About & FAQ

Who we are and how we collect, score, and present vulnerability data.

Last updated: April 2026

About vuln.today

Mission

vuln.today is a daily vulnerability intelligence platform for security teams and defenders. We aggregate, enrich, and prioritize CVEs from 17 authoritative sources to help you decide what to patch first.

Every day, dozens of new CVEs are published. Most are noise. vuln.today combines CVSS severity, EPSS exploitation probability, CISA KEV status, POC availability, and patch monitoring into a single priority score with clear decision labels: Emergency, Act Now, This Week, This Month, or Monitor.

Data Sources

vuln.today pulls data from 17 authoritative sources including NVD, CVE.org (MITRE), CISA KEV, EPSS, Exploit-DB, GitHub Advisory Database, VulDB, MISP Galaxies, MITRE ATT&CK, CISA Advisories, ENISA EUVD, Ubuntu Security, Debian Security Tracker, Vulners, and vendor advisory feeds (Red Hat, Chrome, HeroDevs).

CVE data is fetched hourly. EPSS and KEV catalogs are refreshed daily at 06:00 UTC.

Creator

vuln.today is built and maintained by Sebastian Obara, a security engineer focused on vulnerability management, threat intelligence automation, and building tools that help defenders stay ahead of emerging threats.

Contact

For questions, feedback, or data inquiries: [email protected]

Methodology & Pipeline

Data Pipeline

1. Collect: Hourly fetch from NVD, CVE.org, EPSS, KEV, vendor advisories, Exploit-DB, GitHub, VulDB, MISP Galaxies, MITRE ATT&CK, CISA, ENISA EUVD
2. Enrich: ML model generates technical summaries, attack scenarios, remediation guidance, and tags for CRITICAL/HIGH CVEs
3. Prioritize: Algorithmic scoring combining CVSS severity, EPSS exploitation probability, KEV status, POC availability, and patch status
4. Label: Each CVE gets a decision label (Emergency → Monitor) based on combined threat signals, giving clear remediation timelines

What Is AI-Generated?

AI-generated (ML Model)
  • Technical analysis & risk assessment
  • Executive summaries (CRITICAL/HIGH only)
  • Affected product/vendor tags
  • Attack technique classification
  • Critical Watch daily selection & reasoning
  • Related CVE grouping
From authoritative sources
  • CVSS score & vector (NVD)
  • EPSS exploitation probability (FIRST.org)
  • KEV status (CISA)
  • POC/exploit availability (Exploit-DB, GitHub, VulDB)
  • Patch status (NVD, vendor advisories)
  • CWE classification (NVD/MITRE)

Update Frequency

New CVEs: Every hour
EPSS & KEV: Daily at 06:00 UTC
Critical Watch: Every 6 hours
Weekly Digest: Monday 07:00 UTC

Severity Levels & CVE Properties

Each CVE is classified by CVSS score into a severity level. The level determines which features and enrichments are available on the detail page.

CRITICAL
CVSS 9.0 – 10.0
  • Summary & technical context
  • Risk assessment & exploit scenario
  • Affected products & remediation
  • CVSS vector breakdown + radar chart
  • Priority Score calculation
  • Executive View (Why It Matters)
  • Recommended Action (24h)
  • Business Impact assessment
  • Compensating Controls
  • Vendor status (Ubuntu/Debian)
  • MITRE ATT&CK mapping
Decision label: Act Now / Emergency

HIGH
CVSS 7.0 – 8.9
  • Summary & technical context
  • Risk assessment & exploit scenario
  • Affected products & remediation
  • CVSS vector breakdown + radar chart
  • Priority Score calculation
  • Executive View (Why It Matters)
  • Recommended Action (24-48h)
  • Business Impact assessment
  • Compensating Controls
  • Vendor status (Ubuntu/Debian)
  • MITRE ATT&CK mapping
Decision label: Act Now / This Week

MEDIUM
CVSS 4.0 – 6.9
  • Summary & technical context
  • Risk assessment & exploit scenario
  • Affected products & remediation
  • CVSS vector breakdown + radar chart
  • Priority Score calculation
  • Executive View
  • Recommended Action
  • Business Impact
  • Compensating Controls
  • Vendor status (Ubuntu/Debian)
  • MITRE ATT&CK mapping
Decision label: This Month

LOW
CVSS 0.1 – 3.9
  • Summary & technical context
  • Risk assessment & exploit scenario
  • Affected products & remediation
  • CVSS vector breakdown + radar chart
  • Priority Score calculation
  • Executive View
  • Recommended Action
  • Business Impact
  • Compensating Controls
  • Vendor status (Ubuntu/Debian)
  • MITRE ATT&CK mapping
Decision label: Monitor

Awaiting Data

CVEs without a CVSS score yet (NVD hasn't assigned severity). A basic description is available; enrichments are added once severity is published.

Decision Labels

Each CVE gets an actionable label based on severity, exploitation signals (KEV, EPSS, POC), and patch availability. Labels help prioritize remediation effort.

Emergency
Immediate action required. CRITICAL severity + in CISA KEV (actively exploited) without a patch, or CRITICAL + EPSS >30% without a patch.
Act Now
Prioritize within 24-48h. KEV with patch available, CRITICAL + public POC, HIGH + EPSS >10%, or any CRITICAL severity.
This Week
Schedule this week. HIGH severity vulnerability requiring timely remediation.
This Month
Plan within 30 days. MEDIUM severity with lower exploitation risk.
Monitor
Track and reassess. LOW severity, minimal exploitation risk. No immediate action needed.
Awaiting Data
Pending NVD analysis. Severity not yet assigned. Label will be updated automatically when CVSS score is published.

Key Indicators

CVSS Score

Common Vulnerability Scoring System v3.1. Rates vulnerability severity on a 0–10 scale based on attack vector, complexity, required privileges, user interaction, scope, and impact (confidentiality, integrity, availability).

9.0–10.0 Critical | 7.0–8.9 High | 4.0–6.9 Medium | 0.1–3.9 Low

Source: NVD (NIST)

EPSS Score

Exploit Prediction Scoring System. Estimates the probability (0–100%) that a vulnerability will be exploited in the wild within the next 30 days. Updated daily.

>50% Very High | 10–50% High | <10% Lower

Source: FIRST.org

Priority Score

Composite score (0–235) combining multiple threat signals into a single number for ranking CVEs.

KEV (in CISA catalog): +50
EPSS (probability): × 100
CVSS (severity): × 5
POC (exploit exists): +20
AKB (community score): × 3
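
The Decision Labels rules and the Priority Score weights above, combined into one triage routine. This is an added example, not vuln.today's code: the `Cve` record, the function names, the 0–5 AKB scale, and the handling of an unpatched KEV entry below CRITICAL are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cve:
    cve_id: str
    cvss: Optional[float]      # None until NVD publishes a score
    epss: float = 0.0          # probability, 0.0-1.0
    kev: bool = False
    poc: bool = False
    patched: bool = False
    akb: float = 0.0           # assumed 0-5 scale (range not stated on the page)


def severity(cvss: Optional[float]) -> Optional[str]:
    """Map a CVSS base score to the page's severity bands."""
    if cvss is None:
        return None
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW"


def decision_label(c: Cve) -> str:
    sev = severity(c.cvss)
    if sev is None:
        return "Awaiting Data"
    # Emergency: CRITICAL, no patch, and either in KEV or EPSS > 30%.
    if sev == "CRITICAL" and not c.patched and (c.kev or c.epss > 0.30):
        return "Emergency"
    # Act Now: KEV, any CRITICAL (covers CRITICAL + POC), or HIGH with EPSS > 10%.
    # The page lists "KEV with patch available"; an unpatched KEV entry below
    # CRITICAL is not covered there and is treated as Act Now here (assumption).
    if c.kev or sev == "CRITICAL" or (sev == "HIGH" and c.epss > 0.10):
        return "Act Now"
    return {"HIGH": "This Week", "MEDIUM": "This Month", "LOW": "Monitor"}[sev]


def priority_score(c: Cve) -> float:
    """KEV +50, EPSS x100, CVSS x5, POC +20, AKB x3."""
    score = (50 if c.kev else 0) + c.epss * 100 + (c.cvss or 0.0) * 5
    score += (20 if c.poc else 0) + c.akb * 3
    return round(score, 1)


def triage(cves):
    """Return (id, label, score) tuples, highest priority score first."""
    rows = [(c.cve_id, decision_label(c), priority_score(c)) for c in cves]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLE = [
    Cve("CVE-0000-0001", 9.8, epss=0.45, poc=True),
    Cve("CVE-0000-0002", 8.1, epss=0.12, patched=True),
    Cve("CVE-0000-0003", 7.5, epss=0.02, kev=True, poc=True, patched=True),
    Cve("CVE-0000-0004", 7.2, epss=0.01, patched=True),
    Cve("CVE-0000-0005", 5.3, epss=0.004, patched=True),
    Cve("CVE-0000-0006", None),
]

if __name__ == "__main__":
    for cve_id, label, score in triage(SAMPLE):
        print(f"{cve_id}  {label:<13}  {score:>6}")
```

With every signal at its maximum and AKB at the assumed ceiling of 5, the weights sum to 235, matching the stated range.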

CISA KEV

Known Exploited Vulnerabilities catalog maintained by CISA (U.S. Cybersecurity and Infrastructure Security Agency). Inclusion means the vulnerability has been observed being actively exploited in the wild.

KEV – actively exploited

Updated daily from CISA

POC (Proof of Concept)

Indicates a public proof-of-concept exploit exists. Detected from Exploit-DB, GitHub, VulDB, and cve-search sightings. A public POC significantly increases exploitation probability.

POC – exploit code available

Patch Status

Whether an official fix is available. Detected from NVD references tagged as "Patch", vendor advisories (Ubuntu USN, Debian DSA), and GitHub security advisories.

PATCH – fix available | No patch yet

Executive View

Available for CRITICAL and HIGH severity CVEs only. Provides a management-oriented assessment for risk owners and CISOs.

Why It Matters

Non-technical explanation of the vulnerability's business significance – what's at risk and why it matters for the organization.

Recommended Action

Specific, timeboxed remediation steps. CRITICAL: within 24h. HIGH: within 24-48h. Includes patch instructions or workarounds.

Business Impact

Assessment of potential operational, financial, and reputational impact. Rated as low, medium, high, or severe.

Compensating Controls

Interim mitigations when a patch is not yet available or cannot be applied immediately (e.g., WAF rules, network segmentation, access restrictions).

Data Confidence

Measures how many independent sources confirm information about a CVE. More sources = higher confidence in the data accuracy.

High
5+ sources
Medium
3–4 sources
Low
1–2 sources

Counted sources: NVD/CVE.org (base), EPSS, ENISA EUVD, vendor advisories (Ubuntu/Debian), MISP Galaxies, MITRE ATT&CK, CISA, Exploit-DB, GitHub, VulDB.

Data Sources

We aggregate data from multiple authoritative vulnerability databases and feeds, updated hourly.

NVD – CVSS scores, CWE, CPE, references (NIST)
CVE.org – MITRE cvelistV5 delta feed (publishes before NVD)
EPSS – exploitation probability scores (FIRST.org, daily)
CISA KEV – Known Exploited Vulnerabilities catalog (daily)
ENISA EUVD – SSVC scoring, product versions, EU advisories
MISP Galaxies – threat actor and malware family mappings (CC0)
MITRE ATT&CK – threat group, malware, and technique mappings
CISA Advisories – ICS advisories, cybersecurity alerts (public domain)
Ubuntu Security – per-release patch status, USN notices
Debian Security – per-release status, DSA/DLA advisories
Exploit-DB – public exploits & proof-of-concepts
GitHub Advisory – ecosystem-specific security advisories
VulDB – exploit availability & technical details
HeroDevs – end-of-life software vulnerability advisories

Security Dashboard

Priority-based view for security teams. Available at /dashboard. Configurable time range: 7, 14, 30, or 90 days.

KPI Summary

Total CVEs
All CVEs published in the selected period
Avg Priority
Mean Priority Score (0-220) across all CVEs in period
KEV
CVEs in CISA Known Exploited Vulnerabilities catalog
POC
CVEs with public proof-of-concept exploits
Unpatched
CRITICAL/HIGH CVEs without an available patch

Patch Now

CVEs in CISA KEV catalog, sorted by Priority Score. These are actively exploited and require immediate remediation.

Priority Distribution

Bar chart showing CVE count in each Priority Score bucket: Low (0-40), Medium (40-80), High (80-120), Critical (120+).

Priority Table

All CVEs sorted by Priority Score descending. Shows severity, CVSS, EPSS, indicators (KEV/POC/FIX), and publication date. Filterable by severity, KEV, POC, or unpatched.

Oldest Unpatched CRIT/HIGH

CRITICAL and HIGH CVEs without a patch, sorted by age (days open). Highlights remediation gaps requiring attention.

Weekly Digest

Published every Monday at 07:00 UTC. Summarizes the previous week's vulnerability landscape.

Included in digest:

  • Total CVEs published that week
  • Breakdown by severity (Critical/High/Medium/Low)
  • Top CVEs by Priority Score
  • New KEV additions
  • CVEs with public exploits (POC)
  • Most affected vendors & technologies
  • Week-over-week trends

Update schedule:

  • New CVEs fetched every hour
  • Modified CVEs updated every hour
  • EPSS & KEV refreshed daily at 06:00
  • Weekly digest generated Monday 07:00

ZDI Advisories

vuln.today tracks Zero Day Initiative advisories - both published and upcoming. Upcoming advisories represent vulnerabilities reported to vendors with a 120-day disclosure deadline.

Upcoming

Advisories where the vendor has been given a deadline to release a patch. These are pre-disclosure - no CVE ID yet, limited technical details.

  • ZDI-CAN ID, vendor, CVSS score
  • Disclosure deadline and days remaining
  • Researcher attribution
  • AI-generated context summary

Published

Advisories where the deadline has passed or the vendor has released a fix. Full technical details and CVE IDs are available.

  • ZDI ID, linked CVE ID
  • Full description and analysis
  • CVSS vector breakdown
  • Tags and technique classification

Overdue

Advisories past their disclosure deadline where the vendor has not released a patch. These represent the highest risk - the vulnerability exists but remains unpatched.

Homepage Integration

The homepage shows two ZDI sections: a collapsible timeline with all upcoming dates (requires login to expand), and a dedicated card section showing advisories from the nearest disclosure date. Both are toggleable via the layout gear menu.

Homepage Layout Customization

Logged-in users can customize the homepage layout using the gear icon in the stats bar. Preferences are saved to your account and persist across sessions.

Sections

Toggle visibility of major homepage sections:

  • Critical Watch hero card
  • Trend Chart box
  • ZDI Timeline
  • Weekly Report
  • ICT Providers at Risk
  • Vendor / Technique filters

CVE Sections

Control which CVE grouping sections are visible:

  • Act Now
  • Critical
  • ZDI Upcoming Boxes
  • High
  • Medium / This Week
  • Monitor

Chart Tabs & Filter Pills

Fine-grained control over individual elements:

  • Chart tabs: 7-Day Trend, Attack Techniques, OWASP, Top Vendors, Trending
  • Filter pills: CRITICAL, HIGH, MEDIUM, LOW, Act Now, POC, KEV, PATCH, Unpatched

Chart auto-rotation skips hidden tabs.

RSS Feeds

Public RSS feeds for integrating vuln.today into your existing tools. Available at /rss.

CVE Feed

Latest 50 published CVEs. Filterable by severity, decision label, KEV status, and POC availability.

/feed.xml

ZDI Feed

Latest 50 ZDI advisories. Filterable by status (upcoming, published, overdue) and severity.

/feed-zdi.xml

Both feeds support RSS 2.0 and work with Feedly, Inoreader, Slack RSS bots, SIEM connectors, and automation tools (n8n, Zapier, Make).

Stack Monitoring

Define your technology stack at /my/stack and get automatic vulnerability matching. Requires login.

How it works
  • Add products with name and optional version
  • System matches CVEs using CPE and NVD version ranges
  • Get alerts when new CVEs affect your stack
  • Scan results show matching CVEs with severity and status
Features
  • On-demand scan via API
  • Automated alerts on new matches
  • Version-aware matching (e.g. "nginx 1.24" vs "nginx 1.25")
  • Integrates with Slack and Jira notifications

Regulatory Compliance (NIS2 & DORA)

The /compliance module helps security teams track vulnerabilities relevant to EU regulatory frameworks – NIS2 and DORA. It surfaces CVEs that matter for compliance, tracks ICT provider risk, and provides a workflow for documenting remediation actions.

Algorithmic

All compliance classification is purely algorithmic – based on existing CVE data (severity, CWE, tags, EPSS, KEV, patch status).

Three Tabs

Regulatory Triage: Filter and prioritize CRITICAL/HIGH CVEs by NIS2 and DORA relevance, signals, and risk indicators
ICT Providers: Track 85+ third-party ICT providers across 14 categories, monitor their CVE exposure and patch rates
My Actions: Personal compliance action log – track remediation status, owners, due dates, and notes per CVE

What Requires Login?

Public (no account needed)
  • Browse Regulatory Triage – all CVEs, filters, KPIs, “Why flagged?”
  • Browse ICT Providers – view all providers, categories, risk metrics
Requires login
  • Workflow panel – create/edit compliance actions
  • My Actions tab – personal action list
  • CSV audit export
  • Send to Slack
  • Watch / unwatch ICT providers

When Is a CVE Regulatory-Relevant?

NIS2

The EU Network and Information Security Directive. A CVE is flagged as NIS2-relevant when all conditions are met:

  • Severity is CRITICAL or HIGH
  • Internet-facing (CWE or attack technique) OR affects a third-party ICT provider
  • Evidence strength is not “weak”

DORA

Digital Operational Resilience Act – focused on financial sector ICT risk. A CVE is flagged as DORA-relevant when:

  • Severity is CRITICAL or HIGH
  • Affects a third-party ICT provider (matched by product tags)

Evidence Strength

Measures how confident we are that a CVE poses real-world risk. Used to filter out low-confidence NIS2 flags.

Strong

In CISA KEV, EPSS >30%, or 5+ independent sources confirming the vulnerability

Moderate

Public PoC available, EPSS >5%, or 3+ independent sources

Weak

No exploitation signals, low source count – excluded from NIS2 relevance

Risk Signals

Each compliance CVE can carry one or more signal badges indicating specific risk factors:

edge-exposure: Internet-facing vulnerability – CWE or attack technique indicates exposure at the network edge (e.g. XSS, SSRF, SQLi, RCE, path traversal)
ict-dependency: Affects a third-party ICT provider in your supply chain (matched via product tags)
active-exploit: Actively exploited – in CISA KEV catalog, or PoC exists with EPSS >10%
no-patch: No official fix available for a CRITICAL or HIGH severity CVE – compensating controls needed
mgmt-plane: Management plane issue – authentication, authorization, or privilege escalation weakness (CWE-287, 306, 269, etc.)
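
The NIS2/DORA conditions, the evidence-strength tiers and the risk signals above, worked through as one classifier. This is an added example, not vuln.today's code: the `Finding` record, the CWE subset used for edge exposure, and the provider tags are assumptions, and the sample findings are constructed.

```python
from dataclasses import dataclass, field

# Illustrative CWE subset for the classes the page names (XSS, SQLi, SSRF,
# path traversal, command/code injection); not the platform's list.
EDGE_CWES = {"CWE-79", "CWE-89", "CWE-918", "CWE-22", "CWE-78", "CWE-94"}
MGMT_CWES = {"CWE-287", "CWE-306", "CWE-269"}        # IDs named on the page
ICT_PROVIDER_TAGS = {"examplecloud", "example-idp"}  # hypothetical tags
HIGH_SEVERITIES = {"CRITICAL", "HIGH"}


@dataclass
class Finding:
    cve_id: str
    severity: str
    cwes: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    epss: float = 0.0      # probability, 0.0-1.0
    kev: bool = False
    poc: bool = False
    patched: bool = False
    sources: int = 1       # independent sources confirming the CVE


def evidence_strength(f):
    if f.kev or f.epss > 0.30 or f.sources >= 5:
        return "strong"
    if f.poc or f.epss > 0.05 or f.sources >= 3:
        return "moderate"
    return "weak"


def signals(f):
    checks = [
        ("edge-exposure", bool(f.cwes & EDGE_CWES)),
        ("ict-dependency", bool(f.tags & ICT_PROVIDER_TAGS)),
        ("active-exploit", f.kev or (f.poc and f.epss > 0.10)),
        ("no-patch", not f.patched and f.severity in HIGH_SEVERITIES),
        ("mgmt-plane", bool(f.cwes & MGMT_CWES)),
    ]
    return [name for name, hit in checks if hit]


def classify(f):
    sig = signals(f)
    strength = evidence_strength(f)
    high = f.severity in HIGH_SEVERITIES
    ict = "ict-dependency" in sig
    return {
        "evidence": strength,
        "signals": sig,
        # NIS2: severity AND (internet-facing OR ICT provider) AND not weak.
        "nis2": high and ("edge-exposure" in sig or ict) and strength != "weak",
        # DORA: severity AND ICT provider; no evidence-strength filter listed.
        "dora": high and ict,
    }


# Constructed findings; IDs and provider tags are placeholders.
SAMPLE = [
    Finding("CVE-0000-0011", "HIGH", {"CWE-89"}, sources=2, patched=True),
    Finding("CVE-0000-0012", "HIGH", {"CWE-89"}, sources=3, patched=True),
    Finding("CVE-0000-0013", "CRITICAL", {"CWE-287"}, {"example-idp"}, kev=True),
    Finding("CVE-0000-0014", "HIGH", tags={"examplecloud"}, patched=True),
    Finding("CVE-0000-0015", "MEDIUM", {"CWE-79"}, kev=True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.cve_id, classify(f))
```

The first two findings differ only in source count, which is what moves the same SQL injection from weak to moderate evidence and into NIS2 relevance; the fourth shows a weak-evidence CVE that is still DORA-relevant because it matches a provider tag.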

KPI Cards

Six metrics displayed at the top of the Triage page. All count only CRITICAL and HIGH published CVEs within the selected time window (7/14/30/90 days).

NIS2 Relevant: Internet-facing + third-party ICT CVEs (union)
DORA Relevant: CVEs affecting tracked ICT providers
Internet-Facing: CVEs with edge-exposure CWE or technique
Third-Party ICT: CVEs matching ICT provider product tags
Unpatched: CRITICAL/HIGH without an available fix
Exploited: CVEs with KEV status or public PoC

Filters & Sorting

Framework selector
  • NIS2 – only NIS2-relevant CVEs
  • DORA – only DORA-relevant CVEs (ICT provider dependency)
  • Both – CVEs relevant to either framework (default)
Sub-filters (toggles)
  • Internet-facing – edge-exposure CVEs only
  • Third-party – ICT provider CVEs only
  • Exploited – KEV or PoC available
  • Unpatched – no fix available
Time window

7, 14, 30, or 90 days. Controls which CVEs appear and how KPIs are calculated.

Sort order
  • Priority – composite Priority Score (default)
  • CVSS – severity score
  • EPSS – exploitation probability
  • Newest – publication date

Each CVE has an expandable “Why flagged?” section showing the exact reasons it was included – which CWEs, techniques, or providers triggered the NIS2/DORA flag.

CVE Card in Triage

Each CVE in the triage list is displayed as a card with three sections:

Left – ID & status
  • CVE ID (link to detail page)
  • Workflow status button (logged in)
  • Owner & due date preview
Middle – summary & badges
  • AI summary or description excerpt
  • NIS2 / DORA badges
  • Signal badges (edge-exposure, etc.)
  • Provider name badges
  • KEV / PoC indicator badges
  • Expandable “Why flagged?”
Right – scores
  • CVSS – color-coded by severity
  • EPSS – exploitation probability (%)
  • Priority – composite score (0–235)

Compliance Actions (Workflow)

For each flagged CVE you can create a compliance action to track remediation progress. Actions are personal (per user) and accessible from both the Triage page (inline panel) and the dedicated My Actions tab.

Action fields
  • Owner – who is responsible (e.g. “security-team”, “devops”)
  • Due date – remediation deadline (YYYY-MM-DD)
  • Notes – free-text field for context, decisions, or references
  • Status – workflow state (see below)
Available actions
  • Create/update action from inline workflow panel in Triage
  • Remove action (delete) from My Actions or inline panel
  • Export as CSV – includes action fields alongside CVE data (max 500 rows)
  • Send to Slack – post CVE details to a configured webhook (rate limit: 10 per minute)
Workflow statuses
new → in_review → mitigated or accepted_risk → closed

One action per CVE per user. Changes auto-save. Status can be updated inline via dropdown on both Triage and My Actions pages.

My Actions has an “Open” filter that combines new + in_review statuses – showing all actions that still need attention.

ICT Provider Tracking

The ICT Providers tab tracks 85+ third-party technology providers across 14 categories. This supports DORA Article 28 requirements for ICT third-party risk management.

Cloud
Identity & Access
Collaboration
Dev & CI/CD
Network & Security
Endpoint / EDR
Infrastructure
Database
Backup & DR
Observability
ERP & Business
CDN & Edge
Hardware
Operating Systems
Risk metrics per provider
  • CVE count – published CVEs in the selected time window
  • Top severity – highest severity level among those CVEs
  • Patch rate – percentage of CVEs with a fix available
  • KEV count – how many are actively exploited (CISA KEV)
Watchlist (requires login)
  • Watch providers relevant to your organization
  • Watched providers appear in a dedicated section at the top
  • Their CVEs are flagged as “third-party ICT” in Triage
  • Unwatch anytime to remove from your tracked list

Provider Detail Page

Click any provider name on the ICT Providers list to open a detailed risk assessment page. The detail page answers four questions: Is this provider a problem today? Why? Which CVEs hurt? What to do?

Page sections
  • KPI tiles – 6 key metrics: Open CVEs, Exploited, KEV, Unpatched, No Workaround, Internet-facing
  • Why risky now – narrative explanation plus signal badges with counts (KEV, Exploited, Unpatched, Mgmt Plane, Public PoC, No Workaround, Internet-facing)
  • Top Risky CVEs – top 10 CVEs by priority score with decision label, severity, signals, patch status, exploitation, and recommended action
  • Risk Breakdown – three-column analysis: By Exposure (internet-facing, mgmt plane, identity/auth, internal), By Exploitability (known exploited, PoC, high EPSS, remote unauth, local), By Remediation (patch available, no patch, workaround, no workaround)
  • Affected Services – CVEs grouped by product/service family within the provider (collapsible sections)
  • Recommended Actions – algorithmically generated checklist based on risk data (rule-based)
  • CSV Export – download all provider CVEs as CSV for audit evidence (requires login)
Internal criticality (requires login + watch)

Watched providers can be classified as Critical, Important, or Standard – a per-user setting that reflects how essential this provider is to your organization.

ICT Providers at Risk (Homepage)

When providers have active risk signals, a compact “ICT Providers at Risk” box appears on the homepage below Critical Watch. It shows the top 4 most impacted providers with their KEV count, unpatched CVEs, and internet-facing exposure. Clicking a provider opens the detail page.

Visible to all users (no login required). Appears only when at least one provider has KEV, unpatched CRITICAL/HIGH, or exploited CVEs in the last 30 days.

CSV Audit Export

Export filtered compliance data as a CSV file (up to 500 rows) for audit documentation or import into GRC tools. Available from the Triage page (requires login).

CVE ID, Severity, CVSS, EPSS
Priority Score
NIS2 / DORA relevance flags
NIS2 & DORA reasons
Signals & providers
KEV, PoC, Patch status
Action status & owner
Due date & notes
Published date & description
