Vulnerability Databases#
Reference of vulnerability identifier schemes (CVE, CWE, CPE, CVSS, EPSS, etc.) and the databases / advisories the operator consults during triage, scanning, and threat-modeling.
For threat-actor TTPs, see MITRE ATT&CK. For threat- intel feeds, see CTI Sources. For bug bounty disclosure, see Bug Bounty Programs.
Identifier schemes#
Scheme |
Notes |
|---|---|
CVE |
Common Vulnerabilities and Exposures; MITRE-coordinated; CVE Numbering Authorities (CNAs) issue IDs (CVE-YYYY-NNNNN). |
CWE |
Common Weakness Enumeration; bug-class taxonomy (CWE-79 = XSS, CWE-787 = OOB write, CWE-89 = SQLi). CWE Top 25. |
CPE |
Common Platform Enumeration; product / version naming (cpe:2.3). |
CVSS v2 / v3.1 / v4.0 |
Common Vulnerability Scoring System; 0.0-10.0 severity. |
EPSS |
Exploit Prediction Scoring System; 0.0-1.0 probability of exploitation in next 30 days; updated daily; FIRST.org. |
SSVC |
Stakeholder-Specific Vulnerability Categorization; CISA-CMU decision-tree alternative to CVSS. |
KEV |
CISA Known Exploited Vulnerabilities catalog; mandates US federal patching deadlines. |
VEX |
Vulnerability Exploitability eXchange; CycloneDX + OpenVEX + CSAF VEX; “is my product affected”. |
CSAF |
Common Security Advisory Framework; OASIS standard for vendor advisories. |
PURL |
Package URL spec for cross-ecosystem package identification. |
GHSA |
GitHub Security Advisory ID. |
RHSA / DSA / USN |
Red Hat / Debian / Ubuntu security advisory IDs. |
MS-CVE / MSRC |
Microsoft advisory IDs. |
ICSA |
ICS-CERT advisory ID (CISA). |
ICSMA |
Medical-device advisory ID. |
CVE / NVD / OSV#
Database |
Notes |
|---|---|
NVD |
NIST National Vulnerability Database; CVE + CVSS + CPE + CWE enrichment; standard US source (slow since 2024 backlog). |
CVE.org |
MITRE-managed CVE list; CNA-fed; faster than NVD lately. |
CISA KEV |
cisa.gov/known-exploited-vulnerabilities-catalog; binding for US Federal. |
EUVD |
EU Vulnerability Database (ENISA); launching to align with NIS2. |
CNNVD |
China National Vulnerability Database; CN MSS-aligned; sometimes leads disclosure. |
JVN |
Japan Vulnerability Notes; JPCERT/CC + IPA. |
KISA / KrCERT |
South Korean. |
BDU FSTEC |
Russian. |
OSV.dev |
Google OSS Vulnerability database; per-ecosystem; precise affected ranges (semver). |
GHSA |
GitHub Security Advisories; powers Dependabot; also published to OSV. |
GitLab Advisory DB |
GitLab. |
Snyk Vulnerability DB |
Snyk’s curated database. |
Mend Vulnerability D B |
Mend (WhiteSource); commercial. |
Sonatype OSS Index |
OSS-focused. |
VulDB |
Commercial; fast publishing; some criticism. |
Vulners |
Commercial aggregator. |
exploit-db |
Offensive Security; PoC + exploits archive. |
0day.today |
Commercial 0day market. |
Packet Storm |
Long-running advisory + exploit archive. |
Vendor advisory feeds#
Vendor |
Feed |
|---|---|
Microsoft |
MSRC; MAPP; Patch Tuesday (2nd Tuesday); .NET, Edge, Office. |
Apple |
support.apple.com/security; per-device-class advisories. |
Android security bulletin (1st Mon); Chrome release blog. |
|
Adobe |
PSIRT. |
Oracle |
CPU (Critical Patch Update; quarterly). |
Red Hat |
RHSA + RHBA; Errata. |
Debian |
DSA + DLA (LTS). |
Ubuntu |
USN; LTS extended security maintenance. |
SUSE |
SUSE-SU. |
VMware (Broadcom) |
VMSA. |
