178 commits, 14 feature areas, and a whole new way to search vulnerabilities. Here’s everything new in CVEFeed.io.
Read more: Product Update • v2.2 | CVEQL, Jira Integration, and a Complete Visual OverhaulIt’s been three weeks since our v2.1 release, and we haven’t been sitting around. Today we’re rolling out what might be our most ambitious update yet — a new query language, two major integrations, a full visual redesign, a brand-new documentation site, and a long list of under-the-hood improvements that make everything faster, safer, and more polished.
Let’s walk through the highlights.
Introducing CVEQL — A Query Language Built for Vulnerability Hunting
This is the big one. CVEQL (CVE Query Language) is a purpose-built query engine that lets you write precise, powerful vulnerability searches — the kind that used to require chaining filters or hitting the API directly.
Instead of clicking through dropdown after dropdown, you can now write queries like:
cvss_score >= 9.0 and products.vendor.name = “apache”
CVEQL supports full relation traversal across six models — Vulnerability, Product, Vendor, CWE, CISA KEV, and EPSS Score — so you can slice your data from any angle. Need all critical Apache vulnerabilities that are in the CISA KEV catalog with an EPSS score above 0.8? That’s one query now, not five clicks.
You’ll find CVEQL at the new /query/ page, complete with an autocomplete widget, example queries, an operator reference, and a preview mode that shows match counts before you commit to a full search.
We’ve also baked in smart guardrails — a 2,000-character query limit, 10-second statement timeouts, field whitelists, and a max page size of 100 — so complex queries stay fast and safe. Five new API endpoints back the whole thing: schema introspection for autocomplete, suggestions, validation, paginated search, and count preview.
Jira Cloud and Microsoft Teams Integrations
Vulnerability alerts are only useful if they reach the right people in the right place. With this release, we’re adding two new channels to make that happen.
🔗Jira Cloud Integration
Connect your Jira Cloud instance via OAuth 2.0 and let CVEFeed.io automatically create issues when new vulnerability alerts fire. Severity maps directly to Jira priority — Critical vulnerabilities become Highest-priority tickets, and ransomware alerts get flagged with dedicated warning panels.
- Rich issue descriptions with vulnerability details and direct CVEFeed.io links
- Configurable target project, issue type, and labels
- Four-stage setup flow that mirrors our Slack integration UX
Available on the PRO plan.
💬Microsoft Teams
Teams joins Slack, Email, and Webhooks as a notification channel. If your security team lives in Teams, alerts now show up right where the conversations happen — no extra tab-switching required.
Both integrations appear as cards in your dashboard’s integrations grid, with clear status indicators so you always know what’s connected and what needs attention.
CISA KEV Alert Signals
Speaking of alerts — we’ve added CISA Known Exploited Vulnerabilities (KEV) as a first-class alert signal. When a vulnerability lands on the KEV catalog, you’ll now get proactive notifications automatically. No manual checking required.
A Complete Visual Overhaul — Dark and Light
If the platform looks different today, you’re not imagining things. We’ve rebuilt the entire UI from the ground up with a dual-theme system.
The new dark theme (now the default) features a near-black background with an indigo accent palette, glassmorphism effects on cards and modals, hover animations with border glow, and scroll-triggered reveals. The light theme offers a clean, minimal alternative with white cards, subtle shadows, and the same indigo accents.
Landing Page
Animated hero with cycling slot text, gradient headlines, floating security pills with parallax tracking, and a live terminal preview.
Dashboard
Consolidated integration cards into a compact table layout. API Tokens and Audit Log grouped under a Settings card. Cleaner single-row design.
Theme Toggle
Moved from sidebar to topbar. Persists across sessions, syncs between landing page and app, and restores before CSS loads to prevent flash.
Full Coverage
Every surface themed — forms, dropdowns, modals, tables, code blocks, auth pages, cookie consent, and the 500 error page.
We also switched the font from Plus Jakarta Sans to Inter for better readability across the board, and moved the sidebar to a flush-left layout to give your content more room to breathe.
Everything Else
The three features above got the headlines, but there’s a lot more in this release.
New documentation site. We replaced the old docs with a modern Astro Starlight site at docs.cvefeed.io — 27 pages across six sections covering everything from getting started to API reference and billing.
API improvements. Separated alert API filters from template filters for cleaner endpoint design, enabled anonymous access to public vulnerability data, cleaned up the OpenAPI docs, and added alert ordering support.
SEO and performance. Added rel=”nofollow” to external links, og:type meta tags across all public pages, and proper image dimensions to prevent layout shift.
Privacy-first analytics. We replaced Google Analytics with PostHog, with session recording limited to authenticated users only.
Security and dependencies. 40+ backend packages upgraded with Django LTS security patches applied. On the frontend, we patched an XSS vulnerability in clipboard handling and a DOM clobbering XSS in the carousel component. Docker base images and CI/CD actions are all on latest versions.
Bug fixes. Squashed a Chrome-on-iPhone infinite reload loop caused by browser-injected HTML attributes, fixed email delivery issues, resolved redirect loops, and made CVSS score buttons actually readable in dark mode (turns out, matching text and background colors isn’t ideal).
That’s 178 commits worth of work, and we’re already heads-down on what’s next. If you want the full technical breakdown, the complete changelog is available on our docs site.
Leave a Reply