SBOM Vulnerability Scanner

Stop juggling Grype, OSV, and NVD separately. Upload your CycloneDX or SPDX Software Bill of Materials and get a single prioritized view – what to patch now, what can wait.

vuln.today's dependency vulnerability scanner checks every component in your SBOM against 15+ databases including NVD, OSV, CISA KEV, and GitHub Advisories. Results include CVSS scores, EPSS exploitation probability, KEV flags, decision labels, and copy-paste fix commands.

15+ data sources | 250k+ CVEs tracked | Updated every 15 min | EPSS + KEV enrichment
1. Drop your SBOM

CycloneDX, SPDX, or any dependency file – package.json, requirements.txt, go.sum and more. We auto-detect the format. No account needed.

2. One scan, 15+ sources

NVD, OSV, GitHub Advisories, CISA KEV, EPSS – correlated automatically. No more conflicting results from different scanners.

3. Know what to fix first

Every CVE ranked by real-world exploitability (EPSS), not just CVSS score. Copy-paste fix commands included.

Supported SBOM and dependency formats

CycloneDX JSON & XML
SPDX JSON, RDF & tag-value
package.json / package-lock.json
requirements.txt / Pipfile.lock
go.sum / go.mod
pom.xml / build.gradle
Gemfile.lock / Cargo.lock
Plain text (one package name and version per line)

Format is auto-detected. Your file is parsed in the browser and only package names and versions are sent to the scanner API.

Frequently asked questions

What data sources does the scanner check?
Each package is matched against 15+ vulnerability databases: NVD (NIST), OSV (Google), GitHub Advisory Database, CISA Known Exploited Vulnerabilities (KEV), EPSS exploitation probability scores, VulDB, Exploit-DB, and vendor-specific feeds from Ubuntu, Red Hat, and Debian. Results are correlated and deduplicated so you get a single view instead of conflicting reports from different scanners.

How are vulnerabilities prioritized?
Every CVE receives a composite priority score combining CVSS severity, EPSS exploitation probability, CISA KEV status, proof-of-concept availability, and patch status. Based on this score, each vulnerability gets a decision label – emergency, act now, this week, this month, or monitor – so your team knows exactly what to fix first without manual triage.

What is EPSS and why does it matter?
EPSS (Exploit Prediction Scoring System) is a data-driven model maintained by FIRST.org that estimates the probability a vulnerability will be exploited in the wild within the next 30 days. Unlike CVSS, which measures theoretical severity, EPSS measures real-world risk. A CVE with a high CVSS but low EPSS may not need immediate action, while a medium-CVSS vulnerability with high EPSS should be patched urgently.

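The prioritization and EPSS answers above describe how the five decision labels are derived from CVSS, EPSS, KEV status, proof-of-concept availability and patch status. The following is an added illustration of that triage logic, not vuln.today's own code: the weights, thresholds, the Finding fields, the pip-only fix command and the sample findings (placeholder CVE ids) are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    cve: str
    package: str
    version: str
    cvss: float               # CVSS base score, 0.0-10.0
    epss: float               # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool = False      # listed in CISA Known Exploited Vulnerabilities
    has_poc: bool = False     # a public proof-of-concept exists
    fix_version: Optional[str] = None  # None: no patched release yet

LABELS = ("emergency", "act now", "this week", "this month", "monitor")

def priority_score(f: Finding) -> float:
    # Assumed weights: exploitation evidence (KEV, EPSS, PoC) outweighs raw CVSS.
    return round(3.0 * f.in_kev + 4.0 * f.epss + 1.0 * f.has_poc + 0.3 * f.cvss, 2)

def decision_label(f: Finding) -> str:
    # Assumed thresholds for the page's five labels; real-world exploitation first.
    if f.in_kev:
        return "emergency"
    if f.epss >= 0.5 or (f.cvss >= 9.0 and f.has_poc):
        return "act now"
    if f.epss >= 0.1 or f.cvss >= 7.0:
        return "this week"
    if f.cvss >= 4.0:
        return "this month"
    return "monitor"

def fix_command(f: Finding) -> Optional[str]:
    # Assumes a PyPI package (requirements.txt input); no fix means mitigate and watch.
    if f.fix_version is None:
        return None
    return f"pip install '{f.package}=={f.fix_version}'"

def triage(findings):
    """Most urgent first: by decision label, then by composite score within a label."""
    ranked = sorted(findings, key=lambda f: (LABELS.index(decision_label(f)), -priority_score(f)))
    return [(f.cve, decision_label(f), fix_command(f)) for f in ranked]

# Constructed sample findings with placeholder CVE ids (not real advisories).
SAMPLE = [
    Finding("CVE-0000-0001", "libfoo", "1.2.0", cvss=9.8, epss=0.02, fix_version="1.2.1"),
    Finding("CVE-0000-0002", "libbar", "3.0.0", cvss=6.5, epss=0.91, has_poc=True, fix_version="3.0.4"),
    Finding("CVE-0000-0003", "libbaz", "0.9.0", cvss=7.5, epss=0.04, in_kev=True),
    Finding("CVE-0000-0004", "libqux", "2.1.0", cvss=3.1, epss=0.001, fix_version="2.1.1"),
]
```

Running triage(SAMPLE) puts the KEV-listed CVE first and the high-EPSS, medium-CVSS one second, while the CVSS 9.8 finding with negligible EPSS drops to "this week", which is the ordering the answer above argues for.
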
Is my SBOM data stored or shared?
No. SBOM files are parsed client-side in your browser. Only the extracted package names and versions are sent to the scan API. No file contents are stored on our servers. Scan results are not persisted unless you explicitly choose to save them to your monitored stack (requires a free account).
