Share
## https://sploitus.com/exploit?id=9A32A3B1-BA55-5EDD-A200-30432EDB282C
# Intelligence Engine

> A lean Python CLI that aggregates CVE intelligence from NVD, CISA KEV, GitHub, and Exploit-DB into a normalized **0โ€“100 risk score**.

![Python](https://img.shields.io/badge/python-3.10%2B-blue)
![License](https://img.shields.io/badge/license-MIT-green)
![Status](https://img.shields.io/badge/status-active-success)
![Platform](https://img.shields.io/badge/platform-Windows%20%7C%20Linux%20%7C%20macOS-lightgrey)

Intelligence Engine answers the three questions every security engineer actually cares about for any given CVE:

1. **Is it being exploited in the wild?**  โ†’ CISA Known Exploited Vulnerabilities catalog
2. **Is a public PoC available?**  โ†’ GitHub code search + Exploit-DB references
3. **How bad is it really?**  โ†’ CVSS fused with exploit availability and recency into a 0โ€“100 risk score

No SaaS. No API keys required. One file. One command.

![Risk-ranked CVE table](images/image1.png)

---

## Features

- **Live data** from NVD 2.0, CISA KEV, GitHub code search, and Exploit-DB
- **Normalized 0โ€“100 risk score** that fuses CVSS, exploit availability, and recency
- **Threat classification ladder:** *Actively Exploited โ†’ Likely Exploited โ†’ PoC Available โ†’ No Public Exploit*
- **Two query modes:** single CVE lookup, or date-range / recency sweep with CVSS filtering
- **Color-graded terminal output** powered by `rich` โ€” severity, risk, and classification cells are visually weighted
- **Resilient by default:** retry-with-backoff on rate limits, graceful KEV-unavailable fallback, optional GitHub disable
- **Zero config to start.** Optional `NVD_API_KEY` and `GITHUB_TOKEN` env vars raise rate limits

---

## Installation

```bash
git clone https://github.com/pashasec/search-cve.git
cd search-cve
pip install -r requirements.txt
```

Requires Python 3.10 or newer.

---

## Usage

### Look up a single CVE

```bash
python cve.py CVE-2026-43341
```

![Single CVE detail panel](images/image2.png)

### Sweep recent high-severity CVEs

```bash
python cve.py --recent --days 7 --min-cvss 8.0
```

### Query a date range

```bash
python cve.py --start-date 2026-05-01 --end-date 2026-05-15 --min-cvss 7.0
```

### All flags

| Flag | Purpose |
|------|---------|
| `` | Look up a specific CVE (positional) |
| `--recent` | Fetch recently published CVEs |
| `--days N` | Lookback window for `--recent` (default: 7) |
| `--start-date YYYY-MM-DD` | Range start (inclusive) |
| `--end-date YYYY-MM-DD` | Range end (inclusive) |
| `--min-cvss FLOAT` | Minimum CVSS score to include |
| `--limit N` | Max results to enrich and display (default: 25) |
| `--no-github` | Skip GitHub PoC search (offline / rate-limited runs) |

---

## How the risk score works

The 0โ€“100 score is computed deterministically from four signals:

| Signal | Contribution | Notes |
|--------|--------------|-------|
| **CVSS base score** | up to **70** points | `min(cvss, 10) ร— 7` |
| **Listed in CISA KEV** | **+25** points | Known-exploited in the wild |
| **Public PoC available** | up to **+15** points | GitHub repos > 0, or Exploit-DB reference present |
| **Recency** | **+10** if < 7 days, **+5** if < 30 days | New vulnerabilities get a boost |

Final score is clamped to `[0, 100]`. The classification label is derived independently:

- `Actively Exploited` &nbsp;โ€” present in CISA KEV
- `Likely Exploited` &nbsp;โ€” 3+ GitHub PoCs **or** Exploit-DB reference
- `PoC Available` &nbsp;โ€” 1โ€“2 GitHub PoCs
- `No Public Exploit` &nbsp;โ€” nothing found

---

## Data sources

| Source | Purpose | Auth |
|--------|---------|------|
| [NVD 2.0 API](https://nvd.nist.gov/developers/vulnerabilities) | CVE metadata, CVSS v3.1/v3.0/v2 (auto-fallback), references | Optional `NVD_API_KEY` |
| [CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) | Actively exploited vulnerabilities | None |
| [GitHub Search API](https://docs.github.com/en/rest/search) | Public PoC repository discovery | Optional `GITHUB_TOKEN` |
| Exploit-DB references | Surfaced from NVD reference tags | None |

### Raising rate limits

```bash
# Windows PowerShell
$env:NVD_API_KEY  = "your-nvd-api-key"
$env:GITHUB_TOKEN = "your-github-pat"

# Linux / macOS
export NVD_API_KEY=your-nvd-api-key
export GITHUB_TOKEN=your-github-pat
```

NVD keys: request at https://nvd.nist.gov/developers/request-an-api-key
GitHub tokens: https://github.com/settings/tokens (no scopes needed for public search)

---

## Example output

```
CVE-2021-44228   CVSS 10.0 (CRITICAL)   Risk 100/100   Actively Exploited

Published:  2021-12-10T10:15:09.143
Exploit:    YES
CISA KEV:   listed (added 2021-12-10)
GitHub PoC: 2820 repo(s)  โ†’  https://github.com/projectdiscovery/nuclei
Exploit-DB: http://packetstormsecurity.com/files/165270/...

Description:
Apache Log4j2 2.0-beta9 through 2.15.0 JNDI features used in configuration,
log messages, and parameters do not protect against attacker controlled
LDAP and other JNDI related endpoints...
```

---

## Roadmap

- [ ] JSON output mode for piping into SIEMs / scripts
- [ ] EPSS (Exploit Prediction Scoring System) integration
- [ ] Vendor / product / CWE filtering
- [ ] Caching layer for repeated lookups
- [ ] Optional CSV / Markdown export

---

## License

[MIT](LICENSE) ยฉ 2026 pashasec

---

## Part of the 30-Day Cybersecurity Tools Challenge

Day **2 / 30**. One real, useful security utility every day, no toys.