Share
## https://sploitus.com/exploit?id=23193CDC-4EA6-5B05-8C15-860A006EDA03
# Exploit Intel Platform CLI Search Tool

Package/command: `eip-search`


  


A modern **searchsploit replacement** powered by the [Exploit Intelligence Platform](https://exploit-intel.com).

![eip-search CLI screenshot](https://raw.githubusercontent.com/exploitintel/eip-search/main/eip-search.png)

## Overview

`eip-search` is the terminal client for the [Exploit Intelligence Platform](https://exploit-intel.com). It replaces `searchsploit` with a tool that understands *risk* โ€” combining CVSS, EPSS, KEV, and exploit quality into every search result. Installed as a Python package or native APT package; works online against the live API or offline with a local SQLite database.

Legacy score behavior is preserved:
- `--min-cvss` and `--sort cvss_desc` remain CVSS v3-only
- explicit mixed-family score behavior uses `--min-score`, `--score-version v3|v4|effective`, and `--sort score_desc`

Part of the same project family:
- [`eip-search`](https://github.com/exploitintel/eip-search) โ€” terminal client (this repo)
- [`eip-mcp`](https://github.com/exploitintel/eip-mcp) โ€” MCP server for AI assistants

## Highlights

- Search large-scale vulnerability and exploit intelligence from one CLI
- Browse exploits directly by source, language, vendor, or attack type
- **Generate PoC exploits** for any CVE using a local LLM (Ollama) with optional vision pipeline for writeup screenshots
- Download exploit code by CVE ID โ€” interactive picker selects the best match
- Combine CVSS, EPSS, KEV, and exploit quality in one view
- Display CVSS v4 when v3 is absent, without silently changing legacy v3 filters
- Surface trusted exploit sources first and flag trojans clearly
- Pull Nuclei templates plus Shodan/FOFA/Google recon dorks
- Browse authors, CWEs, vendors, and products โ€” resolve EDB/GHSA IDs to CVEs

## Why eip-search?

**searchsploit** is grep over a CSV. It can tell you an exploit exists, but nothing about how dangerous the vulnerability is, how reliable the exploit is, or whether it's secretly a trojan.

**eip-search** combines data from NVD, CISA KEV, VulnCheck KEV, InTheWild.io, ENISA EUVD, EPSS, ExploitDB, Metasploit, GitHub, and nomi-sec into a single tool that answers questions searchsploit never could:

- "What critical Fortinet vulns are being actively exploited right now?"
- "Which of these 127 BlueKeep exploits is actually reliable โ€” and which one is a trojan?"
- "Give me the Shodan dork to find exposed TeamCity instances for CVE-2024-27198"

## Setup

### Requirements

- **Python 3.10 or newer** (check with `python3 --version` or `python --version`)
- **pip** (comes with Python on most systems)

### macOS

```bash
# Install Python 3 via Homebrew (if not already installed)
brew install python3

# Option 1: Virtual environment (recommended)
python3 -m venv ~/.venvs/eip
source ~/.venvs/eip/bin/activate
pip install eip-search

# Option 2: pipx (isolated, no venv activation needed)
brew install pipx
pipx install eip-search

# The 'eip-search' command is now available
eip-search --version
```

### Kali Linux / Debian / Ubuntu

```bash
# Option 1: Native APT repo (recommended on Kali/Debian/Ubuntu)
curl -fsSL https://repo.exploit-intel.com/setup.sh | sudo bash
sudo apt install -y eip-search

# Option 2: Install into a virtual environment
sudo apt update && sudo apt install -y python3-pip python3-venv
python3 -m venv ~/.venvs/eip
source ~/.venvs/eip/bin/activate
pip install eip-search

# Option 3: Install with pipx (isolated, no venv management)
sudo apt install -y pipx
pipx install eip-search

# The 'eip-search' command is now available
eip-search --version
```

> **Kali users**: If you see `error: externally-managed-environment`, use APT, `pipx`, or a virtual environment. Kali 2024+ enforces PEP 668 and blocks global pip installs.

