Vulnerability-Lookup now ingests Red Hat's per-CVE CSAF VEX documents and attaches them straight to the vulnerabilities you're already tracking. Which products are affected? Which are fixed? Which were never affected at all? One glance at the new VEX tab β or the EPSS-style VEX badge right in the vulnerability header β and you know.
No more digging through vendor advisories to answer "does this CVE actually matter to us?" π
Also in this release:
β New /api/vex endpoints β VEX data, fully machine-readable
π Per-user enable/disable of CNA publication, with a dedicated admin overview
π¬ Admin overview for KEV catalog e-mail subscriptions + richer digest e-mails (entry titles, affected vendors & products)
π οΈ A batch of feeder robustness fixes β no more full re-imports or notification storms after a partial download failure
This release adds a reversible data hiding technique based on histogram shifting (Ni et al., IEEE TCSVT 2006): unlike LSB, the original cover image can be recovered pixel-for-pixel after the hidden message is extracted. Includes a new stegano-rdh command line tool.
We are pleased to announce the release of Vulnerability-Lookup 5.3.0!
This release brings email subscriptions to KEV catalogs, letting you receive batched digests whenever new exploited vulnerabilities are added to a catalog you follow. Search gained the long-requested ability to filter and sort by CVSS base score, two new feeder families join the platform β the AVID (AI Vulnerability Database) feeder and a set of new CSAF vendor feeders β and the KEV catalogs page gained a whole suite of coverage visualisations. On the account side, 2FA recovery codes make account recovery safer.
What's New
Email subscriptions to KEV catalogs
You can now subscribe to any KEV catalog and receive batched email digests when new entries are added. Subscriber counts are surfaced on the catalogs page, and the notifications page was modernized onto the shared card design language (#457).
Filter and sort by CVSS base score
The search now supports filtering and sorting vulnerabilities by CVSS base score β including CVSS-only searches that need no vendor, product or assigner. The recent vulnerabilities page gained a quick-filter accordion above the table, and the search form now preselects the CVE Program source by default (#454).
New feeders: AVID and more CSAF vendors
A new feeder for the AVID (AI Vulnerability Database) brings AI-specific vulnerability advisories into the platform, with a dedicated advisory view, product search wiring and source registration. Contributed by @thunderstornX in #442.
We also added new CSAF feeders for the vendors whose public feeds actually deliver documents β audited from a much larger candidate list β wired into the web interface and README. Along the way: CERT@VDE trusted-provider metadata URLs were fixed for 12 vendors, the TuxCare feeder now points at its published provider metadata, Palo Alto advisory ids were namespaced so they no longer overwrite canonical CVE records, and the csaf_trend feeder was renamed to csaf_trendmicro (#448).
A coverage timeline chart with a blind-spots gap finder.
Cross-catalog vulnerability search.
Click-to-filter on the UpSet plot columns, plus a mean lead-time and same-day caption.
First-listed/last-updated sort toggles on the coverage table and catalog pages.
Catalog licence badges, and vendor/product shown in the coverage table.
2FA recovery codes
Accounts protected with two-factor authentication can now generate recovery codes for account recovery, and the profile page was restructured into themed cards (#435).
Favorite feed
Users can pick a favorite feed used as the default source on the recent vulnerabilities page, and toggle it directly from that page.
Readable RSS/Atom feeds
RSS/Atom feeds now render as readable pages when opened in a browser: server-side rendering via content negotiation, KEV Atom content emitted as XHTML, and the XSL stylesheet made XSLT 1.0 compatible and served as application/xslt+xml so Chromium-based browsers apply it.
API improvements
Enrichment flags on the bulk vulnerability endpoint.
CORS headers on /api endpoints for browser-based access.
KEV entries resolvable by (origin_uuid, vulnId) for PUT/DELETE.
Other new features
Sightings β Accept more vulnerability identifier patterns: CVE-UNASSIGNED, OpenVAS, SSV, Exploit-DB (EDB) and China National Vulnerability Database (CNVD).
Performance β pg_trgm GIN indexes for sighting source/vulnerability search, with the author lookup split into a UNION leg so the indexes actually apply. Contributed by @DevamShah in #431 (#440).
UI β Filtering, sorting and search on the CNA publications and vulnerability disclosures lists.
Changes
EUVD β Added the EUVD ID data model and Kvrocks key conventions. Contributed by @archakisn in #452.
