45.9K+ CVEs enriched with EPSS, CISA KEV, CERT-FR, MSRC, GHSA, Exploit-DB, and Nuclei. Public REST API, free tier available.
NVD-backed, continuously synced
CISA KEV catalog ∪ SSVC=active
Severity = CRITICAL, published in window
FIRST exploit-prediction probability
Refreshed every 30 minutes from production database
Recent high-severity CVEs straight from our PostgreSQL catalog — with KEV, EPSS, and exploitation flags inline.
Incorrect Permission Assignment for Critical Resource, Improper Access Control vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus-Parental-Control allows DNS Spoofing. This issue affects Pardus-Parental-Control…
Missing Authorization vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Privilege Escalation. This issue affects Pardus Update: from <=0.6.3 before 0.6.6.
A vulnerability was found in code-projects Hotel and Tourism Reservation 1.0. Affected by this issue is some unknown functionality of the file /admin/add_tour.php of the component Tour Management Page. The manipulation of the argument delet…
A vulnerability has been found in code-projects Hotel and Tourism Reservation 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/reservations.php of the component Reservations Management Page. The manipulatio…
Invocation of process using visible sensitive information vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Domain Joiner allows Excavation. This issue affects Pardus Domain Joiner: from 0.5.2 before 0.5.4.
A flaw has been found in code-projects Hotel and Tourism Reservation 1.0. Affected is an unknown function of the file /admin/add_room.php. Executing a manipulation of the argument delete_image/edit/description/number/price/rooms/type can le…
A vulnerability was detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This impacts an unknown function of the file /PHP/objects/notes of the component Note Handler/Assignment Handler. Performing a manipulation…
A security flaw has been discovered in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The affected element is the function Notes_controller::accessing_dictionary_authorization of the file application/PHP/objects/notes/a…
A vulnerability was identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. Impacted is the function eval of the file application/pages/imba_calculator/calculate.php. The manipulation of the argument mathematical_s…
Same database, different cuts. Each list is a real query against cveCatalog at request time.
No new KEV adds in the last 30 days.
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
No unauthenticated RCEs flagged yet.
Nine upstream sources, one normalized record per CVE.
Base CVE record + CVSS v3 scores and vectors
Known Exploited Vulnerabilities catalog with due dates
FIRST exploit-prediction score and percentile
French national CSIRT advisories with severity
Microsoft Security Response Center title + KB articles
GitHub Security Advisories cross-references
Public proof-of-concept and exploit identifiers
Detection-template availability flag
Change-log titles and history counts
Continuous CPE-based monitoring with KEV / EPSS prioritization for the products you actually run.
Combine CVSS, EPSS, and KEV signals to rank which CVEs deserve emergency change windows.
Block pull requests when a dependency surfaces a high-EPSS or KEV-flagged CVE in the bulk API.
Export filtered CVE lists with CERT-FR / KEV / GHSA links for audit packets.
Stable public pages for CVEs with exploitation, KEV, EPSS, or severity signals useful during vendor and patch-risk research.
The full NVD CVE catalog from 1999 to present is ingested with continuous backfill, and the count above reflects the live row count in our PostgreSQL store. We enrich each record with CISA KEV, EPSS, CERT-FR, MSRC, GHSA, Exploit-DB, Nuclei template availability, and OpenCVE change history when available.
Daily NVD sync plus EPSS daily snapshots, CISA KEV refresh, and external enrichment cron jobs. The most recent CVEs typically land within a few hours of NVD publication.
A CVE is shown as actively exploited when at least one of these is true: it appears in the CISA KEV catalog, FIRST has classified its SSVC exploitation level as "active", or our GCVE (Google CVE) enrichment has confirmed in-the-wild exploitation evidence.
CVSS measures intrinsic severity (impact × exploitability). EPSS measures the empirical probability that a CVE will be exploited in the wild within the next 30 days, based on global telemetry. We surface both — most teams prioritize on EPSS × KEV first, then CVSS for ties.
Yes. The Free plan ($0, no credit card) includes 30 reputation/CVE checks per month with rate-limited API access. Pro ($99/mo) raises that to 10,000 and unlocks bulk, downloadable blocklists, AI threat analysis, the SSE stream, webhooks, and STIX/TAXII.
Yes — that is what CVE Watch is for. You define perimeters of CPE strings (the products and versions you run) and we continuously match new CVEs to those perimeters. Alerts are delivered via dashboard, email, webhook, or the SSE stream.
The /api/cve and /api/cve/recent endpoints are publicly accessible (rate-limited) so you can integrate without an API key for low-volume usage. Higher-volume access requires registration and a free or paid plan.
Every CVE in the catalog gets a stable canonical page at https://ismalicious.com/cve/CVE-YYYY-NNNNN with full metadata, JSON-LD, and links to the original NVD/KEV/CERT-FR/MSRC/GHSA references.
Free API key, 30 checks/month, no credit card. Bulk and stream endpoints available on Pro.