The vuln CLI
vuln is a one-shot HTTP client for a vulnd daemon. It never opens a local
database — it just speaks to the service, so it builds small and starts fast.
Install it from the download page:
```sh
curl -fsSL https://vulnd.cypherassassin.com/install.sh | sh
```
Pointing it at a daemon
Every command resolves the daemon URL from VULND_URL, or from --url per
invocation:
```sh
export VULND_URL=https://api.vulnd.cypherassassin.com
# …or…
vuln --url https://api.vulnd.cypherassassin.com stats
```
Two global flags apply everywhere:
- `--json` — emit the raw wire object instead of the pretty text view.
- `-v`/`-vv`/`-vvv` — progressively more logging to stderr.
Reading the corpus
These need no account — the reads are public.
| Command | What it does |
|---|---|
| `vuln healthz` | Liveness probe. |
| `vuln cve CVE-2021-44228` | Fetch one CVE: CVSS, KEV, EPSS, weaknesses, references. |
| `vuln cwe CWE-79` | Fetch a CWE with its parent/child hierarchy. |
| `vuln cpe openssl/openssl/1.0.1f` | List CVEs whose configurations match an exact build. Add `--part o\|h` for OS/hardware. |
| `vuln search <query>` | Filtered CVE search — see the search model. |
| `vuln stats` | Table-count snapshot of the corpus. |
| `vuln sync` | Per-source freshness watermarks. |
Signing in
Notes require a session. Use the OAuth 2.1 device grant — no API keys, no static tokens:
```sh
vuln login --url https://api.vulnd.cypherassassin.com
```
It prints a code and a verification URL; approve it in the browser. The CLI
caches the access and refresh tokens and refreshes them silently. `vuln logout`
clears the cached session.
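The device grant named above is specified in RFC 8628. The following is an added example, not the vuln CLI's own code: it shows the client-side polling loop and the error codes it must handle, run against a constructed in-memory daemon. The `post` transport, the logical endpoint names `device_authorization` and `token`, and the `vuln-cli` client id are assumptions.

```python
import time
GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant type

class DeviceGrantError(Exception):
    """Terminal failure: access_denied, expired_token, or a server error."""

def device_login(post, client_id, sleep=time.sleep, show=print):
    """Client side of the device grant. post(endpoint, form) -> (status, json)."""
    status, auth = post("device_authorization", {"client_id": client_id})
    if status != 200:
        raise DeviceGrantError(auth.get("error", "device_authorization_failed"))
    show(f"Open {auth['verification_uri']} and enter code {auth['user_code']}")
    interval = auth.get("interval", 5)   # RFC 8628: poll every 5 s by default
    remaining = auth["expires_in"]       # lifetime of the device code, seconds
    while remaining > 0:
        sleep(interval)
        remaining -= interval
        status, body = post("token", {"grant_type": GRANT, "client_id": client_id,
                                      "device_code": auth["device_code"]})
        if status == 200:
            return body                  # access_token, refresh_token, ...
        error = body.get("error")
        if error == "slow_down":
            interval += 5                # RFC 8628 section 3.5: back off by 5 s
        elif error != "authorization_pending":
            raise DeviceGrantError(error or "token_request_failed")
    raise DeviceGrantError("expired_token")  # user never approved in time

def fake_daemon(token_replies):
    """Constructed stand-in for the service; replays scripted token responses."""
    replies = iter(token_replies)
    def post(endpoint, form):
        if endpoint == "device_authorization":
            return 200, {"device_code": "dc-EXAMPLE", "user_code": "ABCD-EFGH",
                         "verification_uri": "https://daemon.example/device",
                         "expires_in": 600, "interval": 5}
        return next(replies)
    return post

def demo():
    """Pending, then slow_down, then approval: returns (tokens, sleeps)."""
    sleeps = []
    tokens = device_login(fake_daemon([
        (400, {"error": "authorization_pending"}),
        (400, {"error": "slow_down"}),
        (200, {"access_token": "at-EXAMPLE", "refresh_token": "rt-EXAMPLE"})]),
        "vuln-cli", sleep=sleeps.append, show=lambda msg: None)
    return tokens, sleeps

if __name__ == "__main__":
    print(demo())
```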
Keeping notes
A note is free-text bound to a CVE, CWE, or CPE record — your triage decisions,
travelling with the corpus. The target is kind/id (cve/…, cwe/…, cpe/…):
```sh
# Write or replace a note (body from a file, or `-` for stdin; tags comma-separated)
echo "patched in prod 2024-03-01" \
  | vuln note set cve/CVE-2021-44228 --tags log4shell,triaged --body-file -
vuln note get cve/CVE-2021-44228   # read it back
vuln note rm cve/CVE-2021-44228    # delete it
# List notes carrying a tag
vuln notes --tag log4shell
```
Notes are scoped to your account and attributed to you — see Accounts.