### Windows

```powershell
# Install Python 3 from https://python.org (check "Add to PATH" during install)

# Option 1: Virtual environment
python -m venv %USERPROFILE%\.venvs\eip
%USERPROFILE%\.venvs\eip\Scripts\activate
pip install eip-search

# Option 2: pipx
pip install pipx
pipx install eip-search

# The 'eip-search' command is now available
eip-search --version
```

> **Windows Terminal** or **PowerShell** is recommended for full color and Unicode support. The classic `cmd.exe` may not render tables correctly.

### Arch Linux / Manjaro

```bash
sudo pacman -S python python-pip python-pipx
pipx install eip-search
```

### From Source (all platforms)

```bash
git clone https://github.com/exploitintel/eip-search.git
cd eip-search
python3 -m venv .venv
source .venv/bin/activate      # Linux/macOS
# .venv\Scripts\activate       # Windows
pip install -e .
```

## Shell Completion (optional)

Enable tab completion for your shell (run from an interactive terminal):

```bash
# Bash
eip-search --install-completion bash

# Zsh
eip-search --install-completion zsh

# Fish
eip-search --install-completion fish

# PowerShell
eip-search --install-completion powershell
```

## Verify Installation

```bash
eip-search --version
# eip-search X.Y.Z

eip-search stats
# Should display platform statistics if your network can reach exploit-intel.com
```

## Troubleshooting

| Problem | Solution |
|---|---|
| `command not found: eip-search` | Make sure your virtual environment is activated, or use `pipx` which manages PATH automatically |
| `externally-managed-environment` | Use a virtual environment or `pipx` โ€” see instructions above |
| `SSL certificate error` | Your Python may lack certificates. On macOS: `brew reinstall python3`. On Linux: `sudo apt install ca-certificates` |
| `Connection refused` / timeouts | Check that you can reach `https://exploit-intel.com` โ€” the tool requires internet access |
| Tables look broken | Use a terminal with Unicode support (Windows Terminal, iTerm2, any modern Linux terminal) |

## Usage

### Quick Start

The simplest usage mirrors searchsploit โ€” just type what you're looking for:

```
$ eip-search "palo alto"
```
```
โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”“
โ”ƒCVE              โ”ƒ    Sev     โ”ƒ  CVSS โ”ƒ   EPSS โ”ƒ  Exp โ”ƒ     โ”ƒ Title                        โ”ƒ
โ”กโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ฉ
โ”‚CVE-2025-0108    โ”‚  CRITICAL  โ”‚   9.1 โ”‚  94.0% โ”‚   16 โ”‚ KEV โ”‚ Palo Alto Networks PAN-OS โ€ฆ  โ”‚
โ”‚CVE-2025-0107    โ”‚  CRITICAL  โ”‚   9.8 โ”‚  77.0% โ”‚    1 โ”‚     โ”‚ Palo Alto Networks Expediโ€ฆ   โ”‚
โ”‚CVE-2025-0111    โ”‚   MEDIUM   โ”‚   6.5 โ”‚   2.0% โ”‚    2 โ”‚ KEV โ”‚ Palo Alto Networks PAN-OS โ€ฆ  โ”‚
โ”‚ ...             โ”‚            โ”‚       โ”‚        โ”‚      โ”‚     โ”‚                              โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
Page 1/9 (41 total results)
```

Explicit score mode example:

```bash
eip-search search --score-version effective --min-score 9.0 --sort score_desc
```

Every result includes CVSS score, EPSS exploitation probability, exploit count, CISA KEV status, VulnCheck KEV, InTheWild.io signals, and ransomware attribution โ€” context searchsploit simply doesn't have.

