Feed syndication (RSS / Atom)#
Vulnerability-Lookup exposes RSS and Atom feeds for new vulnerabilities, Known Exploited Vulnerabilities (KEV), sightings, comments, bundles, and individual user activity. Feeds are designed for low-volume, human-facing consumers — RSS readers, chat-room bots, alert pipes, dashboards — where a small set of recent items is enough.
Tip
Building a mirror, scanner, or other large-scale automated consumer?
Feeds are not the right tool — paginated history is capped per feed.
See Access patterns for automated consumers for
the canonical sync path (since= over the API, plus the
pub/sub stream where the operator enables it).
Available endpoints#
Path |
Purpose |
|---|---|
|
Recent vulnerabilities, per source or across all sources. Optional |
|
Recent entries from the CISA Known Exploited Vulnerabilities catalog (the classic CISA KEV list). |
|
Recent entries from a single GCVE BCP-07 KEV catalog. Optional |
|
Recent KEV entries aggregated across every GCVE BCP-07 catalog known to this instance; each entry is labelled with its originating catalog. |
|
Recent sightings (across all vulnerabilities). Optional |
|
Recent sightings for any vulnerability affecting the given CPE. |
|
Recent comments. Optional |
|
Recent bundles. Optional |
|
Recent activity (sightings, comments, bundles) for a given user. |
{format}#
Either rss or atom. Both contain the same items; pick whichever your
reader prefers.
{source}#
Either all, or any source identifier configured on this instance. The
authoritative list for a given deployment is exposed on /about and on
https://www.vulnerability-lookup.org/sources.
Common identifiers shipped by default include:
Core:
cvelistv5,nvd,fkie_nvd,github,pysec,gsd,vulnrichmentCommunity & national databases:
jvndb,cnvd,fstec,variot,tailscale,bitnami_vulndb,cleanstart,drupal,ossf_malicious_packages,emb3dCERT-FR:
certfr_avis,certfr_alerteCSAF providers:
csaf_abb,csaf_certbund,csaf_cisa,csaf_cisco,csaf_microsoft,csaf_ncscnl,csaf_nozominetworks,csaf_opensuse,csaf_ox,csaf_redhat,csaf_se,csaf_sick,csaf_siemens,csaf_suse,csaf_trustsourceOSV:
osv_almalinux,osv_haskell,osv_ocaml,osv_ossfuzz,osv_rustsecEnrichment:
cwec,capec
Known Exploited Vulnerabilities (KEV) feeds#
Three KEV feeds are available, covering two different data models:
/known-exploited-vulnerabilities.{format}— the classic CISA KEV list. Entries carry the CISA fields (cveID, vulnerability name, short description, date added). This feed allows a much larger window than the others (see Pagination) and is cached briefly./known-exploited-vulnerabilities-catalog/feed.{format}— a single GCVE BCP-07 KEV catalog. Without parameters it returns this instance’s local catalog. Pass?catalog_uuid={uuid}to follow a specific catalog (for example CISA KEV, EUVD KEV, or another instance’s catalog). Entries are ordered by their BCP-07status_updated_at, so the feed reflects recent exploitation-status activity, and include status, exploitation flag, characteristics, evidence count, and timestamps./kev-catalogs/feed.{format}— the same BCP-07 entries, but aggregated across every catalog the instance knows about, newest status update first. Each entry title is prefixed with its originating catalog (e.g.[CISA KEV],[EUVD KEV]).
Note
The catalog feeds are recent-activity streams: they carry the most
recently updated entries, not the full catalog. A vulnerability can appear
in the coverage table on the /kev-catalogs page yet be absent from the
feed simply because its last status update is older than the feed window.
For the complete contents of a catalog, use the NDJSON
export (/known-exploited-vulnerabilities-catalog/export.ndjson) or the
KEV API. The same CVE may also appear more than once in the
aggregated feed when several catalogs reference it — once per catalog.
The UUIDs of the catalogs known to a given instance are listed on its
/kev-catalogs page.
