VulnCheck has been a CVE Numbering Authority (CNA) since April 2023 and it is allowed to assign CVE identifiers to vulnerabilities found in software that is not specifically covered by other CNAs. However, CrushFTP was not happy with the decision, arguing that the “real CVE” had been pending. Indeed, roughly 10 days after disclosure, CrushFTP told SecurityWeek that the CVE for this vulnerability is CVE-2025-31161, which was assigned by Outpost24, the security firm credited for responsibly disclosing the flaw to the vendor.