You can now better assess a vulnerability's impact by exploring its key details directly within the vulnerabilities table for a package or container. We've introduced an expanded row layout that shows all available information for a specific finding, helping you make more informed decisions about your response.

Additionally, we’ve added CVSS scores from more than one CVE numbering authority (CNA), allowing you to view data from multiple sources - including NVD, the vendor, or another CNA.

Explore vulnerability details to better assess impact

We’ve recently released a set of improvements across the Cloudsmith 

 focused on logs, error messaging, and usability.

: You can now select between UTC and your browser’s local time when viewing both Client Logs and Audit Logs, letting you skip the mental time zone math.

Quick package navigation from Client Logs

: We’ve added a hyperlink to the package name within Client Logs, allowing you to click directly to the package details page. This saves time when investigating package activity.

Independent scrolling of logs table and filters

: On the Client Logs page, you can now scroll the filters panel independent of the logs table, a usability improvement for ensuring you can easily set your filters.

 The application now rounds the wait time in a throttling error message to a whole number, removing overly precise fractions of a second to keep the message clear.

: We’ve polished how Docker tags are displayed throughout the UI for better clarity.

: We fixed a bug where the chevron icon to expand Package Groups was not working correctly for non-Docker images.

 Filters for key:value pairs are no longer case sensitive, making it easier and less error-prone to filter the packages view.

Fixed package Copy/Move after Repo rename

: Resolved an issue that prevented you from moving or copying packages to a repository if the repository's display name had recently been changed.

: For packages that fail to synchronize, the UI now displays detailed information about the sync status failure, giving you better insight into the root cause.

 Service accounts are now correctly listed and visible on the Teams management page.

 We've removed the 255-character limit for Webhook Target Endpoint URLs, giving you more flexibility for your integrations.

Recent improvements to the Cloudsmith web app

We’ve improved how Docker images are displayed and navigated in the web app, making it easier to work with tags, architectures and metadata to quickly find what you need.

: An architecture column has been added to the packages table on the packages overview (image 1), and a dropdown on each image overview lets you switch between architectures (image 2).

 Docker tags are shown in a separate component on the image overview (image 2), making them easier to browse and select.

: Package pages now surface richer details, including 

​​These improvements help you quickly find what you need and give clearer insights into an image’s content and supply chain integrity, and are available today in the web application today. 

Improved Docker experience in the Cloudsmith web app

Cloudsmith now displays Docker image signatures and SBOMs (Software Bill of Materials) directly in the web app, giving you greater trust and visibility into the images you use.

SBOMs and signatures have been available through the API to enable client-side verification, but this update makes them directly accessible and easier to inspect in the web app.

 list every dependency, version, and license inside a Docker image, helping you understand what’s in your software supply chain.

 let you verify authenticity with Cosign, including viewing ECDSA key details and checking packages against a trusted public key.

improvements to Docker images in the web app

. All of these enhancements are available today for customers using Docker images in Cloudsmith. 

Verify and inspect Docker images

You can now use quick filters in the package vulnerability view to filter Common Vulnerabilities and Exposures (CVEs) by severity.

The view will still default to ordering vulnerabilities by severity — with Critical issues at the top — but quick filters make it easier to filter directly for High, Medium, Low, or Unknown severities. This helps security teams quickly triage and prioritize, especially when working with artifacts that may have a high number of CVEs (for example, Docker images where the base image alone may contribute a large number). 

Filter CVEs by severity in the package vulnerability view

We've reduced the delay between a download event and its appearance in Client Logs, giving you faster visibility into your package delivery pipeline. This makes it easier to analyze trends, troubleshoot issues, and keep your workflows moving.

, and are part of ongoing upgrades to our edge architecture, designed to deliver faster, more reliable access to Cloudsmith data at scale.

The legacy version of Client Logs will remain accessible in the 

You may notice differences in how the data appears between the legacy Client Logs and the new version:

Legacy Client Logs: logs first show an estimated bytes value, which is later updated with the reconciled value.

New Client Logs: logs are available within ~30-60 seconds and display the correct bytes value immediately.

 in our documentation. If you have any questions, 

Faster access to Client Logs

Packages added to Cloudsmith are scanned for vulnerabilities and malware, and passed through our policy engine. When we identify vulnerable packages, we produce and collate a range of descriptive data to help explain those vulnerabilities. Previously, that data was only available in our legacy web app, and more recently via our API. We've now brought more of this descriptive vulnerability data into 

When you see a vulnerability listed, you can expand the row to show descriptive information. You'll also see links out to sources of information; such as NVD. We've also made minor improvements to vulnerability listings; these are now sorted by severity.

Additional vulnerability data added to our web app

Client log exports now provide a more comprehensive overview of package delivery. In addition to GET requests, client log exports will include other HTTP request types, including HEAD, POST, and OPTIONS requests. This gives you a full view of package delivery, moving beyond just download tracking to include metadata checks and other repository interactions.

The additional HTTP methods appear in the method column of your existing export files, but the file format and your ingestion process remain the same.

This expanded view helps you track repository interactions in detail and analyze costs more accurately by factoring in all request types.

Enhanced logs will begin rolling out to existing customers this week. 

If you programmatically parse your log export files, please review your tooling to handle these new request methods. Pipelines that are coded only to expect GET may require changes to avoid disruption.

Interested in starting to use Log Exports? 

Client log exports now include more HTTP Methods for improved package lifecycle visibility

Broadcasts now support using your own domain as the endpoint for package distribution, helping you deliver a more consistent and trusted experience for developers and end users.

If you've already configured a custom domain for your workspace, it will now automatically apply to your Broadcasts. This means that setup instructions and download URLs will reflect your domain, not Cloudsmith’s.

This builds on existing support for custom domains on the Broadcast site itself. Now, both the portal and distribution endpoints can be fully branded.

In the example below, you can see the Broadcast custom URL and the custom endpoint for package distribution.

Learn more about custom domains for distribution

Broadcasts is currently in Early Access. 

Broadcasts now support custom domains for distribution

We have improved sorting and filtering in the new web application, making it easier to manage members, teams and service accounts in Cloudsmith.

Filter members by name, email address, and role

Use new quick filters to easily narrow down your list of users to a specific role

These improvements are also available for:

If you haven’t made the switch, now is a great time to move to the new web app. It’s where all the latest improvements are landing.

Cloudsmith Changelog