Methodology & data sources
CVEDigest builds its CVE explainers from public, authoritative sources. The catalog is anchored to the CISA Known Exploited Vulnerabilities (KEV) feed, with CVSS severity and weakness (CWE) context. A scheduled job fetches the KEV catalog, normalizes each record to our page shape, gates out thin entries, and commits the result as JSON so the static build is fully deterministic — no network calls happen at build time. Every data table on the site shows its source and an "as of" date.
Data as of 2026-06-13.
Data sources
| Source | Refresh cadence | License |
|---|---|---|
| CISA Known Exploited Vulnerabilities (KEV) Catalog | daily | U.S. Government Work (public domain) |
| NIST National Vulnerability Database (NVD) | daily | U.S. Government Work (public domain) |
How the data pipeline works
- Fetch. scripts/fetch-data.mjs downloads the CISA KEV catalog JSON feed (public, no API key).
- Normalize. Each KEV entry is mapped to our CVE shape: id, slug, title, vendor/product, CWE, ransomware flag, date added, remediation due date, plain-English summary and required action.
- Validate. Records without a valid CVE ID, a date, or a meaningful summary are dropped and the count is logged — never silently discarded.
- Commit. The result is written to src/data/cves.json and committed, so the build regenerates pages from a fixed snapshot.
A scheduled GitHub Action (.github/workflows/refresh.yml) runs the fetch and commits
any changes; Cloudflare Pages then rebuilds automatically. The site build itself makes
no network calls.
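
The normalize and validate steps above, as an added example that is not CVEDigest's own script. Input keys are those of the public CISA KEV JSON feed; the output field names, the 40-character summary threshold and the sample records are assumptions constructed for illustration.

```javascript
// Added example, not CVEDigest's code. Input keys follow the public CISA KEV
// feed; output keys, slug format and MIN_SUMMARY_CHARS are assumptions.
const CVE_ID = /^CVE-\d{4}-\d{4,}$/;
const ISO_DATE = /^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$/;
const MIN_SUMMARY_CHARS = 40; // assumed cut-off for a "meaningful" summary
const text = (v) => (typeof v === "string" ? v.trim() : "");

function normalize(e) {
  return {
    id: text(e.cveID).toUpperCase(), slug: text(e.cveID).toLowerCase(),
    title: text(e.vulnerabilityName), vendor: text(e.vendorProject),
    product: text(e.product), cwes: Array.isArray(e.cwes) ? e.cwes : [],
    ransomware: text(e.knownRansomwareCampaignUse).toLowerCase() === "known",
    dateAdded: text(e.dateAdded), dueDate: text(e.dueDate),
    summary: text(e.shortDescription), requiredAction: text(e.requiredAction),
  };
}

// Returns why a record fails the gate, or null when it passes.
function rejectReason(rec) {
  if (!CVE_ID.test(rec.id)) return "invalid CVE ID";
  if (!ISO_DATE.test(rec.dateAdded)) return "invalid date";
  if (rec.summary.length < MIN_SUMMARY_CHARS) return "thin summary";
  return null;
}

function buildCatalog(feed) {
  const kept = [], dropped = [];
  for (const entry of feed.vulnerabilities ?? []) {
    const rec = normalize(entry);
    const reason = rejectReason(rec);
    if (reason) dropped.push({ id: rec.id || "(missing)", reason });
    else kept.push(rec);
  }
  // Code-unit ordering keeps the committed JSON stable regardless of locale.
  kept.sort((a, b) => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0));
  console.error(`kept ${kept.length}, dropped ${dropped.length}`);
  return { kept, dropped };
}

// Constructed sample feed (placeholder IDs, not real KEV records).
const SAMPLE_FEED = { vulnerabilities: [
  { cveID: "CVE-2099-0002", vendorProject: "ExampleCorp", product: "Gateway",
    dateAdded: "2099-01-15", dueDate: "2099-02-05", knownRansomwareCampaignUse: "Known",
    shortDescription: "ExampleCorp Gateway contains a command injection flaw in its admin API." },
  { cveID: "CVE-2099-0001", dateAdded: "2099-01-10", shortDescription: "TBD" },
  { cveID: "not-a-cve", dateAdded: "2099-01-11",
    shortDescription: "Constructed record whose identifier fails the CVE ID pattern." },
] };
```

Returning the dropped list with a reason per record lets the scheduled job log the count and fail the run if an upstream schema change suddenly rejects most of the feed.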
About CVSS scores
The CISA KEV feed does not include a CVSS base score. For our seed catalog we record the published CVSS v3.x score where it is known and label the version; live-fetched KEV entries leave the score empty until a CVSS source (NVD) is joined in. See our CVSS severity guide for what the bands mean. Joining NVD CVSS data to the live feed is a documented follow-up.
Illustrative entries
A small number of catalog entries are illustrative worked examples — they share the exact structure of a real KEV record but do not claim to be a specific published vulnerability. They are clearly flagged on their pages and exist to demonstrate the format. We never present an estimate or example as an authoritative fact.
Limitations
This site is a convenience layer over public data; it can lag the upstream source, and summaries are simplified for clarity. It is not a substitute for vendor advisories, your own vulnerability scanner, or professional security advice. Always verify against the primary CISA, NVD and vendor records before acting. See our disclaimer.
Last updated: 2026-06-13