Vulnerability intelligence
You cannot fix, mitigate, accept or ignore an issue without understanding it, and you cannot understand an issue without information. Poor data leads to poor decisions, which result in poor security.
Providing context on known issues
We collect information about vulnerabilities to give you full context. Better information leads to better decisions, which eventually lead to better security. You cannot defend against an unknown issue, or fix an issue you don't understand. Information is the key to success.
CVEdetails.com provides the following information about vulnerabilities (usually even more than this):
- CVEs with full details
- Whether a public exploit exists: from Metasploit modules, Exploit-DB, Packet Storm, etc.
- CVSS scores both from NVD and other sources like vendors
- EPSS score history: We calculate EPSS score changes daily and show the change history
- References: Both from sources like NVD and OSV, and from mentions we discover. We provide a brief summary and a preview screenshot of each reference URL, to save you from visiting irrelevant or no longer valid references
- Whether the CVE is in the CISA known exploited vulnerabilities catalog
- Vendor and third party advisories
- Threat overview for CVEs: SecurityScorecard continuously scans the entire internet and captures attack surface data. CVEdetails.com provides CVE and product threat overview summaries extracted from SecurityScorecard attack surface intelligence. Whether the CVE is discoverable from the internet, and whether it affects products exposed to the internet, should always be a key factor in vulnerability prioritization.
- Browsable list of affected products and versions: This has been a differentiating feature of CVEdetails.com since 2010. Letting users easily browse products, versions and related CVEs helps them better understand the impact.
- Open source vulnerabilities and packages: CVEdetails.com provides more than just CVEs. Open source vulnerabilities from the osv.dev project add more context. These issues can be viewed by open source package, such as Maven packages.
- Links to individual commits in open source repositories mentioning the vulnerability
- Risk score: Our custom score, derived from all the factors above, to provide a single summary.
Most vulnerability intelligence products focus on exploitability and prioritization, but we try to maintain a wider perspective and give you what you need to know, so that you can make your own informed decisions.
Discovering the unknown/unnoticed
Open source developers fix various issues in their code bases every day, including potential security issues. Most of the time no CVE or similar identifier is assigned: the developer notices a problem and fixes it routinely, at best with a short commit message indicating they fixed some potential overflow or similar.
For example, you might be using version 8.3.1 of some software, and the developers fix a potential security issue that nobody has noticed or reported. It gets quietly fixed and they release version 8.3.2 along with many other changes; most of the time the potential security issue won't even make it into the release notes. You check whether any new CVEs were fixed in 8.3.2, see nothing, assume you are safe and continue to use 8.3.1.
But then an attacker who reviews code changes in new releases, looking for potentially exploitable issues in older versions, notices the potential security issue. They review the code change and develop an exploit that works against 8.3.1, suddenly leaving you exposed to what is effectively a zero day.
How can we help?
We monitor open source repositories and discover changes that might be relevant from a security perspective. We label individual code changes and add them to our database so that you can easily review potential security issues in code repositories.
For example, if you are using Node.js, you can easily view code changes labeled "use-after-free" by CVEdetails in the last 30 days, which lets you quickly review whether there is anything you should be aware of, even if there are no CVEs or similar identifiers. Or you can quickly view which CVEs were mentioned in the code repository and, from there, easily see the fixed versions.
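To illustrate the kind of commit labeling described above, here is an added example (not CVEdetails' own code, and not its actual classifier): a small keyword-based labeler run over a constructed commit log, which picks out commits tagged with a given label within the last 30 days and extracts any CVE identifiers mentioned. The label names, regular expressions and sample commits are all assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical label patterns; a real labeler would be far more thorough.
LABEL_PATTERNS = {
    "use-after-free": re.compile(r"\buse[- ]after[- ]free\b|\bUAF\b", re.I),
    "overflow": re.compile(r"\b(buffer|integer|heap|stack)[- ]overflow\b", re.I),
    "null-deref": re.compile(r"\bnull[- ](pointer[- ])?deref", re.I),
    "cve-mention": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
}

def label_commit(message):
    """Return the sorted labels whose pattern matches the commit message."""
    return sorted(name for name, pat in LABEL_PATTERNS.items() if pat.search(message))

def mentioned_cves(message):
    """Return the distinct CVE ids mentioned in a commit message, upper-cased."""
    return sorted({m.upper() for m in re.findall(r"CVE-\d{4}-\d{4,}", message, re.I)})

def recent_labeled_commits(commits, label, now, days=30):
    """Return SHAs of commits carrying `label` that are at most `days` old."""
    cutoff = now - timedelta(days=days)
    return [c["sha"] for c in commits
            if c["date"] >= cutoff and label in label_commit(c["message"])]

# Constructed sample commit log (fake SHAs, fake messages, placeholder CVE id).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_COMMITS = [
    {"sha": "a1b2c3d", "date": NOW - timedelta(days=3),
     "message": "src: fix use-after-free in stream cleanup"},
    {"sha": "d4e5f6a", "date": NOW - timedelta(days=10),
     "message": "deps: update bundled lib (fixes CVE-2099-12345)"},
    {"sha": "b7c8d9e", "date": NOW - timedelta(days=45),
     "message": "http: avoid integer overflow when parsing Content-Length"},
    {"sha": "f0a1b2c", "date": NOW - timedelta(days=1),
     "message": "doc: clarify README wording"},
]

if __name__ == "__main__":
    for c in SAMPLE_COMMITS:
        print(c["sha"], label_commit(c["message"]), mentioned_cves(c["message"]))
    print("use-after-free, last 30 days:",
          recent_labeled_commits(SAMPLE_COMMITS, "use-after-free", NOW))
```

The 45-day-old overflow fix is labeled but falls outside the 30-day window, which is exactly the kind of quietly fixed issue worth widening the window for when reviewing an older version you still run.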