About the free CVE lookup
The free CVE lookup is a searchable catalog of 362,516 CVEs, including 1,630 actively exploited on the CISA KEV list, each with its severity, exploit-prediction score, and the fix to apply. This page explains what the tool does, the terms it uses, exactly where its data comes from, and how each source is licensed.
Understanding CVEs, CVSS, EPSS, and KEV
- What is a CVE?
  A CVE (Common Vulnerabilities and Exposures) is a unique identifier for a publicly disclosed security vulnerability, in the form CVE-YYYY-NNNN. Each CVE record describes the flaw, the affected software, and references to advisories and fixes.
- What is CVSS severity?
  The Common Vulnerability Scoring System (CVSS) rates how severe a vulnerability is on a 0 to 10 scale, mapped to Low, Medium, High, and Critical. The score is derived from a vector describing how the flaw can be exploited and its impact.
- What is an EPSS score?
  The Exploit Prediction Scoring System (EPSS), published by FIRST.org, estimates the probability that a CVE will be exploited in the next 30 days. A high EPSS percentile means a vulnerability is far more likely to be attacked than most others.
- What is the CISA KEV catalog?
  The CISA Known Exploited Vulnerabilities (KEV) catalog lists CVEs that are confirmed to be actively exploited in the wild. KEV entries include a remediation due date and flag vulnerabilities tied to known ransomware campaigns.
How to use the lookup
Type a CVE ID such as CVE-2021-44228 into the search box to jump straight to its record, or use the filters to browse by severity, EPSS, CISA KEV status, weakness type, or year. Sort by EPSS to see the vulnerabilities most likely to be exploited, or filter to KEV to focus on what is already being attacked. Every CVE page shows its CVSS score and vector, EPSS probability and percentile, CISA KEV remediation timeline, CWE weakness types, references grouped by type, and the remediation (the exact fixed versions to upgrade to).
Need to find and fix these vulnerabilities across your own fleet? TridentStack Control continuously scans Windows, macOS, and Linux endpoints for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Every actively-exploited vulnerability has an actionable next step
Most CVE tools stop at a score. This one tells you what to do about it. For every vulnerability on the CISA Known Exploited Vulnerabilities list, we show either a sourced fix or the official CISA remediation action and deadline.
Sourced remediation by platform
These cover roughly 35.1% of the 362,516 CVEs ever published. The published CVE corpus spans more than 25 years; the majority are research-disclosed, low-severity, superseded, or affect software that never had a tracked fixed version. Our coverage concentrates on the vulnerabilities that are actually actionable today, and it grows every day as new advisories land.
Data sources and licenses
We combine public-domain government data, openly-licensed advisory databases, and factual vendor records. Each source below links to its origin. Where a source requires attribution, this page provides it.
CVE records, CVSS severity scores, and product (CPE) data, including the affected-version ranges some fixes are derived from.
Actively-exploited status, the required remediation action, and the federal due date.
Exploit-prediction scores (the probability a CVE is exploited in the next 30 days).
Fixed versions for open-source software packages.
Fixed versions across open-source language ecosystems and Linux distributions.
Will-not-fix decisions and recommended mitigations for Red Hat products.
Fixed package versions for Ubuntu releases.
Fixed package versions for Debian releases.
Security updates (KBs) for Windows and core Microsoft products.
Fixed versions for macOS, iOS, iPadOS, and other Apple platforms.
Fixed versions for third-party desktop applications.
Product end-of-life and extended-security-maintenance dates.
Sources marked CC BY are reproduced under the Creative Commons Attribution license with the attribution above. Ubuntu Security Notices are licensed CC BY-SA (share-alike) and are kept as discrete, individually-attributed records. Vendor records (Microsoft, Apple, and application catalogs) are presented as factual fixed-version data linked back to the vendor; we do not reproduce their advisory text.
How we build remediation
We ingest official vendor and distribution security advisories on a continuous schedule, normalize them into a single model, and link every fix back to the advisory it came from. A CVE can carry fixes from several sources at once: an open-source package version, a Linux distribution package, a Windows update, and an Apple platform release.
We never invent a fix. When no published remediation has been found for a vulnerability, the tool says so plainly instead of guessing. Where a fix is inferred from NVD's published affected-version data rather than a vendor advisory, it is clearly marked as derived. For actively-exploited vulnerabilities that have no vendor fix yet, it surfaces the official CISA required action and deadline so you still have a next step.
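The rules in the two paragraphs above can be written as a small decision function. This is an added sketch, not the tool's own code: the record fields, the `next_step` name, the status strings and the sample data are all assumptions made for illustration, as is the choice that a derived fix does not count as a vendor fix when deciding whether to surface the CISA action.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Fix:
    source: str            # constructed label, e.g. "ubuntu", "nvd"
    fixed_version: str
    advisory_url: str      # provenance: where the fix was published
    derived: bool = False  # True if inferred from NVD affected-version data

@dataclass
class Kev:
    required_action: str
    due_date: str

@dataclass
class Cve:
    cve_id: str
    fixes: list = field(default_factory=list)
    kev: Optional[Kev] = None

def next_step(cve: Cve) -> dict:
    # A fix with no advisory link has no provenance, so it is not shown.
    fixes = [f for f in cve.fixes if f.advisory_url]
    shown = [{"source": f.source, "version": f.fixed_version,
              "label": "derived" if f.derived else "sourced"} for f in fixes]
    has_vendor_fix = any(not f.derived for f in fixes)
    result = {"cve": cve.cve_id, "fixes": shown, "cisa_action": None}
    # Assumption: a derived fix does not count as a vendor fix for KEV entries.
    if cve.kev and not has_vendor_fix:
        result["cisa_action"] = (cve.kev.required_action, cve.kev.due_date)
    if shown:
        result["status"] = "fix_available"
    elif result["cisa_action"]:
        result["status"] = "cisa_required_action"
    else:
        result["status"] = "no_published_remediation"  # say so, never guess
    return result

# Constructed sample records (IDs, versions, dates and URLs are placeholders).
SAMPLES = [
    Cve("CVE-0000-0001", [Fix("ubuntu", "1.2.3-1ubuntu2", "https://example.invalid/usn"),
                          Fix("nvd", "1.2.4", "https://example.invalid/nvd", derived=True)]),
    Cve("CVE-0000-0002", kev=Kev("Apply mitigations per vendor instructions.", "2099-01-01")),
    Cve("CVE-0000-0003", [Fix("nvd", "4.0.1", "https://example.invalid/nvd", derived=True)],
        kev=Kev("Apply mitigations per vendor instructions.", "2099-01-01")),
    Cve("CVE-0000-0004"),
]
```

The third sample shows the case worth checking in any remediation feed: a KEV entry whose only fix is inferred still carries the CISA action and deadline alongside the derived version.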
Vulnerability and exploit data refreshes throughout the day; remediation data refreshes daily. The same data that powers this free tool powers TridentStack Control, where it drives automated patching, vulnerability detection, and compliance across your fleet.