A vulnerability intelligence graph to build on
Bring assets data you have.
Ask if you're affected — and how serious.
Products
Vulnerability Intelligence
Query the Vulners database to get enriched context for CVE, including all metrics, exploitability, and correlated real-world risk signals.
Assessment
Instantly turn software inventories or host data into vulnerability reports. Make vulnerability assessment a seamless feature in your product.
Datasets
Fetch the connected world of vulnerability intelligence. Export full datasets and see how CVEs, advisories, exploits, and observations link together.
Alerts
Stay updated about vulnerabilities that matter to you with real-time push and pull notifications. Trigger actions automatically when new vulnerabilities appear.
Exploits
Track fresh PoCs and wild exploitation listings as they appear. Instantly see if they can affect your assets and what needs to be prioritized for remediation.
MCP
Use Vulners MCP to power your AI agents. Break through the LLM knowledge cut-off and use real-time vulnerability insight.
Vulners is a vulnerability intelligence platform built around the assessment problem. Send asset data in the standard formats your tools and workflows produce; get back what's affected and the risk context to act on first.
Blog
May 21 • 8 min. read
Library Audit: from a PURL to vulnerabilities and compromises
Many npm and PyPI compromises never get a CVE — the package is yanked and an OSV advisory is shipped instead. Library Audit takes raw PURLs from any ecosystem to flag CVE-tracked vulnerabilities and registry-yanked compromises before `pip install`, not the morning after.
Apr 19 • 5 min. read
Your asset inventory doesn't wait for NVD
NIST moved the NVD to risk-based enrichment on April 15 — a quarter of recent CVEs now arrive Not Scheduled. Vulners has been filling the CPE gap since February 2024. Here is the four-source configuration layer and how to use it.
Mar 4 • 6 min. read
SBOM Audit: from a file upload to a prioritized vulnerability report
You have an SBOM. Now what? Vulners SBOM Analyzer turns a standard SPDX or CycloneDX file into a vulnerability report enriched with CVSS, EPSS, AI Score, exploit references, and fix versions — in the browser or via a single API call.
Frequently Asked Questions
Vulners is a vulnerability intelligence platform that aggregates 230+ sources — CVE records, vendor advisories, exploits, patches, KEV status, EPSS scoring — into one connected, queryable graph. Founded 2015. Bootstrapped and profitable.
The U.S. NIST National Vulnerability Database (NVD) publishes CVE records with CVSS scores and partial CPE configurations. Vulners aggregates NVD plus 217 other sources — CISA KEV, vendor advisories from Microsoft, Red Hat, Cisco, and others, exploit databases (Exploit-DB, Metasploit), Linux distribution feeds, and first-party PoC harvesting from GitHub and Gitee — and links them into one queryable graph. Vulners also fills NVD's CPE gaps using data direct from CVE Numbering Authorities.
Vulners' APIs accept the standard formats real tools and workflows produce: SBOMs (SPDX and CycloneDX), package manager lockfiles via PURLs (npm, PyPI, Maven, Go modules, others), vendor:product:version tuples, CPE strings, and software inventory exports from CMDBs. No reformatting required before the API call.
Each CVE record in Vulners' graph carries CVSS score, EPSS exploitation probability, CISA KEV inclusion, public exploit availability (from Exploit-DB, Metasploit, GitHub PoCs), and Vulners' AI Risk Score. The Assessment API surfaces these signals together so prioritization reflects real-world exploitation pressure, not raw CVSS alone.
Vulners aggregates 230+ sources: the CVE Program, NIST NVD, CISA KEV, vendor advisories (Microsoft MSRC, Red Hat, Oracle, F5, Cisco, Check Point), Linux distribution feeds (Ubuntu USN, SUSE, Oracle Linux), exploit databases (Exploit-DB, Metasploit, Packet Storm, Seebug), security blogs and news, and first-party PoC harvesting from GitHub and Gitee.
Vulners ingests CVE records, vendor advisories, exploit listings, and KEV updates continuously. Typical CVE-to-exploit indexing window is measured in hours, not days. Full and delta archives are available through the Archive API with stable IDs and timestamps for reproducible analytics.
Three integration modes. White Label embeds Vulners' graph into a product you ship under your own brand. The SDK lets your team add Vulners' intelligence to anything you build, through one API. Model Context Protocol (MCP) connects AI agents to live vulnerability facts with verifiable citations.
No. Vulners does not install agents, scan networks, or pull data from customer environments. Defenders send asset data to Vulners' APIs in the standard formats their tools already produce; Vulners returns what's affected. All consumption is through the API.
Product builders embedding vulnerability intelligence under their brand; MSSPs running client enrichment workflows; enterprise security teams making patch decisions; AI agent developers grounding LLM answers in live vulnerability facts. Vulners has been bootstrapped and profitable since 2015.
Sign up for a free trial at vulners.com — query the graph directly through the API. Higher-volume usage and commercial integrations (White Label, SDK, MCP) are available on paid plans, with engineering support included on every tier.