UI β Continued the UI refresh: the About and About-this-instance pages, a soft azure underglow on the home hero signal line, Choices.js widgets themed with the design tokens, and a themed vendor autocomplete for the navbar search.
Templates β Recent vulnerabilities page polish: a shortcut button to the local instance source, a link to the current source's recent vulnerabilities in the generic CSAF view, and vulnerability identifiers displayed in uppercase in the disclosures list.
Configuration β Added unicode icons to the source names in SOURCES_TO_SHOW.
Documentation β Improved the README, added documentation for running a minimal publication instance (#456), and documented the KEV catalog email subscriptions.
Dependencies β Updated Python dependencies and bumped the pinned GitHub Actions.
Fixes
API β GET /api/vulnerability/recent without a source again returns the most recent entries across all sources (the global index), consistent with /api/vulnerability/last and with the documented behavior. Since 3.0.0 (February 2026) it silently defaulted to the cvelistv5 source only; clients that came to rely on that must now pass source=cvelistv5 explicitly.
Search β A vendor-only search now spans all sources instead of only cvelistv5, and a known-vendor query takes precedence over the linked-vulnerabilities fallback (#432).
Notifications β Widened the notification query window and deduplicated already-sent notifications, so entries indexed with a source-side lastModified older than the wall-clock window are no longer silently skipped; the nvd source is now included and results are deduplicated across sources (#449).
API β KEV endpoint hardening: BCP-07 conformant output, a unique tiebreaker in the list ordering so pagination no longer yields duplicate entries on tie-heavy sorts, unhandled 500 responses marked as no-store, and PUT now only moves first_seen_at/asserted_at backwards (#453).
API β Sighting creation timestamps are set server-side, ILIKE wildcards are escaped in search filters, and the updated date sort uses the correct index key.
Statistics β Current-year charts stop at the current month, bogus delta labels for unfinished months are suppressed (#433), and the selected multi-year window is preserved when switching sources (#436).
Feeds β Aligned the recent feed sort order and timestamps with the /recent page (#443).
KEV β UpSet plot rendering: widened the set-label gutter so long catalog names fit, reserved a numeric lane so totals are not clipped, and clarified the total vs exact-slice reading of the plot.
UI β Stripped global-chrome bleed from the vulnogram editor and corrected its dialog button layout; aligned navbar link tooltips with their labels; showed the public Vulnerability Disclosures link to logged-in users; made vulnerability IDs clickable in the admin disclosures view (#438).
Users β Avoided an N+1 query in the user directory and made the DB pool resilient.
Docker β Read the PostgreSQL URI from website.py to avoid importing psycopg2.
This vulnerability report has been generated with the help of AI, using the
VulnMCP tooling on top of
Vulnerability-Lookup,
with contributions from the platform's community.
New in this report: the Shadowserver KEV catalog,
built from honeypot-observed exploitation attempts, makes its first appearance in our monthly reports.
A big thank you to The Shadowserver Foundation for making this data available to the community.
June's threat landscape was dominated by actively exploited flaws in enterprise
infrastructure: remote-access and management software, network appliances, and
identity-adjacent services. Nine of the ten most sighted vulnerabilities of the month
are listed in the CISA KEV catalog (eight of them added during June), a strong signal
that sighting activity closely tracked in-the-wild exploitation.
The Month at a Glance
7,454 CVEs were published in June 2026 (from the CVE List v5 source alone), up from
6,953 in May -- a 14.5% month-over-month increase and the highest monthly volume of
the year so far. On top of that, Vulnerability-Lookup ingested 7,315 GitHub security
advisories and 745 PySec advisories over the same period.
Vulnerability-Lookup collected 27,251 sightings during June 2026, including 18,123
"seen" observations, 8,542 exploitation-related sightings, and 71 "confirmed"
sightings (mostly newly published Nuclei detection templates). No "patched" or
"proof of concept" type sightings were recorded this month. Across the monitored KEV
catalogs, 23 entries were added by CISA, 4 by CIRCL, 1 was reported through
the ENISA / EU CSIRTs Network feed, and 6 new vulnerabilities appeared in The
Shadowserver Foundation's honeypot-observed exploitation feed.
The most sighted vulnerability of the month was CVE-2026-35273,
a missing-authentication flaw in Oracle PeopleSoft Enterprise PeopleTools (Updates
Environment Management), added to the CISA KEV catalog on June 12 with known
ransomware campaign use -- the only entry of the month with that flag.