### CVE Intelligence Briefs

Type a CVE ID and get a full intelligence brief โ€” no subcommand needed:

```
$ eip-search CVE-2024-3400
```
```
โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ CVE-2024-3400  CRITICAL  KEV โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ
  Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
  CVSS: 10.0  (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  EPSS: 94.3%  (99.9th percentile)
  Attack Vector: NETWORK | CWE: CWE-77, CWE-20 | Published: 2024-04-12 | KEV added: 2024-04-12

  A command injection as a result of arbitrary file creation vulnerability in
  the GlobalProtect feature of Palo Alto Networks PAN-OS software ...

  Affected Products
    - paloaltonetworks/pan-os
    ... and 40 more

  Exploits (43)

    MODULES
      #48006          metasploit  ruby      panos_telemetry_cmd_exec.rb
                      Rank: excellent  LLM: working_poc  has code

    PROOF OF CONCEPT
      #9546           exploitdb   text      EDB-51996
                      LLM: working_poc  has code
      #370108  โ˜… 161   github      http      h4x0r-dz/CVE-2024-3400
                      LLM: working_poc  has code
      #369757  โ˜… 90    github      python    W01fh4cker/CVE-2024-3400-RCE-Scan
                      LLM: working_poc  has code
      #369206  โ˜… 72    github      python    0x0d3ad/CVE-2024-3400
                      LLM: working_poc  has code
      ...
    ... and 32 more PoCs (use --all to show)

    Tip: eip-search view  | eip-search download  -x

  Also Known As
    - EDB: EDB-51996
    - GHSA: GHSA-v475-xhc9-wfxg

  References
    - [Vendor Advisory] https://security.paloaltonetworks.com/CVE-2024-3400
    - [Exploit, Vendor Advisory] https://unit42.paloaltonetworks.com/cve-2024-3400/
    ...
```

Exploits are **grouped by quality** (Metasploit modules first, then verified ExploitDB, then GitHub PoCs ranked by stars) and **ranked by a composite score**.

### Trojan Detection

BlueKeep (CVE-2019-0708) has 127 exploits. One of them is a trojan. eip-search warns you:

```
$ eip-search info CVE-2019-0708
```
```
โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ CVE-2019-0708  CRITICAL  KEV โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ
  CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
  CVSS: 9.8  EPSS: 94.5%  (100.0th percentile)

  Exploits (127)

    MODULES
      #47841          metasploit  ruby      cve_2019_0708_bluekeep_rce.rb
                      Rank: manual  LLM: working_poc  has code
      #47840          metasploit  ruby      cve_2019_0708_bluekeep.rb
                      LLM: working_poc  has code

    VERIFIED
      #9123           exploitdb   ruby      EDB-47416
                      LLM: working_poc  โœ“ verified  has code

    PROOF OF CONCEPT
      #72412  โ˜… 1187  nomisec               Ekultek/BlueKeep
      #72419  โ˜… 497   nomisec               n1xbyte/CVE-2019-0708
      #72417  โ˜… 389   nomisec               k8gege/CVE-2019-0708
      ...
    ... and 113 more PoCs (use --all to show)

    SUSPICIOUS
      #72431  โ˜… 2     nomisec               ttsite/CVE-2019-0708-
                      โš  TROJAN โ€” flagged by AI analysis

    Tip: eip-search view  | eip-search download  -x

```

The Metasploit modules and verified ExploitDB entry surface to the top. The trojan sinks to the bottom with a clear warning.

