After the funding crisis at MITRE at the beginning of 2025, the European Union Agency for Cybersecurity (ENISA, European Network and Information Security Agency) started the European Vulnerability Database (EUVD).
Since then some articles have been published that show this database in an unfavourable light, to put it charitably. One such article was already published in May 2025 on the Vulncheck blog. Of course there is some bias in that article, as the author works for what is more or less a competitor with its own vulnerability database.
First of all, it is good to have such a database in Europe, to become more and more independent of things hosted in the US. But you cannot submit your own vulnerability research directly to EUVD. For that you need an account at CIRAS (Cybersecurity Incident Reporting and Analysis System), which is also operated by ENISA. Obtaining such an account is not really an easy task, and lots of links on the website return a 404. Anyway, for whatever reason, in 2025 only about 1100 issues have been reported via CIRAS, which compared with the MITRE CVE database is nothing at all.
One point of criticism was inconsistent information about CVEs in the EUVD.
On the website, using Search by ID with CVE-2024-, CVE-2024-* or CVE-2024-.* results in the error "The introduced ID does not exist.".
Maybe my expectations of being able to use modern things like regex are pitched too high.
One can also use Search by text, where CVE-2024- gives 30991 entries. The correct number of such CVEs can be obtained from cve.org and is 38912. So even some months after the negative report there is no improvement: the website UI still does not show all vulnerabilities.
The current EUVD API also allows retrieving single entries by EUVD ID.
Using this method, one can obtain about 38969 EUVD entries that contain CVE-2024-* in their dataset. The constraints mentioned in the Vulncheck blog are still present, so downloading lots of data this way is not really fun. Yes, there are about 1700 EUVDs in 2025 that were published later and that also contain CVE-2024; I considered this. The Debian Security Tracker contains 38920 entries for CVE-2024. So the small difference between all those numbers might be related to rejected CVEs that are not processed correctly. Anyway, these results show that at least all information related to CVEs is available in EUVD, but it has to be found.
For whatever reason, the total number of EUVD-2024-* entries is above 55000. What are the issues that are not related to a CVE?
For example, EUVD-2024-0027 is associated with PYSEC-2024-55, which is a problem in the package ecosystem (some malicious code was uploaded). This seems to be fine.
Another batch of EUVD issues without an associated CVE relates to npm, where malicious packages have been uploaded. So, more or less, another ecosystem with the same kind of problem.
Here a small digression offers itself: in the case of Debian packages it is totally fine to look only at cve.org to catch all vulnerabilities of the packages. The exception to the rule are packages whose watch file does not point to the repository of the software itself but to a repository of a language ecosystem such as PyPI or npm. For those packages the corresponding PYSEC entries need to be investigated as well. What would have happened if version 0.5 of gratient (EUVD-2024-0076) had been uploaded to Debian?
Back to EUVD entries without a corresponding CVE. Unfortunately there is also EUVD-2024-11941 in the database. There is not much information available about this issue; only another ID, MAL-2024-11737, is mentioned. It points to osv.dev, a Google project to collect all vulnerabilities, rather similar to EUVD but run by Google. The entry at Google shows a bit more information and gives credit to ReversingLabs as “finder”. That company does “AI-Driven Binary Analysis to Identify Malicious Components”.
Anyway, the issue is in the PyPI package urlcon, so let's see what PyPI tells us about this software. Ok, nice, there are five packages that have the string “urlcon” in their name, but no package urlcon is available.
Unfortunately I couldn’t find any other information about this issue on the ReversingLabs website. But all in all I found about 7000 submissions by ReversingLabs with a MAL-2024-* ID.
I looked at some of them and didn’t find one that refers to an existing PyPI or npm package. From my point of view it looks like EUVD has been polluted by lots of artificially generated entries. Of course not only EUVD is affected. As all the other services like osv.dev, Vulners.com, OSSF and whatever else just automatically collect data without verifying it and sync with each other, from my point of view all these databases are just useless.
As a result I would state that the idea of EUVD is nice, but as they collect everything without verification, the database is only one among others without any unique selling point, especially as the competition has a way better UI.
I also found another glitch, totally unrelated to the above, in CVE-2024-45568: in a product made by Qualcomm, the CVSS score from NVD is 7.8, which rates it as High. The vector is: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The same issue evaluated by Qualcomm results in the vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The only difference is PR:L versus PR:H (the privileges an attacker needs), and the CVSS score becomes 6.7, which makes it a Medium issue.
Shamed be he who thinks evil of it.