CVE data

CVEdetails.com has been a popular website for viewing CVE details since 2010. CVEdetails.com has been able to maintain its popularity thanks to its ease of use and convenience.

Our primary goals regarding CVE data are:

  • Making CVEs easier to understand by providing additional context like threat overviews, EPSS score history, CVE timelines and much more.
  • Providing an easy to use, browsable interface. We do not want our users to "search", they should be able to find what they are looking for with a few easy clicks.
  • Providing everything the users need to know so that they won't need to google for information or go to ten different web sites.

Key Features

Emerging CVEs
Sometimes we all encounter CVE ids in other sources like vendor bulletins, mailing lists etc but the CVE cannot be found in NVD or is still in reserved state at cve.org. As per the CVE process, CVE ids first get reserved by an assigner, and details get published later. Sometimes this delay between CVE id reservation and publishing may take days or weeks. During this time frame, the CVE id gets referenced in other sources by people who are in the know but the public will not have access to full CVE details.
To let users access information as early as possible, CVEdetails.com extracts CVE ids discovered in all processed data, and provides a list of CVE ids referenced in other data but not yet published.
CVE timeline

We create a timeline of events for all CVEs. Timelines show how events unfolded, when the CVE id was first seen, when was the CVE was released, when was it referenced in other sources and much more.

For example the timeline for CVE-2023-45802 includes links to Nessus plugins, individual code changes in Apache http server source code repository, mailing list posts, open source vulnerabilities referencing the CVE and more. Having easy access to this level of detail will help you to handle issues faster while making better decisions.

Risk score

We calculate a risk score for CVEs taking into account everything we know about the CVE, to make it even easier to understand the risks.

Risk score is comprised of two components:

  • Impact score, based on impact values from CVSS scores
  • Likelihood score, calculated taking into account various factors based on available data. This is not the likelihood of exploitation, likelihood score is an indicator of how likely you are to spend time on this issue. Maximum value for the likelihood score is 100, and will be reached under rare circumstances such as CVE-2021-42013.

Risk scores are not calculated in real time, they are calculated by a background process. So scores might be delayed (in the range of hours), the risk score for a CVE will not be updated immediately when the CVE is modified.
Risk scores are available only for CVE-2018-xxxx and later, they are not calculated for older CVEs.

Enhanced data

We collect data from various sources including sources that are not included in other sources like NVD. All collected data is processed and correlated with other data. For example in the above CVE timeline example, you can see that the CVE was mentioned in a Youtube video, CISA and vendor advisories, Nessus plugins. This list might be even longer for other CVEs.

Reviewing CVE timeline and discovered relations will help users to better understand the issue quickly.

Threat overviews

We generate threat overviews, summaries, for CVEs discoverable from the internet. Threat overviews include summary information on where we discovered this CVE, top open ports discovered on systems with this issue, ISPs and threat actors. Please see attack surface documentation for more details.

CVE FAQ

What's the main source of CVE data
We process CVE data from both NVD and CVE project. We also collect related data from other sources like Open Source Vulnerabilities (osv.dev), vendors and other sources. We also collect information about CVEs before they are published and make them available as Emerging CVEs.
Does CVEDetails.com rely on CPE data provided by NVD?
No. We have both automation and manual review processes in place for generating CPE (vendor, product, version) information for CVEs not covered by the NVD. We do review most CVEs manually and add CPE information as necessary. We skip lower priority CVEs such as issues in personal github repositories or less frequently used Wordpress plugins.
What's the main source of EPSS data
We use EPSS data provided by FIRST. We calculate daily changes and create a history of EPSS scores. For more information about EPSS see https://www.first.org/epss.
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!
Accept Close