### Risk-Based Triage

"What critical Fortinet vulnerabilities with public exploits should I worry about right now?"

```
$ eip-search triage --vendor fortinet --severity critical
```
```
TRIAGE โ€” vulnerabilities with exploits, sorted by exploitation risk
Filters: vendor=fortinet, severity=critical, EPSS>=0.5

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”“
โ”ƒCVE              โ”ƒ    Sev     โ”ƒ  CVSS โ”ƒ   EPSS โ”ƒ  Exp โ”ƒ     โ”ƒ Title                        โ”ƒ
โ”กโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ฉ
โ”‚CVE-2018-13379   โ”‚  CRITICAL  โ”‚   9.1 โ”‚  94.5% โ”‚   14 โ”‚ KEV โ”‚ Fortinet FortiProxy Path โ€ฆ   โ”‚
โ”‚CVE-2022-40684   โ”‚  CRITICAL  โ”‚   9.8 โ”‚  94.4% โ”‚   30 โ”‚ KEV โ”‚ Fortinet FortiProxy Auth โ€ฆ   โ”‚
โ”‚CVE-2023-48788   โ”‚  CRITICAL  โ”‚   9.8 โ”‚  94.2% โ”‚    1 โ”‚ KEV โ”‚ Fortinet FortiClient SQL โ€ฆ   โ”‚
โ”‚CVE-2024-55591   โ”‚  CRITICAL  โ”‚   9.8 โ”‚  94.2% โ”‚    8 โ”‚ KEV โ”‚ Fortinet FortiProxy Auth โ€ฆ   โ”‚
โ”‚CVE-2022-42475   โ”‚  CRITICAL  โ”‚   9.8 โ”‚  94.0% โ”‚    7 โ”‚ KEV โ”‚ Fortinet FortiOS Buffer โ€ฆ    โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
Page 1/1 (17 total results)
```

Triage defaults to showing vulnerabilities with public exploits and EPSS >= 0.5, sorted by exploitation probability. Every result here is confirmed actively exploited (KEV), has dozens of public exploits, and has a >94% chance of being exploited in the wild.

### Nuclei Templates & Recon Dorks

Get scanner templates with ready-to-paste Shodan, FOFA, and Google dorks:

```
$ eip-search nuclei CVE-2024-27198
```
```
โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ CVE-2024-27198  Nuclei Templates โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ
  TeamCity  | eip-search download  -x
```

Every result includes the exploit ID, associated CVE, severity, source, language, and GitHub stars. Use the exploit ID directly with `view` or `download`.

### Reference Data

Browse authors, CWEs, vendors, and products, or resolve alternate identifiers to CVEs:

```bash
# Top exploit authors
eip-search authors

# Author profile with their exploits
eip-search author Metasploit
eip-search author "Chocapikk" --page 2

# CWE categories ranked by vuln count
eip-search cwes

# CWE detail
eip-search cwe 79
eip-search cwe CWE-89

# Top vendors by vulnerability count
eip-search vendors

# Products for a vendor (discover exact CPE names for filtering)
eip-search products apache
eip-search products microsoft

# Resolve ExploitDB or GHSA ID to its CVE
eip-search lookup EDB-45961
eip-search lookup GHSA-jfh8-c2jp-5v3q
```

The `products` command is especially useful for discovering exact product names to use with `--product` filters. Product names follow CPE conventions (e.g. `http_server` not `apache httpd`, `exchange_server` not `exchange`).

### View Exploit Source Code

Read exploit code directly in your terminal with syntax highlighting. Pass an exploit ID or a CVE ID:

```bash
# By exploit ID (from search, info, or exploits output)
$ eip-search view 77423

# By CVE ID โ€” shows an interactive picker to choose which exploit
$ eip-search view CVE-2024-3400
```
```
  Exploits for CVE-2024-3400:

  [1]  #48006          metasploit  ruby      panos_telemetry_cmd_exec.rb
                       Rank: excellent  working_poc
  [2]  #9546           exploitdb   text      EDB-51996
                       working_poc
  [3]  #370108  โ˜… 161   github      http      h4x0r-dz/CVE-2024-3400
                       working_poc

  Select [1-43, default=1]: 1
```
```
  panos_telemetry_cmd_exec.rb

      1 ##
      2 # This module requires Metasploit: https://metasploit.com/download
      3 # Current source: https://github.com/rapid7/metasploit-framework
      4 ##
      5
      6 class MetasploitModule  **Note:** Downloaded ZIPs are encrypted with password **`eip`** as a safety measure to prevent antivirus software from quarantining exploit code. Use `--extract` / `-x` to automatically unzip.

### Advanced Search

The `search` subcommand exposes the full filter set:

```bash
# All SQL injection vulns with public exploits, sorted by CVSS
eip-search search --cwe 89 --has-exploits --sort cvss_desc