Cisco had a particularly rough month, with three KEV-listed issues: an
unauthenticated SSRF in Unified Communications Manager
(CVE-2026-20230), a privilege
escalation in Catalyst SD-WAN Controller
(CVE-2026-20245) and a path
traversal in Catalyst SD-WAN Manager
(CVE-2026-20262) -- the SD-WAN
line remaining a target for the second month in a row after May's Emergency-Directive
flaw. Remote-access and remote-management tooling was the other clear cluster:
unauthenticated root-level command injection in Ivanti Sentry
(CVE-2026-10520, also observed
against Shadowserver honeypots), an OIDC authentication bypass in SimpleHelp
(CVE-2026-48558), an IKEv1
authentication bypass in Check Point Security Gateway
(CVE-2026-50751, confirmed
exploited by Check Point), and a pre-authentication RCE in BeyondTrust Remote Support /
Privileged Remote Access (CVE-2026-1731)
reported by NCSC-FI through the ENISA CNW feed.
Other notable KEV additions include a trio of Ubiquiti UniFi OS flaws
(CVE-2026-34908,
CVE-2026-34909,
CVE-2026-34910) added the same day,
an unauthenticated arbitrary file creation/truncation in Splunk Enterprise via a
PostgreSQL sidecar endpoint
(CVE-2026-20253), and -- for the
second month running -- an AI-stack entry, with a command injection in BerriAI
LiteLLM (CVE-2026-42271)
following May's LiteLLM SQL injection. On the client side, both Google Chrome (V8)
(CVE-2026-11645) and Android
Framework (CVE-2025-48595) were
KEV-listed and appeared in the top 10. The high-sighting Windows Netlogon
stack-based buffer overflow
(CVE-2026-41089) rounded out the
picture, and CISA also re-anchored legacy issues -- the Linux kernel cgroups v1
container-escape CVE-2022-0492 and
Oracle WebLogic CVE-2024-21182 --
while Shadowserver honeypots still registered attacks against the 2017 HP iLO 4
authentication bypass (CVE-2017-12542).
Across the month's KEV additions, the dominant weakness patterns were missing
authentication for critical functions (CWE-306: PeopleSoft, Splunk), authentication
bypass and improper authentication (CWE-287/CWE-294: SimpleHelp, Check Point, PAN-OS
GlobalProtect), OS command and code injection (CWE-77/78/94: Ivanti Sentry, Lantronix
EDS5000, LiteLLM), path traversal (CWE-22: Ubiquiti UniFi OS, Cisco SD-WAN Manager,
FortiSandbox), server-side request forgery (CWE-918: Cisco Unified CM), and memory
corruption in widely deployed client software (CWE-787/CWE-190: Windows Netlogon,
Chrome V8, Android Framework). In overall published volume, cross-site scripting
(CWE-79) and SQL injection (CWE-89) once again topped the monthly CWE ranking (see the
Top 10 Weaknesses chart below).
New entries have been added to the major Known Exploited Vulnerabilities catalogs during June.
Catalog coverage
30 distinct vulnerabilities entered at least one of the tracked KEV catalogs during June.
The matrix below shows, for each of them, which catalogs cover it (as of publication) -- built
with the new KEV catalog coverage feature of
Vulnerability-Lookup. The
KEVIntel catalog, the highest-volume of the tracked feeds with 335 new
entries in June alone, covers 28 of the 30; conversely, two entries (HP iLO 4 and the MeiG
router) are visible only through Shadowserver's honeypots, and the Ivanti Sentry command
injection is the only vulnerability of the month present in four catalogs at once.
The CIRCL KEV catalog
added 4 entries during June. The Check Point IKEv1 authentication bypass was confirmed on the basis
of Check Point's own report of active exploitation in the wild; the Cisco SD-WAN and Ivanti Sentry
entries are marked as suspected exploitation.
A single new entry was reported through the ENISA / EU CSIRTs Network (CNW) KEV feed during June:
a critical pre-authentication remote code execution in BeyondTrust Remote Support and Privileged
Remote Access, reported by NCSC-FI.
The Shadowserver KEV catalog
is fed by honeypot-observed exploitation attempts. 6 vulnerabilities were observed for the first
time during June, two of which are also in the CISA KEV catalog. Notably, the 2017 HP iLO 4
authentication bypass was still drawing attack traffic at the very end of the month.
