KEVIntel
KEV feed API docs Get Pro
KEVIntel Pro

Real-time exploitation intelligence, fully enriched

Everything in the free feed, plus complete CVSS & EPSS scoring, exploit status, proof-of-concepts, scanner integrations, mentions and tags β€” and immediate attacker telemetry from our global honeypot network, including per-CVE observations and 24h/7d rollups.

Get Pro access View API docs

Free of charge for Ukrainian πŸ‡ΊπŸ‡¦ organisations

Free API

Public KEV data, open to everyone.

$0 / forever
  • Basic KEV data
  • CVE enrichment via the web UI
  • Attacker telemetry on the web UI only (delayed)
  • No dedicated support
Browse the free feed
Most complete

Pro API

Full enrichment plus immediate attacker telemetry from global honeypots.

Custom / contact us
  • Complete KEV data
  • CVSS score data
  • Exploit status data
  • Proof of Concepts (PoCs) data
  • Private PoCs not shown publicly
  • Scanner integrations data
  • Mentions data
  • Tag data (e.g. "wordpress", "drupal")
  • Attacker telemetry (honeypots)
  • Immediate honeypot telemetry via API
  • Priority support
Get Pro access

Why teams upgrade to Pro

Live coverage stats from the KEVIntel catalog. Updated every 30 minutes.

2,555

Exploited CVEs tracked

Includes all CISA KEV entries plus additional attestations.

938

Beyond CISA KEV

1,617 in CISA KEV; 938 additional exploited CVEs only in KEVIntel.

23

Listed before CISA KEV

Past 30 days from reporting, advisories, and honeypot signals.

1,490

Scanner integrations

Nuclei, Metasploit, Nessus and more β€” available in the Pro API.

Free vs Pro API data coverage

Same exploited CVE catalog; Pro adds operational enrichment and immediate attacker telemetry from global honeypots.

Data Free Pro
Exploited CVE records 2,555 2,555
CVSS scoring 2,554 summary 2,554 full breakdown
EPSS scores 603 603
CWE weaknesses β€” 1,961
Exploit status β€” 2,555
Proof-of-concepts β€” 913
Private PoCs β€” Pro only
Scanner integrations β€” 1,490
Mentions β€” 136
Tags β€” 2,283
Attacker telemetry UI only, delayed Immediate API

Recent CVEs listed before CISA KEV

Earliest exploitation signal vs official CISA catalog entry (past 30 days).

CVE Vendor / product Lead time
CVE-2025-48595 Google / Android 6 hours faster than CISA KEV
CVE-2026-50751 checkpoint / Quantum Security Gateway, Spark Firewalls 6 hours faster than CISA KEV
CVE-2026-11645 Google / Chrome 5 hours faster than CISA KEV
CVE-2022-0492 Linux / kernel 1 hour faster than CISA KEV
CVE-2024-21182 Oracle Corporation / WebLogic Server 1 hour faster than CISA KEV
CVE-2026-45321 @tanstack / arktype-adapter, eslint-plugin-router, eslint... 6 days faster than CISA KEV
CVE-2026-48027 nrwl / nx-console 6 days faster than CISA KEV
CVE-2026-8398 AVB Disc Soft / DAEMON Tools Lite 6 days faster than CISA KEV
CVE-2020-7796 Zimbra / Zimbra Collaboration Suite 5 days faster than CISA KEV
CVE-2025-25257 Fortinet / FortiWeb 5 days faster than CISA KEV
CVE-2025-6205 Dassault Systèmes / DELMIA Apriso 5 days faster than CISA KEV
CVE-2026-21643 Fortinet / FortiClientEMS 5 days faster than CISA KEV

Ready for Pro?

Contact us to get started with the KEVIntel Pro API.

Contact us View API docs

Free of charge for Ukrainian πŸ‡ΊπŸ‡¦ organisations

API response examples

For complete documentation, including all endpoints and parameters, view the API docs.

