Share
## https://sploitus.com/exploit?id=EEA8E7D8-2D34-5231-85C8-D65EB63EEE26
# CVE Exchange

**Stop chasing vulnerability intel across fragmented sources. Get it all in one terminal.**

---

## The Problem

If you've worked in security, you know the drill:

- **Telegram bots** that flood you with noise or miss what matters
- **Twitter/X feeds** that require constant scrolling and hope
- **Email alerts** buried under hundreds of daily notifications
- **NVD alone** which tells you nothing about real-world exploitation
- **Scattered sources** requiring 10 tabs open, each with different formats

You're always late. By the time you learn about a critical vulnerability through these channels, attackers already have weaponized exploits. Defenders are always playing catch-up.

---

## The Solution

CVE Exchange is a **Bloomberg Terminal for vulnerabilities** - a single interface that aggregates 13 intelligence sources, calculates real-time exploitability scores, and surfaces threats before they propagate through mainstream channels.

![CVE Exchange Terminal Interface](assets/screenshot.png)

**For terminal-first security researchers** who want their vuln intel where they already live - in the terminal, running 24/7, auto-updating, zero browser tabs required.

---

## Why This Exists

I built CVE Exchange because I needed a tool that:

1. **Runs in tmux all day** - No browser tabs, no web apps, no distractions
2. **Updates automatically** - New CVEs and intelligence appear in real-time
3. **Prioritizes by actual risk** - Not just CVSS, but exploitation evidence
4. **Gets intel first** - Before Telegram bots, before Twitter, before everyone else

The stock market metaphor isn't accidental. CVEs behave like stocks:
- **Price = Hot Score** (0-100) - calculated from real signals, not just severity
- **Ticker tape** - scrolling feed of activity just like a trading floor
- **Time windows** - 1m, 5m, 1h, 24h, 7d... exactly like market analysis
- **Watchlist** - track CVEs you're monitoring, just like your portfolio

---

## What Makes It Different

### 13 Intelligence Sources vs One

Most tools use NVD and call it a day. CVE Exchange aggregates:

| Tier | Sources | Intelligence |
|------|---------|--------------|
| **Primary** | NVD, CISA KEV, FIRST EPSS | Base data, confirmed exploits, probability scores |
| **Exploit Intel** | ExploitDB, PacketStorm, Metasploit, Nuclei, GitHub PoCs, Trickest | Weaponized code, detection templates, proof-of-concepts |
| **Threat Intel** | InTheWild, AttackerKB, GitHub Advisories, Vendor Feeds | Active exploitation, expert assessments, patch data |

When a CVE gets added to CISA KEV at 2am, you'll know before your Telegram bot wakes up.

### Hot Score: Prioritization That Makes Sense

CVSS 9.8 means nothing if there's no exploit. CVSS 7.0 matters a lot if it's being actively exploited.

The Hot Score weighs what actually matters:

```
+50  CISA KEV (confirmed exploitation)
+45  Ransomware campaigns using it
+40  In-the-wild exploitation
+35  Weaponized module (Metasploit)
+30  EPSS >= 70%
+25  Public exploit available
+20  RCE capability
+15  No authentication required
...
```

**One rule: KEV alone = CRITICAL.** If CISA says it's being exploited, you should care.

### Real-Time Classification

Every CVE is automatically tagged:

| Code | Type | Detection Method |
|------|------|------------------|
| RCE | Remote Code Execution | CWE mapping, keyword patterns |
| AUTH | Authentication Bypass | 20+ CWE identifiers |
| SQLI | SQL Injection | Pattern matching |
| MEM | Memory Corruption | Buffer overflow keywords |
| SSRF | Server-Side Request Forgery | CWE-918 |
| PRIV | Privilege Escalation | Description analysis |
| ... | 20+ types | Multi-layer detection |

No more reading descriptions to figure out impact.

---

## Installation

```bash
# Clone
git clone https://github.com/0xSecBadger/cve_exchange.git
cd cve_exchange

# Install (uv recommended)
uv venv && source .venv/bin/activate
uv pip install -e .

# Or with pip
python -m venv .venv && source .venv/bin/activate
pip install -e .
```

## Quick Start

```bash
# Initialize database
cvex init

# Download vulnerability data (first run takes ~15 minutes)
cvex update

# Launch the terminal interface
cvex tui
```

That's it. You now have a vulnerability dashboard running in your terminal.

