If you work in IT or cybersecurity, staying on top of the latest Common Vulnerabilities and Exposures (CVEs) isn’t optional — it’s essential. A CVE is a unique identifier assigned to a publicly known security vulnerability. They’re the shared language security teams use to communicate about threats, patches, and mitigations. But with hundreds of new CVEs published every week, knowing where to look is half the battle.
Here’s a breakdown of the best sources for tracking the latest CVEs, from authoritative databases to community feeds.
MITRE CVE Program
MITRE is the organization that created and maintains the CVE standard itself. Every CVE starts here. The CVE Program assigns CVE IDs and maintains the official list. If you want the raw source of truth, MITRE is it.
The CVE website includes:
- The full CVE list searchable by ID, keyword, or date
- CVE Numbering Authorities (CNAs) — organizations authorized to assign CVEs
- CVE JSON feeds for automated ingestion
MITRE is also home to the Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC) — useful companions to CVE research.
NIST National Vulnerability Database (NVD)
The NIST National Vulnerability Database is arguably the most widely used CVE resource. It builds on top of MITRE’s CVE list by adding:
- CVSS scores (Common Vulnerability Scoring System) — severity ratings that help you prioritize
- CPE data (Common Platform Enumeration) — what software/hardware is affected
- CWE mappings — the weakness type behind the vulnerability
- References — vendor advisories, patches, and exploitation details
NVD also provides RSS feeds, APIs, and data feeds in JSON format — making it easy to integrate into your own tooling. If you only use one source, make it NVD.
CISA Known Exploited Vulnerabilities (KEV) Catalog
cisa.gov/known-exploited-vulnerabilities-catalog
Published by the Cybersecurity and Infrastructure Security Agency (CISA), the KEV catalog is a curated list of CVEs that are actively being exploited in the wild. This is the list that matters most for defenders — if a CVE is on KEV, it’s not theoretical. Someone is using it.
CISA even mandates that federal agencies patch KEV vulnerabilities within specific timeframes. For everyone else, it’s an excellent signal for what to prioritize.
Features:
- Filterable by vendor, product, and date added
- Downloadable as CSV or JSON
- Includes required remediation dates for federal agencies
Exploit Database (Exploit-DB)
Maintained by Offensive Security (the folks behind Kali Linux), Exploit-DB is a public archive of exploits and vulnerable software. Unlike NVD, it focuses on working exploit code — proof-of-concept or production-grade exploits cross-referenced to CVEs.
For pentesters, red teamers, and defensive security engineers who need to understand how a vulnerability is exploited, Exploit-DB is invaluable. The searchsploit command-line tool lets you search the database offline.
GitHub Security Advisories
GitHub maintains its own security advisory database (GHSA) that tracks vulnerabilities in open source packages across npm, PyPI, Maven, Go modules, RubyGems, NuGet, and more. It’s tightly integrated with Dependabot, which automatically opens PRs to update vulnerable dependencies.
If you work with open source software (and who doesn’t?), GitHub Advisories surfaces CVEs that directly affect your dependency graph — not just a generic list of everything.
OSV — Open Source Vulnerabilities
OSV is Google’s open, machine-readable vulnerability database for open source software. It aggregates data from multiple sources:
- GitHub Security Advisories
- Python Advisory Database
- Go Vulnerability Database
- Rust Advisory Database
- npm Advisory Database
- OSS-Fuzz vulnerabilities
- And more
The data is in a standardized JSON format and the API is free. OSV is particularly powerful for developers who want to query vulnerability data programmatically against their dependency trees.
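As an added example of that programmatic use (this is not code from the article or from the OSV project), the block below builds the request body for OSV's batch query endpoint from a constructed dependency list and then pulls the CVE aliases and fixed versions out of a constructed record shaped like an OSV entry; the package names, versions and advisory IDs are placeholders, and no network call is made.

```python
"""Build an OSV querybatch request and read CVE aliases / fixes from an OSV record."""
import json

# Constructed dependency list, e.g. parsed from a lockfile: (ecosystem, name, version).
DEPENDENCIES = [("PyPI", "examplepkg", "1.4.0"), ("npm", "example-lib", "2.0.0")]


def build_querybatch(deps):
    """JSON body for POST https://api.osv.dev/v1/querybatch (one query per dependency)."""
    return {"queries": [{"package": {"name": name, "ecosystem": eco}, "version": ver}
                        for eco, name, ver in deps]}


# Constructed record shaped like an OSV entry as returned by GET /v1/vulns/{id}.
# The GHSA/CVE identifiers and versions are illustrative, not real advisories.
OSV_RECORD = json.loads("""
{"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-2099-0002"],
 "summary": "Example: deserialization of untrusted input",
 "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
               "ranges": [{"type": "ECOSYSTEM",
                           "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}]}]}
""")


def cve_ids(record):
    """CVE IDs live in 'aliases'; the OSV id itself may be GHSA-, PYSEC-, GO- etc."""
    return [a for a in record.get("aliases", []) if a.startswith("CVE-")]


def fixed_versions(record, ecosystem, name):
    """Versions that fix the issue for one package, taken from range 'fixed' events."""
    fixes = []
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") in ("ECOSYSTEM", "SEMVER"):
                fixes += [ev["fixed"] for ev in rng.get("events", []) if "fixed" in ev]
    return fixes


if __name__ == "__main__":
    print(json.dumps(build_querybatch(DEPENDENCIES), indent=1))
    print(cve_ids(OSV_RECORD), fixed_versions(OSV_RECORD, "PyPI", "examplepkg"))
```

In practice you would POST the body with any HTTP client, then fetch each returned id from /v1/vulns/{id} and run it through the two helpers.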
Vendor Security Advisories
For enterprise environments, vendor-specific advisories are critical because they include:
- Confirmed affected versions
- Official patches and mitigations
- Vendor-specific CVSS adjustments
- Workarounds when patches aren’t yet available
Key vendor advisory pages:
- Microsoft: msrc.microsoft.com — Patch Tuesday updates ship on the second Tuesday of each month
- Red Hat: access.redhat.com/security/vulnerabilities
- Cisco: tools.cisco.com/security/center
- VMware/Broadcom: broadcom.com/support/resources/product-security-center
- Apple: support.apple.com/en-us/100100
- Google Chrome: chromereleases.googleblog.com
- Ubuntu: ubuntu.com/security/cves
Packet Storm Security
Packet Storm has been around since 1998 and is one of the oldest security resources on the internet. It aggregates:
- Advisories from dozens of sources
- Exploit code
- Tools and papers
- Zero-day reports
It’s less polished than some modern alternatives, but its breadth and history make it a useful reference — especially for older CVEs and historical context.
VulnDB / Risk Based Security
VulnDB (now part of Cyber Risk Analytics) is a commercial vulnerability intelligence database that covers more vulnerabilities than NVD — including ones that haven’t received CVE IDs yet. It’s used by enterprises and security vendors who need more comprehensive coverage.
If you’re running a product security program or vulnerability management at scale, the additional coverage and enriched data may justify the cost.
SecurityFocus / BugTraq
BugTraq is one of the oldest full-disclosure mailing lists in security. SecurityFocus hosts the archives. While less active than it once was, it remains a historical record and still receives disclosures. It’s worth subscribing if you want to see vulnerabilities discussed before they’re formally assigned CVE IDs.
Twitter/X, Mastodon, and Security Communities
For breaking news on zero-days and actively exploited vulnerabilities, social media and community forums often beat formal databases by hours or days:
- Twitter/X: Follow security researchers, vendors, and CISA’s official account
- Mastodon / Infosec.exchange: The security community has a strong presence here
- Reddit: r/netsec, r/cybersecurity — community-curated news and discussion
- Discord: Many security communities run active CVE discussion channels
Putting It Together: A Practical Workflow
With so many sources, the key is building a workflow that fits your role:
- Subscribe to CISA KEV — treat this as your highest-priority queue
- Use NVD/MITRE for deep research on specific CVEs
- Set up vendor advisory alerts for the products in your environment
- Enable Dependabot or OSV for your code repositories
- Monitor Exploit-DB for proof-of-concept code on CVEs affecting you
- Follow the security community on social media for early warning
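The first two steps of that workflow, KEV as the top-priority queue and NVD CVSS for everything else, can be expressed as a small ranking script; this is an added example, not code from the article, CISA or NIST. The KEV sample follows the field names of the catalog's JSON download but its entries, the CVSS scores and the scanner findings are all constructed placeholders.

```python
"""Rank a CVE backlog: CISA KEV entries first, then by NVD CVSS base score."""
import json
from datetime import date

# Constructed sample shaped like the KEV catalog JSON download (field names follow
# the published KEV schema; the entries are illustrative, not real catalog data).
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
  "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2099-0003", "vendorProject": "ExampleVendor", "product": "ExampleOS",
  "dateAdded": "2025-02-01", "dueDate": "2025-02-22", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed CVSS base scores, as you would pull from NVD for each CVE in the backlog.
NVD_SCORES = {"CVE-2099-0001": 7.5, "CVE-2099-0002": 9.8,
              "CVE-2099-0003": 5.3, "CVE-2099-0004": 4.0}

# Constructed scanner output: CVEs present in your environment, in arbitrary order.
MY_CVES = ["CVE-2099-0004", "CVE-2099-0002", "CVE-2099-0003", "CVE-2099-0001"]


def load_kev(text):
    """Index KEV entries by CVE ID so membership checks are a dict lookup."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(cves, kev, scores, today_iso):
    """Anything on KEV outranks anything not on KEV regardless of CVSS; within KEV,
    overdue items come first, then ransomware-linked ones; remaining ties by CVSS."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve in cves:
        entry = kev.get(cve)
        row = {"cve": cve, "on_kev": entry is not None, "overdue": False,
               "ransomware": False, "cvss": scores.get(cve, 0.0)}
        if entry:
            row["overdue"] = today > date.fromisoformat(entry["dueDate"])
            row["ransomware"] = entry.get("knownRansomwareCampaignUse") == "Known"
        rows.append(row)
    # False sorts before True, so negate the flags that should rank first.
    rows.sort(key=lambda r: (not r["on_kev"], not r["overdue"],
                             not r["ransomware"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(MY_CVES, load_kev(KEV_JSON), NVD_SCORES, "2025-02-10"):
        print(r["cve"], "KEV" if r["on_kev"] else "   ", r["cvss"],
              "OVERDUE" if r["overdue"] else "")
```

Note that the KEV entry with CVSS 5.3 lands above the non-KEV 9.8, which is exactly the point of treating KEV as the highest-priority queue.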
No single source gives you the complete picture. But combining a few of these — especially NVD, CISA KEV, and your vendor advisories — puts you well ahead of most defenders.
The threat landscape moves fast. Your vulnerability intelligence should too.