cve-search - tool-set to perform local searches for known vulnerabilities

cve-search v6.0.0 released: Database Modernization, PyMongo 4.x, and Feature Cleanup

Tue, 09 Dec 2025 09:05:33 +0100

We’re excited to announce the release of cve-search v6.0.0! This is a major update focusing on modernizing the codebase, improving stability, and cleaning up legacy components.

The most significant changes are major refactoring for MongoDB compatibility (PyMongo 4.x) and extensive cleanup of old, unused, or deprecated features.

Key Highlights and Major Changes

Database Modernization & PyMongo 4.x Compatibility:
- Extensive internal refactoring to ensure full compatibility with PyMongo 4.x and modern MongoDB versions (tested against MongoDB 4.4, 6.0, and 8.0).
- Implemented lazy-loading for MongoDB connections in the core, web, and authentication handlers to prevent issues in multi-process environments like Gunicorn.
- Modernized database ranking functions to use update_one() and delete_one().
Web Interface & Admin Updates:
- The /updatedb admin endpoint now allows manual selection of update sources (CPE, CVE, CWE, CAPEC, VIA4, EPSS).
- Added database update locking to prevent concurrent updates and an option to forcibly clear stale locks in the admin UI.
- New, more responsive 3-column layout for the web admin page.
- Improved login route with specific error messages (missing username, invalid password, CSRF errors).
API & Core Improvements:
- Introduced a MongoDB fallback for the Redis-first /api/browse and /api/search-vendor endpoints when the Redis cache is unavailable or empty.
- Improved fulltext processing with auto-downloading of required NLTK resources and performance optimizations.
- Fixed handling of CWE lists in CAPEC lookups.
Cleanup and Feature Retirement:
- Retired the Plugin Feature (Flask-Plugins) from the web application.
- Retired the Whitelist/Blacklist feature due to performance issues and unreliability.
- Removed obsolete scripts and features: cve_refs.py (CVE Reference DB), cve_doc.py (obsolete documentation script), and the unused authentication API and JWT token logic.
- Cleaned up and removed several unused settings and helper scripts (.schema_version, ListLoginRequired, redundant updater flags).

Fixes and Minor Changes

Updated dump_last.py HTML output to handle optional fields in current CVE data (vulnerable configurations, products, references).
Updated project URLs for cve-search and NIST NVD URLs.
Fixed a bug where the API and UI could potentially prevent <defunct> (zombie) processes during manual updates.
Added expected configuration files to .gitignore.
Updated dependencies, including bumping werkzeug from 3.0.6 to 3.1.4 and other Flask-related packages.

Deprecated/Removed

The Plugin Feature (Flask-Plugins) is retired.
The Whitelist/Blacklist feature is retired.
The /api/logout and associated JWT token logic are removed.
The cve_refs.py and cve_doc.py scripts are removed.
The -m/--minimal flag in db_updater.py is removed as it was redundant with -c/--cache.

cve search 5.2.0 released with bugs fixed and minor improvements

Mon, 17 Mar 2025 09:05:33 +0100

cve-search v5.2.0 released with improvements and bug fixes (2025-03-17)

v5.2.0 released

Other

Update web/VERSION 5.1.0.dev9. [GitHub Action]
Update requirements.txt (#1141) [PT]
WebUI: improve tables (#1136) [Esa Jokinen]
Maintain a CWE array in webui and swagger (#1132) [SashaTail]
Update requirements.txt. [PT]
Add cvss4 in webui #1128 (#1129) [SashaTail]
- Add CVSS4 display on the vulnerability page
- Add filter, sorting to vulnerabilities page
- Fix td size for Cvss4 cases
- Improve filter logic for cvss4
- Add CVSSv4 in swagger doc
- Delete score from cvss4
- Update version
Feat(search): limit results by days since modified (#1121) [Esa Jokinen]
- feat(search): limit results by days since modified
Add search.py -T to limit results to results from n days by the last modification, while -t does it based on the date published.
- build(ci): update actions/upload-artifact to v4
This test was using a deprecated version of actions/upload-artifact: v2.
Update web/VERSION 5.1.0.dev2. [GitHub Action]
Bump nltk from 3.8.1 to 3.9 (#1118) [dependabot[bot]]

Bumps nltk from 3.8.1 to 3.9.
- Changelog
- Commits

updated-dependencies:

dependency-name: nltk dependency-type: direct:production …
Remove support for search.py -q (#1117) [Esa Jokinen]

cve search 5.0.1 released with bugs fixed and minor improvements Latest

Sun, 28 Jan 2024 09:05:33 +0100

cve-search v5.0.1 released with bugs fixed and minor improvements. Thanks to contributors and users who helped us to improve cve-search.

v5.0.1 (2024-01-28)

New

[release] changelog updated to match release v5.0.0. [Alexandre Dulaunoy]

Other

Update README.md (#1055) [Esa Jokinen]
- systemd services: rename mongod.service
- black formatting
- README.md add workflow badges
- README.md update copyright years
- README.md update changelog link
The changelog on the site hasn’t been updated for ages.
Systemd services: rename mongod.service (#1052) [Esa Jokinen]
- systemd services: rename mongod.service
- black formatting
- README.md add workflow badges
Update script tweaks (#1051) [PT]
- tweaks to update script
Add check for missing ‘vulnerable_configuration’ field (#1050) [PT]
Fixes #1038. [Paul Tikken]
Merge pull request #1047 from cve-search/cve-search-1042. [PT]

Additional check
Added check for missing epss values. [Paul Tikken]
Merge pull request #1041 from oh2fih/master. [PT]

Add workflow to check black formatting
Black formatting (23.12.1) [Esa Jokinen]
Add workflow to check black formatting. [Esa Jokinen]
Black formatting. [Paul Tikken]

cve-search v5.0.0 released with major improvements for the NVD NIST API import, other improvements and many bugs fixed

Mon, 18 Dec 2023 09:05:33 +0100

cve-search v5.0.0 released with major improvements for the NVD NIST API import, other improvements and many bugs fixed.