Community contributions in June ranged from data-quality improvements to supply-chain research:
Impact of MISP.disableUserSelfManagement on exploitability -- a practical exploitability note on GCVE-1-2026-20092 explaining that when MISP.disableUserSelfManagement is enabled on a MISP instance, non-admin users cannot reach the vulnerable endpoint -- a useful triage criterion for instance operators.
The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL's contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.
We are excited to share the result of a fruitful collaboration with The Shadowserver Foundation: a new Known Exploited Vulnerabilities (KEV) Catalog (BCP-07 compliant) built directly from their global honeypot telemetry.
Most KEV catalogs tell you what is being exploited. This one is grounded in observed exploitation attempts captured across Shadowserver's worldwide honeypot sensor network. When a vulnerability is exploited against one of their honeypots, it becomes an attributable, structured GCVE-EU BCP-07 KEV assertion, complete with evidence typing (honeypot), exploitation signals (in_the_wild_attempts), and timestamps indicating when exploitation was first and last observed.
A huge thank-you to the Shadowserver team, and especially to Piotr Kijewski, for their support and collaboration.
Vulnerability-Lookup now provides a coverage matrix on its KEV catalogs page, showing which Known Exploited Vulnerability catalogs (e.g. EUVD KEV, CISA KEV, CIRCL KEV) reference the most recently updated vulnerabilities. Each row corresponds to a vulnerability and each column to a catalog, making it straightforward to identify overlaps and gaps between KEV sources. All catalogs follow the GCVE-BCP-07 standard for documenting actively exploited vulnerabilities.
We are pleased to announce the release of Vulnerability-Lookup 5.1.0!
The highlight of this release is the new CNA Publication Service, which lets vulnerabilities from your local source be published to the official CVE API as part of the Coordinated Vulnerability Disclosure (CVD) process. It also brings a new exploited-CVE ratio statistic, CSAF advisories in full-text search, further UI harmonization, and important reindexing and feeder fixes.
A special thank you to Niclas Dauster for the substantial contribution behind the CNA Publication Service (#416).
What's New
CNA Publication Service
Building on the CNA-interoperable API introduced in 5.0.0, vulnerabilities of the local source can now be published to the official CVE API (cveawg) as part of the Coordinated Vulnerability Disclosure process:
users request publication of a local vulnerability,
admins moderate the request (publish or reject) through a dedicated HTML moderation view,
the resulting CVE-ID is mirrored back into the local database (Kvrocks).
The service is built on a new data model and web service, includes a rejection mechanism, stores per-user CNA credentials encrypted, and integrates with Vulnogram (a CNA publications link is now available directly from the editor header).
The feature is disabled by default. Enable it with cna: true in config/generic.json and configure it in config/cna.json. Note that it requires a database migration. See the CNA service documentation for the full setup and usage guide.
The CVE record pushed to MITRE's cveawg service is the very same GCVE record created locally on the Vulnerability-Lookup instance β there is no duplication or re-entry of data. From this view, locally created advisories can be managed through their whole publication lifecycle: reserving a CVE ID, creating or updating the corresponding CVE record, and tracking the status of each request. Once published, the advisory is known under both its GCVE ID and its assigned CVE ID. Local-only vulnerabilities β GCVE entries that are not published as CVEs β remain visible alongside, so disclosure can stay entirely local or go through the CVE Program, on a per-vulnerability basis.
Exploited-CVE ratio statistics
New charts and API endpoints track, over time, the share of CVEs that have at least one exploitation sighting β a clearer real-world risk signal than raw vulnerability counts (#413). This metric was already put to use in our May 2026 vulnerability report.
CSAF advisories in full-text search
CSAF advisories are now wired into the full-text search read path, making them discoverable through search (#417, #420).
Website improvements
The Vendor and Product columns in the recent vulnerabilities view now link directly to the corresponding search.
Changes
UI refresh, continued β More pages were harmonized onto the shared card design language introduced in 5.0.0: the sightings templates, the statistics page cards, bundle cards, comment cards, and the "Evolution for the last month" section.
Vulnogram β Added a CNA publications link to the editor header; the Recent vulnerabilities link now falls back to the local source.
Templates β Vulnerability/CVE identifiers are now displayed in uppercase across the templates and the CNA publications view.
Documentation β Fixed the path to dumps/ and various CHANGELOG cleanups.
Dependencies β Updated Python dependencies.
Fixes
Reindexing and feeder keys β Rewrote the reindex scripts, made index_vulnerabilities --purge lossless, guarded the nvd and gcve_vl published counters with first_seen, and fixed several feeder key bugs (#418, #419).
