ENISA, the EUVD, and CRA reporting
ENISA operates the reporting and vulnerability infrastructure at the centre of the Cyber Resilience Act. Here is how each touchpoint works and how the platform aligns with it.
ENISA's role under the CRA
Under Article 14 of the Cyber Resilience Act, a manufacturer that becomes aware of an actively exploited vulnerability in a product with digital elements must notify the coordinating CSIRT and ENISA through a single reporting platform. An early warning is due within 24 hours, a fuller notification within 72 hours, and a final report once the vulnerability is handled. ENISA also runs the European Vulnerability Database, the EU's public record of critical and exploited vulnerabilities.
CRA Portal is an independent platform and is not affiliated with or endorsed by ENISA or the EU. It aligns with these touchpoints so a manufacturer can meet the obligation with less manual effort.
Touchpoints and platform alignment
ENISA Single Reporting Platform
Where manufacturers file the Article 14 notifications for actively exploited vulnerabilities and severe incidents.
The platform runs the full Article 14 cascade: early warning within 24 hours, notification within 72 hours, and a final report, each with its own deadline timer. It generates a pre-filled ENISA submission package ready to paste into the Single Reporting Platform.
European Vulnerability Database (EUVD)
ENISA's public database of vulnerabilities, including critical and actively exploited entries.
CRA Portal pulls the live EUVD feeds directly from ENISA and uses them for monitoring and impact assessment against your SBOM. The feed below is the same source.
National CSIRTs
The Article 14 notification also goes to the CSIRT designated as coordinator in the manufacturer's member state.
The platform derives the correct national CSIRT and its Article 14 contact from a per-country directory, so the notification is routed to the right coordinator.
CSAF 2.0 advisories
Machine-readable security advisories that align with the EU move toward automated vulnerability information exchange.
CRA Portal generates CSAF 2.0 VEX advisories and publishes a provider metadata feed, so disclosures are machine-readable for downstream consumers.
EU Vulnerability Database (EUVD) Pulse
Official feed of the latest critical and actively exploited vulnerabilities tracked by European authorities.
Latest Critical Vulnerabilities
CVSS 9.0+VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user with network access may be able to access the Avi Control plane by bypassing the authentication mechanism. Affected versions: 31.1.1 through 31.2.2 (fixed in 31.2.2-2p3) 30.1.1 through 30.2.6 (fixed in 30.2.7) 22.1.1 through 22.1.7 (fixed in 30.2.7)
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), could allow an attacker to perform SQL Injection and achieve Remote Code Execution.
IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/auto_login (mints SUPERUSER tokens to any network caller) with /api/v1/validate/code (executes user code via exec()) to achieve full RCE on default Langflow deployments
IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEW_USER_IS_ACTIVE=true (documented deployment option), newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need for AUTO_LOGIN.
Actively Exploited (KEV)
In the wildDeserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests
KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked and users being unable to reset them to gain access to the device. The BCU key feature on the devices can be used to create a password for the device, but this password can often not be reset without entering the current password. If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device. Even if a device is not connected to a network, an attacker with physical access to the device could also exploit this vulnerability in the same way.
Be ready for the 24-hour clock
Run Article 14 reporting with deadline timers and a pre-filled ENISA submission package.