Exploits¶

Track fresh PoCs and wild exploitation listings as they appear. Instantly see if they can affect your assets and what needs to be prioritized for remediation.

Query the Vulners graph to get enriched, real‑world exploitation context for any CVE — in one reliable API.

At Vulners we continuously collect and normalize vulnerability intelligence from 220+ upstream sources—vendor advisories, NVD/CVE, Linux distro feeds, package registries, exploit/PoC trackers, and government/ISAC alerts—into a single graph‑linked corpus. Every record is deduplicated, cross‑referenced (CVE ↔ advisory ↔ patch ↔ exploit), and time‑stamped with standard fields (e.g., CVSS vectors, CWE, affected products) in consistent JSON. Exploits puts a specialized lens on this corpus: it surfaces real‑world exploitation signals — PoCs, KEV inclusion, wild exploitation, and Vulners AI Risk indicators — so a single query returns the complete exploitation context for any CVE—ready for your UI, SIEM/SOAR, or ticketing.

Make Vulners Exploits the exploitation‑signal engine behind your prioritization—without stitching feeds. This page gives you both the why and the how so you can call the API, wire up exploit‑aware enrichment in tickets and dashboards, and start shipping improvements the same day.

Why this matters¶

Severity alone is a poor proxy for real risk. What moves the needle is exploitation signal — PoCs in the wild, weaponized tool releases, and KEV inclusions that indicate active targeting. Exploits turns those signals into prioritization fuel your engineers can act on: What is exploited now? Does it touch us? What goes first?

The value is twofold: (1) faster time-to-value in your product (ship “exploited now” prioritization without building your own crawling/extraction/scoring stack), and (2) trustworthy signal you can stand behind—cleanly linked to CVEs, advisories, and your customers’ inventories.

What you get¶

Live exploitation signal mapped to CVEs and advisories (including KEV inclusion and PoC listings).
Deep source coverage: integrations with 15 exploit sources, including unique extractions from GitHub and Gitee.
Proprietary extraction + scoring for high-quality signals with minimal false positives/negatives.
Cross-product delivery: query via Intelligence, stream via Alerts, export via Datasets, and highlight KEV-related items via Assessment.
Integration-ready JSON: consistent fields like enchantments.exploitation.* and exploits[] with IDs, links, and provenance (wildExploitedSources).

Architecture / Overview¶

Exploits ingests PoC sources (GitHub, Gitee, exploitdb, metasploit, packetstorm, and others) and extracts/links evidence to CVEs using a blend of NLP, reference mining, and repository analysis. Incoming artifacts are scored for quality, mapped to known CVEs (or candidate CVEs mentioned in advisories), and deduplicated. The result is exposed as:

Searchable records (type:cve) with exploits[] and enchantments.exploitation.* fields via Intelligence.
Event-style notifications (e.g., “new PoC for CVE-XXXX”) via Alerts.
Bulk exports for analytics and data lake pipelines via Datasets.
KEV-aware assessment context visible in Assessment reports when relevant.

This cross-linking means your app can prioritize by active threat, automate ticketing, and gate releases in CI/CD with minimal glue code.

Quickstart¶

Before you start: generate an API key and export it as VULNERS_API_KEY. See Authentication docs.

The following script demonstrates how to pick up exploitation signal for CVE remediation prioritization using the Intelligence product. The same signal can also be delivered via Alerts and Datasets, and—specifically for KEV listings—can surface within Assessment outputs.

import vulners
import json

QUERY = "type:cve AND (exploits.type:githubexploit OR exploits.type:metasploit OR exploits.type:packetstorm OR enchantments.exploitation.wildExploited:true)"
LIMIT = 10000

vulners_api = vulners.Vulners()
fields = [
    "reporter", "id", "type", "enchantments.exploitation", "enchantments.short_description", "exploits", "vhref"
]
search_query = {
    "query": QUERY,
    "limit": LIMIT,
    "fields": ",".join(fields)
}
search_result = vulners_api.search(**search_query)
print(json.dumps(search_result, indent=2))

Sample output¶

[
  {
    "reporter": "microsoft",
    "id": "CVE-2025-53770",
    "type": "cve",
    "enchantments": {
      "exploitation": {
        "connections": 2,
        "1dAvg": 1,
        "7dAvg": 0,
        "30dAvg": 1,
        "wildExploited": true,
        "wildExploitedSources": [
          {
            "type": "cisa_kev",
            "idList": [
              "CISA-KEV-CVE-2025-53770"
            ]
          }
        ]
      },
      "short_description": "Deserialization vulnerability in Microsoft SharePoint Server allows unauthorized code execution via network."
    },
    "exploits": [
      {
        "id": "CVE-2025-53770",
        "href": "https://research.eye.security/sharepoint-under-siege/",
        "type": "nvd"
      },
      {
        "id": "93255E5F-7BA9-5EA5-B1DA-135E74A5C4A0",
        "href": "https://github.com/B1ack4sh/Blackash-CVE-2025-53770",
        "type": "githubexploit"
      },
      {
        "id": "D43A9219-68F3-5749-96BE-206A488054AD",
        "href": "https://github.com/Bluefire-Redteam-Cybersecurity/bluefire-sharepoint-cve-2025-53770",
        "type": "githubexploit"
      },
      {
        "...": "41 omitted exploits from exploitdb, metasploit, packetstorm"
      }
    ],
    "vhref": "https://vulners.com/cve/CVE-2025-53770"
  },
  {
    "reporter": "candidate",
    "id": "CVE-2025-60374",
    "type": "cve",
    "exploits": [
      {
        "id": "3EE00381-0B6D-5FF7-A399-83D65E70D9A1",
        "href": "https://github.com/ajansha/CVE-2025-60374",
        "type": "githubexploit"
      },
      {
        "id": "PACKETSTORM:210393",
        "href": "https://packetstorm.news/files/id/210393/",
        "type": "packetstorm"
      }
    ],
    "vhref": "https://vulners.com/cve/CVE-2025-60374"
  },
  {
    "...": "and 2549 more CVE with exploits or KEV listing"
  }
]

