We are pleased to announce the release of **Vulnerability-Lookup 5.1.0**!
The highlight of this release is the new **CNA Publication Service**, which lets vulnerabilities from your local source be published to the official CVE API as part of the Coordinated Vulnerability Disclosure (CVD) process. It also brings a new exploited-CVE ratio statistic, CSAF advisories in full-text search, further UI harmonization, and important reindexing and feeder fixes.
A special thank you to Niclas Dauster (NMD03 on GitHub) for the substantial contribution behind the CNA Publication Service (pull request #416, "Add CNA Publication Service").
## What’s New
### CNA Publication Service
Building on the CNA-interoperable API introduced in [5.0.0](/2026/05/29/vulnerability-lookup-5-0-0/), vulnerabilities of the local source can now be published to the official CVE API (cveawg) as part of the Coordinated Vulnerability Disclosure process:
- users request publication of a local vulnerability,
- admins moderate the request (publish or reject) through a dedicated HTML moderation view,
- the resulting CVE-ID is mirrored back into the local database (Kvrocks).
The service is built on a new data model and web service, includes a rejection mechanism, stores per-user CNA credentials encrypted, and integrates with Vulnogram (a CNA publications link is now available directly from the editor header).
The feature is **disabled by default**. Enable it with `cna: true` in `config/generic.json` and configure it in `config/cna.json`. Note that it requires a database migration. See the CNA service documentation for the full setup and usage guide.
#### Screenshots
The CVE record pushed to MITRE’s cveawg service is the very same GCVE record created locally on the Vulnerability-Lookup instance — there is no duplication or re-entry of data. From this view, locally created advisories can be managed through their whole publication lifecycle: reserving a CVE ID, creating or updating the corresponding CVE record, and tracking the status of each request. Once published, the advisory is known under both its GCVE ID and its assigned CVE ID. Local-only vulnerabilities — GCVE entries that are not published as CVEs — remain visible alongside, so disclosure can stay entirely local or go through the CVE Program, on a per-vulnerability basis.
### Exploited-CVE ratio statistics
New charts and API endpoints track, over time, the share of CVEs that have at least one exploitation sighting — a clearer real-world risk signal than raw vulnerability counts (issue #413). This metric was already put to use in our [May 2026 vulnerability report](/2026/06/03/vulnerability-report-may-2026/).
### CSAF advisories in full-text search
CSAF advisories are now wired into the full-text search read path, making them discoverable through search (issues #417 and #420).
### Website improvements
- The Vendor and Product columns in the recent vulnerabilities view now link directly to the corresponding search.
## Changes
- **UI refresh, continued** — More pages were harmonized onto the shared card design language introduced in 5.0.0: the sightings templates, the statistics page cards, bundle cards, comment cards, and the “Evolution for the last month” section.
- **Vulnogram** — Added a CNA publications link to the editor header; the Recent vulnerabilities link now falls back to the local source.
- **Templates** — Vulnerability/CVE identifiers are now displayed in uppercase across the templates and the CNA publications view.
- **Documentation** — Fixed the path to `dumps/` and various CHANGELOG cleanups.
- **Dependencies** — Updated Python dependencies.
## Fixes
- **Reindexing and feeder keys** — Rewrote the reindex scripts, made `index_vulnerabilities --purge` lossless, guarded the nvd and gcve_vl published counters with `first_seen`, and fixed several feeder key bugs (pull requests #418 and #419).
- **CNA Publication Service hardening** — Post-merge hardening of the new service: stricter validation of cveawg responses and vulnerability identifiers, the credentials endpoint and Profile credentials link gated to admins, the CVE API key redacted from persisted request/response/error fields, Fernet key validation at startup, a unique `vuln_id` constraint at the database level, and assorted refactors.
- **UI** — Include ADP container data in CVE 5 record views (pull request #414); constrain user markdown images to their container.
- **Vulnogram** — Keep editing in update mode after creating a record.
- **Website** — Silenced the per-worker gevent monkey-patch warning and made cache writes resilient to broken connections.
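
Two of the CNA Publication Service hardening items above, Fernet key validation at startup and redaction of the CVE API key from persisted request/response/error fields, can be illustrated with the following added example. It is not Vulnerability-Lookup's own code: the function names, the `[REDACTED]` marker, the record layout and the sample values are assumptions made for the illustration.

```python
import base64
import binascii

REDACTED = "[REDACTED]"
SECRET_FIELDS = ("CVE-API-KEY",)  # CVE Services auth header; field list is an assumption


def validate_fernet_key(key: str) -> bytes:
    """Fail fast at startup: a Fernet key is 32 bytes, URL-safe base64 encoded."""
    try:
        raw = base64.urlsafe_b64decode(key.encode("ascii"))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("Fernet key is not valid URL-safe base64") from exc
    if len(raw) != 32:
        raise ValueError(f"Fernet key must decode to 32 bytes, got {len(raw)}")
    return raw


def redact(value, secret: str):
    """Return a copy of a request/response/error structure that is safe to persist."""
    if isinstance(value, dict):
        return {
            k: REDACTED if str(k).upper() in SECRET_FIELDS else redact(v, secret)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [redact(v, secret) for v in value]
    if isinstance(value, str) and secret and secret in value:
        # Catches the key echoed into error strings or URLs, not just headers.
        return value.replace(secret, REDACTED)
    return value


# Constructed sample data: not a real credential or a real cveawg response.
SAMPLE_KEY = "constructed-api-key-0000"
SAMPLE_RECORD = {
    "request": {"headers": {"CVE-API-ORG": "example_org", "CVE-API-KEY": SAMPLE_KEY}},
    "response": {"status": 401},
    "error": f"401 Unauthorized for key {SAMPLE_KEY}",
}


def demo():
    validate_fernet_key(base64.urlsafe_b64encode(bytes(32)).decode())
    return redact(SAMPLE_RECORD, SAMPLE_KEY)


if __name__ == "__main__":
    print(demo())
```

Redacting by field name alone would miss the key when an upstream error message echoes it back, which is why the example also scrubs the secret value from every string before the record is stored.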
## Changelog
For the full list of changes, check the GitHub release:
A big thank you to all contributors and testers!
## Feedback and Support
If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
Your feedback is always appreciated!
## Follow Us on Fediverse/Mastodon
You can follow us on Mastodon and get real-time information about security advisories:





