Loading
Site index
Every search route, workflow tool, guide, feed, and API endpoint on the site, in one place. 45 features across 5 categories.
Find a specific CVE or pivot from any angle — vendor, product, year, severity, weakness, or attack technique.
Full-text and CVE-ID search across the NVD corpus, with trending CVEs and recent search history.
When to use
When you have a query, a keyword, or a CVE ID and want results fast.
Per-CVE page with CVSS, EPSS, KEV status, affected products, references, related CVEs, and AI tools.
When to use
After picking a result from search, or by typing /cve/CVE-YYYY-NNNN directly.
Browse every vendor with CVE counts.
When to use
You want a vendor-wide view rather than a single CVE.
Drill into one vendor or one product line and see every CVE attached to it.
When to use
Auditing a specific component in your stack.
CVEs grouped by publication year, with severity and trend breakdowns.
When to use
Year-end reviews, historical trend analysis, or compliance reporting.
Filter to Critical, High, Medium, or Low CVSS severity.
When to use
Triaging by severity rather than by component.
CVEs that appear on the CISA Known Exploited Vulnerabilities catalog.
When to use
When you only want vulnerabilities with confirmed in-the-wild exploitation.
Top-25 weakness categories with per-CWE detail pages and linked CVEs.
When to use
Pivoting from a class of weakness (e.g. CWE-79) to specific CVEs.
ATT&CK techniques cross-referenced with CVEs.
When to use
Mapping vulnerabilities to adversary behaviour.
Move from a single CVE to a portfolio view, an SBOM, or an AI-assisted briefing.
Microsoft monthly patch summary with a countdown to the next release.
When to use
Planning your monthly patching window.
CVEs filtered to OSS and developer tooling, with summarised guidance.
When to use
You build software and want vulnerabilities relevant to your dependencies.
Interactive charts: CVE volume over time, severity mix, top vendors.
When to use
Reporting trends or building executive slides.
Upload a CycloneDX or SPDX SBOM and get vulnerable components flagged.
When to use
You have an SBOM for an internal service and want a quick exposure check.
Paste a list of CVE IDs and get severity + KEV + remediation context in one report (export CSV / JSON).
When to use
You have a backlog of CVEs from a scanner and need them enriched.
On any CVE page, generate a structured remediation plan: vendor patches to apply, temporary mitigations when no patch exists, detection signals, and validation steps. Streams in real time and is grounded in the CVE description, CWE, KEV status, EPSS score, and vendor references.
When to use
You’re looking at a single CVE and need an actionable starting point you can hand to a patching team.
A short, plain-English brief on a CVE: what it is, what it affects, why it matters, and how urgent it is — stripped of jargon. Ideal as the top of an incident write-up or a Slack message to leadership.
When to use
You need to brief a non-technical audience on a vulnerability without writing it from scratch.
Reference material for CVE, CVSS, EPSS, KEV, weakness taxonomies, and operational vulnerability management.
Index of guides plus the glossary, in one place.
When to use
You are new to vulnerability management and want a starting point.
Around 50 security terms with definitions.
When to use
You hit an acronym you don’t recognise.
What a CVE is, how IDs are assigned, who runs the program.
When to use
Onboarding someone to vulnerability terminology.
How CVSS v3 / v4 base, temporal, and environmental scores break down.
When to use
You need to interpret a score, not just sort by it.
What EPSS predicts (probability of exploitation in the next 30 days) and how to use it alongside CVSS.
When to use
Prioritising patching against likelihood, not just severity.
What CISA KEV is, what gets added, and why you should treat it as a hard deadline.
When to use
Building an internal SLA against known-exploited CVEs.
Operational patching guidance: cadence, testing, rollback, communications.
When to use
Standing up or refining a patching program.
Programmatic VM lifecycle: discovery, prioritisation, remediation, verification, reporting.
When to use
Maturing vulnerability management beyond ad-hoc scanning.
Top-25 CWEs and per-CWE detail pages with linked CVEs.
When to use
Understanding the underlying weakness pattern behind a vulnerability.
ATT&CK techniques cross-referenced with CVEs.
When to use
Mapping vulnerabilities to TTPs for detection engineering.
FAQ and how-to articles for the site itself.
When to use
You’re stuck or want to know how a feature works.
Long-form posts on vulnerability trends and notable CVEs.
When to use
Catching up on commentary and analysis.
Subscribe, integrate, or automate. Every feed is RSS; the API is documented JSON.
Documented JSON endpoints for search, CVE detail, and threat intel.
When to use
You want to query CVE data from a script or service.
All recent CVEs in one feed.
When to use
You want everything in your reader.
Per-vendor, per-CWE, per-severity, per-search RSS feeds.
When to use
You only care about a slice — one vendor, one weakness, one saved search.
RSS scoped to a single vendor.
When to use
You operate one vendor’s products and want their CVEs only.
Updates for one specific CVE (e.g. when KEV status changes).
When to use
Watching a single CVE for changes.
New CVEs that map to a specific weakness.
When to use
Following a class of weakness over time.
New CVEs that map to a specific ATT&CK technique.
When to use
Detection engineering on a TTP.
Saved-search RSS — pin a query and get new matches.
When to use
Recurring keyword monitoring.
Add CVEDatabase.com to your browser address bar.
When to use
You search the site often and want it as a browser keyword.
Install the site as a PWA. Recent CVEs and the offline shell stay reachable without a network.
When to use
On the move, or you want a single-tap shortcut on your home screen.
Receive shared text from your OS share sheet (Android / iOS PWA).
When to use
You highlight a CVE ID in another app and want to open it here.
Background on the project plus the legal and privacy pages.
Who runs the site and what it is for.
When to use
You want to know who is behind the data.
How the site is funded and how to sponsor.
When to use
You’re evaluating sponsorship options.
Get in touch with the maintainers.
When to use
Bug reports, partnership enquiries, takedowns.
What data is collected and how it is used.
When to use
You want the privacy details before you continue.
Cookie usage and how to change consent.
When to use
Reviewing or changing your cookie choices.
Terms of service.
When to use
Required reading for any commercial use.
We surface NVD, CISA KEV, EPSS, and MITRE data and layer AI explanations on top. There is no Microsoft MSRC integration (we fall back to NVD), no user accounts beyond auth scaffolding, and no commercial scanner connectors. If you need one of these, use thecontact page.