<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Fri, 03 Jul 2026 19:12:57 +0000</lastBuildDate>
    <item>
      <title>f8d35d32-893f-4d4d-acdc-2ae5fc78ce35</title>
      <link>https://vulnerability.circl.lu/sighting/f8d35d32-893f-4d4d-acdc-2ae5fc78ce35/export</link>
      <description>{"uuid": "f8d35d32-893f-4d4d-acdc-2ae5fc78ce35", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/d82b6da1c3a72ae09535e92d4266bb1d", "content": "diff --git a/README.md b/README.md\nindex 57102d1..f1542d3 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV (Known Exploited Vulnerabilities) - first-class support\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -156,6 +157,25 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+## Configuration\n+\n+An example configuration file is provided at [`config.toml.example`](config.toml.example). Copy it to `config.toml` and fill in your values:\n+\n+```bash\n+cp config.toml.example config.toml\n+vi config.toml\n+```\n+\n+To enable KEV (Known Exploited Vulnerabilities) reporting, configure the `[kevuln]` section with a path to the go-kev database:\n+\n+```toml\n+[kevuln]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+```\n+\n+KEV data from both CISA and VulnCheck sources is reported as a first-class field on each vulnerability (`kevs` in JSON output).\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..547e546\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,135 @@\n+# Vuls Configuration Example\n+# Copy this file to config.toml and fill in your real values.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+#\n+# WARNING: config.toml contains secrets and is gitignored.\n+# Never commit real credentials to version control.\n+\n+# ============================================================\n+# General settings\n+# ============================================================\n+# httpProxy  = \"http://proxy.example.com:8080\"\n+# resultsDir = \"/path/to/results\"\n+# pipe       = false\n+\n+# ============================================================\n+# Default server settings (inherited by all [servers.xxx])\n+# ============================================================\n+[default]\n+user    = \"vuls-user\"\n+port    = \"22\"\n+keyPath = \"/home/vuls-user/.ssh/id_rsa\"\n+# keyPassword = \"SSH_KEY_PASSPHRASE_PLACEHOLDER\"\n+# scanMode    = [\"fast\"]\n+\n+# ============================================================\n+# Server definitions\n+# ============================================================\n+[servers]\n+\n+  [servers.web-server-01]\n+    host     = \"192.168.1.10\"\n+    user     = \"admin\"\n+    port     = \"22\"\n+    keyPath  = \"/home/admin/.ssh/id_rsa\"\n+    scanMode = [\"fast-root\"]\n+    memo     = \"Production web server\"\n+\n+  # Pseudo server for CPE-only scanning (no SSH)\n+  [servers.network-appliance]\n+    type     = \"pseudo\"\n+    cpeNames = [\n+      \"cpe:/a:vendor:product:1.0\",\n+    ]\n+    memo     = \"Network appliance - no SSH access\"\n+\n+# ============================================================\n+# Vulnerability dictionary data sources\n+# Supported types: \"sqlite3\", \"mysql\", \"postgres\", \"redis\", \"http\"\n+# ============================================================\n+\n+[cveDict]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# KEV (Known Exploited Vulnerabilities) data source\n+# Enables first-class KEV reporting on scanned CVEs.\n+# Supported sources: CISA KEV and VulnCheck KEV.\n+# Data is populated onto VulnInfo.KEVs for each CVE with a KEV entry.\n+[kevuln]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+  # For HTTP mode, set type and url:\n+  # type = \"http\"\n+  # url  = \"http://localhost:1326\"\n+\n+[cti]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# ============================================================\n+# Notification / Reporting destinations\n+# ============================================================\n+\n+[slack]\n+  hookURL     = \"https://hooks.slack.com/services/XXXXX/XXXXX/XXXXX\"\n+  channel     = \"#vuls-notifications\"\n+  iconEmoji   = \":ghost:\"\n+  authUser    = \"vuls-bot\"\n+  notifyUsers = [\"@admin\"]\n+\n+[email]\n+  smtpAddr     = \"smtp.example.com\"\n+  smtpPort     = \"587\"\n+  tlsMode      = \"STARTTLS\"\n+  user         = \"vuls@example.com\"\n+  password     = \"SMTP_PASSWORD_PLACEHOLDER\"\n+  from         = \"vuls@example.com\"\n+  to           = [\"admin@example.com\"]\n+  cc           = []\n+  subjectPrefix = \"[Vuls] \"\n+\n+[chatWork]\n+  apiToken = \"CHATWORK_API_TOKEN_PLACEHOLDER\"\n+  room     = \"123456789\"\n+\n+[telegram]\n+  token  = \"TELEGRAM_BOT_TOKEN_PLACEHOLDER\"\n+  chatID = \"-123456789\"\n+\n+# [http]\n+#   url = \"http://vuls-report-receiver.example.com:11234\"\n+\n+# [syslog]\n+#   protocol = \"tcp\"\n+#   host     = \"syslog.example.com\"\n+#   port     = \"514\"\n+#   tag      = \"vuls\"\n+\n+# [aws]\n+#   region   = \"us-east-1\"\n+#   s3Bucket = \"vuls-reports-bucket\"\n+\n+# [azure]\n+#   accountName   = \"AZURE_ACCOUNT_NAME\"\n+#   accountKey    = \"AZURE_ACCOUNT_KEY\"\n+#   containerName = \"vuls-reports\"\n+\n+# [wpScan]\n+#   token = \"WPSCAN_API_TOKEN_PLACEHOLDER\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..c50d34b 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,29 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tdueDate := k.DueDate\n+\t\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\t\tCISA: &amp;amp;models.CISAKEV{\n+\t\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t\t},\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +119,23 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tdueDate := k.DueDate\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\tCISA: &amp;amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..3e7a282 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_scan_result_with_kevs.json b/models/testdata/sample_scan_result_with_kevs.json\nnew file mode 100644\nindex 0000000..f9895e9\n--- /dev/null\n+++ b/models/testdata/sample_scan_result_with_kevs.json\n@@ -0,0 +1,88 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"redhat\",\n+  \"release\": \"9\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a remote code execution vulnerability that allows an attacker to execute arbitrary code.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/CVE-0000-0001\"\n+          }\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"another-package\",\n+          \"notFixedYet\": true\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-03-01T00:00:00Z\",\n+          \"dueDate\": \"2026-03-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-02-20T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://example.com/xdb/0001\",\n+                \"dateAdded\": \"2026-02-20T00:00:00Z\",\n+                \"exploitType\": \"poc\",\n+                \"cloneSSHURL\": \"\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploitation-report/0001\",\n+                \"dateAdded\": \"2026-02-18T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..e291d3a 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,76 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n+// The CISA field is deprecated; KEV data now lives on VulnInfo.KEVs.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n-// IsEmpty checks if the content of AlertDict is empty\n+// IsEmpty checks if the content of AlertDict is empty.\n+// CISA alerts are not considered here; KEV data is tracked separately on VulnInfo.KEVs.\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n-// FormatSource returns which source has this alert\n+// FormatSource returns which source has this alert.\n+// CISA KEV is no longer reported through this path; use VulnInfo.KEVs instead.\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..4772809 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..6d88910 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV (Known Exploited Vulnerabilities)\",\n+\t\t\t\t\"======================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T19:06:02.337393Z"}</description>
      <content:encoded>{"uuid": "f8d35d32-893f-4d4d-acdc-2ae5fc78ce35", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/d82b6da1c3a72ae09535e92d4266bb1d", "content": "diff --git a/README.md b/README.md\nindex 57102d1..f1542d3 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV (Known Exploited Vulnerabilities) - first-class support\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -156,6 +157,25 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+## Configuration\n+\n+An example configuration file is provided at [`config.toml.example`](config.toml.example). Copy it to `config.toml` and fill in your values:\n+\n+```bash\n+cp config.toml.example config.toml\n+vi config.toml\n+```\n+\n+To enable KEV (Known Exploited Vulnerabilities) reporting, configure the `[kevuln]` section with a path to the go-kev database:\n+\n+```toml\n+[kevuln]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+```\n+\n+KEV data from both CISA and VulnCheck sources is reported as a first-class field on each vulnerability (`kevs` in JSON output).\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..547e546\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,135 @@\n+# Vuls Configuration Example\n+# Copy this file to config.toml and fill in your real values.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+#\n+# WARNING: config.toml contains secrets and is gitignored.\n+# Never commit real credentials to version control.