NIST National Vulnerability Database. Authoritative metadata + CVSS scoring. Free API (5 req/30s anon, 50 req/30s with key).
CVE Databases
Authoritative CVE assignment + metadata. The canonical source upstream of NVD enrichment.
CVE Databases
Google's open-source vulnerability database. Excellent for SBOM + dependency-graph queries.
CVE Databases
Curated advisories for npm, PyPI, Maven, NuGet, Composer, RubyGems, Cargo, Pub. Free GraphQL API.
CVE Databases Vendor PSIRTs
Sonatype's open vulnerability index. Free REST API for component lookups.
CVE Databases
Snyk-curated DB. Stronger metadata than NVD on package-ecosystem CVEs; free browse + paid API.
CVE Databases
Independent NVD mirror with faster updates and additional enrichment (CPE, CWE, EPSS). Free with signup.
CVE Databases
Independent vuln database with exploit prices, attacker-side metadata. Limited free tier.
CVE Databases Research & Trackers
Aggregated vuln search across 200+ sources (NVD, Exploit-DB, Metasploit, Nessus). Free tier limited.
CVE Databases Research & Trackers
CIRCL's CVE search API. Mirrors NVD with fast queries; OSS code at github.com/cve-search.
CVE Databases
Self-hostable local CVE search engine. Imports NVD + CPE into MongoDB so sensitive queries stay on-prem. AGPL-3.0. The original project behind CIRCL's cve.circl.lu public instance (now superseded by Vulnerability-Lookup).
Unified CVE aggregator pulling NVD, MITRE, CNNVD, JVN, CERT-FR, Exploit-DB, CIRCL into a single search. Strong when you need to query non-English national CERTs. Self-hostable, TypeScript/Next.js.
CVE Databases Research & Trackers
Search CVE + CWE + CISA KEV + CPE with free configurable real-time email alerts (per-keyword, per-vendor/product, per-CWE, per-CVSS-range, per-KEV). Operated by tesweb SA / bexxo.
CVE Databases Alert Feeds
Red Hat-maintained mirror with severity + RHEL-specific impact ratings. Often more accurate than NVD for RHEL CVEs.
CVE Databases Vendor PSIRTs
Debian-maintained CVE tracker per source package. The reference for Debian/Ubuntu vuln state.
CVE Databases Vendor PSIRTs
Offensive Security exploit archive. PoCs, shellcodes, exploitation techniques — historical + current.
Exploit / PoC
Rapid7 module DB — searchable. If a CVE has a Metasploit module, this is where to find it.
Exploit / PoC
GitHub search for "CVE-YYYY-NNNNN poc". Many fresh PoCs land here days before official catalogs pick them up.
Exploit / PoC
~9000 community templates including thousands of CVE detection templates. Detection-grade, not weaponised.
Exploit / PoC
Long-running exploit + advisory archive. Older but still updated daily.
Exploit / PoC
Rapid7's CVE-by-CVE attacker-perspective ratings. Often has working exploitation notes earlier than NVD or KEV.
Exploit / PoC Research & Trackers
Aggregates "in the wild" exploitation evidence per CVE — cross-referencing CISA KEV, vendor PSIRTs, and reports. RSS + JSON.
Exploit / PoC Scoring & Prioritization
Known Exploited Vulnerabilities catalog. The "patch this first" list — every entry has confirmed exploitation.
Exploit / PoC Scoring & Prioritization Alert Feeds
Weekly weaponised-CVE writeups. Often shows attacker behaviour observed in EDR data.
Exploit / PoC Research & Trackers
Microsoft Security Response Center update guide. Patch Tuesday + out-of-band advisories. CVRF + REST API.
Vendor PSIRTs Alert Feeds
Cisco Product Security Incident Response Team. JSON API + advisory listing for all Cisco products.
Vendor PSIRTs
Adobe ASBs. Patch Tuesday + APSB releases for Acrobat, Photoshop, ColdFusion, Magento, etc.
Vendor PSIRTs Alert Feeds
macOS / iOS / iPadOS / Safari security updates. Often released without prior notice; check often.
Vendor PSIRTs
Quarterly Oracle CPU plus interim alerts. Java SE, MySQL, WebLogic, Oracle DB, etc.
Vendor PSIRTs
RHSAs — the canonical patch advisory for RHEL packages. CVRF feeds available.
Vendor PSIRTs
Ubuntu Security Notices. JSON + RSS feeds; per-package CVE state.
Vendor PSIRTs
Official Kubernetes CVE list. JSON feed; useful for K8s compliance + audit pipelines.
Vendor PSIRTs
AWS-side CVEs (EKS, EMR, etc.) plus AWS-rated impact for upstream package CVEs.