CNA Publication Service hardening β Post-merge hardening of the new service: stricter validation of cveawg responses and vulnerability identifiers, the credentials endpoint and Profile credentials link gated to admins, the CVE API key redacted from persisted request/response/error fields, Fernet key validation at startup, a unique vuln_id constraint at the database level, and assorted refactors.
UI β Include ADP container data in CVE 5 record views (#414); constrain user markdown images to their container.
Vulnogram β Keep editing in update mode after creating a record.
Website β Silenced the per-worker gevent monkey-patch warning and made cache writes resilient to broken connections.
We are thrilled to announce the release of Vulnerability-Lookup 5.0.0!
This major release centers on a new CNA-compliant API for managing the vulnerabilities of your local source, together with deep Vulnogram integration, a continued UI refresh, and a long list of stability and correctness fixes.
A special thank you to Niclas Dauster for the substantial contribution behind the new CNA-interoperable API (#398).
What's New
CNA- and GNA-Compatible Vulnerability Management
Vulnerabilities in your local instance can now be managed in a CNA-interoperable way through a dedicated API.
It streamlines Coordinated Vulnerability Disclosure (CVD) through a built-in Vulnogram integration compatible with both CVE 5.2 and GCVE-BCP-05, allowing CNAs and GNAs to publish advisories and synchronize with other instances regardless of the identifier format used.
The new API endpoint is partially interoperable with existing CNA endpoints from the CVE program, building on its solid foundation to enable a compatible and unified system for publishing vulnerability information. The API may be refined in upcoming releases based on feedback from adopters. We firmly believe that interoperable, reusable open-source components are key to preventing fragmentation in the vulnerability ecosystem.
We also welcome other vulnerability publication programs to extend this API to support their specific use cases or new models that could further improve automation in vulnerability handling.
Vulnogram integration
Vulnogram now drives ID reservation within vulnerability-lookup directly and vulnerability data management directly through the new CNA-interoperable API:
a dialog to view and reserve identifiers,
range-document creation,
state filtering,
reject and delete actions,
reserved IDs inserted directly into the form.
Configurable identifier allocation
You can now configure GCVE identifier allocation ranges for reservation. A bin script is also provided to migrate existing data to the new GNA ID format.
Website improvements
A new /kev-catalogs view listing all KEV catalogs.
Recent sightings are now rendered inside a dedicated home page tab.
Related vulnerabilities on the CWE detail page are now paginated (#406).
API
IPs/CIDRs can now be allowlisted to exempt them from the /api read rate limits.
Changes
UI refresh β We introduced a shared card design language (rounded cards, soft hover, brand-tinted leading icon badges) and applied it across the About, home, /recent and vulnerability pages. The About page gains a hero banner, feature highlights and live stats; the source dropdown on the recent vulnerabilities page was improved; popover triggers on vulnerability views were harmonized; and the sightings correlations tabs were reorganized. More UI improvements will come in future releases.
Production reference architecture β The documentation now includes a production reference architecture (HAProxy, Varnish, CDN, dumps and configuration examples).
Fixes
It also addresses a number of other issues:
UI β Preserve the VLAI popover header when refreshing content; align right-side navbar dropdowns to prevent overflow.
Website β Make Choices.js search inputs readable in the dark theme; repopulate the product list when the vendor changes on the search page; propagate config DEBUG=True to the FLASK_DEBUG environment variable.
Core β Add a timeout to graceful shutdown to prevent an infinite loop (#409).
API β Correct the per_page range check across the remaining endpoints, including rulezet and user (#411).
Docker β Use the kvrocks container name in .env.sample (#407).
Typing β Assorted mypy/typing fixes and Python 3.11 f-string compatibility.
Migration Notes
A bin script is provided to migrate existing local-source data to the new GNA ID format.
We are excited to announce the release of Vulnerability-Lookup 4.6.0!
This version brings more transparency, new data sources, API improvements, notable UI enhancements, and several performance and stability fixes.
What's New
VLAI model transparency
The VLAI badge popover now surfaces the exact model name and revision used for a given analysis, with direct links to the HuggingFace model card and the revision commit. This is particularly useful as we regularly update our AI models and publish new versions on HuggingFace, making it easy to track exactly which model version produced a given result.