\n+\n+# ============================================================\n+# General settings\n+# ============================================================\n+# httpProxy  = \"http://proxy.example.com:8080\"\n+# resultsDir = \"/path/to/results\"\n+# pipe       = false\n+\n+# ============================================================\n+# Default server settings (inherited by all [servers.xxx])\n+# ============================================================\n+[default]\n+user    = \"vuls-user\"\n+port    = \"22\"\n+keyPath = \"/home/vuls-user/.ssh/id_rsa\"\n+# keyPassword = \"SSH_KEY_PASSPHRASE_PLACEHOLDER\"\n+# scanMode    = [\"fast\"]\n+\n+# ============================================================\n+# Server definitions\n+# ============================================================\n+[servers]\n+\n+  [servers.web-server-01]\n+    host     = \"192.168.1.10\"\n+    user     = \"admin\"\n+    port     = \"22\"\n+    keyPath  = \"/home/admin/.ssh/id_rsa\"\n+    scanMode = [\"fast-root\"]\n+    memo     = \"Production web server\"\n+\n+  # Pseudo server for CPE-only scanning (no SSH)\n+  [servers.network-appliance]\n+    type     = \"pseudo\"\n+    cpeNames = [\n+      \"cpe:/a:vendor:product:1.0\",\n+    ]\n+    memo     = \"Network appliance - no SSH access\"\n+\n+# ============================================================\n+# Vulnerability dictionary data sources\n+# Supported types: \"sqlite3\", \"mysql\", \"postgres\", \"redis\", \"http\"\n+# ============================================================\n+\n+[cveDict]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# KEV (Known Exploited Vulnerabilities) data source\n+# Enables first-class KEV reporting on scanned CVEs.\n+# Supported sources: CISA KEV and VulnCheck KEV.\n+# Data is populated onto VulnInfo.KEVs for each CVE with a KEV entry.\n+[kevuln]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+  # For HTTP mode, set type and url:\n+  # type = \"http\"\n+  # url  = \"http://localhost:1326\"\n+\n+[cti]\n+  type        = \"sqlite3\"\n+  sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# ============================================================\n+# Notification / Reporting destinations\n+# ============================================================\n+\n+[slack]\n+  hookURL     = \"https://hooks.slack.com/services/XXXXX/XXXXX/XXXXX\"\n+  channel     = \"#vuls-notifications\"\n+  iconEmoji   = \":ghost:\"\n+  authUser    = \"vuls-bot\"\n+  notifyUsers = [\"@admin\"]\n+\n+[email]\n+  smtpAddr     = \"smtp.example.com\"\n+  smtpPort     = \"587\"\n+  tlsMode      = \"STARTTLS\"\n+  user         = \"vuls@example.com\"\n+  password     = \"SMTP_PASSWORD_PLACEHOLDER\"\n+  from         = \"vuls@example.com\"\n+  to           = [\"admin@example.com\"]\n+  cc           = []\n+  subjectPrefix = \"[Vuls] \"\n+\n+[chatWork]\n+  apiToken = \"CHATWORK_API_TOKEN_PLACEHOLDER\"\n+  room     = \"123456789\"\n+\n+[telegram]\n+  token  = \"TELEGRAM_BOT_TOKEN_PLACEHOLDER\"\n+  chatID = \"-123456789\"\n+\n+# [http]\n+#   url = \"http://vuls-report-receiver.example.com:11234\"\n+\n+# [syslog]\n+#   protocol = \"tcp\"\n+#   host     = \"syslog.example.com\"\n+#   port     = \"514\"\n+#   tag      = \"vuls\"\n+\n+# [aws]\n+#   region   = \"us-east-1\"\n+#   s3Bucket = \"vuls-reports-bucket\"\n+\n+# [azure]\n+#   accountName   = \"AZURE_ACCOUNT_NAME\"\n+#   accountKey    = \"AZURE_ACCOUNT_KEY\"\n+#   containerName = \"vuls-reports\"\n+\n+# [wpScan]\n+#   token = \"WPSCAN_API_TOKEN_PLACEHOLDER\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..c50d34b 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,29 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tdueDate := k.DueDate\n+\t\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\t\tCISA: &amp;amp;models.CISAKEV{\n+\t\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t\t},\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +119,23 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tdueDate := k.DueDate\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\tCISA: &amp;amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..3e7a282 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_scan_result_with_kevs.json b/models/testdata/sample_scan_result_with_kevs.json\nnew file mode 100644\nindex 0000000..f9895e9\n--- /dev/null\n+++ b/models/testdata/sample_scan_result_with_kevs.json\n@@ -0,0 +1,88 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"redhat\",\n+  \"release\": \"9\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a remote code execution vulnerability that allows an attacker to execute arbitrary code.