# Critical KEV entries with high exploitation probability
eip-search search --kev --severity critical --min-epss 0.9

# Recent npm vulnerabilities with exploits
eip-search search --ecosystem npm --has-exploits --sort newest

# Microsoft Exchange critical vulns
eip-search search --product exchange --severity critical --has-exploits
```

```
$ eip-search search --cwe 89 --has-exploits --sort cvss_desc -n 5
```
```
โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”“
โ”ƒCVE              โ”ƒ    Sev     โ”ƒ  CVSS โ”ƒ   EPSS โ”ƒ  Exp โ”ƒ     โ”ƒ Title                        โ”ƒ
โ”กโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ฉ
โ”‚CVE-2024-3605    โ”‚  CRITICAL  โ”‚  10.0 โ”‚  64.9% โ”‚    1 โ”‚     โ”‚ Thimpress WP Hotel Bookingโ€ฆ  โ”‚
โ”‚CVE-2024-3922    โ”‚  CRITICAL  โ”‚  10.0 โ”‚  88.5% โ”‚    3 โ”‚     โ”‚ Dokan Pro Plugin SQL Injeโ€ฆ   โ”‚
โ”‚CVE-2024-39911   โ”‚  CRITICAL  โ”‚  10.0 โ”‚  68.3% โ”‚    1 โ”‚     โ”‚ Fit2cloud 1panel SQL Injeโ€ฆ   โ”‚
โ”‚CVE-2025-52694   โ”‚  CRITICAL  โ”‚  10.0 โ”‚   9.7% โ”‚    1 โ”‚     โ”‚ Advantech IoT Edge SQL Inโ€ฆ   โ”‚
โ”‚CVE-2024-43918   โ”‚  CRITICAL  โ”‚  10.0 โ”‚  48.9% โ”‚    1 โ”‚     โ”‚ Woobewoo Product Table SQโ€ฆ   โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
Page 1/817 (4,082 total results)
```

### JSON Output for Scripting

Most data/query commands support `--json` for piping into `jq`, scripts, or SIEMs:

```
$ eip-search search "log4j" --has-exploits --sort epss_desc -n 5 --json
```
```json
{
  "total": 15,
  "page": 1,
  "per_page": 5,
  "total_pages": 3,
  "items": [
    {
      "cve_id": "CVE-2021-44228",
      "title": "Log4Shell HTTP Header Injection",
      "severity_label": "critical",
      "cvss_v3_score": 10.0,
      "epss_score": 0.94358,
      "is_kev": true,
      "exploit_count": 401
    },
    ...
  ]
}
```

```bash
# Get all critical KEV CVE IDs as a flat list
eip-search search --kev --severity critical -n 100 --json | jq -r '.items[].cve_id'

# Feed into nuclei
eip-search search --has-nuclei --severity critical --json | jq -r '.items[].cve_id' | xargs -I{} nuclei -t {} -u https://target.com
```

`--json` is currently available on: `search`, `info`, `triage`, `exploits`, `nuclei`, `stats`, `authors`, `author`, `cwes`, `cwe`, `vendors`, `products`, and `lookup`.

### Platform Statistics

```
$ eip-search stats
```
```
โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ Exploit Intelligence Platform โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
  โ”‚ Total Vulnerabilities        โ”‚             370,791 โ”‚
  โ”‚ Published                    โ”‚             191,380 โ”‚
  โ”‚ With CVSS Scores             โ”‚             238,607 โ”‚
  โ”‚ With EPSS Scores             โ”‚             315,656 โ”‚
  โ”‚ Critical Severity            โ”‚              29,145 โ”‚
  โ”‚ CISA KEV Entries             โ”‚               1,522 โ”‚
  โ”‚                              โ”‚                     โ”‚
  โ”‚ Vulns with Exploits          โ”‚              90,481 โ”‚
  โ”‚ Total Exploits               โ”‚             105,731 โ”‚
  โ”‚ With Nuclei Templates        โ”‚                 404 โ”‚
  โ”‚                              โ”‚                     โ”‚
  โ”‚ Vendors Tracked              โ”‚              37,508 โ”‚
  โ”‚ Exploit Authors              โ”‚              23,281 โ”‚
  โ”‚                              โ”‚                     โ”‚
  โ”‚ Last Updated                 โ”‚ 2026-02-17 23:07:26 โ”‚
  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

