One corpus, four feeds, deterministic answers.

vulnd stitches four upstream sources into a single queryable corpus: NVD (CVE records + CVSS), MITRE (the CWE weakness hierarchy), CISA KEV (known-exploited flags), and FIRST EPSS (exploit-probability scores). Records are deduplicated and version ranges normalised so a lookup returns the same answer every time — the boundary between a vulnerable and a fixed build is decided by the dataset, not a heuristic.

What you can ask

• A CVE — full scoring, KEV/EPSS, mapped weaknesses, affected products, and references.
• A CWE — the weakness with its parent/child hierarchy, and the CVEs mapped to it.
• A build — whether an exact vendor/product/version is affected by anything known.

Current size

34,028 CVEs · 0 CWEs · 0 CPE products.

Beyond the browser

The same corpus is reachable over an HTTP API and the vuln CLI for automation. This console is the public face; it reads through a service identity so the daemon's endpoints stay authenticated while anyone can look data up here.