We’re excited to announce the release of cve-search v6.0.0! This is a major update focusing on modernizing the codebase, improving stability, and cleaning up legacy components.

The most significant changes are major refactoring for MongoDB compatibility (PyMongo 4.x) and extensive cleanup of old, unused, or deprecated features.

Key Highlights and Major Changes

  • Database Modernization & PyMongo 4.x Compatibility:
    • Extensive internal refactoring to ensure full compatibility with PyMongo 4.x and modern MongoDB versions (tested against MongoDB 4.4, 6.0, and 8.0).
    • Implemented lazy-loading for MongoDB connections in the core, web, and authentication handlers, so that each Gunicorn worker opens its own client after the fork instead of inheriting one created in the master (PyMongo's MongoClient is not fork-safe).
    • Modernized database ranking functions to use update_one() and delete_one() in place of the update() and remove() methods that PyMongo 4 removed.
  • Web Interface & Admin Updates:
    • The /updatedb admin endpoint now allows manual selection of update sources (CPE, CVE, CWE, CAPEC, VIA4, EPSS).
    • Added database update locking to prevent concurrent updates and an option to forcibly clear stale locks in the admin UI.
    • New, more responsive 3-column layout for the web admin page.
    • Improved login route with specific error messages (missing username, invalid password, CSRF errors).
  • API & Core Improvements:
    • Introduced a MongoDB fallback for the Redis-first /api/browse and /api/search-vendor endpoints when the Redis cache is unavailable or empty.
    • Improved fulltext processing with auto-downloading of required NLTK resources and performance optimizations.
    • Fixed handling of CWE lists in CAPEC lookups.
  • Cleanup and Feature Retirement:
    • Retired the Plugin Feature (Flask-Plugins) from the web application.
    • Retired the Whitelist/Blacklist feature due to performance issues and unreliability.
    • Removed obsolete scripts and features: cve_refs.py (CVE Reference DB), cve_doc.py (obsolete documentation script), and the unused authentication API and JWT token logic.
    • Cleaned up and removed several unused settings and helper scripts (.schema_version, ListLoginRequired, redundant updater flags).
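The lazy-loading change above is worth seeing in code. The following is an added, standalone illustration of the technique and not cve-search's own implementation: the client factory is injected and the pid source is made replaceable so that the fork can be simulated without a running MongoDB; the FakeClient class and the pid values are constructed for the example.

```python
import os
import threading
from typing import Callable, Optional


class LazyMongo:
    """Build the MongoDB client on first use, and rebuild it after a fork.

    PyMongo's MongoClient is not fork-safe: a client opened in the Gunicorn
    master before the workers are forked is copied into every worker along
    with its sockets and monitor threads, and the PyMongo documentation warns
    that such copies are prone to deadlock in the child. Creating the client
    lazily inside the worker, and recreating it whenever os.getpid() changes,
    gives each process a client of its own.
    """

    def __init__(self, factory: Callable[[], object],
                 getpid: Callable[[], int] = os.getpid) -> None:
        # factory builds the real client, e.g. lambda: MongoClient(uri).
        # getpid is injectable only so the fork can be simulated offline.
        self._factory = factory
        self._getpid = getpid
        self._lock = threading.Lock()
        self._client: Optional[object] = None
        self._pid: Optional[int] = None
        self.created = 0  # number of clients built so far, for inspection

    @property
    def client(self) -> object:
        pid = self._getpid()
        if self._client is not None and self._pid == pid:
            return self._client  # fast path: already built in this process
        with self._lock:
            # re-check under the lock; another thread may have built it
            if self._client is None or self._pid != pid:
                # A client inherited across fork is dropped, not close()d:
                # calling into it from the child is exactly what can deadlock.
                self._client = self._factory()
                self._pid = pid
                self.created += 1
            return self._client


class FakeClient:
    """Constructed stand-in for pymongo.MongoClient so this runs offline."""

    def __init__(self, pid: int) -> None:
        self.pid = pid


def simulate_fork() -> dict:
    """Exercise LazyMongo across a simulated fork (a change of pid)."""
    state = {"pid": 1000}
    lazy = LazyMongo(lambda: FakeClient(state["pid"]), getpid=lambda: state["pid"])
    first = lazy.client
    second = lazy.client            # same process: same client, nothing rebuilt
    state["pid"] = 1001             # pretend we are now inside a forked worker
    third = lazy.client             # new pid: a fresh client for this worker
    return {
        "reused_in_same_process": first is second,
        "rebuilt_after_fork": third is not first and third.pid == 1001,
        "clients_created": lazy.created,
    }


if __name__ == "__main__":
    print(simulate_fork())
```

In a Flask application the same object would be created at import time with a real factory (`LazyMongo(lambda: MongoClient(MONGO_URI))`) and dereferenced inside request handlers via `.client`, so no socket is opened until a worker actually serves a request.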
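The update lock with a forced clear for stale locks is another small mechanism that is easy to get subtly wrong. Below is an added example of one way to build it; it is not cve-search's code, and how the project stores its lock is not described in these notes. This version keeps the lock in a JSON file, treats a lock as stale when its holder's pid is gone or the lock is older than max_age, and exposes force_clear() for the admin action. The file name, field names and the leftover lock record in demo() are all constructed for the example.

```python
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional


class UpdateLock:
    """One-updater-at-a-time lock stored as a small JSON file.

    The holder records its pid, start time and the sources it is updating.
    A lock counts as stale when its pid is no longer alive or it is older
    than max_age seconds; stale locks are reclaimed by acquire(), and
    force_clear() removes whatever is there (the admin "clear stale lock").
    """

    def __init__(self, path, max_age: float = 6 * 3600) -> None:
        self.path = Path(path)
        self.max_age = max_age

    def read(self) -> Optional[dict]:
        try:
            return json.loads(self.path.read_text())
        except FileNotFoundError:
            return None
        except (ValueError, OSError):
            # truncated or half-written file: treat as a lock with no owner
            return {"pid": None, "started": 0, "sources": []}

    @staticmethod
    def _pid_alive(pid) -> bool:
        if not isinstance(pid, int) or pid <= 0:
            return False
        try:
            os.kill(pid, 0)  # signal 0: existence check only
        except ProcessLookupError:
            return False
        except PermissionError:
            return True      # exists, owned by another user
        return True

    def is_stale(self, info: dict, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        too_old = now - float(info.get("started", 0)) > self.max_age
        return too_old or not self._pid_alive(info.get("pid"))

    def acquire(self, sources) -> bool:
        info = self.read()
        if info is not None:
            if not self.is_stale(info):
                return False          # a live updater holds the lock
            self.force_clear()        # reclaim the stale one
        try:
            # O_EXCL makes the create atomic: if another process slipped in
            # between our read and here, we lose cleanly instead of clobbering.
            fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            return False
        with os.fdopen(fd, "w") as fh:
            json.dump({"pid": os.getpid(), "started": time.time(),
                       "sources": list(sources)}, fh)
        return True

    def release(self) -> None:
        info = self.read()
        if info and info.get("pid") == os.getpid():
            self.path.unlink(missing_ok=True)  # only the holder releases

    def force_clear(self) -> None:
        self.path.unlink(missing_ok=True)


def demo() -> dict:
    """Walk through acquire, refusal, stale reclaim and forced clearing."""
    with tempfile.TemporaryDirectory() as tmp:
        lock = UpdateLock(Path(tmp) / "updatedb.lock", max_age=3600)
        first = lock.acquire(["cve", "epss"])
        second = lock.acquire(["cpe"])           # refused: we hold it and are alive
        # Constructed leftover from a crashed run: dead pid, two hours old.
        lock.path.write_text(json.dumps(
            {"pid": 2 ** 22 + 12345, "started": time.time() - 7200, "sources": ["cve"]}))
        stale_seen = lock.is_stale(lock.read())
        third = lock.acquire(["cve"])            # stale lock reclaimed
        lock.force_clear()                       # admin "clear stale lock" action
        fourth = lock.acquire(["capec"])
        lock.release()
        return {"first": first, "second": second, "stale_detected": stale_seen,
                "stale_reclaimed": third, "after_force_clear": fourth,
                "released": not lock.path.exists()}


if __name__ == "__main__":
    print(demo())
```

The point of the pid check is that a lock left behind by a crashed updater must not block every later update until the age limit expires, while the age limit catches a holder that is alive but hung; force_clear() is the escape hatch for everything else, which is why it belongs behind the authenticated admin page rather than in a public endpoint.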

Fixes and Minor Changes

  • Updated dump_last.py HTML output to handle optional fields in current CVE data (vulnerable configurations, products, references).
  • Updated the project URLs for cve-search and the NIST NVD.
  • Fixed a bug where manual updates started from the API and UI could leave <defunct> (zombie) processes behind.
  • Added expected configuration files to .gitignore.
  • Updated dependencies, including bumping werkzeug from 3.0.6 to 3.1.4 and other Flask-related packages.

Deprecated/Removed

  • The Plugin Feature (Flask-Plugins) is retired.
  • The Whitelist/Blacklist feature is retired.
  • The /api/logout and associated JWT token logic are removed.
  • The cve_refs.py and cve_doc.py scripts are removed.
  • The -m/--minimal flag in db_updater.py is removed as it was redundant with -c/--cache.