Warning: Old RSS and JSON feeds have been discontinued as of November 15
Old RSS (/vulnerability-feed.php) and JSON (/json-feed.php) feeds are no longer available. Subscribe to access new RSS feeds and APIs.

December 2023 release

  • Public beta period ended by the end of November
  • Free trial accounts will no longer have access to Attack Surface pages (except Tech Stack)
  • Online payments are now available for Pro and Business plans

October 2023 release

  • Membership and sign in: Users can now log in using their SecurityScorecard accounts. If you don't have a SecurityScorecard account, you can create one for free.
  • Vulnerability intelligence: We have added extended vulnerability intelligence capabilities to the platform and will continue to add more. Registered users can now access advisories, source code changes, exploits, CVSS scores from different sources and much more besides CVEs.
  • RSS feeds: Users can create custom RSS feeds (old feeds will be discontinued by the end of 2023)
  • API access: New APIs are now available. Users can query CVEs and all related data using APIs (more endpoints to be added). Old JSON feeds will be discontinued by the end of 2023.
  • Threat overviews: For products and CVEs, which can be detected remotely over the internet, threat overviews will be displayed on product dashboard and CVE details pages.
  • Attack surface intelligence: Attack surface summaries extracted from SecurityScorecard Attack Surface Intelligence for domains of registered users. This feature will be available by mid-October.
  • Product and version deprecation information: Product and/or versions can be deprecated due to name changes, acquisitions or other reasons such as typos. We are now extracting deprecation information from NVD CPE data and letting users know if a product or version is deprecated, providing a link to the replacement.
  • Email alerts
  • Open source vulnerabilities from osv.dev
  • Risk scores for CVEs
  • Tech stack

August 2023

  • CVE processing, adding version range and CVSS v3 support
  • CISA KEV data
  • EPSS data
  • Metasploit modules
  • Full-text search in CVE data
  • Version matches
  • Search by CPE
  • CVE assigners, sources

No longer available

  • Bugtraq data: Bugtraq is no longer available
  • MS security bulletin data: The old MS security bulletin format was discontinued by Microsoft, and old MS security bulletin data is available for historical purposes only. Existing URLs will continue to work but no new data will be added.

Other known issues

  • Missing vendor, product and versions: The old version contained a small number of duplicates and/or incorrect data, which were removed during the migration to the new version. A small number of old vendor, product and version URLs might have changed (especially the ones with non-alphanumeric characters in their names) or may no longer be available. Please update your bookmarks accordingly.

Changelog

New
  • February 24, 2024: Added ransomware utilization information to CVEs (i.e., whether the CVE is known to have been leveraged as part of a ransomware campaign or not). Added isUsedForRansomware parameters to various vulnerability API endpoints.
  • February 06, 2024: /api/v1/vulnerability/list-by-cpe endpoint now supports searching by product CPE (without version information).
  • January 20, 2024: Added automatic CVE-product associations. CVEs will be automatically associated with products when possible without waiting for manual analysis. Initial product assignments may not be available for all CVEs or might not be 100% accurate. Auto-generated initial assignments will be removed once manually curated product information is available. Some versions might appear to be "0" in automatic assignments; "0" is used as a placeholder when exact version information is not available. CVEs will be associated with products and vendors as usual even when the version number seems to be "0". CVEs might be associated with multiple products with similar names. This is intentional, to be on the safe side: we prefer generating an extra alert to failing to generate one. In case of multi-product matches, such as an operating system and an application with the same name, CVEs will be associated with all potential matches. This will be fixed after manual analysis.
    Update January 26, 2024: Improved product matching and fixed bugs leading to invalid/unfiltered version strings, duplicate product matches.
  • January 6, 2024: Added email alerts for CVEs affecting products/versions in tech stack
  • December 29: UI updates. Various changes to visual elements. Please hard refresh (typically achieved by clicking the refresh button while holding down the shift key) your browser if you notice any UI or layout problems.
  • December 23: Added product risk scores (beta), product search and product info APIs.
  • December 12: Added tech stack dashboard, providing statistics and insights about your tech stack. Also changed tech stack layout, separating products and versions.
  • December 8: Added tech stack/inventory API endpoints. Added export to tsv option and API examples to tech stack vulnerabilities.
  • December 4: Added RSS feeds for tech stack and labels. Also added the ability to search for vendor, products, version in the RSS feed form, making it more convenient to create RSS feeds.
  • December 4: Added filtering options to tech stack vulnerabilities
  • November 26: Added online payments for Pro and Business plans.
  • November 14:
    • Added item labels which can be used to add custom labels to items such as CVEs, products, versions etc.
    • Added item notes (look for icons). Users can now add notes to items such as CVEs, products, versions etc.
    • Added tech stack functionality allowing users to add products and/or versions to their tech stack/inventory. Tech stack reporting and alerting will be added in upcoming releases.
  • November 5: Added risk scores for CVEs. This feature is in beta status and may change. See CVE-2023-36812 for an example.
  • November 5: CVE details pages will display warnings when the CVE affects a product discovered on the user's attack surface.
  • October 22: Added Open Source Vulnerability data from https://osv.dev. Users will have easy access to many new types of information.
Changed
  • February 24, 2024: The way CVE assigners are displayed and stored was changed. A small number of entries (e.g., Jetbrains and Usom.gov.tr) were deprecated to remove duplicate entries. Other assigners were not impacted by this change. Going forward, organization names will be displayed on various pages instead of email addresses (e.g., Apache Software Foundation instead of security@apache.org), and vulnerability search API responses will include an additional field named assignerSourceName containing the organization name.
  • February 24, 2024: Added an option to allow users to skip the login confirmation page.
  • February 24, 2024: Enabled deep linking, i.e., users will be redirected to the page that they were trying to access after login. For example, when an anonymous user clicks a link that requires authentication, the user will be redirected to the login form and, after authentication, to the original link URL instead of the home page.
  • February 24, 2024: N/A will be displayed instead of 0.0 when a score is not available.
  • October 11: Changed ipAddressList parameter for /api/v1/threat-intel/my-asi-ip-cpes endpoint to "comma separated string" type to make it more convenient for users
  • October 22: Alerts configured with the ASAP option will be processed once every hour and only one email per 24 hour window will be sent, because emails were being marked as spam and were not reaching users.
Fixed
  • December 23: Fixed a bug causing some vendors to be incorrectly marked as deprecated. Fixed a bug causing "null" strings to appear in some Nessus plugin descriptions.
  • December 8: Fixed a bug causing Remove buttons to be shown for items not in tech stack.
  • December 4: Fixed an issue causing configured EPSS scores to be miscalculated in RSS feeds and causing the feed to return some CVEs that would not match the configured EPSS score criteria. No change is needed in existing feed configurations.
  • November 4: Fixed an issue causing some alert emails to fail.
  • October 22: Fixed an issue preventing cc addresses for alerts from receiving emails.
  • October 15: Fixed an issue affecting vendor, product, version statistics and recalculated all statistics and relations. Alert processing was skipped for this period to prevent excessive alerts.
  • October 12: The issue preventing users from viewing IP details
  • October 12: A JavaScript error causing some pages to fail to render properly
  • October 11: A minor issue causing RSS feed URLs to return an empty response
  • October 11: A minor issue affecting editing alerts. If no end date is selected it will default to December 31 of next year.
  • October 10: A minor issue affecting alerts.