Vendor PSIRTs
Google Cloud security bulletins. GKE, Anthos, Cloud Run vulns.
Vendor PSIRTs
Azure-specific vuln entries within MSRC's update guide.
Vendor PSIRTs
Firefox / Thunderbird / NSS advisories. Per-release MFSA list + CVE mapping.
Vendor PSIRTs
WordPress core + plugin + theme CVEs. Free browse, paid API for scanning at scale.
Vendor PSIRTs CVE Databases
VMSA listing. Critical for vCenter / ESXi patching cadence.
Vendor PSIRTs
Fortinet Product Security Incident Response Team advisories. RSS + JSON.
Vendor PSIRTs
PAN-OS, Prisma, Cortex, GlobalProtect. CSAF JSON-formatted feed.
Vendor PSIRTs
Connect Secure / Policy Secure / EPM advisories. Watch closely after the 2024 mass-exploit incidents.
Vendor PSIRTs
FIRST CVSS v4.0 spec + calculator. Replaces v3.1 — supports environmental + threat vector metrics.
Scoring & Prioritization
Exploit Prediction Scoring System — probability that a CVE will be exploited in the next 30 days. Free API.
Scoring & Prioritization
Independent KEV catalog — earlier exploitation signals than CISA, broader source set. Free API.
Scoring & Prioritization Exploit / PoC
CISA-led CVE enrichment effort — adds SSVC, CWE, CVSS, mitigations to CVEs MITRE has assigned. Daily updates on GitHub.
Scoring & Prioritization
Stakeholder-Specific Vulnerability Categorization. Decision-tree replacement for raw CVSS — outputs Track / Track* / Attend / Act.
Scoring & Prioritization
Tenable's Vulnerability Priority Rating. Combines CVSS + threat intel + exploit availability. Paid product.
Scoring & Prioritization
Vendor-agnostic vuln-prioritisation platform with extended KEV signals.
Scoring & Prioritization
In-depth vulnerability research blog. Bug tracker also public at bugs.chromium.org/p/project-zero.
Research & Trackers
Zero Day Initiative published advisories. Many CVEs originate here via Pwn2Own + responsible disclosure.
Research & Trackers
Mandiant (Google) advanced threat-actor + 0day research. Often first to publish detection guidance.
Research & Trackers
CrowdStrike Falcon team writeups. Strong on actor-attribution + EDR-observable behaviour.
Research & Trackers
Palo Alto threat intel + vuln research. Fast on mass-exploit campaigns.
Research & Trackers
Cisco Talos blog. Vuln research, malware analysis, weekly threat round-ups.
Research & Trackers
Memory-forensics + 0day research. Often discovers nation-state APT activity ahead of public disclosure.
Research & Trackers
NodeZero attack-research team. Very fast publication of weaponised exploit details after CVE drops.
Research & Trackers Exploit / PoC
Aggressive vuln research with PoCs published days after vendor patches. Strong on edge / appliance bugs.
Research & Trackers Exploit / PoC
CVEs trending on Twitter/X right now. Useful "what is the security community panicking about today" signal.
Research & Trackers Alert Feeds
Independent CVE search engine with exploit availability indicators.
Research & Trackers CVE Databases
WordPress + plugin CVE database with virtual-patch focus. More current than NVD on WP.
Research & Trackers CVE Databases
Google OSS-Fuzz finds vulns in OSS daily. Issue tracker is public for fixed bugs.
CISA Cybersecurity Advisories. RSS + email. Often includes joint advisories with FBI / NSA / international CSIRTs.
Alert Feeds
NCAS alert feeds (now CISA-branded). RSS for Alerts, Bulletins, Tips.
Alert Feeds
KEV catalog as a JSON feed. Pull every hour to catch new entries; the cron-job hook for KEV alerting.
Alert Feeds Exploit / PoC
Patrick Gray's weekly podcast + newsletter. Strong "what mattered this week" filter; free podcast, paid newsletter tier.
Alert Feeds
Hackaday's weekly security round-up. Approachable summaries of the week's CVEs + exploits.
Alert Feeds Research & Trackers
New CVE additions as RSS. Filterable by severity.
Alert Feeds CVE Databases
Enriched CVE browser with vendor + product trees + RSS feeds per product. Useful for "alert me when nginx has a new CVE".
Alert Feeds CVE Databases
Daily / hourly JSON + XML feeds + RSS. The lowest-friction way to mirror NVD locally.
Alert Feeds CVE Databases
Official Kubernetes security announcement list. Subscribe + filter; lower noise than the full discuss list.
Alert Feeds Vendor PSIRTs
Openwall oss-security list. Coordinated disclosure for OSS vulnerabilities. Many CVEs surface here before NVD.
Alert Feeds Research & Trackers