Vulnerability databases are the backbone of modern security research, patch management, and risk assessment. When a new flaw is discovered and assigned a CVE identifier, practitioners need fast, reliable access to affected versions, CVSS scores, public exploits, and vendor patches — all of which are scattered across dozens of authoritative and community-maintained sources. Whether you’re triaging a zero-day, validating scanner output, building a vulnerability management program, or writing threat-intelligence reports, knowing where to look is just as important as knowing what to look for. The platforms below span government-operated national databases, open-source community registries, cloud-focused advisories, vendor security portals, and real-time CVE feeds — together forming a comprehensive ecosystem for vulnerability intelligence.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/edoardottt/awesome-hacker-search-engines/llms.txt
Use this file to discover all available pages before exploring further.
Major CVE Databases
NIST NVD
US National Vulnerability Database — the authoritative U.S. government repository for standards-based vulnerability management data, including CVSS scores and CPE mappings.
MITRE CVE
Identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. The canonical source for CVE identifiers and their official descriptions.
GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub-originated security advisories covering open-source packages across all major ecosystems.
osv.dev
Open Source Vulnerabilities — Google’s open database of vulnerabilities affecting open-source projects, with structured, machine-readable data and ecosystem-level coverage.
CVEDetails
The ultimate security vulnerability datasource — browse vulnerabilities by vendor, product, version, and CVSS score with extensive cross-referencing.
Google Project Zero
Vulnerabilities including zero-days discovered and responsibly disclosed by Google’s elite Project Zero security research team.
Red Hat Security Advisories
Information about security flaws that affect Red Hat products and services in the form of security advisories — essential for RHEL, CentOS, and Fedora environments.
Cisco Security Advisories
Security advisories and vulnerability information for Cisco products, including network equipment and software — critical for infrastructure-heavy environments.
Microsoft Security Response Center
Reports of security vulnerabilities affecting Microsoft products and services — the definitive source for Patch Tuesday details and Windows/Office CVEs.
Trend Micro Zero Day Initiative
Publicly disclosed vulnerabilities discovered by Zero Day Initiative researchers — a leading vendor-neutral bug acquisition program publishing detailed advisories.
cnvd.org.cn
Chinese National Vulnerability Database — the authoritative vulnerability registry maintained by CNCERT/CC covering Chinese software and global products.
InTheWild.io
Check CVEs in our free, open source feed of exploited vulnerabilities — tracks which CVEs have confirmed in-the-wild exploitation for prioritization.
Vendor & Specialized Databases
cloudvulndb.org
The Open Cloud Vulnerability & Security Issue Database — focused on cloud-specific flaws across AWS, Azure, GCP, and major SaaS platforms.
Vulners.com
Your Search Engine for Security Intelligence — aggregates bulletins, CVEs, and exploits from hundreds of sources into a single, full-text searchable platform.
opencve.io
Easiest way to track CVE updates and be alerted about new vulnerabilities — provides subscription-based monitoring and diff views of CVE changes over time.
security.snyk.io
Open Source Vulnerability Database — Snyk’s developer-focused vulnerability intelligence covering npm, PyPI, Maven, NuGet, and other package ecosystems.
Mend Vulnerability Database
The largest open source vulnerability DB — comprehensive coverage of open-source component vulnerabilities with actionable remediation guidance.
Rapid7 - DB
Vulnerability & Exploit Database — Rapid7’s curated database of vulnerabilities and corresponding exploit modules used within Metasploit.
VulnIQ
Vulnerability intelligence and management solution — provides enriched CVE data, scoring, and workflow integrations for enterprise vuln management programs.
SynapsInt
The unified OSINT research tool — aggregates vulnerability data alongside domain, IP, and threat-intelligence lookups into a single interface.
Aqua Vulnerability Database
Vulnerabilities and weaknesses in open source applications and cloud native infrastructure — Aqua’s AVD is tailored for container and Kubernetes security.
Vulmon
Vulnerability and exploit search engine — links CVE records directly to known public exploits, making it easy to assess exploitability at a glance.
VulDB
Number one vulnerability database — one of the longest-running independent vulnerability databases with detailed timeline, patch, and countermeasure data.
ScanFactory
Realtime Security Monitoring — CVEmon tracks newly published CVEs and maps them to live targets for rapid exposure assessment.
Trickest CVE Repository
Gather and update all available and newest CVEs with their PoC — a GitHub-hosted repository that automatically collects proof-of-concept code for new CVEs.
Vulnerability Lab
Vulnerability research, bug bounties and vulnerability assessments — an independent research lab publishing original advisories and security papers.
VARIoT
VARIoT IoT Vulnerabilities Database — specialized database tracking vulnerabilities in IoT devices, firmware, and embedded systems.
Lambda Watchdog
Your CVE dashboard for AWS Lambda — monitors CVEs relevant to serverless Lambda runtimes and their dependencies.
cvefeed.io
Comprehensive and up-to-date feed of the latest CVEs, security advisories, and other vulnerabilities — a real-time aggregation feed with filtering capabilities.
CVE Crowd
Keep track of actively discussed CVEs and integrate them into your application or business — surfaces trending CVEs based on community discussion signals.
Wiz Vulnerability Database
A comprehensive resource for monitoring high-profile vulnerabilities in cloud environments, tailored for security teams and cloud professionals.
Shodan CVEDB
The CVEDB API offers a quick way to check information about vulnerabilities in a service — cross-references CVE data with Shodan’s internet-wide scan results.
Vulert
Recent security issues found in open-source packages — monitors open-source dependencies and alerts on newly disclosed vulnerabilities without code access.
promptfoo.dev LM Security Database
A comprehensive collection of LLM vulnerabilities, curated from cutting-edge research papers and real-world discoveries — focused on AI/ML model security.
opencryptography.com
Free public database of 10,000+ unique Docker image scans for hidden cryptographic assets and critical implementation flaws.
pathfinding.cloud
Comprehensive, community-maintained library documenting AWS IAM privilege escalation paths — essential for cloud red teaming and IAM hardening.
BaseFortify.eu
Monitor software vulnerabilities with CVE matching, exploit risk alerts, and mitigation guidance — provides continuous exposure tracking for software inventories.
Understanding CVE Identifiers
Every publicly disclosed vulnerability is assigned a CVE (Common Vulnerabilities and Exposures) identifier in the formatCVE-YEAR-NUMBER (e.g., CVE-2024-21762). The year reflects when the CVE was reserved, not necessarily when the vulnerability was discovered or patched. Key attributes to look for in any database entry include:
| Field | What It Tells You |
|---|---|
| CVSS Score | Severity rating (0–10). ≥ 9.0 = Critical, 7–8.9 = High |
| CPE | Affected product/version in structured format |
| CWE | Root-cause weakness class (e.g., CWE-79 = XSS) |
| References | Patches, PoCs, vendor advisories, and NVD analyses |
| EPSS Score | Probability the vulnerability will be exploited in the wild |
Search Tips
- By product version: Use NVD’s CPE search or VulnIQ to scope results to a specific software version.
- By weakness type: Filter by CWE to find all SQL-injection or buffer-overflow class bugs in a product.
- By exploit availability: Use Vulmon or Sploitus to filter only CVEs with known public exploits.
- By recency: Use cvefeed.io or opencve.io for real-time alerts on newly published or updated CVEs.
- By environment: Use cloudvulndb.org, Wiz, or Lambda Watchdog for cloud-native and serverless workload targeting.
Some platforms (like Vulners, VulnIQ) require free registration for full access. Check individual tool terms for commercial use.