.1%

Every strategy that improved Low recall caused disproportionate Medium recall loss. The Low/Medium vocabulary overlap in CNVD descriptions makes this a data-level ceiling, not a loss-function problem. Eric's own experience with the CyberScale Phase 1 project β€” predicting 4-class CVSS bands from CVE descriptions using ModernBERT-base β€” reached the same conclusion: nothing moved the needle beyond ~2pp. Adjacent severity classes share vocabulary because vulnerability descriptions are formulaic.

We defaulted to uniform loss and documented the Low class limitation.

Dataset improvements

The Vulnerability-CNVD dataset now includes:

  • A cve_id field cross-referencing CVE equivalents. Approximately 81% of CNVD entries have a corresponding CVE (68-69% in 2020-2021, rising to 91-97% after 2022). The ~19% CNVD-only entries are concentrated in Chinese domestic software (PHP CMS, ERP systems). Western vendors (Adobe, Microsoft, IBM, Cisco) are largely absent from the CNVD-only subset.
  • A dataset card documenting severity distribution, CVE overlap rates, and the coverage decline: CNVD published details for 94% of reserved IDs in 2015 but only 4% in 2023. This drop coincides with China's Regulations on the Management of Security Vulnerabilities (RMSV), effective September 2021.
  • A warning about duplicate descriptions and the need to split on description text rather than IDs.

The RMSV effect

The RMSV regulations deserve attention. Before September 2021, CNVD published vulnerability details for most of the IDs it reserved. After the regulations took effect, publication rates dropped sharply. As a result, the CNVD dataset is increasingly sparse for recent years and the model's training data is concentrated in pre-2022 entries. Users should be aware of this temporal bias.

CNVD reserves 50,000–100,000 vulnerability IDs per year but publishes full details for only a fraction. As noted above, the publication rate has declined significantly:

  • 2015: ~94% of reserved IDs have published details
  • 2023: ~4% of reserved IDs have published details

Model card

The model card is now dynamically generated from actual training metrics and documents the known limitations: Low-class recall, keyword dependency, negation blindness, and CVE overlap.

Links

Acknowledgments

Thanks to Eric Romang for his detailed and constructive analysis. His work directly led to these improvements and confirmed that the model adds real value (+12pp over a keyword heuristic baseline) despite its limitations.

Funding

AIPITCH aims to create advanced artificial intelligence-based tools supporting key operational services in cyber defense. These include technologies for early threat detection, automatic malware classification, and improvement of analytical processes through the integration of Large Language Models (LLM). The project has the potential to set new standards in the cybersecurity industry.

The project leader is NASK National Research Institute. The international consortium includes:

Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.

https://www.vulnerability-lookup.org/2026/04/03/cnvd-severity-classifier-improvements/Open linkView original on lemmy.ml
2
selfhostΒ·Self Hosted - Self-hosting your services.byCedric

Newspipe 11.3.0

New release: Newspipe 11.3.0 πŸš€

Security & privacy take the spotlight in this version:

  • Fixed multiple XSS and SSRF vulnerabilities (thanks fyrepaw13 πŸ™Œ)
  • Safer API with stricter field validation and sanitization
  • State-changing routes now protected with POST + CSRF tokens
  • More privacy-friendly bookmarks page

Plus UX improvements across bookmarks, forms, and charts.

https://github.com/cedricbonhomme/newspipe

Newspipe 11.3.0https://github.com/cedricbonhomme/newspipeOpen linkView original on lemmy.ml
4
securityΒ·SecuritybyCedric

Vulneratility-Lookup 4.2.0

It is our honour to announce the release of Vulnerability-Lookup 4.2.0!

This version brings a large number of new CSAF-based vulnerability advisory sources, improvements to the web interface, and several bug fixes.

What's New

New CSAF-based sources

As the number of GNA keeps growing and the interest around the GCVE-EU initiative increases, these UI improvements and filtering capabilities are becoming essential to efficiently explore the various available sources.

Below is the list of CSAF-based sources available by default. You can enable or disable each feeder via the config/modules.cfg configuration file. The display in the web interface is also configurable through the config/website.py configuration file.

