How does it work?

  • All CVE data are taken from APIs/feeds provided by NVD (National Vulnerability Database).
  • All vendor, product and version data are taken from NVD CVE and CPE data. The CPE dictionary is processed to build the list of vendors, products and versions, but the data listed on this site may not be exhaustive: a product may have more versions than are listed here. Vendor, product and version information and the related statistics are for informational purposes only and may not be fully accurate.
  • Metasploit module information is taken from Metasploit.
  • Vulnerability types/categories are determined using keyword matching and CWE numbers. Treat type/category information as supplementary; it may not be reliable.
  • Please note: CVE data have inconsistencies which affect the accuracy of the data displayed on this site. For example, a single product might have been defined under several different names, and this site treats each name as a separate product. Vulnerabilities in Oracle Database 10g might have been recorded against "Oracle Database", "Oracle Database10g", "Database10g", "Oracle 10g" and similar; or a PHP vulnerability might have been recorded against Fedora Linux 10. Vulnerability counts and statistics are therefore only as accurate as the underlying CVE data and are provided for informational purposes only. Make sure you manually verify all data before using it.
    If you think there are inconsistencies or errors in the data published by this site, please contact us by email at [email protected].

Technical details, limitations

  • "Vulnerable products" are taken from NVD CVE data, and the accuracy and completeness of that data are only as good as what NVD provides. The vulnerable configurations listed for a vulnerability may not always be consistent with the vulnerable software listed in the CVE definition.
  • There may be inconsistencies between NVD data and the data published by this site; for example, some products are listed under several names, such as Adobe Reader and Adobe Acrobat Reader, or IE and Internet Explorer, so some vulnerabilities may be reported for IE while others are reported for Internet Explorer. Make sure you check all possible names for a product.
  • Rejected CVE entries are not included in our database. Because of that, the number of CVE vulnerabilities on this site and on the NVD web site may differ.

What are the data sources used by this site?

The main data sources for this site are the NVD CVE and CPE feeds/APIs. The site regularly fetches new and modified data from NVD and updates its database.
Metasploit module information is extracted from Metasploit.

How does this site calculate vulnerability statistics?

The site processes all CVE and CPE data and creates a list of all known vendors, products and versions, then calculates the list of vulnerabilities affecting each version, product and vendor.
All statistics (just like all data published on this site) are provided for informational purposes only. They are not guaranteed to be accurate.

How can a version, product or vendor appear to have zero vulnerabilities?

This might happen under a few circumstances, including but not limited to:
  • The product/version in question was used only as a condition, e.g. if X is vulnerable when used together with Y, then Y will still be in our database but won't have any vulnerabilities itself.
  • The product/version was listed as vulnerable in a CVE definition at some point, but the CVE definition was later modified and the product/version was removed from the list of vulnerable items. The product/version remains in our database; we don't delete entries just because they are no longer used in any CVE definition.
  • There may be an inconsistency in CVE and/or CPE data.

Why is version x.y.z of a product missing from your database?

We only have the versions included in CVE and/or CPE data. Keeping a complete list of every version of every product is not feasible in practice.

Why do you have apparently duplicate vendor/product/versions in your database?

We rely on CVE and/or CPE data, which may contain inconsistencies. For example, two different vendor names such as "Abc project" (with a space) and "Abcproject" (without a space) might have been used at different times. These probably refer to the same vendor and the second entry was probably created unintentionally, but we can't know that for sure, so we treat them as different vendors.
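As an added illustration (not the site's own code), the following Python script works through the statistics calculation, the "condition only" zero-vulnerability case and the duplicate-vendor case above on a few constructed records laid out like the inner `cve` object of the public NVD CVE API 2.0 JSON: it splits CPE 2.3 names into vendor/product/version, counts distinct CVEs per version, product and vendor, registers a platform that appears only as a non-vulnerable side of an AND configuration so it shows zero vulnerabilities, keeps the two vendor spellings apart, and skips rejected entries. The field names (`configurations`, `nodes`, `cpeMatch`, `vulnerable`, `criteria`, `vulnStatus`) are NVD's; the CVE ids, vendor and product names are invented for the example.

```python
"""Vendor/product/version statistics from NVD CVE API 2.0 style records.

Added illustration, not the site's own code. Field names follow the public
NVD CVE API 2.0 JSON (inner "cve" object); CVE ids, vendors and products are
constructed sample data.
"""
from collections import defaultdict

CPE23_PREFIX = "cpe:2.3:"
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed sample records (invented ids and names).
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
     "configurations": [{"operator": "AND", "nodes": [
         {"operator": "OR", "negate": False, "cpeMatch": [
             {"vulnerable": True, "criteria": "cpe:2.3:a:abc_project:abc:1.0:*:*:*:*:*:*:*"},
             {"vulnerable": True, "criteria": "cpe:2.3:a:abc_project:abc:1.1:*:*:*:*:*:*:*"}]},
         # Platform side of the AND: a condition, not itself vulnerable.
         {"operator": "OR", "negate": False, "cpeMatch": [
             {"vulnerable": False, "criteria": "cpe:2.3:o:example_os:example_os:-:*:*:*:*:*:*:*"}]}]}]},
    {"id": "CVE-0000-0002", "vulnStatus": "Analyzed",
     "configurations": [{"nodes": [
         # Same product, but the vendor was spelled without the underscore this time.
         {"operator": "OR", "negate": False, "cpeMatch": [
             {"vulnerable": True, "criteria": "cpe:2.3:a:abcproject:abc:1.2:*:*:*:*:*:*:*"}]}]}]},
    # Rejected entries are skipped entirely.
    {"id": "CVE-0000-0003", "vulnStatus": "Rejected", "configurations": []},
]


def split_cpe23(criteria):
    """Split a CPE 2.3 formatted string into a dict of its 11 components.

    A literal colon inside a component is escaped as '\\:' (other punctuation
    as '\\<char>'), so a plain str.split(':') can miscount fields; scan
    character by character instead and drop the escaping backslashes.
    """
    if not criteria.startswith(CPE23_PREFIX):
        raise ValueError("not a CPE 2.3 formatted string: %r" % criteria)
    parts, current, i = [], [], 0
    body = criteria[len(CPE23_PREFIX):]
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character: keep it literally
            current.append(body[i + 1])
            i += 2
            continue
        if ch == ":":                         # unescaped separator
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    if len(parts) != len(CPE23_FIELDS):
        raise ValueError("expected 11 components, got %d: %r" % (len(parts), criteria))
    return dict(zip(CPE23_FIELDS, parts))


def cpe_matches(cve):
    """Yield (vulnerable, criteria) for every cpeMatch in a record."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                yield bool(match.get("vulnerable")), match["criteria"]


def build_catalog(cves):
    """Return {(vendor, product, version): set of CVE ids}.

    Every CPE name seen is registered, including ones that appear only as a
    non-vulnerable condition (vulnerable: false), so those end up with an
    empty set, i.e. zero vulnerabilities. Rejected CVEs are skipped.
    """
    catalog = defaultdict(set)
    for cve in cves:
        if cve.get("vulnStatus") == "Rejected":
            continue
        for vulnerable, criteria in cpe_matches(cve):
            c = split_cpe23(criteria)
            entry = catalog[(c["vendor"], c["product"], c["version"])]  # registers the key
            if vulnerable:
                entry.add(cve["id"])
    return dict(catalog)


def rollup(catalog, depth):
    """Count distinct CVEs per vendor (depth=1) or per vendor+product (depth=2)."""
    grouped = defaultdict(set)
    for key, ids in catalog.items():
        grouped[key[:depth]] |= ids
    return {key: len(ids) for key, ids in grouped.items()}


if __name__ == "__main__":
    catalog = build_catalog(SAMPLE_CVES)
    for key in sorted(catalog):
        print(":".join(key), sorted(catalog[key]))
    print(rollup(catalog, 1))
```

Running it lists `abc_project:abc:1.0` and `abc_project:abc:1.1` with one CVE each, `abcproject:abc:1.2` with a different CVE, and `example_os:example_os:-` with none; the vendor rollup counts one distinct CVE for each spelling of the vendor rather than two for `abc_project`, because the same CVE covering two versions is still one vulnerability.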

How do you categorize vulnerabilities?

Types/categories are assigned to vulnerabilities using CWE ids and keywords. For example, if "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" is assigned to a CVE, then we assign the 'sql injection' type to that CVE. Or if the CVE description contains certain keywords like "XXE", we assign the 'XXE' category to that CVE.
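As an added example (not the site's own code), the following Python snippet implements the two routes just described on constructed records laid out like the NVD CVE API 2.0 `weaknesses` and `descriptions` fields: CWE ids are mapped through a small table, and the English description is matched against word-bounded keyword patterns. The third record shows why keyword-derived categories are unreliable: it mentions "SQL injection" while actually describing an authentication bypass, so it picks up the wrong category. The mapping tables, CVE ids and descriptions are invented for the illustration.

```python
"""Rough vulnerability categories from CWE ids and description keywords.

Added illustration, not the site's own code. Record layout follows the NVD
CVE API 2.0 'weaknesses' and 'descriptions' fields; the tables and sample
records are constructed for the example.
"""
import re

# Constructed mapping; a real table covers many more CWE ids.
CWE_CATEGORIES = {
    "CWE-79": "xss",
    "CWE-89": "sql injection",
    "CWE-611": "xxe",
    "CWE-787": "overflow",
}

# Keyword patterns for the English description. Word boundaries keep short
# tokens like 'XXE' from firing inside unrelated words; matching ignores case.
KEYWORD_CATEGORIES = [
    (re.compile(r"\bXXE\b|\bXML external entit", re.I), "xxe"),
    (re.compile(r"\bSQL injection\b", re.I), "sql injection"),
    (re.compile(r"\bcross[- ]site scripting\b|\bXSS\b", re.I), "xss"),
    (re.compile(r"\b(?:stack|heap)[- ]based overflow\b|\bbuffer overflow\b", re.I), "overflow"),
]

# Constructed sample records (invented ids and text).
SAMPLE_CVES = [
    {"id": "CVE-0000-0011",
     "descriptions": [{"lang": "en", "value": "The login form allows remote attackers to "
                                               "execute arbitrary SQL commands via the username parameter."}],
     "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                     "description": [{"lang": "en", "value": "CWE-89"}]}]},
    {"id": "CVE-0000-0012",
     "descriptions": [{"lang": "en", "value": "The import function allows XXE via a crafted document."}],
     "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                     "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]},
    {"id": "CVE-0000-0013",   # keyword false positive: an auth bypass that mentions SQL injection
     "descriptions": [{"lang": "en", "value": "A regression in the SQL injection filter allows "
                                               "authentication bypass."}],
     "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                     "description": [{"lang": "en", "value": "CWE-287"}]}]},
]


def cwe_ids(cve):
    """Collect real CWE ids from the 'weaknesses' list.

    NVD's placeholder values (NVD-CWE-Other, NVD-CWE-noinfo) carry no
    category information and are skipped.
    """
    ids = set()
    for weakness in cve.get("weaknesses", []):
        for desc in weakness.get("description", []):
            value = desc.get("value", "")
            if re.fullmatch(r"CWE-\d+", value):
                ids.add(value)
    return ids


def english_description(cve):
    """Return the English description text, or '' if there is none."""
    for desc in cve.get("descriptions", []):
        if desc.get("lang") == "en":
            return desc.get("value", "")
    return ""


def categorize(cve):
    """Return {category: source}, where source is 'cwe' or 'keyword'.

    Keyword hits are recorded first; a CWE-derived category for the same
    label then overrides the source, since the CWE assignment is the more
    deliberate of the two signals.
    """
    result = {}
    text = english_description(cve)
    for pattern, category in KEYWORD_CATEGORIES:
        if pattern.search(text):
            result[category] = "keyword"
    for cwe in cwe_ids(cve):
        category = CWE_CATEGORIES.get(cwe)
        if category:
            result[category] = "cwe"
    return result


if __name__ == "__main__":
    for cve in SAMPLE_CVES:
        print(cve["id"], categorize(cve))
```

The returned source tag is what makes the caveat actionable: a consumer can keep CWE-backed categories and treat keyword-only ones (like the mislabelled third record) as hints to verify by hand.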