The update is now done via CveXplore.

Thanks to all the contributors to make this release a reality.

What’s Changed

Configurable DownloadMaxWorkers (#890) by @oh2fih in https://github.com/cve-search/cve-search/pull/998
Update requirements.txt by @nsmfoo in https://github.com/cve-search/cve-search/pull/1002
Rewrite of database update to use NVD NIST API from cvexplore lib by @P-T-I in https://github.com/cve-search/cve-search/pull/1010
wrong key when populating redis cache by @P-T-I in https://github.com/cve-search/cve-search/pull/1019
mongodb connections by @P-T-I in https://github.com/cve-search/cve-search/pull/1022
Pass mongodb connection string when initialize CveXplore by @baonq-me in https://github.com/cve-search/cve-search/pull/1030
Use count_documents() to count mongo documents instead of old and deprecated count() by @baonq-me in https://github.com/cve-search/cve-search/pull/1032
Fixed Inappropriate Logical Expression by @fazledyn-or in https://github.com/cve-search/cve-search/pull/1031
Improve CVEs search speed in bin/search.py by @baonq-me in https://github.com/cve-search/cve-search/pull/1033
Fix counting results when searching for CVE using cli by @baonq-me in https://github.com/cve-search/cve-search/pull/1034

New Contributors

@nsmfoo made their first contribution in https://github.com/cve-search/cve-search/pull/1002
@baonq-me made their first contribution in https://github.com/cve-search/cve-search/pull/1030
@fazledyn-or made their first contribution in https://github.com/cve-search/cve-search/pull/1031

Full Changelog: https://github.com/cve-search/cve-search/compare/v4.2.2…v5.0.0

cve search 4.2.2 - maintenance release including CAPEC source bugfix

Tue, 08 Aug 2023 10:05:33 +0200

cve search 4.2.2 was released including multiple bugs fixed and improvements.

Thanks a lot to all contributors who helped us by reporting issues, proposing pull-request or supporting us.

Don’t hesitate to review the cve-search Changelog to have a detailed overview of what changes in 3.0.

cve-search v3.0 (2020-10-01) released with a rewritten import process, unit tests and many bugs fixed.

Thu, 01 Oct 2020 10:05:33 +0200

cve-search v3.0 (2020-10-01) released with a rewritten import process, unit tests and many bugs fixed.

A huge thank to Paul Tikken for the updates and especially the rewritten import process. Many bugs were fixed in this release.

Thanks a lot to all contributors who helped us by reporting issues, proposing pull-request or supporting us.

Don’t hesitate to review the cve-search Changelog to have a detailed overview of what changes in 3.0.

cve-search v2.5 released including bugs fixed and improvement in the CPE/CWE JSON import

Tue, 24 Sep 2019 04:05:33 +0200

cve-search v2.5 has been released including bugs fixed and improvement in the CPE/CWE JSON import.

cve-search is on Twitter. We will publish software updates, projects and activities of cve-search project on our account. Don’t hesitate to follow us.

Thanks a lot to all contributors who helped us by reporting issues, proposing pull-request or supporting us.

Don’t hesitate to review the cve-search Changelog to have a detailed overview of what changes in 2.5.

cve-search v2.4 released including many bugs fixed and web interface improvements

Wed, 18 Sep 2019 04:05:33 +0200

cve-search v2.4 has been released including many bugs fixed and improvements to the web interface pagination.

A huge thank to Ján Doboš for the updates in the web interface pagination. This update was performed during the CyberExchange program where staff exchange within the CSIRTs/CERTs (for this contribution between CIRCL and SK-CERT. This program is funded by the EC under the CEF program (2017-EU-IA-0118).

cve-search is now on Twitter. We will publish software updates, projects and activities of cve-search project on our account. Don’t hesitate to follow us.

Thanks a lot to all contributors who helped us by reporting issues, proposing pull-request or supporting us.

Don’t hesitate to review the cve-search Changelog to have a detailed overview of what changes in 2.4.

cve-search v2.3 released including new JSON format from NVD/NIST

Wed, 18 Sep 2019 04:05:33 +0200

cve-search v2.3 has been released including many bugs fixed and a new support to the NVD/NIST format in JSON. The new NVD/NIST JSON replaces the XML format which will be deprecated very soon. We welcome feedback or contribution to improve the support of the new JSON format. The current support includes all the original functionality from the original XML format with some improvements.

Thanks a lot to all contributions who helped us by reporting issues, proposing pull-request or supporting us.

Don’t hesitate to review the cve-search Changelog to have a detailed overview of what changes in 2.3.

cve-search team at OSSS hackathon

Fri, 14 Apr 2017 11:05:33 +0200

cve-search core team (including adulau and pidgeyL) will be at the Open Source Security Software Hackathon which takes place in Luxembourg (Kirchberg), the 2nd and 3rd of May 2017. If you want to meet us, work with us or contribute to cve-search , it’s a great opportunity to meet us in real life.

During hackathon, the cve-search core team has some objectives:

Testing and merging the current development branch which has significant improvements in the API and web interface into the cve-search master branch.
Updating the model of release and development to ease collaboration to the cve-search project.
Improving documentation and overview to describe the full scale of open data challenges in vulnerability information (VIA4CVE). A call is made to vendors (including security vendors) to release vulnerability information into open format with a license allowing the integration with open source and free software projects.
and the most important aspect, distributing cve-search stickers ;-)

We hope to see you there. If you cannot join us physically, we will be in the gitter chat of cve-search.