Share
## https://sploitus.com/exploit?id=EEA8E7D8-2D34-5231-85C8-D65EB63EEE26
# CVE Exchange
**Stop chasing vulnerability intel across fragmented sources. Get it all in one terminal.**
---
## The Problem
If you've worked in security, you know the drill:
- **Telegram bots** that flood you with noise or miss what matters
- **Twitter/X feeds** that require constant scrolling and hope
- **Email alerts** buried under hundreds of daily notifications
- **NVD alone** which tells you nothing about real-world exploitation
- **Scattered sources** requiring 10 tabs open, each with different formats
You're always late. By the time you learn about a critical vulnerability through these channels, attackers already have weaponized exploits. Defenders are always playing catch-up.
---
## The Solution
CVE Exchange is a **Bloomberg Terminal for vulnerabilities** - a single interface that aggregates 13 intelligence sources, calculates real-time exploitability scores, and surfaces threats before they propagate through mainstream channels.

**For terminal-first security researchers** who want their vuln intel where they already live - in the terminal, running 24/7, auto-updating, zero browser tabs required.
---
## Why This Exists
I built CVE Exchange because I needed a tool that:
1. **Runs in tmux all day** - No browser tabs, no web apps, no distractions
2. **Updates automatically** - New CVEs and intelligence appear in real-time
3. **Prioritizes by actual risk** - Not just CVSS, but exploitation evidence
4. **Gets intel first** - Before Telegram bots, before Twitter, before everyone else
The stock market metaphor isn't accidental. CVEs behave like stocks:
- **Price = Hot Score** (0-100) - calculated from real signals, not just severity
- **Ticker tape** - scrolling feed of activity just like a trading floor
- **Time windows** - 1m, 5m, 1h, 24h, 7d... exactly like market analysis
- **Watchlist** - track CVEs you're monitoring, just like your portfolio
---
## What Makes It Different
### 13 Intelligence Sources vs One
Most tools use NVD and call it a day. CVE Exchange aggregates:
| Tier | Sources | Intelligence |
|------|---------|--------------|
| **Primary** | NVD, CISA KEV, FIRST EPSS | Base data, confirmed exploits, probability scores |
| **Exploit Intel** | ExploitDB, PacketStorm, Metasploit, Nuclei, GitHub PoCs, Trickest | Weaponized code, detection templates, proof-of-concepts |
| **Threat Intel** | InTheWild, AttackerKB, GitHub Advisories, Vendor Feeds | Active exploitation, expert assessments, patch data |
When a CVE gets added to CISA KEV at 2am, you'll know before your Telegram bot wakes up.
### Hot Score: Prioritization That Makes Sense
CVSS 9.8 means nothing if there's no exploit. CVSS 7.0 matters a lot if it's being actively exploited.
The Hot Score weighs what actually matters:
```
+50 CISA KEV (confirmed exploitation)
+45 Ransomware campaigns using it
+40 In-the-wild exploitation
+35 Weaponized module (Metasploit)
+30 EPSS >= 70%
+25 Public exploit available
+20 RCE capability
+15 No authentication required
...
```
**One rule: KEV alone = CRITICAL.** If CISA says it's being exploited, you should care.
### Real-Time Classification
Every CVE is automatically tagged:
| Code | Type | Detection Method |
|------|------|------------------|
| RCE | Remote Code Execution | CWE mapping, keyword patterns |
| AUTH | Authentication Bypass | 20+ CWE identifiers |
| SQLI | SQL Injection | Pattern matching |
| MEM | Memory Corruption | Buffer overflow keywords |
| SSRF | Server-Side Request Forgery | CWE-918 |
| PRIV | Privilege Escalation | Description analysis |
| ... | 20+ types | Multi-layer detection |
No more reading descriptions to figure out impact.
---
## Installation
```bash
# Clone
git clone https://github.com/0xSecBadger/cve_exchange.git
cd cve_exchange
# Install (uv recommended)
uv venv && source .venv/bin/activate
uv pip install -e .
# Or with pip
python -m venv .venv && source .venv/bin/activate
pip install -e .
```
## Quick Start
```bash
# Initialize database
cvex init
# Download vulnerability data (first run takes ~15 minutes)
cvex update
# Launch the terminal interface
cvex tui
```
That's it. You now have a vulnerability dashboard running in your terminal.
