Loading recent KEV additions…
Canadian Centre for Cyber Security
rss2json API key (optional — raises the shared free-tier limit)
Additional cross-reference sources (applied on demand to whichever tab is active — not run automatically)
Cross-reference current results
Stop cross-referencing
Live NVD Feed
My Enterprise Import
SEVERITY DISTRIBUTION
—
Critical
High
Medium
Low
Unscored
Loading CISA KEV catalog…
Data sources: NVD API 2.0 (services.nvd.nist.gov) for CVE records; the CISA Known Exploited Vulnerabilities
(KEV) catalog (cisa.gov) for confirmed real-world exploitation; and FIRST.org's EPSS API (api.first.org) for
predicted exploitation probability. All three are called directly from your browser, no server or key required.
NVD rate-limits unauthenticated requests to roughly 5 per 30 seconds (get a free key at
nvd.nist.gov/developers/request-an-api-key for more). If CISA's direct feed blocks the browser request, this
page automatically falls back to a public GitHub mirror of the same catalog. Priority score
blends CVSS severity and EPSS probability (roughly 55/45), but any KEV-listed CVE is automatically scored 100
— confirmed real-world exploitation always outranks a theoretical score. Under "My Enterprise Import,"
your CSV never leaves your browser: parsing, column detection, and enrichment all happen locally, and only the
CVE IDs found in your file are sent to the public EPSS API to fetch scores. Cross-reference sources
(opt-in, via the panel above): MITRE/CVE.org (cveawg.mitre.org) flags CVEs later marked REJECTED or DISPUTED;
OSV.dev (api.osv.dev) matches against open-source package advisories; GitHub Security Advisories
(api.github.com) is capped at 60 requests/hour without a token. OpenCVE was considered but excluded since its
API requires a login/token, unlike the other sources here. The Security News Roundup pulls
headlines from The Hacker News, the Canadian Centre for Cyber Security, and Krebs on Security — since none
of those sites allow direct cross-origin requests from a browser, headlines are routed through a chain of public
proxies (rss2json.com, then allorigins.win, then corsproxy.io) rather than fetched directly. BleepingComputer is
included too but its bot-protection appears to block all three public proxies, so that column will likely just
show a direct link to their site rather than live headlines — that's a deliberate choice on their end, not
something fixable from client-side code. If the other three stop loading, that's more likely the shared free
proxy tiers being rate-limited; a free rss2json API key (field above the feed) will restore them.