A curated list of vulnerability databases and security advisories from around the world.

| Name | Maintainer | API | Free | Description |
| --- | --- | --- | --- | --- |
| CVE | MITRE | yes | yes | The authoritative source for CVE identifiers. Every public vulnerability gets a CVE ID here. |
| NVD | NIST (US Gov) | yes | yes | Enriches CVE entries with CVSS scores, CWE tags, CPE data and fix info. The most widely used reference. |
| OSV | Google | yes | yes | Open Source Vulnerabilities - focuses on packages (npm, PyPI, Go, Maven, etc.) with precise version ranges. |
| GitHub Advisory Database | GitHub | yes | yes | Security advisories for open source packages, tightly integrated with Dependabot. |
| VulnDB | VulDB | yes | partial | Community-driven database with detailed timelines and CVSS scores. Free tier available. |
| Exploit-DB | Offensive Security | yes | yes | Archive of public exploits and PoC code. Maintained by the Kali Linux team. |
| Rapid7 VulnDB | Rapid7 | no | yes | Vulnerability and exploit data from Rapid7's research team, used in Metasploit. |
| Vulners | Vulners | yes | partial | Aggregator that indexes CVE, exploits, advisories and vendor bulletins in one search. |
| PacketStorm Security | PacketStorm | no | yes | Long-running archive of advisories, exploits and tools. |
| Snyk Vulnerability DB | Snyk | yes | partial | Deep coverage of open source package vulnerabilities with remediation guidance. |
| OVAL Repository | CIS | no | yes | Machine-readable vulnerability definitions in OVAL XML format for automated assessment. |
| Tenable CVE Database | Tenable | no | yes | CVE details enriched with Tenable's severity ratings and plugin coverage. |
| OpenVAS / Greenbone Feed | Greenbone | no | yes | Open source vulnerability scanner feed with NVTs (Network Vulnerability Tests). |
| Zero Day Initiative (ZDI) | Trend Micro | no | yes | Coordinated disclosure program - advisories often published before vendor patches. |


| Name | Maintainer | API | Free | Description |
| --- | --- | --- | --- | --- |
| CERT/CC | Carnegie Mellon | no | yes | Vulnerability notes from one of the oldest and most respected CERT organizations. |
| CISA KEV | CISA (US Gov) | yes | yes | Known Exploited Vulnerabilities catalog - the definitive list of CVEs being actively exploited in the wild. Mandatory patching reference for US federal agencies. |


| Name | Maintainer | API | Free | Description |
| --- | --- | --- | --- | --- |
| EUVD | ENISA | yes | yes | European Union Vulnerability Database - the EU's official CVE equivalent, launched 2024. |
| CERT-EU | EU Institutions | no | yes | Security advisories for EU institutions, bodies and agencies. |
| BSI | Germany | no | yes | Germany's Federal Office for Information Security. Advisories in German and English. |
| CERT-FR / ANSSI | France | no | yes | France's national cybersecurity agency. High-quality advisories, often ahead of public CVE disclosure. |
| CERT-SE | Sweden (MSB) | no | yes | Sweden's national CERT, operated by the Swedish Civil Contingencies Agency (MSB). |
| NCSC-NL | Netherlands | no | yes | Dutch National Cyber Security Centre. Known for detailed advisories on enterprise software. |
| NCSC-UK | GCHQ / UK Gov | no | yes | UK's National Cyber Security Centre vulnerability guidance. |


| Name | Maintainer | API | Free | Description |
| --- | --- | --- | --- | --- |
| CNNVD | CNITSEC (China) | no | yes | China's national vulnerability database, run by the Ministry of State Security. |
| CNVD | CNCERT (China) | no | yes | Complementary to CNNVD, run by CNCERT/CC under the Ministry of Industry and IT. |
| JVN | JPCERT/CC & IPA | no | yes | Japan Vulnerability Notes - coordinated disclosure portal for Japan-origin software. |
| JVNDB | IPA (Japan) | no | yes | Japan's enriched CVE database with Japanese product coverage and translations. |
| ACSC | ASD (Australia) | no | yes | Australian Cyber Security Centre advisories and alerts. |


| Name | Maintainer | API | Free | Description |
| --- | --- | --- | --- | --- |
| CISA ICS Advisories | CISA (US Gov) | yes | yes | Advisories for Industrial Control Systems - critical infrastructure, SCADA, PLCs. |
| ICS-CERT | CISA (US Gov) | no | yes | The original ICS-CERT portal, now merged into CISA. Historical archive of ICS vulnerability reports. |


| Name | Maintainer | API | Free | Description |
| --- | --- | --- | --- | --- |
| Microsoft MSRC | Microsoft | yes | yes | Microsoft Security Response Center. Patch Tuesday updates and out-of-band advisories. |
| Red Hat Security | Red Hat | yes | yes | CVE tracking for RHEL, OpenShift, OpenStack with errata and fix status. |
| Debian Security Tracker | Debian | no | yes | Real-time tracking of CVE status across all Debian packages and releases. |
| Ubuntu Security Notices | Canonical | yes | yes | USN advisories for all supported Ubuntu releases. |
| Android Security Bulletins | Google | no | yes | Monthly security bulletins for Android OS and Pixel devices. |
| Apple Security Updates | Apple | no | yes | Security content for iOS, macOS, Safari and other Apple products. |
| Cisco PSIRT | Cisco | no | yes | Cisco Product Security Incident Response Team advisories. High-impact network device vulnerabilities. |
| Oracle CPU | Oracle | no | yes | Oracle Critical Patch Update - quarterly advisories covering all Oracle products. |

Mailing Lists & Raw Feeds

| Name | Format | Description |
| --- | --- | --- |
| Full Disclosure | Mailing list | The original public security disclosure mailing list. Unfiltered, high signal. |
| oss-security | Mailing list | Coordinated disclosure for open source software. Patches often posted before CVE assignment. |
| NVD JSON API | JSON API | NIST's official CVE API with filtering, pagination and webhook support. |
| OSV API | JSON API | Google's OSV REST API - query by package, version or commit hash. |
| CISA KEV JSON | JSON feed | Machine-readable version of the Known Exploited Vulnerabilities catalog. |

See CONTRIBUTING.md for guidelines on how to add a new database.
A machine-readable version of this list is available in databases.json.