We are excited to announce the release of Vulnerability-Lookup 4.6.0!
This version brings more transparency, new data sources, API improvements, notable UI enhancements, and several performance and stability fixes.

What’s New

VLAI model transparency

The VLAI badge popover now surfaces the exact model name and revision used for a given analysis, with direct links to the HuggingFace model card and the revision commit. This is particularly useful as we regularly update our AI models and publish new versions on HuggingFace, making it easy to track exactly which model version produced a given result.

Moksha feeder

A new feeder for Moksha has been added, mirroring the indexing pattern used by the cvelistv5 source. Because Moksha is accessible over Tor, the feeder requires a local Tor instance and is disabled by default.

Recent vulnerabilities page filtered to the Moksha source, listing MOKSHA-2026 entries for XenServer (Cloud Software Group) with CVSS scores, short descriptions, and publication dates

KEV catalog on the homepage and search results

The latest entries from CISA’s Known Exploited Vulnerabilities (KEV) catalog are now displayed directly on the homepage. KEV catalog badges also appear on the search results page, giving you an immediate signal when a vulnerability is actively exploited in the wild.

Improved CSAF advisory display

CSAF advisories now show a structured per-status product table derived from the product_tree, and the /recent page loads only the selected source with its own pagination — making it faster to browse recent activity.
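
As an added illustration (not Vulnerability-Lookup's own code), here is one way a per-status product table can be derived from a CSAF 2.0 document: resolve every product ID defined in the product_tree, then group the IDs listed under each vulnerability's product_status. The function names, the sample advisory, the ExampleCorp products and the placeholder CVE ID are all constructed for this example.

```python
import json
from collections import defaultdict

# Constructed minimal CSAF 2.0 document (sample data; the CVE id is a placeholder).
ADVISORY = json.loads("""{
  "product_tree": {"branches": [{
    "category": "vendor", "name": "ExampleCorp",
    "branches": [{
      "category": "product_name", "name": "Gateway",
      "branches": [
        {"category": "product_version", "name": "1.0",
         "product": {"product_id": "P-1", "name": "ExampleCorp Gateway 1.0"}},
        {"category": "product_version", "name": "1.1",
         "product": {"product_id": "P-2", "name": "ExampleCorp Gateway 1.1"}}]}]}]},
  "vulnerabilities": [{
    "cve": "CVE-0000-0000",
    "product_status": {"known_affected": ["P-1"], "fixed": ["P-2", "P-404"]}}]
}""")


def index_products(tree):
    """Map product_id -> name from every place CSAF 2.0 defines products."""
    names = {p["product_id"]: p["name"] for p in tree.get("full_product_names", [])}
    for rel in tree.get("relationships", []):
        fpn = rel["full_product_name"]
        names[fpn["product_id"]] = fpn["name"]
    stack = list(tree.get("branches", []))
    while stack:  # branches nest to arbitrary depth; leaves carry "product"
        branch = stack.pop()
        if "product" in branch:
            names[branch["product"]["product_id"]] = branch["product"]["name"]
        stack.extend(branch.get("branches", []))
    return names


def status_table(advisory):
    """Return {vulnerability label: {status: [product names]}}."""
    names = index_products(advisory.get("product_tree", {}))
    table = {}
    for i, vuln in enumerate(advisory.get("vulnerabilities", [])):
        rows = defaultdict(list)
        for status, ids in vuln.get("product_status", {}).items():
            for pid in ids:
                # An ID absent from the tree stays visible instead of vanishing.
                rows[status].append(names.get(pid, f"<unresolved {pid}>"))
        table[vuln.get("cve", f"vulnerability[{i}]")] = dict(rows)
    return table
```

Keeping unresolved IDs in the output matters when triaging: a product listed as fixed or known_affected that the product_tree never defines points to a malformed advisory and should not silently disappear from the table.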

API additions

  • A new with_meta parameter on the vulnerabilities list endpoint lets consumers fetch enriched metadata in a single call.
  • Optional, tier-aware rate limits can now be applied to vulnerability read endpoints.
  • A machine-readable access policy endpoint is available for automated consumers.

Changes

  • Performance improvements — Hot read endpoints are now cached with a Redis backend, full-text index writes are batched, and homepage sighting statistics are computed via a dedicated aggregated endpoint. These changes significantly reduce load under traffic spikes.
  • Homepage and template updates — The home page displays more information at a glance; the sources list on the About page is now in a collapsible accordion; Moksha is available in the /recent source menu.
  • ML-Gateway — The gateway response now includes the model name and revision, which are forwarded by the API (project page).
  • Dependencies — Python dependencies have been updated.

Fixes

This release includes a number of stability and correctness fixes: rate-limiter accuracy improvements (correct client IP resolution, dedicated Redis backend), Flask-Caching Redis pool reliability under gunicorn/gevent, EPSS badges on search results, timezone-aware timestamps for comments and bundles, comment editing restricted to authorized users only, and several minor UI and template corrections.

Changelog

📂 For the full list of changes, check the GitHub release:
github.com/vulnerability-lookup/…/v4.6.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
github.com/vulnerability-lookup/…/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
social.circl.lu/@vulnerability_lookup/