Moksha feeder
A new feeder for Moksha has been added, mirroring the indexing pattern used by the cvelistv5 source. Because Moksha is accessible over Tor, the feeder requires a local Tor instance and is disabled by default.
KEV catalog on the homepage and search results
The latest entries from CISA's Known Exploited Vulnerabilities (KEV) catalog are now displayed directly on the homepage. KEV catalog badges also appear on the search results page, giving you an immediate signal when a vulnerability is actively exploited in the wild.
Improved CSAF advisory display
CSAF advisories now show a structured per-status product table derived from the product_tree, and the /recent page loads only the selected source with its own pagination β making it faster to browse recent activity.
API additions
A new with_meta parameter on the vulnerabilities list endpoint lets consumers fetch enriched metadata in a single call.
Optional, tier-aware rate limits can now be applied to vulnerability read endpoints.
A machine-readable access policy endpoint is available for automated consumers.
Changes
Performance improvements β Hot read endpoints are now cached with a Redis backend, full-text index writes are batched, and homepage sighting statistics are computed via a dedicated aggregated endpoint. These changes significantly reduce load under traffic spikes.
Homepage and template updates β The home page displays more information at a glance; the sources list on the About page is now in a collapsible accordion; Moksha is available in the /recent source menu.
ML-Gateway β The gateway response now includes the model name and revision, which are forwarded by the API (project page).
Dependencies β Python dependencies have been updated.
Fixes
This release includes a number of stability and correctness fixes: rate-limiter accuracy improvements (correct client IP resolution, dedicated Redis backend), Flask-Caching Redis pool reliability under gunicorn/gevent, EPSS badges on search results, timezone-aware timestamps for comments and bundles, restricted comment editing to authorized users only, and several minor UI and template corrections.
This vulnerability report has been generated with the help of AI, using the
VulnMCP tooling on top of
Vulnerability-Lookup,
with contributions from the platform's community.
April 2026 was dominated by a Linux kernel crypto subsystem flaw, CVE-2026-31431 ("Copy Fail"), an algif_aead in-place operation regression that drew 279 sightings -- by far the highest activity of the month. Local privilege escalation against shared multi-user Linux hosts and container infrastructure (including Microsoft WSL) was confirmed in the wild, and CISA added the entry to its KEV catalog on May 1.
Edge-security appliances and developer tooling shaped the rest of the top ranking. Fortinet FortiClient EMS (improper access control, CVSS 9.1) was added to both the CISA and CIRCL KEV catalogs on April 6, and a related FortiClient EMS SQLi -- CVE-2026-21643 -- was KEV-listed on April 13. Adobe Acrobat Reader prototype-pollution CVE-2026-34621 and GitHub Enterprise Server git-push option injection CVE-2026-3854 both crossed 140 sightings, while Apache ActiveMQ CVE-2026-34197 (Jolokia/Spring code injection) followed closely.
A burst of "AI-stack" exposure also marked the month: marimo (pre-auth RCE via an unauthenticated terminal WebSocket) was added to KEV on April 23, and Meta React Server Components CVE-2025-55182 (KEV since December 2025, known ransomware use) continued to rack up sightings as scanning persisted.
The end of the month brought a critical hosting-stack incident: WebPros cPanel & WHM CVE-2026-41940, an authentication bypass in the login flow (CVSS 9.8), was disclosed on April 28-29 and added to CISA KEV on April 30 with a 3-day remediation deadline.
Contributor activity in April focused on operational mitigations for the Linux kernel "Copy Fail" issue, with practical SELinux, systemd RestrictAddressFamilies, and initcall_blacklist recipes shared by community members.
The recurring theme across these contributions: AF_ALG / algif_aead is rarely needed by user workloads, so disabling it at the kernel, container-runtime, or systemd-unit boundary is a pragmatic mitigation while distributions roll out the corrected kernel patches.
Thank you
Thank you to all the contributors and our diverse sources!
The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL's contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.
This release introduces public disclosure list views,
enhanced sightings with automatic creation and heatmap navigation controls, toggleable chart events, and configurable CVD policy alerts.
It also includes numerous fixes for database stability and performance, notification reliability, and Meilisearch error handling.
The technical documentation has been revamped for greater clarity and expanded with deployment guidance for high-traffic environments, validated in our production setup handling 15,000β20,000 queries per second (public API + Web pages).
What's New
new: [views] Add public disclosures list view and improve disclosure detail template.
ac97550
new: [heatmap] Add navigation and zoom controls to sightings heatmap.