Pagination#
Feeds accept page and per_page query parameters. per_page is
capped per instance by FEED_MAX_PER_PAGE in config/website.py
(default 50); requests above the cap are clamped to it. Each feed has
its own default page size, applied when per_page is omitted — most
readers don’t paginate, so the default is sized for one page of recent
items:
Most feeds (recent vulnerabilities, sightings, comments, bundles, user activity) default to 10 entries.
The BCP-07 KEV catalog feeds (
/known-exploited-vulnerabilities-catalogand/kev-catalogs) default to 20 entries.The CISA KEV feed (
/known-exploited-vulnerabilities) is the exception: it is not bound byFEED_MAX_PER_PAGEand serves up to 3000 entries, making it a practical snapshot of the whole CISA list.
Examples#
Subscribing to recent vulnerabilities#
All sources, Atom format:
$ curl https://vulnerability.circl.lu/recent/all.atom
A single source:
$ curl https://vulnerability.circl.lu/recent/pysec.atom
Filtering recent vulnerabilities#
By vendor:
$ curl 'https://vulnerability.circl.lu/recent/cvelistv5.atom?vendor=MISP&per_page=2&page=8'
Vulnerabilities linked to a specific vulnerability (e.g. cross-source correlation, follow-ups):
$ curl 'https://vulnerability.circl.lu/recent/all.atom?vulnerability=cve-2021-22280'
Sample response:
<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
<id>https://vulnerability.circl.lu/rss/recent/all/10</id>
<title>Most recent entries from all</title>
<updated>2024-11-26T08:03:09.000211+00:00</updated>
<author>
<name>Vulnerability-Lookup</name>
<email>info@circl.lu</email>
</author>
<link href="https://vulnerability.circl.lu" rel="alternate"/>
<subtitle>Contains only the most 10 recent entries.</subtitle>
<entry>
<id>https://vulnerability.circl.lu/vuln/ghsa-x53h-2cjp-mwcx</id>
<title>ghsa-x53h-2cjp-mwcx</title>
<updated>2024-11-26T08:03:09.013675+00:00</updated>
<link href="https://vulnerability.circl.lu/vuln/ghsa-x53h-2cjp-mwcx"/>
</entry>
<!-- ... -->
</feed>
Subscribing to Known Exploited Vulnerabilities#
The classic CISA KEV list:
$ curl https://vulnerability.circl.lu/known-exploited-vulnerabilities.atom
This instance’s local GCVE BCP-07 catalog:
$ curl https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/feed.atom
A specific BCP-07 catalog by UUID (UUIDs are listed on /kev-catalogs):
$ curl 'https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/feed.atom?catalog_uuid=405284c2-e461-4670-8979-7fd2c9755a60'
All catalogs at once, aggregated and labelled by source:
$ curl https://vulnerability.circl.lu/kev-catalogs/feed.atom
Subscribing to sightings#
For a specific vulnerability:
$ curl 'https://vulnerability.circl.lu/sightings/feed.atom?vulnerability=CVE-2024-0012'
For every vulnerability affecting a product (CPE):
$ curl 'https://vulnerability.circl.lu/sightings/cpesearch/cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:*/feed.atom'
Sightings are aggregated from various trusted sources, including security websites, Exploit-DB, GitHub repositories, security blogs, social networks, and MISP.
Subscribing to comments, bundles, or user activity#
Recent comments across the instance:
$ curl https://vulnerability.circl.lu/comments/feed.atom
Comments by a single user:
$ curl 'https://vulnerability.circl.lu/comments/feed.atom?user=alice'
Recent activity for a single user (sightings + comments + bundles in one feed):
$ curl https://vulnerability.circl.lu/user/alice.atom
See also#
API — paginated, programmatic access including
since=-based incremental sync, cross-source correlation, and the full OpenAPI specification.Access patterns for automated consumers — authoritative guidance on which surface to use for which use case (feeds vs. API vs. stream vs. bulk dumps), identification etiquette, and rate-limit posture.