# Feed syndication (RSS / Atom)

Vulnerability-Lookup exposes RSS and Atom feeds for new vulnerabilities,
sightings, comments, bundles, and individual user activity. Feeds are
designed for low-volume, human-facing consumers — RSS readers, chat-room
bots, alert pipes, dashboards — where a small set of recent items is
enough.

```{tip}
Building a mirror, scanner, or other large-scale automated consumer?
Feeds are not the right tool — paginated history is capped per feed.
See [Access patterns for automated consumers](access-patterns.md) for
the canonical sync path (`since=` over the [API](api-v1.md), plus the
pub/sub stream where the operator enables it).
```

## Available endpoints

| Path | Purpose |
| --- | --- |
| `/recent/{source}.{format}` | Recent vulnerabilities, per source or across all sources. Optional `?vendor={vendor-id}` filters by vendor; optional `?vulnerability={vuln-id}` returns vulnerabilities linked to the given one. |
| `/sightings/feed.{format}` | Recent sightings (across all vulnerabilities). Optional `?vulnerability={vuln-id}` narrows to a single vulnerability. |
| `/sightings/cpesearch/{cpe}/feed.{format}` | Recent sightings for any vulnerability affecting the given CPE. |
| `/comments/feed.{format}` | Recent comments. Optional `?user={login}` narrows to one author. |
| `/bundles/feed.{format}` | Recent bundles. Optional `?user={login}` narrows to one author. |
| `/user/{login}.{format}` | Recent activity (sightings, comments, bundles) for a given user. |

### `{format}`

Either `rss` or `atom`. Both contain the same items; pick whichever your
reader prefers.

### `{source}`

Either `all`, or any source identifier configured on this instance. The
authoritative list for a given deployment is exposed on `/about` and on
[https://www.vulnerability-lookup.org/sources](https://www.vulnerability-lookup.org/sources).
Common identifiers shipped by default include:

- **Core:** `cvelistv5`, `nvd`, `fkie_nvd`, `github`, `pysec`, `gsd`, `vulnrichment`
- **Community & national databases:** `jvndb`, `cnvd`, `fstec`, `variot`, `tailscale`, `bitnami_vulndb`, `cleanstart`, `drupal`, `ossf_malicious_packages`, `emb3d`
- **CERT-FR:** `certfr_avis`, `certfr_alerte`
- **CSAF providers:** `csaf_abb`, `csaf_certbund`, `csaf_cisa`, `csaf_cisco`, `csaf_microsoft`, `csaf_ncscnl`, `csaf_nozominetworks`, `csaf_opensuse`, `csaf_ox`, `csaf_redhat`, `csaf_se`, `csaf_sick`, `csaf_siemens`, `csaf_suse`, `csaf_trustsource`
- **OSV:** `osv_almalinux`, `osv_haskell`, `osv_ocaml`, `osv_ossfuzz`, `osv_rustsec`
- **Enrichment:** `cwec`, `capec`

### Pagination

Feeds accept `page` and `per_page` query parameters. The default page
size is set per instance via `FEED_MAX_PER_PAGE` in `config/website.py`.
Most readers don't paginate, so the default is sized for one page of
recent items.

## Examples

### Subscribing to recent vulnerabilities

All sources, Atom format:

```bash
$ curl https://vulnerability.circl.lu/recent/all.atom
```

A single source:

```bash
$ curl https://vulnerability.circl.lu/recent/pysec.atom
```

### Filtering recent vulnerabilities

By vendor:

```bash
$ curl 'https://vulnerability.circl.lu/recent/cvelistv5.atom?vendor=MISP&per_page=2&page=8'
```

Vulnerabilities linked to a specific vulnerability (e.g. cross-source
correlation, follow-ups):

```bash
$ curl 'https://vulnerability.circl.lu/recent/all.atom?vulnerability=cve-2021-22280'
```

Sample response:

```xml
<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/rss/recent/all/10</id>
  <title>Most recent entries from all</title>
  <updated>2024-11-26T08:03:09.000211+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <subtitle>Contains only the most 10 recent entries.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/ghsa-x53h-2cjp-mwcx</id>
    <title>ghsa-x53h-2cjp-mwcx</title>
    <updated>2024-11-26T08:03:09.013675+00:00</updated>
    <link href="https://vulnerability.circl.lu/vuln/ghsa-x53h-2cjp-mwcx"/>
  </entry>
  <!-- ... -->
</feed>
```
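An alert-pipe consumer for a response like the one above, as an added example that is not part of Vulnerability-Lookup's own code: it parses the namespaced Atom entries, drops any entry whose link is not HTTPS on the instance it was fetched from, and returns only items not yet delivered. The function names `parse_entries` and `new_since`, the host-pinning policy, the two extra entries and the host `feeds.example.net` are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlsplit

ATOM = {"a": "http://www.w3.org/2005/Atom"}

# Constructed input: first entry from the sample response; the other two are made up.
SAMPLE = b"""<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <entry>
    <id>https://vulnerability.circl.lu/vuln/ghsa-x53h-2cjp-mwcx</id>
    <title>ghsa-x53h-2cjp-mwcx</title>
    <updated>2024-11-26T08:03:09.013675+00:00</updated>
    <link href="https://vulnerability.circl.lu/vuln/ghsa-x53h-2cjp-mwcx"/>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/example-older</id>
    <title>example-older</title>
    <updated>2024-11-25T10:00:00+00:00</updated>
    <link href="https://vulnerability.circl.lu/vuln/example-older"/>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/example-offhost</id>
    <title>example-offhost</title>
    <updated>2024-11-26T09:00:00+00:00</updated>
    <link href="https://feeds.example.net/vuln/example-offhost"/>
  </entry>
</feed>"""

def parse_entries(xml_bytes, expected_host):
    """Parse Atom entries, keeping only those whose link is https on expected_host."""
    entries = []
    for e in ET.fromstring(xml_bytes).findall("a:entry", ATOM):
        link = e.find("a:link", ATOM)
        url = urlsplit(link.get("href", "") if link is not None else "")
        updated = e.findtext("a:updated", "", ATOM)
        if url.scheme != "https" or url.hostname != expected_host or not updated:
            continue  # never forward a link that leaves the instance
        entries.append({"id": e.findtext("a:id", "", ATOM),
                        "title": e.findtext("a:title", "", ATOM),
                        "updated": datetime.fromisoformat(updated),
                        "link": url.geturl()})
    return entries

def new_since(entries, seen_ids, watermark):
    """Unseen entries at or after the timezone-aware watermark, oldest first."""
    fresh = [e for e in entries
             if e["id"] not in seen_ids and e["updated"] >= watermark]
    return sorted(fresh, key=lambda e: e["updated"])
```

Persist the set of delivered ids and the newest `updated` value between polls; the id set is what prevents a repeat alert when an entry's timestamp equals the watermark.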

### Subscribing to sightings

For a specific vulnerability:

```bash
$ curl 'https://vulnerability.circl.lu/sightings/feed.atom?vulnerability=CVE-2024-0012'
```

For every vulnerability affecting a product (CPE):

```bash
$ curl 'https://vulnerability.circl.lu/sightings/cpesearch/cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:*/feed.atom'
```

Sightings are aggregated from various trusted sources, including security
websites, Exploit-DB, GitHub repositories, security blogs, social
networks, and MISP.

### Subscribing to comments, bundles, or user activity

Recent comments across the instance:

```bash
$ curl https://vulnerability.circl.lu/comments/feed.atom
```

Comments by a single user:

```bash
$ curl 'https://vulnerability.circl.lu/comments/feed.atom?user=alice'
```

Recent activity for a single user (sightings + comments + bundles in one
feed):

```bash
$ curl https://vulnerability.circl.lu/user/alice.atom
```

## See also

- [API v1](api-v1.md) — paginated, programmatic access including
  `since=`-based incremental sync, cross-source correlation, and the
  full OpenAPI specification.
- [Access patterns for automated consumers](access-patterns.md) —
  authoritative guidance on which surface to use for which use case
  (feeds vs. API vs. stream vs. bulk dumps), identification etiquette,
  and rate-limit posture.