Improvements

  • Enriched CSAF view
    The generic CSAF view now includes severity, vulnerabilities, references, and acknowledgments.
    d528da8

  • Enriched OSV view
    Added severity and references to the generic OSV view.
    65de73e

  • Date published in CVE records
    If known, the datePublic field of CVE records is now displayed.
    861a082

  • Boost recent sightings enabled by default
    The boost recent sightings switch is now checked by default.
    4eed4c4

  • New source argument for the full-text indexer
    Added a source argument to the indexer for more targeted indexing.
    d4e6e1f

  • Less verbose indexing
    Reduced the verbosity of the full-text search indexing process.
    a563dff

  • Configuration improvements
    Reorganized the default SOURCES_TO_SHOW config variable and updated the sample website.py configuration with examples for the new configuration options.
    f699400, 6e8fb6c

  • Documentation updates
    Various improvements to the documentation, including GCVE publication as a GNA and Known Exploited Vulnerabilities Catalogs.
    58a4d83, 143f5f5, 1f6d6d3, 52c774f

  • Updated Python dependencies
    6e30dc2

Fixes

  • Fixed incorrect vulnerability ID passed in various Jinja macros. cf1b209
  • Fixed the default product option so the form correctly re-submits its value when changing sort/order controls. 7373f8f
  • Suppressed spurious config warnings for disabled features. c82e911
  • Fixed a variable shadowing issue in parse_vuln_payload() where the local source variable was overriding the function parameter. cb03721

Changelog

πŸ“‚ For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v4.2.0

πŸ™ Thank you to all contributors and testers!

Special thanks to RaphaΓ«l Vinot for adding the new sources.

Feedback and Support

If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/

View original on lemmy.ml
5
securityΒ·SecuritybyCedric

Vulnerability Report - February 2026

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for February 2026, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

The Month at a Glance

February 2026 was led by CVE-2026-1731, a Critical-severity issue affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), with 158 sightings. It was followed closely by CVE-2026-2441 in Google Chrome with 143 sightings.

Microsoft-related vulnerabilities were also prominent in the top 10, including CVE-2026-20841 (Windows Notepad) and CVE-2026-21509 (Microsoft 365 Apps for Enterprise). Other heavily sighted entries spanned enterprise recovery and networking products such as Dell RecoverPoint for Virtual Machines (CVE-2026-22769) and Cisco Catalyst SD-WAN Manager (CVE-2026-20127), as well as platform and tooling ecosystems like Apple macOS (CVE-2026-20700), Ivanti Endpoint Manager Mobile (CVE-2026-1281), and n8n (CVE-2026-25049).

February continued to be an active month for known exploited vulnerabilities. The CISA Known Exploited Vulnerabilities catalog added 28 new entries during the month. Notable additions include:

The CIRCL Known Exploited Vulnerabilities catalog added three entries (CVE-2026-25108, CVE-2026-1340, and CVE-2026-1281), while the ENISA KEV catalog had no new entries in February.

The Ghost CVE Report highlights eight vulnerability identifiers that were observed in sightings despite limited or missing public records. The most frequently sighted were CVE-2023-42344 (5 occurrences) and CVE-2026-1584 (4 occurrences), followed by CVE-2026-23456 (3 occurrences).

Contributor insights this month covered Cisco Catalyst SD-WAN vulnerabilities, an IceWarp command-injection RCE, analysis of CVEs affecting the Svelte ecosystem, TP-Link VIGI IP camera issues, and reporting on UAC-0001 (APT28) activity leveraging CVE-2026-21509.

