Vulnerability-Lookup facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD). Vulnerability-Lookup is also a collaborative platform where users can comment on security advisories and create bundles.
A Vulnerability-Lookup instance operated by CIRCL is available at https://vulnerability.circl.lu.
- Feeders: Modular system to import vulnerabilities from multiple sources. Default feeders are bundled and active out-of-the-box.
- CVD process: Manage Security Advisories and Vulnerability Disclosures.
- Local sources: Support for adding custom vulnerability sources per instance.
- Global CVE Allocation System: Integration with the GCVE.
- Sightings: Record observations on vulnerabilities, including seen, exploited, not exploited, confirmed, not confirmed, patched, and not patched.
- Comments: Add, review, and share notes on advisories.
- Bundles: Group vulnerability advisories with descriptions for easier tracking.
- RSS/Atom: Subscribe to vulnerabilities and comments via RSS or Atom feeds.
- EPSS: Exploit Prediction Scoring System integration.
- Watchlists: Track vulnerabilities for custom products and receive email notifications.
- API: Fast and comprehensive lookup of vulnerabilities, including correlation by vulnerability ID.
For more information, refer to the user manual or the documentation.
The default sources included in Vulnerability-Lookup are the following:
- NVD CVE importer (API 2.0), with Fraunhofer FKIE NVD JSON feeds
- China National Vulnerability Database (CNNVD)
- JVN iPedia – Japanese vulnerability countermeasure database
- CERT-FR Alerts and Advisories
- CISA Known Exploited Vulnerabilities Catalog
- CNW (EU CSIRTs network) Known Exploited Vulnerabilities
- CVE Project – cvelist
- Cloud Security Alliance – GSD Database
- GitHub Advisory Database
- PySec Advisory Database
- OpenSSF Malicious Packages
- VARIoT – IoT vulnerabilities database
- Tailscale Security Bulletins
Vulnerability-Lookup facilitates the recording of vulnerability sightings, regardless of whether they have been published by a source. A suite of sighting clients is already available to support this functionality:
Our tools on the Python Package Index (PyPI):
| Tool | Description |
|---|---|
| ShadowSight | A client that retrieves vulnerability observations from The Shadowserver Foundation and pushes them to a Vulnerability-Lookup instance. |
| FediVuln | A client to gather vulnerability-related information from the Fediverse. |
| BlueSkySight | A client to gather vulnerability-related information from Bluesky. |
| MISPSight | A client that retrieves vulnerability observations from a MISP server and pushes them to a Vulnerability-Lookup instance. |
| NucleiVuln | A client designed to retrieve vulnerability-related observations from the Nuclei Git repository of templates and push them to a Vulnerability-Lookup instance. |
| ExploitDBSighting | A client that retrieves vulnerability observations from Exploit-DB and pushes them to a Vulnerability-Lookup instance. |
| KEVSight | A client to generate sightings for Vulnerability-Lookup from the Known Exploited Vulnerabilities (KEV) catalog. |
| GistSight | A client for gathering vulnerability-related information from GitHub Gists. |
| MetasploitSight | A client designed to retrieve vulnerability-related information from the modules available in Metasploit. |
If you want to create your own sighting tool, we recommend using PyVulnerabilityLookup, a Python library to access Vulnerability-Lookup via its REST API.
Generally speaking, requirements are the following:
- Recent version of Python 3.10
- Recent version of Poetry
- Kvrocks database
Installation instructions are available in the documentation.
Vulnerability-Lookup is free software released under the "GNU Affero General Public License v3.0".
Copyright (c) 2023-2026 Computer Incident Response Center Luxembourg (CIRCL)
Copyright (c) 2023-2026 Alexandre Dulaunoy - https://github.com/adulau
Copyright (c) 2023-2026 Raphaël Vinot - https://github.com/Rafiot
Copyright (c) 2024-2026 Cédric Bonhomme - https://github.com/cedricbonhomme

