Vulnerability Management
Actionable risk, not a wall of CVEs.
Every component in your SBOM is watched and every vulnerability enriched (exploit-aware prioritization, reachability and context re-scoring), so your team reacts to what matters, in order.
Risk score
3.0Low
EV Platform E-3
Resolved
1,135
of 1,245 findings
Open
154
Critical 4
High 13
Medium 5
Low 132
| Vulnerability | Component | CVSS | Exploitation | State |
|---|---|---|---|---|
| CVE-2026-4187 | gstreamer 1.14.4 | 9.8 | KEV | under review |
| CVE-2026-3350 | botan 2.19.5 | 8.4 | exploit | to validate |
| CVE-2026-0915 | bluez 5.66 | 7.5 | PoC | to validate |
| CVE-2026-1204 | libexpat 2.2.6 | 6.8 | none | suppressed |
How it triages
Built for what your SBOM ships.
Exploit-aware prioritizationKEV, EPSS and real exploitation evidence move the findings that are actually being used to the top.
Reachability and contextA vulnerability re-scored for the product in the field: which node, which interface, whether the code path is reachable.
Fed by your SBOMThe bill of materials is the input: one row per component, matched to advisories automatically.
A queue, not a feedWhat needs a reaction, with a state and an owner: suppressed, validated or escalated, all recorded.
Context re-scoring
One score does not fit all products.
A base CVSS score assumes the worst case everywhere. Correlens re-scores each finding for the product it actually sits in, on CVSS 3.0, 3.1 or 4.0, and records why. How the re-scoring weighs your context is part of the demo, not the website.
- Environmental reality. A 9.8 on an isolated node without network exposure is not your first problem.
- Recorded reasoning. Every re-score keeps the analyst, the context flags and the justification.
- Standards-native. Scores stay valid CVSS vectors, so exports and reports keep meaning outside the platform.
9.8
CVE-2026-4187 · gstreamer 1.14.4CVSS 3.1 base · network attack vector assumed
5.1
Re-scored for the vehiclereachable only over the internal bus, no external path
Node context drives the score
no network accessgateway-isolateddebug port fusedread-only media path
Triage states & VEX
A decision is a record, not a status color.
Findings move through explicit states: to validate, under review, suppressed or escalated. A suppression is a VEX statement with a reason attached, so "not affected" is something you can hand an assessor, not a silent filter.
- VEX suppression. Not-affected claims carry machine-readable justification.
- Owned queue. Every finding has a state and a person, so nothing dies in a spreadsheet.
- Feeds compliance. The same records serve the R155 CSMS monitoring evidence and 21434 clause 8.
P1CVE-2026-4187 · gstreamerUNDER REVIEW · K.M.
P1CVE-2026-3350 · wolfSSLTO VALIDATE
P2CVE-2026-0915 · bluezTO VALIDATE
P3CVE-2026-2044 · u-bootVEX · not affected
states and reasons recorded per finding · exportable with the enriched SBOM