Why We Built CVD Portal and Why the September Deadline Made Us Give It Away for Free
We didn't set out to build a SaaS product. We set out to answer a question that kept coming up in our conversations with EU manufacturers: “We know the Cyber Resilience Act is coming. We know we need to do something about vulnerability disclosure. But where do we actually start?” The honest answer, every time, was: “It's more complicated than it should be.” That bothered us enough to do something about it.
EU Cyber Resilience Act Compliance Roadmap

1. CRA Published: Regulation (EU) 2024/2847 published in the Official Journal; enters into force 11 December 2024.
2. Art. 14 Enforcement Begins (11 September 2026): vulnerability reporting obligations apply to all products in scope.
3. Full Conformity Deadline (December 2027): design and production requirements (Annex I, CE marking) apply to new products placed on the market.
Three Pillars of CRA CVD Compliance
A complete vulnerability disclosure infrastructure designed for economic operators subject to the Cyber Resilience Act.
Art. 13 + Art. 14 SLA Compliance
48-hour acknowledgment of incoming reports, per CVD best practice (ISO/IEC 29147, Art. 13). For actively exploited vulnerabilities and significant incidents, Art. 14 mandates three reporting milestones to ENISA/CSIRT: a 24-hour early warning, a 72-hour detailed report, and a final report within 14 days (vulnerabilities) or 1 month (incidents).
Single Point of Contact
A unified, branded vulnerability intake portal for your organization. Security researchers submit reports through a standardized, encrypted channel.
ENISA-Aligned Triage
All submissions follow ENISA coordinated vulnerability disclosure (CVD) best practices with CVSS scoring, reporter communication, and mitigation tracking.
Are You CRA Ready?
EU Vulnerability Database (EUVD) Pulse
Official feed of the latest critical and actively exploited vulnerabilities tracked by European authorities.
Latest Critical Vulnerabilities
CVSS 9.0+: Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form data. Attackers can upload PHP files with arbitrary content to the upload directory and execute them on the server for remote code execution.
OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation primitive. This API was not designed for that and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0.
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or ", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host.
Actively Exploited (KEV)
In the wild: Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues.
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
“Organisations increasingly recognise that software development nowadays requires an active, positive response to vulnerability reports, which strengthens security and is becoming a strong selling point when handled properly.”
What NIS2 Expects of Organisations on Coordinated Vulnerability Disclosure
NIS2 splits coordinated vulnerability disclosure between a national CSIRT layer and an organisational layer. Here is what a compliant CVD policy is expected to contain, how the process should run day to day, and how it lays the groundwork the CRA will require.
7 min read

CRA Compliance: Why We Built CVD Portal and Why the September Deadline Made Us Give It Away for Free
A note from the team at Porta Regulus BV on why CVD Portal exists, why the September 2026 Article 14 tier is permanently free, and how we separated the September 2026 and December 2027 deadlines in the product model.
9 min read

CRA Compliance: Pricing the September 2026 Deadline: A PERT Cost Estimate for SME CRA Compliance
A defensible three-point PERT estimate of what it actually costs an EU SME manufacturer to meet the CRA Article 14 reporting deadline on 11 September 2026. Expected cost: ~€39,700 with a 90% interval of €33,900 to €45,500.
11 min read