### Generate Exploits with Local LLM

Generate a proof-of-concept exploit for any CVE using a local [Ollama](https://ollama.com) instance. The tool fetches all available intelligence from the platform โ€” writeup text, existing exploit code, and screenshots โ€” then uses a two-stage LLM pipeline to produce a clean, minimal Python PoC.

```bash
# Check feasibility first (no Ollama needed)
$ eip-search generate CVE-2026-2686 --check
```
```
  CVE-2026-2686 โ€” SECCN Dingcheng G10 Command Injection
  CVSS 9.8 | RCE | trivial | Feasibility: EXCELLENT (11)
  Reasons: web-based (RCE), trivial, has writeup, HTTP details in summary, known CWE pattern
  Files: 1 text, 8 screenshots
```

```bash
# Generate the exploit
$ eip-search generate CVE-2026-2686 -o exploit.py
```
```
  CVE-2026-2686 โ€” SECCN Dingcheng G10 Command Injection
  CVSS 9.8 | RCE | trivial | Feasibility: EXCELLENT (11)

  Analyzing 8 screenshots...
    img-001: telnet session, root shell on BusyBox (8.9s)
    img-003: POST /cgi-bin/session_login.cgi with injection payload (10.7s)
    img-008: Burp capture with full request headers (16.9s)
    2 screenshots skipped (no actionable details)

  Generating PoC with kimi-k2:1t-cloud... done (11s)

  (syntax-highlighted Python exploit)

  Saved: exploit.py
```

The generator works in three modes depending on what's available:
- **Writeup + screenshots** โ†’ vision model extracts technical details from images, code model generates PoC from enriched context
- **Existing exploit code** โ†’ code model rewrites/fixes it into a clean, standardized Python PoC
- **CVE description only** โ†’ generates from NVD description and LLM analysis (lower quality)

Generated exploits are minimal proofs of concept (inject `id` for RCE, extract `@@version` for SQLi) โ€” no backdoors, reverse shells, or weaponization. Each script is clearly marked as LLM-generated and untested.

**Requirements:** [Ollama](https://ollama.com) running locally with a code model pulled. Vision model is optional (used for screenshot analysis).

```bash
# Install Ollama, then pull models
ollama pull kimi-k2:1t-cloud                   # code generation (required)
ollama pull qwen3-vl:235b-instruct-cloud       # screenshot analysis (optional)
```

```bash
# Options
eip-search generate CVE-ID                     # full pipeline (vision + code)
eip-search generate CVE-ID --check             # feasibility check only
eip-search generate CVE-ID --no-vision         # skip screenshots (faster)
eip-search generate CVE-ID -m glm-5:cloud      # override code model
eip-search generate CVE-ID -o exploit.py       # save to file
```

Configure defaults in `~/.eip-search.toml`:

```toml
[generate]
ollama_url = "http://127.0.0.1:11434"
code_model = "kimi-k2:1t-cloud"
vision_model = "qwen3-vl:235b-instruct-cloud"
```