Commentary on the example¶

Purpose & scope: This example is focused on picking up exploitation signal for CVE remediation prioritization. It uses the Intelligence product to search type:cve records enriched with enchantments.exploitation.* and exploits[] fields. The same signal can be delivered via Alerts (push notifications/webhooks) and exported via Datasets (for analytics/ML). For KEV-related visibility, the signal also appears within Assessment reports.
Beyond KEV listings: The type:cve records include the list of all PoC exploits known to Vulners for the CVE (see the exploits[] array). Vulners integrates 15 exploit sources, including unique, proprietary extractions from GitHub and Gitee. Our proprietary extraction and scoring keep quality high with minimal false positives and negatives.
Finding “hidden” PoCs: The same scoring is also applied to all CVE references. That means Vulners can pick up PoCs from repositories without direct CVE references and discover exploits missing from other exploit databases.
Early signal via candidate CVEs: Vulners links exploit PoCs by CVE ID with CVEs mentioned in advisories and other documents even before publication on the CVE List. Seeing candidate CVEs in the context of an advisory or PoC helps you catch early signals on potentially dangerous issues.

Implementation patterns¶

Exploit-first backlog: Flag issues in your vulnerability queue where enchantments.exploitation.wildExploited == true or exploits[].type includes trusted PoC sources; sort by KEV presence + exploit recency.
CI/CD gating: Fail builds that introduce dependencies with recent PoC emergence or KEV inclusion; use Intelligence for lookups and Alerts for push notifications.
Notifications: Use Alerts to deliver “new PoC for a CVE present in tenant’s stack” via webhooks that open tickets or trigger SOAR playbooks.
Analytics & forecasting: Export via Datasets to analyze exploit timelines, patch latency after KEV, and coverage across your customer base.
Assessment tie-in: When Exploits + Assessment indicate “exploited + present here,” escalate with highest priority and target hotfix SLAs.

Production checklist¶

Field selection: Decide on the minimal set you need (id, vhref, exploits[], enchantments.exploitation.*, KEV provenance).
Deduping & provenance: Normalize exploit IDs per source (githubexploit, metasploit, packetstorm, etc.) and store wildExploitedSources for auditability.
Caching strategy: Cache Intelligence query results briefly; subscribe to Alerts for freshness and re-hydrate details as needed.
Security & rate limits: Store API keys securely; implement backoffs and respectful polling where applicable.

Practical details¶

Core fields:
exploits[]: structured list of PoC links per CVE with id, href, and type (githubexploit, metasploit, packetstorm, etc.).
enchantments.exploitation.*: live signal including wildExploited and wildExploitedSources (e.g., cisa_kev).
vhref: canonical Vulners page for verification and exploration.
Cross-product visibility:
Intelligence: search & enrich CVEs with exploitation context.
Alerts: push new PoCs/KEV changes on your cadence via webhooks/email.
Datasets: bulk export for BI, lakehouse, and offline ML.
Assessment: includes KEV-aware context to highlight exploited issues present in your environment.
Prioritization recipe: rank by wildExploited + KEV + PoC recency + asset exposure; fold in severity where needed.

FAQ¶

How is this different from just reading NVD references?
Vulners performs proprietary extraction and scoring across 15 exploit sources (including unique GitHub/Gitee coverage) and links PoCs even when no direct CVE reference exists in the repo. You also get KEV provenance and a consistent JSON schema.

How fresh is the data?
Exploit sources and KEV status are ingested continuously and reflected across Intelligence/Alerts/Datasets soon after discovery. Use Alerts for push freshness; use Intelligence to hydrate details on demand.

Will this create noise for my users?
Scoring and deduping reduce false positives. Combine wildExploited, KEV presence, and PoC recency with your asset context (via Assessment) to focus on what matters now.

Does Vulners support early “candidate CVEs”?
Yes. Vulners links PoCs to candidate CVEs referenced in advisories/docs before they land on the CVE List, providing early warning.

TL;DR¶

Exploits gives you reliable exploitation signal—PoCs, KEV, and provenance—linked to CVEs and advisories, ready to drive prioritization, automation, and CI/CD gates. Use Intelligence to query, Alerts to push, Datasets to analyze at scale, and Assessment for KEV-aware context in customer environments.