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

VulnerabilitySighting CountVendorProductVLAI Severity
CVE-2026-1731158BeyondTrustRemote Support(RS) & Privileged Remote Access(PRA)Critical (confidence: 0.9914)
CVE-2026-2441143GoogleChromeHigh (confidence: 0.9908)
CVE-2026-20841131MicrosoftWindows NotepadHigh (confidence: 0.9833)
CVE-2026-21509113MicrosoftMicrosoft 365 Apps for EnterpriseHigh (confidence: 0.9687)
CVE-2026-2276991DellRecoverPoint for Virtual MachinesCritical (confidence: 0.9356)
CVE-2026-2012776CiscoCisco Catalyst SD-WAN ManagerCritical (confidence: 0.9411)
CVE-2026-2070069ApplemacOSHigh (confidence: 0.9705)
CVE-2026-128169IvantiEndpoint Manager MobileCritical (confidence: 0.9791)
CVE-2026-2525355OpenClawOpenClawHigh (confidence: 0.7975)
CVE-2026-2504954n8n-ion8nCritical (confidence: 0.617)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE IDDate AddedVendorProductVLAI Severity
CVE-2026-201272026-02-25CiscoCisco Catalyst SD-WAN ManagerHigh (confidence: 0.9183)
CVE-2022-207752026-02-25CiscoCisco Catalyst SD-WANHigh (confidence: 0.9894)
CVE-2026-251082026-02-24Soliton Systems K.K.FileZenHigh (confidence: 0.8244)
CVE-2025-491132026-02-20RoundcubeWebmailHigh (confidence: 0.7952)
CVE-2025-684612026-02-20RoundcubeWebmailMedium (confidence: 0.9892)
CVE-2021-221752026-02-18GitLabGitLabMedium (confidence: 0.7533)
CVE-2026-227692026-02-18DellRecoverPoint for Virtual MachinesCritical (confidence: 0.9356)
CVE-2020-77962026-02-17synacorzimbra_collaboration_suiteCritical (confidence: 0.5846)
CVE-2024-76942026-02-17TeamT5ThreatSonar Anti-RansomwareHigh (confidence: 0.9626)
CVE-2008-00152026-02-17MicrosoftWindowsHigh (confidence: 0.981)
CVE-2026-24412026-02-17GoogleChromeHigh (confidence: 0.9908)
CVE-2026-17312026-02-13BeyondTrustRemote Support(RS) & Privileged Remote Access(PRA)Critical (confidence: 0.9914)
CVE-2025-155562026-02-12notepad-plus-plusnotepad-plus-plusHigh (confidence: 0.9083)
CVE-2026-207002026-02-12AppleMacOSHigh (confidence: 0.9705)
CVE-2024-434682026-02-12MicrosoftMicrosoft Configuration ManagerHigh (confidence: 0.8181)
CVE-2025-405362026-02-12SolarWindsWeb Help DeskHigh (confidence: 0.7215)
CVE-2026-215332026-02-10MicrosoftWindows 10 Version 1607High (confidence: 0.9889)
CVE-2026-215102026-02-10MicrosoftWindows 10 Version 1607High (confidence: 0.5272)
CVE-2026-215132026-02-10MicrosoftWindows 10 Version 1607High (confidence: 0.8378)
CVE-2026-215142026-02-10MicrosoftMicrosoft 365 Apps for EnterpriseHigh (confidence: 0.9769)
CVE-2026-215192026-02-10MicrosoftWindows 10 Version 1607High (confidence: 0.9183)
CVE-2026-215252026-02-10MicrosoftWindows 10 Version 1607Medium (confidence: 0.9918)
CVE-2026-244232026-02-05SmarterToolsSmarterMailCritical (confidence: 0.9798)
CVE-2025-119532026-02-05react-native-communityreact_native_community_cliCritical (confidence: 0.987)
CVE-2019-190062026-02-03sangomafreepbxCritical (confidence: 0.6005)
CVE-2025-643282026-02-03FreePBXfilestoreHigh (confidence: 0.7976)
CVE-2021-399352026-02-03GitLabGitLabMedium (confidence: 0.8559)
CVE-2025-405512026-02-03SolarWindsWeb Help DeskCritical (confidence: 0.9385)

More KEV entries from the CISA Catalog.

CIRCL

CVE IDDate AddedVendorProductVLAI Severity
CVE-2026-251082026-02-26Soliton Systems K.K.FileZenHigh (confidence: 0.8244)
CVE-2026-13402026-02-03IvantiEndpoint Manager MobileCritical (confidence: 0.9791)
CVE-2026-12812026-02-03IvantiEndpoint Manager MobileCritical (confidence: 0.9791)

More KEV entries from the CIRCL Catalog.

ENISA

No new entry in February.

More KEV entries from the ENISA Catalog.

Top 10 Weaknesses of the Month

Ghost CVE Report

A ghost CVE is a vulnerability identifier that's already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

Sightings detected between 2026-02-01 and 2026-02-28 that are associated with vulnerabilities without public records.

Vulnerability IDOccurrencesComment
CVE-2023-423445OpenCMS Unauthenticated XXE Vulnerability
CVE-2026-15844libgnutls: Fix NULL pointer dereference in PSK binder verification
CVE-2026-234563YoSmart YoLink Smart Hub
CVE-2025-155762FreeBSD 14.3 and 13.5 (Jail chroot escape via fd exchange with a different jail)
CVE-2026-30382All supported versions of FreeBSD (Local DoS and possible privilege escalation via routing sockets)
CVE-2025-130502Multiple vulnerabilities in Centreon products
CVE-2025-125232Multiple vulnerabilities in Centreon products
CVE-2025-712102Multiple vulnerabilities in Trend Micro products (KA-0022458)

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release

https://www.vulnerability-lookup.org/2026/03/02/vulnerability-report-february-2026/Open linkView original on lemmy.ml
4