## All Commands

| Command | Description |
|---|---|
| `eip-search "query"` | Quick search (auto-routes CVE IDs to detail view) |
| `eip-search search "query" [filters]` | Search vulnerabilities with full filter support |
| `eip-search exploits "query" [filters]` | Browse/search exploits directly |
| `eip-search info CVE-ID` | Full intelligence brief for a vulnerability |
| `eip-search generate CVE-ID` | Generate a PoC exploit using local LLM (requires Ollama) |
| `eip-search triage [filters]` | Risk-sorted view of what to worry about |
| `eip-search nuclei CVE-ID` | Nuclei templates + Shodan/FOFA/Google dorks |
| `eip-search view ID-or-CVE` | Syntax-highlighted exploit source code |
| `eip-search download ID-or-CVE` | Download exploit code as ZIP |
| `eip-search stats` | Platform-wide statistics |
| `eip-search authors` | Top exploit authors ranked by exploit count |
| `eip-search author NAME` | Author profile with their exploits |
| `eip-search cwes` | CWE categories ranked by vulnerability count |
| `eip-search cwe ID` | CWE detail (accepts `79` or `CWE-79`) |
| `eip-search vendors` | Top vendors ranked by vulnerability count |
| `eip-search products VENDOR` | Products for a vendor (discover CPE names for filtering) |
| `eip-search analysis ID-or-CVE` | Full AI analysis for an exploit (classification, MITRE, trojan indicators) |
| `eip-search lookup ALT-ID` | Resolve EDB/GHSA identifier to CVE |
| `eip-search update-db` | Download/update the offline SQLite database |

The `view`, `download`, and `analysis` commands accept either an exploit ID (e.g. `77423`) or a CVE ID (e.g. `CVE-2024-3400`). When given a CVE, they show an interactive picker ranked by exploit quality.

### Offline Mode

All read-only commands work offline with a local SQLite database:

```bash
eip-search update-db                       # download the database (~200 MB compressed)
eip-search --offline search "apache httpd"  # search locally
eip-search --offline info CVE-2024-3400     # full detail from local DB
eip-search --db /path/to/eip.db search "log4j"  # custom DB path (implies --offline)
```

#### Offline Exploit Code

Sync the exploit archive to enable `view` and `download` offline:

```bash
rsync -avz rsync://rsync.exploit-intel.com/exploits/ ~/eip-exploits/
```

Configure in `~/.eip-search.toml`:

```toml
[offline]
exploits_dir = "~/eip-exploits"
```

Then `view` and `download` work without an internet connection:

```bash
eip-search --offline view CVE-2024-3400      # view exploit source code locally
eip-search --offline download 77423 -x       # copy and extract local archive
```

The archive contains tens of thousands of repositories (tens of GB). Both the database and archive are refreshed multiple times daily.

## Search Filters

| Filter | Short | Description |
|---|---|---|
| `--severity` | `-s` | critical, high, medium, low |
| `--has-exploits` | `-e` | Only CVEs with public exploit code |
| `--kev` | `-k` | Only CISA Known Exploited Vulnerabilities |
| `--exploited` | `-x` | Only CVEs exploited in the wild (CISA + VulnCheck + InTheWild) |
| `--ransomware` | | Only CVEs with confirmed ransomware campaign use |
| `--has-nuclei` | | Only CVEs with Nuclei scanner templates |
| `--vendor` | `-v` | Filter by vendor name |
| `--product` | `-p` | Filter by product name |
| `--ecosystem` | | npm, pip, maven, go, crates |
| `--cwe` | | CWE ID (e.g. `79` or `CWE-79`) |
| `--year` | `-y` | CVE publication year |
| `--min-cvss` | | Minimum CVSS score (0-10) |
| `--min-epss` | | Minimum EPSS score (0-1) |
| `--date-from` | | Start date (YYYY-MM-DD) |
| `--date-to` | | End date (YYYY-MM-DD) |
| `--sort` | | newest, oldest, cvss_desc, epss_desc, relevance |
| `--json` | `-j` | JSON output for scripting |

## Exploit Filters

The `exploits` command has its own filter set for exploit-centric searching:

| Filter | Short | Description |
|---|---|---|
| `--source` | | github, metasploit, exploitdb, nomisec |
| `--language` | `-l` | python, ruby, go, c, etc. |
| `--classification` | | LLM class: working_poc, scanner, trojan |
| `--attack-type` | | RCE, SQLi, XSS, DoS, LPE, auth_bypass, info_leak |
| `--complexity` | | trivial, simple, moderate, complex |
| `--reliability` | | reliable, unreliable, untested |
| `--author` | | Filter by exploit author name |
| `--min-stars` | | Minimum GitHub stars |
| `--has-code` | `-c` | Only exploits with downloadable code |
| `--cve` | | Filter by CVE ID |
| `--vendor` | `-v` | Filter by vendor name |
| `--product` | `-p` | Filter by product name |
| `--sort` | | newest, stars_desc |
| `--json` | `-j` | JSON output for scripting |

The positional query is auto-detected: CVE IDs map to `--cve`, other text maps to `--vendor`.

