We are thrilled to announce the release of Vulnerability-Lookup 5.0.0!
This major release centers on a new CNA-compliant API for managing the vulnerabilities of your local source, together with deep Vulnogram integration, a continued UI refresh, and a long list of stability and correctness fixes.
A special thank you to Niclas Dauster for the substantial contribution behind the new CNA-interoperable API (#398).
What’s New
CNA- and GNA-Compatible Vulnerability Management
Vulnerabilities in your local instance can now be managed in a CNA-interoperable way through a dedicated API.
It streamlines Coordinated Vulnerability Disclosure (CVD) through a built-in Vulnogram integration compatible with both CVE 5.2 and GCVE-BCP-05, allowing CNAs and GNAs to publish advisories and synchronize with other instances regardless of the identifier format used.
The new API endpoint is partially interoperable with existing CNA endpoints from the CVE program, building on its solid foundation to enable a compatible and unified system for publishing vulnerability information. The API may be refined in upcoming releases based on feedback from adopters. We firmly believe that interoperable, reusable open-source components are key to preventing fragmentation in the vulnerability ecosystem.
We also welcome other vulnerability publication programs to extend this API to support their specific use cases or new models that could further improve automation in vulnerability handling.
Vulnogram integration
Vulnogram now drives ID reservation and vulnerability data management within Vulnerability-Lookup directly through the new CNA-interoperable API:
- a dialog to view and reserve identifiers,
- range-document creation,
- state filtering,
- reject and delete actions,
- reserved IDs inserted directly into the form.
Configurable identifier allocation
You can now configure GCVE identifier allocation ranges for reservation. A bin script is also provided to migrate existing data to the new GNA ID format.
Website improvements
- A new /kev-catalogs view listing all KEV catalogs.
- Recent sightings are now rendered inside a dedicated home page tab.
- Related vulnerabilities on the CWE detail page are now paginated (#406).
API
- IPs/CIDRs can now be allowlisted to exempt them from the /api read rate limits.
Changes
- UI refresh — We introduced a shared card design language (rounded cards, soft hover, brand-tinted leading icon badges) and applied it across the About, home, /recent and vulnerability pages. The About page gains a hero banner, feature highlights and live stats; the source dropdown on the recent vulnerabilities page was improved; popover triggers on vulnerability views were harmonized; and the sightings correlations tabs were reorganized. More UI improvements will come in future releases.
- Production reference architecture — The documentation now includes a production reference architecture (HAProxy, Varnish, CDN, dumps and configuration examples).
Fixes
This release also addresses a number of other issues:
- UI — Preserve the VLAI popover header when refreshing content; align right-side navbar dropdowns to prevent overflow.
- Website — Make Choices.js search inputs readable in the dark theme; repopulate the product list when the vendor changes on the search page; propagate config DEBUG=True to the FLASK_DEBUG environment variable.
- Core — Add a timeout to graceful shutdown to prevent an infinite loop (#409).
- API — Correct the per_page range check across the remaining endpoints, including rulezet and user (#411).
- Docker — Use the kvrocks container name in .env.sample (#407).
- Typing — Assorted mypy/typing fixes and Python 3.11 f-string compatibility.
Migration Notes
A bin script is provided to migrate existing local-source data to the new GNA ID format.
Changelog
📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v5.0.0
🙏 A big thank you to all contributors and testers!
Feedback and Support
If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Your feedback is always appreciated!
Follow Us on Fediverse/Mastodon
You can follow us on Mastodon and get real-time information about security advisories:
https://social.circl.lu/@vulnerability_lookup/






