diff --git a/README.md b/README.md index a3be822..75a8bf9 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ Penetration Test report template written in [typst](https://typst.app). - Supports [CVSS V3.1](https://www.first.org/cvss/v3-1/) - Supports [TLP V2.0](https://www.first.org/tlp/) - Supports [MITRE ATT&CK](https://attack.mitre.org/) references +- Supports [CVE](https://cve.mitre.org/) references ## Usage diff --git a/addons/cve.typ b/addons/cve.typ new file mode 100644 index 0000000..06ea9e5 --- /dev/null +++ b/addons/cve.typ @@ -0,0 +1,14 @@ +#let isUsed = state("cveIsUsed", false) + +#let reference(name) = { + name = upper(name) + if not name.starts-with("CVE-") { + name = "CVE-" + name + } + + text([ + #name#footnote("https://www.cve.org/CVERecord?id=" + name) + ]) + + context(isUsed.update(true)) +} diff --git a/findings.typ b/findings.typ index d391742..f616128 100644 --- a/findings.typ +++ b/findings.typ @@ -1,3 +1,4 @@ +#import "addons/cve.typ" #import "addons/cvss.typ" #import "addons/mitre.typ" @@ -28,7 +29,7 @@ When searching for administration interfaces, the applications `Uptime Kuma` at Both applications have a login screen and cannot be used by unauthorized visitors. Since administration accounts are set up during the initial configuration of the applications, it was not possible to log in using default credentials. A brute force attack was not performed to check for common passwords. -The version of `Uptime Kuma` is not specified, while the version of `Nginx Proxy Manager` is 2.11.2 and free of publicly known vulnerabilities (CVEs). +The version of `Uptime Kuma` is not specified, while the version of `Nginx Proxy Manager` is 2.11.2. This instance of `Nginx Proxy Manager` is not vulnerable to the Command Injection vulnerability referenced to as #cve.reference("2024-39935"). This is referenced in MITRE's ATT&CK framework as #mitre.reference(name: "External Remote Services").
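Review bot: In the README.md hunk, the added bullet links CVE to `https://cve.mitre.org/`, while the footnotes generated in addons/cve.typ point to `https://www.cve.org/CVERecord?id=`. Use the same site in both places so the README and the rendered report send readers to one source.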
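Review bot: In addons/cve.typ, `reference(name)` never checks that the argument is a well-formed CVE identifier. After `upper(name)` and the `CVE-` prefix step, any string goes straight into the footnote URL, so a typo such as a stray space or a missing digit produces a report that cites a record that does not exist. Consider asserting the final value against a pattern such as `^CVE-\d{4}-\d{4,}$` and failing compilation when it does not match. The footnote body is also a plain string; wrapping it as `footnote(link("https://www.cve.org/CVERecord?id=" + name))` would make it an explicit link in the output. A short doc comment stating which input forms are accepted (with or without the `CVE-` prefix, any letter case) would help template users.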
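Review bot: In the second findings.typ hunk, the new sentence asserts that the instance is not vulnerable to `#cve.reference("2024-39935")` without saying how that was established, for example by comparing 2.11.2 against the fixed release or by testing. It also drops the earlier statement that 2.11.2 is free of publicly known vulnerabilities, so the reader can no longer tell whether other CVEs were checked. Since this is sample text that report authors will copy, state the basis for the claim and keep or replace the broader statement. Wording: "referenced to as" should read "referred to as" or "tracked as".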