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/CVE-0000-0001\"\n+          }\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"another-package\",\n+          \"notFixedYet\": true\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-03-01T00:00:00Z\",\n+          \"dueDate\": \"2026-03-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-02-20T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://example.com/xdb/0001\",\n+                \"dateAdded\": \"2026-02-20T00:00:00Z\",\n+                \"exploitType\": \"poc\",\n+                \"cloneSSHURL\": \"\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploitation-report/0001\",\n+                \"dateAdded\": \"2026-02-18T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..e291d3a 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,76 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n+// The CISA field is deprecated; KEV data now lives on VulnInfo.KEVs.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n-// IsEmpty checks if the content of AlertDict is empty\n+// IsEmpty checks if the content of AlertDict is empty.\n+// CISA alerts are not considered here; KEV data is tracked separately on VulnInfo.KEVs.\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n-// FormatSource returns which source has this alert\n+// FormatSource returns which source has this alert.\n+// CISA KEV is no longer reported through this path; use VulnInfo.KEVs instead.\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..4772809 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..6d88910 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV (Known Exploited Vulnerabilities)\",\n+\t\t\t\t\"======================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T19:06:02.337393Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/f8d35d32-893f-4d4d-acdc-2ae5fc78ce35/export</guid>
      <pubDate>Fri, 03 Jul 2026 19:06:02 +0000</pubDate>
    </item>
    <item>
      <title>2dcd4263-c820-4bf2-95ae-3bf017747e72</title>
      <link>https://vulnerability.circl.lu/sighting/2dcd4263-c820-4bf2-95ae-3bf017747e72/export</link>
      <description>{"uuid": "2dcd4263-c820-4bf2-95ae-3bf017747e72", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/a262637f0b6614e6fc25dbfb9f74b4fd", "content": "diff --git a/README.md b/README.md\nindex 57102d1..eb603ab 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/kev)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -179,6 +180,11 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Examples\n+\n+- `examples/config.toml.example` is a synthetic, ready-to-edit configuration that enables KEV reporting with the `[kevuln]` dictionary.\n+- `examples/kev-scan-result.sample.json` shows the new first-class `kevs` scan result field with synthetic CISA and VulnCheck entries.\n+\n ----\n \n ## Authors\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..34a2ca1 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -74,23 +75,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n-\t\t\tif err := json.Unmarshal([]byte(res.json), &amp;amp;kevulns); err != nil {\n+\t\t\tkevs, err := convertKEVulnJSON([]byte(res.json))\n+\t\t\tif err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevs) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +118,95 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+type kevulnJSON struct {\n+\tType                       models.KEVType `json:\"type\"`\n+\tVendorProject              string         `json:\"vendorProject\"`\n+\tProduct                    string         `json:\"product\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName\"`\n+\tShortDescription           string         `json:\"shortDescription\"`\n+\tRequiredAction             string         `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded\"`\n+\tDueDate                    *time.Time     `json:\"dueDate\"`\n+\tNote                       string         `json:\"note\"`\n+\tNotes                      string         `json:\"notes\"`\n+\tCISA                       *models.CISAKEV `json:\"cisa\"`\n+\tVulnCheck                  *struct {\n+\t\tXDB                  []models.VulnCheckXDB                  `json:\"xdb\"`\n+\t\tReportedExploitation []models.VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+\t} `json:\"vulncheck\"`\n+\tXDB                  []models.VulnCheckXDB                  `json:\"xdb\"`\n+\tReportedExploitation []models.VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+}\n+\n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tbs, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil, err\n+\t}\n+\treturn convertKEVulnJSON(bs)\n+}\n+\n+func convertKEVulnJSON(bs []byte) ([]models.KEV, error) {\n+\tvar kevulns []kevulnJSON\n+\tif err := json.Unmarshal(bs, &amp;amp;kevulns); err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tkevType := kevuln.Type\n+\t\tif kevType == \"\" {\n+\t\t\tkevType = models.CISAKEVType\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType,\n+\t\t\tVendorProject:              kevuln.VendorProject,\n+\t\t\tProduct:                    kevuln.Product,\n+\t\t\tVulnerabilityName:          kevuln.VulnerabilityName,\n+\t\t\tShortDescription:           kevuln.ShortDescription,\n+\t\t\tRequiredAction:             kevuln.