Cisco |
PSIRT. |
Juniper |
JSA. |
Palo Alto |
PAN-SA. |
Fortinet |
FG-IR. |
F5 |
K-articles. |
Citrix |
CTX articles. |
Pulse Secure / Ivanti |
KA articles. |
Atlassian |
security.atlassian.com. |
Apache |
|
Eclipse |
projects.eclipse.org/security. |
PHP |
php.net/security. |
Linux kernel |
syzkaller / linux-distros / oss-security mailing list. |
Mozilla |
MFSA. |
HashiCorp |
hcsec. |
GitLab |
gitlab.com/gitlab-org/cves. |
Atlassian |
security advisories. |
Aggregators / search#
Service |
Notes |
|---|---|
NVD |
nvd.nist.gov; standard CVE search. |
Vulners |
vulners.com; aggregator + API + scoring. |
VulnDB |
risk-based; commercial. |
Tenable Vuln Intelli gence |
Tenable’s research feed. |
Qualys VMDR |
Qualys’s intel. |
Rapid7 AttackerKB |
community discussion + technical detail. |
ExploitDB |
OffSec; archive of public PoCs. |
GitHub PoC search |
“POC CVE-XXXX-YYYYY” is often the fastest find. |
sploitus |
Ad-hoc PoC aggregator. |
Tenable / Qualys / Ra pid7 |
Vendor aggregators paired with scanners. |
Recorded Future |
Commercial threat-intel + vuln context. |
VulnCheck |
CVE + KEV + EPSS aggregator. |
RH Bugzilla / Issu es |
Red Hat product bug tracker. |
Scanners#
Tool |
Vendor |
Notes |
|---|---|---|
Nessus |
Tenable |
The de-facto enterprise scanner. |
Qualys VMDR |
Qualys |
Cloud + agent. |
Rapid7 InsightVM |
Rapid7 |
Nexpose-derived. |
Tenable.io / .sc |
Tenable |
Cloud + on-prem. |
OpenVAS / Greenbone |
Greenbone |
OSS + commercial. |
Nuclei |
ProjectDiscovery |
Template-based; community-curated. |
Nikto |
OSS |
Web vuln scanner. |
sslyze / testssl.sh |
OSS |
TLS posture. |
trivy |
Aqua |
Container / IaC / SBOM / OS package CVE scan. |
grype |
Anchore |
SBOM-aware CVE scan. |
clair |
Quay |
Container scanner. |
SBOM-vuln-scan |
Various |
Cyclonedx / SPDX SBOM ingest. |
Wiz / Lacework / Orca |
Various |
CSPM + CWPP including CVE. |
Microsoft Defender |
Microsoft |
MDC for Cloud + Vulnerability Mgmt. |
GitHub Dependabot |
GitHub |
Dependency CVE alerts. |
Renovate |
Mend |
Multi-platform. |
SBOM formats#
Format |
Notes |
|---|---|
SPDX 2.3 / 3.0 |
ISO/IEC 5962; Linux Foundation; the gov-favored format. |
CycloneDX 1.5 / 1.6 |
OWASP; the developer-favored format; rich VEX support. |
SWID |
ISO/IEC 19770-2; software ID tags. |
in-toto attestations |
Supply-chain attestation framework; sigstore + SLSA. |
Operator notes#
CVSS is severity, not risk, combine with EPSS + KEV + asset criticality + reachability for prioritization.
NVD enrichment lag since Feb 2024 has been months; fall back to vendor + GitHub + Vulners + EUVD.
CISA KEV is the most operator-actionable signal of in-the-wild exploitation; subscribe.
EPSS top 1% identifies the ~30 CVEs/day actually worth panicking about.
VEX statements (CycloneDX VEX, OpenVEX, CSAF VEX) let vendors say “we ship X but it’s not exploitable here”; the missing piece for SBOM-driven scanners.
Reserved CVEs (RESERVED status), placeholder numbers; details follow disclosure.
Wormable / pre-auth RCE in internet-facing software (Exchange, Confluence, Citrix, Ivanti, SAP, MOVEit) gets weaponised in days; have a playbook.
Don’t trust scanner severity blindly, false positives on package CVEs are common; container scanners are noisy for known-not-exploitable CVEs without VEX context.