CVE Tracker
Fresh CVE disclosures across nine security vendors since 1 May 2026 — what's critical, what's already being exploited.
A Cloudflare Worker cron pulls five public feeds every four hours — no AI, just HTTP requests and idempotent writes into SQLite (Cloudflare D1). This page is static, served from Cloudflare Pages; the source lives on GitHub and GitHub Actions redeploys it on every push to the main branch.
- NIST NVD
- CVE 2.0 REST API — CVSS base scores
- CISA KEV
- known-exploited catalogue — the “known exploited” flag
- FIRST EPSS
- per-CVE exploitation probability — ≥ 0.7 reads as likely exploited
- Microsoft MSRC
- CVRF feed — authoritative on Patch Tuesday, where NVD lags
- MITRE CVE List v5
- the canonical records — new IDs drip in from the CVEProject/cvelistV5 GitHub releases
- Vendor PSIRT
- each vendor’s own advisory page — linked from the breakdown above
Why five feeds and not one? The official pipeline has wobbled. NIST’s NVD fell so far behind that in 2026 it narrowed enrichment to only the highest-risk CVEs, and the CVE Program itself nearly lost its funding in 2025. CISA’s KEV is the gold standard for confirmed exploitation but reactive by design — it only lists what’s already been caught. Triangulating NVD, EPSS, KEV, MSRC and the MITRE CVE List keeps the count honest when any one of them stalls.