## https://sploitus.com/exploit?id=D6422A92-80B3-5208-A4D7-8B6F56D6CF81
# CVE Hunter Pro
A Chrome extension for fast, single-lookup CVE triage โ CVSS scoring, EPSS exploit-probability, CISA KEV status, and GitHub proof-of-concept discovery in one popup.
  
---
## Overview
CVE Hunter Pro takes a CVE ID and, in one request cycle, pulls together everything needed for an initial severity read:
- **CVSS** base score and severity, auto-selecting the newest available metric version (v4.0 โ v3.1 โ v3.0 โ v2.0), rendered as a gauge with attack-vector breakdown (AV / AC / AT / PR / UI).
- **EPSS** exploit-probability score and percentile, so you're not triaging on CVSS alone.
- **CISA KEV** status โ flags known-exploited vulnerabilities with the required-action deadline.
- **Affected products**, parsed from CPE match strings.
- **GitHub proof-of-concept search** โ repositories referencing the CVE ID, sorted by stars.
- **Quick-pivot links** to Exploit-DB, GitHub, Nuclei templates, Metasploit, VulDB, and Snyk.
- **Reference list** from NVD, tagged by type (Patch, Vendor Advisory, Exploit, Mitigation, Third-Party Advisory).
Data sources: [NVD API v2](https://nvd.nist.gov/developers), [FIRST.org EPSS API](https://www.first.org/epss/), [GitHub Search API](https://docs.github.com/en/rest/search).
---
## Installation
1. Download and unzip `cve-hunter-pro.zip` (or clone this folder).
2. Open `chrome://extensions` in Chrome.
3. Enable **Developer mode** (top-right toggle).
4. Click **Load unpacked** and select the extracted `cve-hunter-pro/` folder.
5. Pin the extension from the toolbar overflow menu for one-click access.
**Requires Chrome 102+** (uses `chrome.storage.session`, added in that release).
---
## Configuration
Open the extension's **Settings** (gear icon in the header) to add:
| Field | Purpose | Required? |
|---|---|---|
| **NVD API Key** | Raises the NVD rate limit from 5 to 50 requests / 30s. [Request one here](https://nvd.nist.gov/developers/request-an-api-key). | Optional, strongly recommended |
| **GitHub PAT** | Avoids GitHub Search API rate limiting on PoC lookups. [Create a token](https://github.com/settings/tokens) (no scopes needed for public search). | Optional |
Both are stored locally via `chrome.storage.local` and are never transmitted anywhere other than their respective API's own request headers.
---
## Usage
1. Click the extension icon.
2. Enter a CVE ID in any of these formats โ the input is normalized automatically:
- `CVE-2024-12345`
- `2024-12345`
- `CVE2024-12345`
3. Press **Enter** or click **Hunt**.
4. Use the **Overview / Exploits / References** tabs to move between the description + affected products, exploit sources, and reference links.
5. Recent lookups are saved under the clock icon in the header for one-click re-search.
> PoC links are provided for authorized security research and testing only.
---
## Architecture
```
cve-hunter-pro/
โโโ manifest.json # MV3 manifest โ permissions, host permissions, icons
โโโ background.js # Minimal service worker (install/update lifecycle only)
โโโ popup.html # Popup markup
โโโ popup.css # Popup styling
โโโ popup.js # All application logic (fetch, render, state)
โโโ icons/
โโโ icon16.png
โโโ icon48.png
โโโ icon128.png
```
**No build step.** This is plain HTML/CSS/JS โ edit and reload via `chrome://extensions`.
### Request flow
1. `fetchNVD(cveId)` โ required; the popup shows an error state if this fails.
2. `fetchEPSS(cveId)` and `fetchGitHub(cveId)` โ run in parallel via `Promise.all`, and are allowed to fail independently without blocking the CVSS/description render.
3. Results render into the DOM, then get cached (see **Session persistence** below).
### Session persistence
Chrome tears down extension popups the instant they lose focus โ which happens every time a reference, PoC, or quick-link (all `target="_blank"`) opens a new tab. To prevent that from wiping your current lookup:
- Every completed search is cached to `chrome.storage.session` (in-memory, cleared on browser restart โ not `storage.local`, which is used for settings/history and persists indefinitely).
- The active tab (Overview / Exploits / References) is cached alongside it.
- `init()` attempts to restore this cache before falling back to the empty state.
### Permissions
| Permission | Why |
|---|---|
| `storage` | Settings (API keys), search history, and session-cached results |
| `clipboardWrite` | "Copy CVE ID" button |
| `host_permissions`: `services.nvd.nist.gov`, `api.first.org`, `api.github.com` | The three data sources above โ no broader host access is requested |
---
## Changelog
### 1.1.0
- **Fixed:** search results and active tab are now cached and restored across popup teardown (previously any outbound link click โ references, PoCs, quick-links โ silently discarded the current lookup).
- **Fixed:** closing Settings now returns to whatever screen was actually open, instead of always resetting to the empty state.
- **Fixed:** `--blue-hi` CSS custom property was referenced in five hover states but never defined, so those hovers had no effect.
- **Fixed:** `manifest.json` icon paths pointed to an `icons/` folder that didn't exist in the packaged extension.
- **Changed:** replaced all emoji glyphs with a consistent inline SVG icon set for cross-platform visual consistency.
- **Changed:** rebalanced the color palette toward a more restrained, professional dark theme; reduced glow/pulse/shake effects.
- Added `minimum_chrome_version: "102"` (required by `chrome.storage.session`).
### 1.0.0
- Initial release.
---
## Disclaimer
This tool surfaces publicly available vulnerability intelligence for defensive triage and authorized security research. It does not host, generate, or execute exploit code. Use of any linked proof-of-concept or exploit resource is the user's responsibility and subject to the terms of the site it's hosted on.