---

## Terminal Interface

The TUI is designed for keyboard-driven workflows:

### Navigation
| Key | Action |
|-----|--------|
| `j/k` or `โ†‘/โ†“` | Navigate CVE list |
| `Enter` | View full CVE details |
| `Tab` | Cycle between panels |
| `/` | Search (CVE ID, vendor, CWE) |
| `Esc` | Close detail view / clear search |

### Instant Filters (number keys)
| Key | Filter |
|-----|--------|
| `1` | KEV only |
| `2` | RCE only |
| `3` | Exploit available |
| `4` | Critical (score >= 50) |
| `5` | Auth Bypass |
| `6` | Memory Corruption |
| `7` | SQL Injection |
| `8` | SSRF |
| `9` | Privilege Escalation |
| `0` | Deserialization |

### Time Windows
Press `t` to cycle: 1m > 5m > 10m > 30m > 1h > 6h > 24h > 3d > 7d > 30d > All

### Data Updates
| Key | Action |
|-----|--------|
| `r` | Refresh from database |
| `u` | Quick update (recent CVEs only) |
| `U` | Full update (all sources) |

### Search Syntax
```
CVE-2024-12345     # Exact CVE
cwe-89             # By CWE
cwe:89             # Alternative
type:rce           # By vulnerability type
microsoft          # By vendor
"remote code"      # In description
```

---

## CLI Reference

```bash
# Setup
cvex init                              # Initialize database
cvex update                            # Download/update vulnerability data
cvex update --force                    # Force full refresh
cvex vacuum                            # Optimize database

# Interface
cvex tui                               # Terminal UI (full dashboard)

# Listings
cvex top                               # Top CVEs by score
cvex top --sort recency                # By modification time
cvex top --window 24                   # Last 24 hours
cvex fresh                             # Recently modified
cvex show CVE-2024-12345               # Single CVE details
cvex stats                             # Database statistics

# Collections
cvex watchlist                         # View watchlist
cvex watchlist add CVE-2024-12345      # Add to watchlist
cvex portfolio                         # View portfolio
cvex portfolio add CVE-2024-12345 --category investigating
```

---

## Configuration

### Data Directory
```
~/.cve_exchange/
โ”œโ”€โ”€ cve_exchange.db     # SQLite database
โ”œโ”€โ”€ export_*.json       # JSON exports
โ””โ”€โ”€ export_*.csv        # CSV exports
```

### Environment Variables
```bash
# Optional - improves rate limits and enables additional sources
export NVD_API_KEY="..."           # 50 req/30s vs 5 req/30s
export GITHUB_TOKEN="..."          # Required for GitHub-based sources
export ATTACKERKB_API_KEY="..."    # Required for AttackerKB
```

---

## Data Sources

### No API Key Required
| Source | Data |
|--------|------|
| NVD | CVE records, CVSS, CWE, CPE |
| CISA KEV | Confirmed exploitation, ransomware use |
| EPSS | 30-day exploitation probability |
| ExploitDB | Public exploit database |
| PacketStorm | Security tools and exploits |
| InTheWild | Active exploitation reports |
| Vendor Feeds | Microsoft, Cisco, Oracle advisories |

### GitHub Token Recommended
| Source | Data |
|--------|------|
| GitHub PoC | Proof-of-concept repositories |
| Nuclei | Detection template availability |
| Metasploit | Weaponized module presence |
| Trickest | Verified PoC collection |
| GitHub Advisories | Security advisories |

### API Key Required
| Source | Key |
|--------|-----|
| AttackerKB | `ATTACKERKB_API_KEY` |
| NVD (higher limits) | `NVD_API_KEY` |

---

## Documentation

| Document | Content |
|----------|---------|
| [ARCHITECTURE.md](docs/ARCHITECTURE.md) | System design and components |
| [DATA_MODEL.md](docs/DATA_MODEL.md) | Database schema and models |
| [SCORING.md](docs/SCORING.md) | Hot Score calculation details |
| [CLASSIFICATION.md](docs/CLASSIFICATION.md) | Vulnerability type detection |
| [TUI_GUIDE.md](docs/TUI_GUIDE.md) | Complete TUI reference |
| [SOURCES.md](docs/SOURCES.md) | Data source details |
| [API_REFERENCE.md](docs/API_REFERENCE.md) | Internal API documentation |

---

## Contributing

See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.

---

## License

MIT License - See [LICENSE](LICENSE)

---

*Built for defenders who live in the terminal.*