A vulnerability intelligence graph to build on

Bring assets data you have.
Ask if you're affected — and how serious.

Book a demo

Products

Vulners is a vulnerability intelligence platform built around the assessment problem. Send asset data in the standard formats your tools and workflows produce; get back what's affected and the risk context to act on first.

Solutions

Blog

View more articles

Resources

Frequently Asked Questions

Vulners is a vulnerability intelligence platform that aggregates 230+ sources — CVE records, vendor advisories, exploits, patches, KEV status, EPSS scoring — into one connected, queryable graph. Founded 2015. Bootstrapped and profitable.

The U.S. NIST National Vulnerability Database (NVD) publishes CVE records with CVSS scores and partial CPE configurations. Vulners aggregates NVD plus 217 other sources — CISA KEV, vendor advisories from Microsoft, Red Hat, Cisco, and others, exploit databases (Exploit-DB, Metasploit), Linux distribution feeds, and first-party PoC harvesting from GitHub and Gitee — and links them into one queryable graph. Vulners also fills NVD's CPE gaps using data direct from CVE Numbering Authorities.

Vulners' APIs accept the standard formats real tools and workflows produce: SBOMs (SPDX and CycloneDX), package manager lockfiles via PURLs (npm, PyPI, Maven, Go modules, others), vendor:product:version tuples, CPE strings, and software inventory exports from CMDBs. No reformatting required before the API call.

Each CVE record in Vulners' graph carries CVSS score, EPSS exploitation probability, CISA KEV inclusion, public exploit availability (from Exploit-DB, Metasploit, GitHub PoCs), and Vulners' AI Risk Score. The Assessment API surfaces these signals together so prioritization reflects real-world exploitation pressure, not raw CVSS alone.

Vulners aggregates 230+ sources: the CVE Program, NIST NVD, CISA KEV, vendor advisories (Microsoft MSRC, Red Hat, Oracle, F5, Cisco, Check Point), Linux distribution feeds (Ubuntu USN, SUSE, Oracle Linux), exploit databases (Exploit-DB, Metasploit, Packet Storm, Seebug), security blogs and news, and first-party PoC harvesting from GitHub and Gitee.

Vulners ingests CVE records, vendor advisories, exploit listings, and KEV updates continuously. Typical CVE-to-exploit indexing window is measured in hours, not days. Full and delta archives are available through the Archive API with stable IDs and timestamps for reproducible analytics.

Three integration modes. White Label embeds Vulners' graph into a product you ship under your own brand. The SDK lets your team add Vulners' intelligence to anything you build, through one API. Model Context Protocol (MCP) connects AI agents to live vulnerability facts with verifiable citations.

No. Vulners does not install agents, scan networks, or pull data from customer environments. Defenders send asset data to Vulners' APIs in the standard formats their tools already produce; Vulners returns what's affected. All consumption is through the API.

Product builders embedding vulnerability intelligence under their brand; MSSPs running client enrichment workflows; enterprise security teams making patch decisions; AI agent developers grounding LLM answers in live vulnerability facts. Vulners has been bootstrapped and profitable since 2015.

Sign up for a free trial at vulners.com — query the graph directly through the API. Higher-volume usage and commercial integrations (White Label, SDK, MCP) are available on paid plans, with engineering support included on every tier.