57c1fb8
new: [sightings] Add toggleable extra events (published, reserved, KEV) to sightings charts.
1ae5cdf
new: [sightings] Add backfill_sightings script to create sightings from existing data.
3c036b3
new: [sightings] Automatically create sightings when bundles, comments, or KEV entries are created.
5676730, eb20f85, 351d538
Disclosed Vulnerabilities (CVD process)
Disclosures part of the CVD process are now listed on a dedicated page once they are disclosed (the CVD feature can be disabled in Vulnerability-Lookup).
Previously, they were publicly accessible but not listed in a single view.
Comments as a sighting
Creating a comment on a vulnerability now automatically generates a sighting.
Displaying reserved and published dates in the sightings visualisations
CVE-2026-23456 was mentioned in the list of Ghost CVEs in our February Vulnerability Report. The CVE record is now available, and the visualisations show our sightings predating the publication date.
KEV entry as exploited sightings
Creating a KEV entry β whether directly, via synchronisation from another Vulnerability-Lookup instance, or by pulling from the CISA or ENISA catalogs β now automatically generates a sighting.
π Weβve just published a new article introducing a Russian-language severity classifier, along with improved English and Chinese models for vulnerability descriptions.
Eric opened VulnTrain#19 with a detailed technical analysis of the dataset and model. His key findings:
Data leakage: CNVD reuses boilerplate descriptions across different vulnerability IDs. Our train/test split was done on IDs, not on description text, so 15.6% of the test set contained descriptions identical to training data. This inflated the reported accuracy by ~1.7pp.
Low-class recall at 38.4%: 60% of Low-severity entries were misclassified as Medium. The dataset is heavily imbalanced (Low ~9%, Medium ~55%, High ~36%).
Keyword dependency: the model predicts severity based on vulnerability-type keywords rather than actual impact. Accuracy drops from ~89% to ~55% on entries whose severity deviates from the type's typical level.
We implemented a deduplicate_split function that groups entries by description text before splitting. All entries sharing a description land in the same split. The result: our retrained model scores 76.8% accuracy on the deduplicated test set, matching Eric's independently measured unleaked accuracy of 76.6%. The model quality was always ~77% β we just have honest metrics now.
Class imbalance experiments
We tested four loss strategies to improve Low-class recall:
Strategy
Low recall
Medium recall
Overall acc
Uniform (baseline)
41.0%
81.7%
76.8%
Sqrt-dampened weights
49.0%
74.8%
74.6%
Balanced weights
60.8%
70.2%
73.2%
Focal loss (gamma=2)
63.3%
64.4%
71.1%
Every strategy that improved Low recall caused disproportionate Medium recall loss. The Low/Medium vocabulary overlap in CNVD descriptions makes this a data-level ceiling, not a loss-function problem. Eric's own experience with the CyberScale Phase 1 project β predicting 4-class CVSS bands from CVE descriptions using ModernBERT-base β reached the same conclusion: nothing moved the needle beyond ~2pp. Adjacent severity classes share vocabulary because vulnerability descriptions are formulaic.
We defaulted to uniform loss and documented the Low class limitation.
A cve_id field cross-referencing CVE equivalents. Approximately 81% of CNVD entries have a corresponding CVE (68-69% in 2020-2021, rising to 91-97% after 2022). The ~19% CNVD-only entries are concentrated in Chinese domestic software (PHP CMS, ERP systems). Western vendors (Adobe, Microsoft, IBM, Cisco) are largely absent from the CNVD-only subset.
A dataset card documenting severity distribution, CVE overlap rates, and the coverage decline: CNVD published details for 94% of reserved IDs in 2015 but only 4% in 2023. This drop coincides with China's Regulations on the Management of Security Vulnerabilities (RMSV), effective September 2021.
A warning about duplicate descriptions and the need to split on description text rather than IDs.
The RMSV effect
The RMSV regulations deserve attention. Before September 2021, CNVD published vulnerability details for most of the IDs it reserved. After the regulations took effect, publication rates dropped sharply. As a result, the CNVD dataset is increasingly sparse for recent years and the model's training data is concentrated in pre-2022 entries. Users should be aware of this temporal bias.
CNVD reserves 50,000β100,000 vulnerability IDs per year but publishes full details for only a fraction. As noted above, the publication rate has declined significantly:
2015: ~94% of reserved IDs have published details
2023: ~4% of reserved IDs have published details
Model card
The model card is now dynamically generated from actual training metrics and documents the known limitations: Low-class recall, keyword dependency, negation blindness, and CVE overlap.