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: kevuln.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  kevuln.DateAdded,\n+\t\t\tDueDate:                    kevuln.DueDate,\n+\t\t}\n+\n+\t\tswitch kevType {\n+\t\tcase models.CISAKEVType:\n+\t\t\tif kevuln.CISA != nil {\n+\t\t\t\tkev.CISA = kevuln.CISA\n+\t\t\t} else if note := firstNonEmpty(kevuln.Note, kevuln.Notes); note != \"\" {\n+\t\t\t\tkev.CISA = &amp;amp;models.CISAKEV{Note: note}\n+\t\t\t}\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;amp;models.VulnCheckKEV{}\n+\t\t\tif kevuln.VulnCheck != nil {\n+\t\t\t\tkev.VulnCheck.XDB = kevuln.VulnCheck.XDB\n+\t\t\t\tkev.VulnCheck.ReportedExploitation = kevuln.VulnCheck.ReportedExploitation\n+\t\t\t}\n+\t\t\tif len(kevuln.XDB) &amp;gt; 0 {\n+\t\t\t\tkev.VulnCheck.XDB = kevuln.XDB\n+\t\t\t}\n+\t\t\tif len(kevuln.ReportedExploitation) &amp;gt; 0 {\n+\t\t\t\tkev.VulnCheck.ReportedExploitation = kevuln.ReportedExploitation\n+\t\t\t}\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func firstNonEmpty(values ...string) string {\n+\tfor _, value := range values {\n+\t\tif strings.TrimSpace(value) != \"\" {\n+\t\t\treturn value\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..c4e1c93\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,43 @@\n+# Synthetic Vuls configuration example with KEV reporting enabled.\n+# Replace all placeholder paths, hosts, and credentials before use.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"replace-me\"\n+keyPath = \"/path/to/id_rsa\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\"]\n+\n+[servers]\n+\n+[servers.example-web]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example target\"\ndiff --git a/examples/kev-scan-result.sample.json b/examples/kev-scan-result.sample.json\nnew file mode 100644\nindex 0000000..46414a7\n--- /dev/null\n+++ b/examples/kev-scan-result.sample.json\n@@ -0,0 +1,76 @@\n+{\n+  \"jsonVersion\": 0,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"vuls-example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"vuls-example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"vuls-report\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Command Injection Vulnerability\",\n+          \"shortDescription\": \"This synthetic CVE demonstrates the first-class KEV JSON field.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only. Do not treat as real vulnerability intelligence.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Command Injection Vulnerability\",\n+          \"shortDescription\": \"This synthetic entry demonstrates VulnCheck-specific KEV data.\",\n+          \"requiredAction\": \"Review exploitation evidence and patch affected systems.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.invalid:research/example-xdb.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/example-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {\n+        \"jpcert\": [],\n+        \"uscert\": []\n+      }\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..40ab335 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &amp;lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &amp;lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..62e934b\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,62 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\ttests := []struct {\n+\t\tname string\n+\t\tr    ScanResult\n+\t\twant string\n+\t}{\n+\t\t{\n+\t\t\tname: \"no kev\",\n+\t\t\tr: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0001\": {CveID: \"CVE-0000-0001\"},\n+\t\t\t}},\n+\t\t\twant: \"0 kevs\",\n+\t\t},\n+\t\t{\n+\t\t\tname: \"count cves with kev entries\",\n+\t\t\tr: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0001\": {CveID: \"CVE-0000-0001\", KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\t\"CVE-0000-0002\": {CveID: \"CVE-0000-0002\", KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\t\"CVE-0000-0003\": {CveID: \"CVE-0000-0003\"},\n+\t\t\t}},\n+\t\t\twant: \"2 kevs\",\n+\t\t},\n+\t}\n+\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tif got := tt.r.FormatKEVCveSummary(); got != tt.want {\n+\t\t\t\tt.Errorf(\"got %q, want %q\", got, tt.want)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := &amp;amp;ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {\n+\t\t\tKEVs: []KEV{\n+\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"Beta\"},\n+\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"Gamma\"},\n+\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"Alpha\"},\n+\t\t\t},\n+\t\t},\n+\t}}\n+\n+\tr.SortForJSONOutput()\n+\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"Alpha\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"Gamma\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"Beta\"},\n+\t}\n+\tif