The Ultimate Guide to Vulnerability Databases and Scoring Systems: CVE, CVSS, CWE, EPSS, KEV, and Beyond
By oculus, November 2, 2025
This guide lists the major vulnerability databases and scoring systems, with a short, clear explanation of each. It covers global identifier standards, exploit intelligence sources, and the modern predictive scoring models used by security engineers and AppSec teams.
Core Vulnerability Identifiers & Standards
1. CVE (Common Vulnerabilities and Exposures)
- What it is: A unique identifier (e.g., CVE-2025-1234) assigned to publicly known vulnerabilities.
- Purpose: Provides a standardized reference for vulnerabilities across tools and vendors.
- Maintained by: MITRE, sponsored by CISA (an agency within the U.S. Department of Homeland Security).
2. CWE (Common Weakness Enumeration)
- What it is: A catalog of software weakness types (e.g., CWE-79: Cross-Site Scripting).
- Purpose: Describes root causes or code-level flaw patterns behind CVEs.
- Maintained by: MITRE.
- Used by: SAST tools to classify code vulnerabilities.
3. CVSS (Common Vulnerability Scoring System)
- What it is: The de facto standard for measuring the severity of vulnerabilities on a 0–10 scale.
- Components:
  - Base Score (impact + exploitability)
  - Temporal Score (availability of exploits/fixes)
  - Environmental Score (organization-specific factors)
- Maintained by: FIRST.org.
Exploitability and Threat Intelligence Sources
4. EPSS (Exploit Prediction Scoring System)
- What it is: Predicts the likelihood a CVE will be exploited in the next 30 days (0–1 probability).
- Purpose: Helps prioritize patching beyond static severity (CVSS).
- Maintained by: FIRST.org in partnership with threat intelligence contributors.
5. CISA KEV (Known Exploited Vulnerabilities Catalog)
- What it is: A live list of CVEs confirmed to be exploited in the wild.
- Purpose: U.S. government–mandated patch list for federal agencies; excellent patch prioritization signal.
- Maintained by: CISA (Cybersecurity & Infrastructure Security Agency).
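The point of EPSS and KEV is to rank work by likelihood of exploitation rather than by CVSS alone. The following added example (not from the original post) shows one such triage policy over constructed findings; the tier thresholds and the placeholder CVE ids are assumptions for illustration, not values defined by FIRST or CISA.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float    # CVSS base score, 0-10 (static severity)
    epss: float    # EPSS probability of exploitation in the next 30 days, 0-1
    in_kev: bool   # listed in the CISA KEV catalog (confirmed exploitation)

# Illustrative policy thresholds for this example; FIRST and CISA define no such cut-offs.
EPSS_URGENT = 0.10
CVSS_CRITICAL = 9.0
TIERS = ("P1-immediate", "P2-urgent", "P3-scheduled", "P4-backlog")

def tier(f: Finding) -> str:
    """Confirmed exploitation (KEV) outranks predicted likelihood (EPSS), which outranks severity (CVSS)."""
    if f.in_kev:
        return TIERS[0]
    if f.epss >= EPSS_URGENT:
        return TIERS[1]
    if f.cvss >= CVSS_CRITICAL:
        return TIERS[2]
    return TIERS[3]

def prioritize(findings):
    """Patch order: tier first, then higher EPSS, then higher CVSS."""
    return sorted(findings, key=lambda f: (TIERS.index(tier(f)), -f.epss, -f.cvss))

# Constructed sample; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.01, in_kev=False),   # critical, but rarely exploited
    Finding("CVE-0000-0002", cvss=6.5, epss=0.62, in_kev=False),   # medium severity, likely exploited
    Finding("CVE-0000-0003", cvss=7.8, epss=0.03, in_kev=True),    # confirmed exploited in the wild
    Finding("CVE-0000-0004", cvss=5.3, epss=0.004, in_kev=False),  # low on every signal
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{tier(f):13} {f.cve}  CVSS={f.cvss}  EPSS={f.epss}  KEV={f.in_kev}")
```

Note how the 9.8 Critical lands third: with a 1% exploitation probability it sorts below a 6.5 Medium that EPSS expects to be exploited.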
6. Exploit-DB (OffSec Exploit Database)
- What it is: A public archive of verified exploit code, PoCs, and security papers.
- Purpose: Confirms exploit availability and helps assess exploitability.
- Maintained by: Offensive Security (creators of Kali Linux).
7. Metasploit Exploit Database
- What it is: Exploit modules integrated into the Metasploit Framework.
- Purpose: Used for penetration testing and confirming exploit reliability.
- Maintained by: Rapid7.
8. NVD (National Vulnerability Database)
- What it is: The U.S. government's official vulnerability database linked to CVEs.
- Contains: CVSS scores, CPE (Common Platform Enumeration), and JSON feeds for automation.
- Maintained by: NIST.
9. OSV (Open Source Vulnerabilities Database)
- What it is: A modern vulnerability database focusing on open-source ecosystems (npm, PyPI, Maven, etc.).
- Purpose: Maps vulnerabilities to exact package versions and commit ranges.
- Maintained by: Google's Open Source Security Team.
10. GitHub Security Advisories (GHSA)
- What it is: GitHub's repository of advisories affecting open-source projects.
- Purpose: Integrates directly with Dependabot and SCA tools to notify developers automatically.
- Linked to: OSV schema for compatibility.
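Both OSV and GHSA express "exact package versions and commit ranges" through the OSV schema's affected/ranges/events structure. The added example below (not code from OSV, GitHub, or the original post) evaluates whether a given package version falls inside such a record; the record, package name and ids are constructed placeholders, and the version comparator is simplified to dotted integers.

```python
# Constructed OSV-format record for illustration; id, alias, package and versions are placeholders.
RECORD = {
    "id": "GHSA-xxxx-xxxx-xxxx",
    "aliases": ["CVE-0000-00000"],
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "0"}, {"fixed": "1.4.2"},      # every release before 1.4.2
            {"introduced": "2.0.0"}, {"fixed": "2.0.5"},  # regression in the 2.0 line
        ]}],
    }],
}

def parse_version(v: str) -> tuple:
    """Simplified comparator: dotted integers only (real PyPI/Maven/npm ordering needs ecosystem rules)."""
    return tuple(int(p) for p in v.split("."))

def affected_intervals(events):
    """Fold OSV events into (start, end, end_inclusive) intervals; end None means still unfixed."""
    intervals, start = [], None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev or "last_affected" in ev:
            end = ev.get("fixed") or ev["last_affected"]
            intervals.append((start, end, "last_affected" in ev))
            start = None
    if start is not None:
        intervals.append((start, None, False))
    return intervals

def is_affected(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if the exact package version is in an affected range or the explicit versions list."""
    v = parse_version(version)
    for aff in record["affected"]:
        pkg = aff["package"]
        if (pkg["ecosystem"], pkg["name"]) != (ecosystem, name):
            continue
        if version in aff.get("versions", []):
            return True
        for rng in aff.get("ranges", []):
            if rng["type"] == "GIT":
                continue  # commit ranges need repository history, not version comparison
            for start, end, inclusive in affected_intervals(rng["events"]):
                above = v >= parse_version(start)
                below = end is None or (v <= parse_version(end) if inclusive else v < parse_version(end))
                if above and below:
                    return True
    return False
```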
11. VulnDB (by Risk Based Security / Flashpoint)
- What it is: A commercial vulnerability database with deeper coverage (many CVEs not listed in NVD).
- Purpose: Used by enterprises for early warning and enriched metadata (vendor advisories, timelines, etc.).
12. CERT Vulnerability Notes Database
- What it is: Advisories and analyses from CERT/CC at Carnegie Mellon.
- Purpose: Focuses on coordination and vendor patch timelines, especially for infrastructure and ICS.
13. JVN (Japan Vulnerability Notes)
- What it is: Japan's national vulnerability database for domestic software products.
- Linked to: CVE and NVD for global consistency.
14. CNVD / CNNVD (China National Vulnerability Databases)
- What they are: Chinese national equivalents of NVD, sometimes listing local or undisclosed vulnerabilities earlier than Western databases.
Additional Contextual / Specialized Databases
15. Exploit-In-The-Wild (EITW) Feeds
- What they are: Aggregators such as Mandiant, Recorded Future, and GreyNoise that publish real-time telemetry on exploitation attempts.
16. Vulners.com
- Unified API aggregator for CVE, Exploit-DB, Metasploit, KEV, EPSS, and vendor advisories. Excellent for programmatic enrichment.
17. Debian Security Tracker / Red Hat CVE Database
- Vendor-specific vulnerability databases linking patches to OS package versions.
18. MITRE ATT&CK
- Framework of adversary tactics and techniques, often cross-referenced with CVEs to understand exploitation context.
19. CAPEC (Common Attack Pattern Enumeration and Classification)
- Complementary to CWE: describes how attacks are carried out (e.g., CAPEC-66: SQL Injection).
- Useful for mapping vulnerabilities to attack techniques.
20. Snyk Vulnerability Database
- Enriched open-source vulnerability data (merged from NVD, OSV, and proprietary research).
- Offers exploit maturity and fix availability scoring.
21. OpenCVE
- Open-source CVE monitoring and alerting platform that aggregates NVD + vendor feeds.
22. GitLab Advisory Database
- Similar to GitHub's, powering dependency scanning and patch automation within GitLab pipelines.
23. Exploit-In-The-Wild (EITW) by Mandiant / Recorded Future
- Tracks active exploitation telemetry for high-risk CVEs used in campaigns.
