diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
index 243b5cd5723e..0f00f3364b0b 100644
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@@ -1,116 +1,119 @@
 PORTNAME=	vuxml
 PORTVERSION=	1.1
 PORTREVISION=	6
 CATEGORIES=	security textproc
 MASTER_SITES=	http://www.vuxml.org/dtd/vuxml-1/
 DISTFILES=	vuxml-10.dtd  vuxml-model-10.mod \
 		vuxml-11.dtd  vuxml-model-11.mod \
 		xml1.dcl catalog catalog.xml
 DIST_SUBDIR=	vuxml
 
 MAINTAINER=	ports-secteam@FreeBSD.org
 COMMENT=	Vulnerability and eXposure Markup Language DTD
 WWW=		https://vuxml.freebsd.org/
 
 LICENSE=	BSD2CLAUSE
 
 RUN_DEPENDS=	xmlcatmgr:textproc/xmlcatmgr \
 		xsltproc:textproc/libxslt \
 		${LOCALBASE}/share/xml/dtd/xhtml-modularization/VERSION:textproc/xhtml-modularization \
 		${LOCALBASE}/share/xml/dtd/xhtml-basic/xhtml-basic10.dtd:textproc/xhtml-basic
 
 USES=		python:run
 
 NO_MTREE=	yes
 NO_ARCH=	yes
 NO_BUILD=	yes
 WRKSRC=		${WRKDIR}
 
 dir_DTD=	share/xml/dtd/vuxml
 
 .include <bsd.port.pre.mk>
 
 VUXML_FILE?=	${PKGDIR}/vuln.xml
 VUXML_FLAT_NAME=	vuln-flat.xml
 VUXML_FLAT_FILE?=	${PKGDIR}/${VUXML_FLAT_NAME}
 _YEAR!=	date +%Y
 VUXML_CURRENT_FILE?=	${PKGDIR}/vuln/${_YEAR}.xml
 
 post-clean:
 	@${RM} "${VUXML_FILE}.tidy"
 	@${RM} "${VUXML_FLAT_FILE}"
 
 do-extract:
 	@${RM} -r ${WRKDIR}
 	@${MKDIR} ${WRKDIR}
 .for f in ${DISTFILES}
 	${CP} ${_DISTDIR}/${f} ${WRKDIR}/${f}
 .endfor
 
 do-install:
 	@${MKDIR} ${STAGEDIR}${PREFIX}/${dir_DTD}
 .for f in ${DISTFILES}
 	${INSTALL_DATA} ${WRKSRC}/${f} ${STAGEDIR}${PREFIX}/${dir_DTD}/${f}
 .endfor
 
 do-test:
 	@${MKDIR} ${WRKDIR}/test
 	@${CP} -R ${.CURDIR}/vuln.xml ${.CURDIR}/vuln ${WRKDIR}/test
 	@cd ${.CURDIR} && make validate PKGDIR=${WRKDIR}/test
 
 ${VUXML_FLAT_NAME}: ${VUXML_FILE} vuln/*.xml
 	xmllint -noent ${.ALLSRC:[1]} > ${.TARGET}
 
-validate: tidy
+validate: tidy check-portepoch
 	@${SH} ${FILESDIR}/validate.sh "${VUXML_FLAT_FILE}"
 	@${ECHO_MSG} Checking if tidy differs...
 	@if ${DIFF} -u "${VUXML_FLAT_FILE}" "${VUXML_FILE}.tidy"; \
 	then \
 		${ECHO_MSG} ... seems okay; \
 		${RM} "${VUXML_FILE}.tidy"; \
 	else \
 		return 1; \
 	fi
 	@${ECHO_MSG} Checking for space/tab...
 	@unexpand "${VUXML_FLAT_FILE}" | ${SED} -E 's,[[:space:]]*$$,,g' > "${VUXML_FILE}.unexpanded"
 	@if ${DIFF} -u "${VUXML_FLAT_FILE}" "${VUXML_FILE}.unexpanded"; \
 	then \
 		${ECHO_MSG} ... seems okay; \
 		${RM} "${VUXML_FILE}.unexpanded"; \
 	else \
 		${ECHO_MSG} ... see above; \
 		${ECHO_CMD} Consider using ${VUXML_FILE}.unexpanded for final commit; \
 		return 1; \
 	fi
 	${PYTHON_CMD} ${FILESDIR}/extra-validation.py ${VUXML_FLAT_FILE}
 	@${ECHO_CMD}
 	@${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!'
 	@${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.'
 	@${ECHO_CMD}
 
 tidy: ${VUXML_FLAT_NAME}
 	@if [ ! -e ${LOCALBASE}/share/xml/dtd/vuxml/catalog.xml ]; \
 	then \
 		echo "Please install the VuXML port prior to running make validate/tidy."; \
 		exit 1; \
 	fi
 	${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy"
 