Thanks to Eric Romang for his detailed and constructive analysis. His work directly led to these improvements and confirmed that the model adds real value (+12pp over a keyword heuristic baseline) despite its limitations.
Funding
AIPITCH aims to create advanced artificial intelligence-based tools supporting key operational services in cyber defense.
These include technologies for early threat detection, automatic malware classification, and improvement of analytical processes through the integration of Large Language Models (LLM).
The project has the potential to set new standards in the cybersecurity industry.
NCBJ (National Centre for Nuclear Research), Poland
ABI LAB (Centre of Research and Innovation for Banks), Italy
Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre.
Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.
It is our honour to announce the release of Vulnerability-Lookup 4.2.0!
This version brings a large number of new CSAF-based vulnerability advisory sources, improvements to the web interface, and several bug fixes.
What's New
New CSAF-based sources
As the number of GNA keeps growing and the interest around the GCVE-EU initiative increases, these UI improvements and filtering
capabilities are becoming essential to efficiently explore the various available sources.
Below is the list of CSAF-based sources available by default. You can enable or disable each feeder via the
config/modules.cfg configuration file. The display in the web interface is also configurable through the
config/website.py configuration file.
Enriched CSAF view
The generic CSAF view now includes severity, vulnerabilities, references, and acknowledgments. d528da8
Enriched OSV view
Added severity and references to the generic OSV view. 65de73e
Date published in CVE records
If known, the datePublic field of CVE records is now displayed. 861a082
Boost recent sightings enabled by default
The boost recent sightings switch is now checked by default. 4eed4c4
New source argument for the full-text indexer
Added a source argument to the indexer for more targeted indexing. d4e6e1f
Less verbose indexing
Reduced the verbosity of the full-text search indexing process. a563dff
Configuration improvements
Reorganized the default SOURCES_TO_SHOW config variable and updated the sample website.py configuration with examples for the new configuration options. f699400, 6e8fb6c
Documentation updates
Various improvements to the documentation, including GCVE publication as a GNA and Known Exploited Vulnerabilities Catalogs. 58a4d83, 143f5f5, 1f6d6d3, 52c774f
This vulnerability report has been generated using data aggregated on
Vulnerability-Lookup,
with contributions from the platformβs community.
It highlights the most frequently mentioned vulnerability for February 2026, based on sightings collected from various sources,
including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists,
The Shadowserver Foundation, Nuclei,
SPLOITUS, Metasploit, and more.
For further details, please visit this page.
The Month at a Glance
February 2026 was led by CVE-2026-1731, a Critical-severity issue affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), with 158 sightings. It was followed closely by CVE-2026-2441 in Google Chrome with 143 sightings.
Microsoft-related vulnerabilities were also prominent in the top 10, including CVE-2026-20841 (Windows Notepad) and CVE-2026-21509 (Microsoft 365 Apps for Enterprise). Other heavily sighted entries spanned enterprise recovery and networking products such as Dell RecoverPoint for Virtual Machines (CVE-2026-22769) and Cisco Catalyst SD-WAN Manager (CVE-2026-20127), as well as platform and tooling ecosystems like Apple macOS (CVE-2026-20700), Ivanti Endpoint Manager Mobile (CVE-2026-1281), and n8n (CVE-2026-25049).
February continued to be an active month for known exploited vulnerabilities. The CISA Known Exploited Vulnerabilities catalog added 28 new entries during the month. Notable additions include:
CVE-2026-1731: BeyondTrust Remote Support (RS) & Privileged Remote Access (PRA)
The Ghost CVE Report highlights eight vulnerability identifiers that were observed in sightings despite limited or missing public records. The most frequently sighted were CVE-2023-42344 (5 occurrences) and CVE-2026-1584 (4 occurrences), followed by CVE-2026-23456 (3 occurrences).
Contributor insights this month covered Cisco Catalyst SD-WAN vulnerabilities, an IceWarp command-injection RCE, analysis of CVEs affecting the Svelte ecosystem, TP-Link VIGI IP camera issues, and reporting on UAC-0001 (APT28) activity leveraging CVE-2026-21509.
A ghost CVE is a vulnerability identifier that's already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.
Sightings detected between 2026-02-01 and 2026-02-28 that are associated with vulnerabilities without public records.
The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCLβs contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.