GET /api/v1/kevs 
{
  "cve_id": "CVE-2025-1976",
  "title": "Code injection exposure in Fabric OS 9.1.0 through 9.1.1d6",
  "vendor": "Brocade",
  "product": "Fabric OS",
  "cvss_score": 8.6,
  "cvss_severity": "HIGH",
  "cvss_highlights": {
    "network": true,
    "no_user_interaction": true,
    "low_complexity": true
  },
  "epss_score": 0.04,
  "epss_percentile": 0.91,
  "used_in_malware": "unknown",
  "ahead_of_cisa_kev": null,
  "added_date": "2025-04-28T00:00:00.000Z"
}
Pro GET /api/v1/pro/kevs 
{
  "kevs": [
    {
      "cve_id": "CVE-2024-1234",
      "title": "Remote Code Execution in Example Software",
      "description": "A critical vulnerability allowing remote code execution...",
      "affected_vendor": "Example Vendor",
      "affected_product": "Example Product",
      "references": [
        "https://example.com/ref1",
        "https://example.com/ref2"
      ],
      "state": "PUBLISHED",
      "notes": "Additional information about the vulnerability",
      "date_published": "2024-01-01T00:00:00Z",
      "date_updated": "2024-01-02T00:00:00Z",
      "date_reserved": "2024-01-01T00:00:00Z",
      "added_date": "2024-01-01T00:00:00Z",
      "epss_score": 0.95,
      "epss_percentile": 0.98,
      "epss_date": "2024-01-01T00:00:00Z",
      "ssvc_exploitation": "ACTIVE",
      "ssvc_automatable": "YES",
      "ssvc_technical_impact": "TOTAL",
      "cvss_score": 9.8,
      "cvss_severity": "CRITICAL",
      "cvss_highlights": {
        "network": true,
        "no_user_interaction": true,
        "low_complexity": true
      },
      "used_in_malware": "unknown",
      "cvss_v4_0": {
        "version": "4.0",
        "base_score": 9.8,
        "base_severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
      },
      "cvss_v3_1": {
        "version": "3.1",
        "base_score": 9.8,
        "base_severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
      },
      "cvss_v3_0": {
        "version": "3.0",
        "base_score": 9.8,
        "base_severity": "CRITICAL",
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
      },
      "cvss_v2_0": {
        "version": "2.0",
        "base_score": 10,
        "base_severity": "HIGH",
        "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"
      },
      "primary_source": {
        "name": "CISA",
        "url": "https://example.com/kev/1234"
      },
      "all_sources": [
        { "name": "CISA", "url": "https://example.com/kev/1234" },
        { "name": "Microsoft CVRF", "url": "https://example.com/msrc/1234" }
      ],
      "cwes": [
        {
          "cwe_id": "CWE-79",
          "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
          "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
        }
      ],
      "tags": [
        {
          "name": "wordpress",
          "colour": "#FF5733",
          "description": "WordPress-related vulnerability"
        }
      ],
      "exploit_status": {
        "status": "EXPLOITED",
        "date": "2024-01-01T00:00:00Z"
      },
      "proof_of_concepts": [
        {
          "poc_type": "private",
          "title": "Private exploit validation PoC",
          "description": "Private validation notes",
          "url": null,
          "stars": null,
          "created_at_repo": "2024-01-01T00:00:00Z",
          "content": "curl https://target.example/pro-only-check",
          "private": true
        }
      ],
      "scanner_integrations": [
        {
          "scanner": "Nuclei",
          "plugin_id": "12345",
          "date": "2024-01-01T00:00:00Z"
        }
      ],
      "mentions": [
        {
          "source": "TheHackerNews",
          "url": "https://thehackernews.com/2024/01/01/example-vulnerability-exploit.html",
          "date": "2024-01-01T00:00:00Z"
        }
      ],
      "iocs": [
        {
          "ioc_type": "ip",
          "value": "203.0.113.10",
          "first_seen_at": "2024-01-01T00:00:00Z",
          "last_seen_at": "2024-01-15T00:00:00Z",
          "source_url": "https://example.com/threat-report",
          "metadata": {}
        }
      ]
    }
  ],
  "pagination": {
    "current_page": 1,
    "total_pages": 3,
    "total_count": 30,
    "per_page": 25,
    "next_page": 2,
    "prev_page": null,
    "first_page": 1,
    "last_page": 3
  }
}