---
## Terminal Interface
The TUI is designed for keyboard-driven workflows:
### Navigation
| Key | Action |
|-----|--------|
| `j/k` or `โ/โ` | Navigate CVE list |
| `Enter` | View full CVE details |
| `Tab` | Cycle between panels |
| `/` | Search (CVE ID, vendor, CWE) |
| `Esc` | Close detail view / clear search |
### Instant Filters (number keys)
| Key | Filter |
|-----|--------|
| `1` | KEV only |
| `2` | RCE only |
| `3` | Exploit available |
| `4` | Critical (score >= 50) |
| `5` | Auth Bypass |
| `6` | Memory Corruption |
| `7` | SQL Injection |
| `8` | SSRF |
| `9` | Privilege Escalation |
| `0` | Deserialization |
### Time Windows
Press `t` to cycle: 1m > 5m > 10m > 30m > 1h > 6h > 24h > 3d > 7d > 30d > All
### Data Updates
| Key | Action |
|-----|--------|
| `r` | Refresh from database |
| `u` | Quick update (recent CVEs only) |
| `U` | Full update (all sources) |
### Search Syntax
```
CVE-2024-12345 # Exact CVE
cwe-89 # By CWE
cwe:89 # Alternative
type:rce # By vulnerability type
microsoft # By vendor
"remote code" # In description
```
---
## CLI Reference
```bash
# Setup
cvex init # Initialize database
cvex update # Download/update vulnerability data
cvex update --force # Force full refresh
cvex vacuum # Optimize database
# Interface
cvex tui # Terminal UI (full dashboard)
# Listings
cvex top # Top CVEs by score
cvex top --sort recency # By modification time
cvex top --window 24 # Last 24 hours
cvex fresh # Recently modified
cvex show CVE-2024-12345 # Single CVE details
cvex stats # Database statistics
# Collections
cvex watchlist # View watchlist
cvex watchlist add CVE-2024-12345 # Add to watchlist
cvex portfolio # View portfolio
cvex portfolio add CVE-2024-12345 --category investigating
```
---
## Configuration
### Data Directory
```
~/.cve_exchange/
โโโ cve_exchange.db # SQLite database
โโโ export_*.json # JSON exports
โโโ export_*.csv # CSV exports
```
### Environment Variables
```bash
# Optional - improves rate limits and enables additional sources
export NVD_API_KEY="..." # 50 req/30s vs 5 req/30s
export GITHUB_TOKEN="..." # Required for GitHub-based sources
export ATTACKERKB_API_KEY="..." # Required for AttackerKB
```
---
## Data Sources
### No API Key Required
| Source | Data |
|--------|------|
| NVD | CVE records, CVSS, CWE, CPE |
| CISA KEV | Confirmed exploitation, ransomware use |
| EPSS | 30-day exploitation probability |
| ExploitDB | Public exploit database |
| PacketStorm | Security tools and exploits |
| InTheWild | Active exploitation reports |
| Vendor Feeds | Microsoft, Cisco, Oracle advisories |
### GitHub Token Recommended
| Source | Data |
|--------|------|
| GitHub PoC | Proof-of-concept repositories |
| Nuclei | Detection template availability |
| Metasploit | Weaponized module presence |
| Trickest | Verified PoC collection |
| GitHub Advisories | Security advisories |
### API Key Required
| Source | Key |
|--------|-----|
| AttackerKB | `ATTACKERKB_API_KEY` |
| NVD (higher limits) | `NVD_API_KEY` |
---
## Documentation
| Document | Content |
|----------|---------|
| [ARCHITECTURE.md](docs/ARCHITECTURE.md) | System design and components |
| [DATA_MODEL.md](docs/DATA_MODEL.md) | Database schema and models |
| [SCORING.md](docs/SCORING.md) | Hot Score calculation details |
| [CLASSIFICATION.md](docs/CLASSIFICATION.md) | Vulnerability type detection |
| [TUI_GUIDE.md](docs/TUI_GUIDE.md) | Complete TUI reference |
| [SOURCES.md](docs/SOURCES.md) | Data source details |
| [API_REFERENCE.md](docs/API_REFERENCE.md) | Internal API documentation |
---
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
---
## License
MIT License - See [LICENSE](LICENSE)
---
*Built for defenders who live in the terminal.*