## How Exploit Ranking Works

When a CVE has dozens or hundreds of exploits, eip-search ranks them by quality so the best ones surface first:

| Source | Base Score | Why |
|---|---|---|
| Metasploit (`excellent`) | 1000 | Peer-reviewed, maintained by Rapid7 |
| Metasploit (other ranks) | 500-900 | Still curated and tested |
| ExploitDB (verified) | 550 | Human-verified by Offsec |
| ExploitDB (unverified) | 300 | Published but not verified |
| nomi-sec / GitHub | log10(stars) * 100 + bonus | Community signal via GitHub stars |

On top of the base score, LLM classification modifiers apply: `working_poc` gets +100, `scanner` gets +50, while `trojan` gets -9999 (always last, with a warning).

Exploit sources are ExploitDB (~88K), nomi-sec (~11K), Metasploit (~3.3K), and GitHub (~2.2K).

## Architecture

```
Terminal user
      โ”‚
      โ”‚  eip-search  [flags]
      โ–ผ
eip_search/cli.py         โ† Typer app โ€” command definitions, arg parsing, offline routing
      โ”‚
      โ”œโ”€โ”€ eip_search/client.py       โ† httpx โ†’ https://exploit-intel.com/api/v1/โ€ฆ  (online)
      โ”‚
      โ””โ”€โ”€ eip_search/local_client.py โ† SQLite โ†’ ~/.local/share/eip-search/eip.db  (--offline)
              โ”‚
              โ–ผ
      eip_search/models.py           โ† Shared data models
      eip_search/ranking.py          โ† Exploit quality ranking + grouping
      eip_search/display.py          โ† Rich output rendering
      eip_search/generate.py         โ† Ollama PoC generation (optional)
```

The CLI auto-routes bare arguments: if the first positional arg looks like a CVE ID, it routes to `info`; otherwise to `search`. Both `client.py` and `local_client.py` share the same interface โ€” adding a new command requires mirroring it in both.

## Deploy

Distribution is handled via two channels:

- **PyPI** โ€” `pip install eip-search` / `pipx install eip-search`
- **APT repo** โ€” `repo.exploit-intel.com` (native packages for Kali, Debian, Ubuntu)

Release process uses the Makefile:

```bash
# CI-driven release (recommended): bump version, commit, tag, push; GitHub Actions builds + uploads
make tag-release VERSION=X.Y.Z

# Local legacy release path: avoid unless you intentionally need the manual path
make release VERSION=X.Y.Z
```

Version is bumped atomically in `pyproject.toml` and `eip_search/__init__.py` via `scripts/bump_version.py`.

## Configuration

Optional config at `~/.eip-search.toml`:

```toml
[api]
base_url = "https://exploit-intel.com"
api_key = "your-key-here"   # optional, for higher rate limits

[display]
per_page = 20               # default results per page
```

No API key is required. The public API allows 60 requests/minute.

## Security

- **ZIP Slip protection**: All ZIP extraction paths are validated against directory traversal attacks
- **Filename sanitization**: Download filenames are stripped of path components and special characters
- **Download size cap**: 50 MB hard limit prevents memory exhaustion from malicious responses
- **Markup injection prevention**: All API data is escaped before terminal rendering
- **TLS verification**: All connections use standard certificate verification

## Git Workflow

**Never push directly to `main`.** All changes go through a branch and PR.

```bash
git checkout -b 
# make changes
git push origin 
gh pr create
```

PRs require review before merge.

## License

MIT