+check-portepoch:
+	${PYTHON_CMD} ${FILESDIR}/check_vuln_portepoch.py ${VUXML_CURRENT_FILE}
+
 newentry:
 	@${ECHO_CMD}
 	@${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!'
 	@${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.'
 	@${ECHO_CMD}
 	@${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}"
 
 .if defined(VID) && !empty(VID)
 html: work/${VID}.html
 work/${VID}.html: ${FILESDIR}/html.xsl ${FILESDIR}/common.css ${VUXML_FILE}
 	${MKDIR} work
 	xsltproc --stringparam vid "${VID}" \
 	    --output ${.TARGET} \
 	    ${FILESDIR}/html.xsl ${VUXML_FILE}
 	${INSTALL_DATA} ${FILESDIR}/common.css work
 .endif
 
 .include <bsd.port.post.mk>
diff --git a/security/vuxml/files/check_vuln_portepoch.py b/security/vuxml/files/check_vuln_portepoch.py
new file mode 100755
index 000000000000..2f9884a7de74
--- /dev/null
+++ b/security/vuxml/files/check_vuln_portepoch.py
@@ -0,0 +1,94 @@
+#!/usr/bin/env python3
+
+import argparse
+import csv
+import os
+import subprocess
+import sys
+import time
+from xml.dom.minidom import parseString
+
+
+def check_pkg(vid, node, allpackages):
+    name = str(node.getElementsByTagName('name')[0].firstChild.data)
+    knownversion = allpackages.get(name, None)
+    range = node.getElementsByTagName('range')[0]
+    for r in range.childNodes:
+        if r.nodeType == r.TEXT_NODE:
+            continue
+        if r.tagName not in ['eq', 'le', 'lt', 'ge', 'gt']:
+            raise Exception('Unknown range type ' + r.tagName)
+        version = r.firstChild.data
+        if knownversion and ',' in knownversion and ',' not in version:
+            print(vid + ' (' + name + ') might have a portepoch issue')
+
+
+def read_index(path_to_index, max_age_secs, create_locally):
+    if path_to_index is None:
+        os_version = subprocess.check_output(['freebsd-version']).decode()
+        os_major_version = os_version.split('.', 2)[0]
+        index_file = "INDEX-" + os_major_version
+        portsdir = os.getenv('PORTSDIR')
+        if portsdir is None:
+            portsdir = subprocess.check_output(
+              ['make', '-V', 'PORTSDIR']).decode().strip()
+        path_to_index = portsdir + "/" + index_file
+        fetch_index = True
+        if os.path.isfile(path_to_index):
+            stat = os.stat(path_to_index)
+            if time.time() - stat.st_ctime < max_age_secs and (
+              stat.st_size > 1024 * 1024 * 4):  # 4mb
+                fetch_index = False
+        if fetch_index:
+            cwd = os.getcwd()
+            os.chdir(portsdir)
+            if create_locally:
+                subprocess.check_output(["make", "index"])
+            else:
+                subprocess.check_output(["make", "fetchindex"])
+            os.chdir(cwd)
+
+    ret = {}
+    with open(path_to_index) as f:
+        reader = csv.reader(f, delimiter='|')
+        for row in reader:
+            (name, ver) = row[0].rsplit('-', 1)
+            ret[name] = ver
+    return ret
+
+
+def main():
+    parser = argparse.ArgumentParser(
+      prog=sys.argv[0],
+      description='Check vuxml vuln file PORTEPOCH',
+      epilog='Example: ' + sys.argv[0] + ' vuln/2026.xml')
+    parser.add_argument(
+      '-i', metavar='path_to_index',
+      help='path to index file, disables automatic detection/updating.')
+    parser.add_argument(
+      '-l', action=argparse.BooleanOptionalAction,
+      help='make index locally instead of fetching from cluster')
+    parser.add_argument(
+      '-m', metavar='index_max_age', default=3600, type=float,
+      help='maximum age of index file before re-fetching (seconds)')
+    parser.add_argument(
+      'vuln_file',
+      help='path to yearly vuln file to check, e.g., vuln/2026.xml')
+    args = parser.parse_args(sys.argv[1:])
+
+    with open(args.vuln_file) as f:
+        doc = parseString(
+          '<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">' +
+          f.read()
+          + "\n</vuxml>")
+    allpackages = read_index(args.i, args.m, args.l)
+    vulns = doc.getElementsByTagName('vuln')
+    for vuln in vulns:
+        vid = vuln.getAttribute('vid')
+        packages = vuln.getElementsByTagName('package')
+        for package in packages:
+            check_pkg(vid, package, allpackages)
+
+
+if __name__ == '__main__':
+    main()