got := r.ScannedCves[\"CVE-0000-0001\"].KEVs; !reflect.DeepEqual(got, want) {\n+\t\tt.Errorf(\"got %+v, want %+v\", got, want)\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..feefdba 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a source of Known Exploited Vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck KEV data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +963,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..25b4125 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,34 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"==============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tname := kev.VulnerabilityName\n+\t\t\t\tif name == \"\" {\n+\t\t\t\t\tname = strings.TrimSpace(strings.Join([]string{kev.VendorProject, kev.Product}, \" \"))\n+\t\t\t\t}\n+\t\t\t\tif name == \"\" {\n+\t\t\t\t\tname = string(kev.Type)\n+\t\t\t\t}\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s (%s)\", name, kev.Type))\n+\t\t\t\tif kev.ShortDescription != \"\" {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * %s\", kev.ShortDescription))\n+\t\t\t\t}\n+\t\t\t\tif kev.CISA != nil &amp;amp;&amp;amp; kev.CISA.Note != \"\" {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * Note: %s\", kev.CISA.Note))\n+\t\t\t\t}\n+\t\t\t\tif kev.VulnCheck != nil {\n+\t\t\t\t\tfor _, xdb := range kev.VulnCheck.XDB {\n+\t\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * XDB: %s\", xdb.XDBURL))\n+\t\t\t\t\t}\n+\t\t\t\t\tfor _, exploitation := range kev.VulnCheck.ReportedExploitation {\n+\t\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * Reported exploitation: %s\", exploitation.URL))\n+\t\t\t\t\t}\n+\t\t\t\t}\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T19:06:02.220619Z"}</description>
      <content:encoded>{"uuid": "2dcd4263-c820-4bf2-95ae-3bf017747e72", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/a262637f0b6614e6fc25dbfb9f74b4fd", "content": "diff --git a/README.md b/README.md\nindex 57102d1..eb603ab 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/kev)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -179,6 +180,11 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Examples\n+\n+- `examples/config.toml.example` is a synthetic, ready-to-edit configuration that enables KEV reporting with the `[kevuln]` dictionary.\n+- `examples/kev-scan-result.sample.json` shows the new first-class `kevs` scan result field with synthetic CISA and VulnCheck entries.\n+\n ----\n \n ## Authors\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..34a2ca1 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -74,23 +75,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n-\t\t\tif err := json.Unmarshal([]byte(res.json), &amp;amp;kevulns); err != nil {\n+\t\t\tkevs, err := convertKEVulnJSON([]byte(res.json))\n+\t\t\tif err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevs) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +118,95 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+type kevulnJSON struct {\n+\tType                       models.KEVType `json:\"type\"`\n+\tVendorProject              string         `json:\"vendorProject\"`\n+\tProduct                    string         `json:\"product\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName\"`\n+\tShortDescription           string         `json:\"shortDescription\"`\n+\tRequiredAction             string         `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded\"`\n+\tDueDate                    *time.Time     `json:\"dueDate\"`\n+\tNote                       string         `json:\"note\"`\n+\tNotes                      string         `json:\"notes\"`\n+\tCISA                       *models.CISAKEV `json:\"cisa\"`\n+\tVulnCheck                  *struct {\n+\t\tXDB                  []models.VulnCheckXDB                  `json:\"xdb\"`\n+\t\tReportedExploitation []models.VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+\t} `json:\"vulncheck\"`\n+\tXDB                  []models.VulnCheckXDB                  `json:\"xdb\"`\n+\tReportedExploitation []models.VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+}\n+\n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tbs, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil, err\n+\t}\n+\treturn convertKEVulnJSON(bs)\n+}\n+\n+func convertKEVulnJSON(bs []byte) ([]models.KEV, error) {\n+\tvar kevulns []kevulnJSON\n+\tif err := json.Unmarshal(bs, &amp;amp;kevulns); err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tkevType := kevuln.Type\n+\t\tif kevType == \"\" {\n+\t\t\tkevType = models.CISAKEVType\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType,\n+\t\t\tVendorProject:              kevuln.VendorProject,\n+\t\t\tProduct:                    kevuln.Product,\n+\t\t\tVulnerabilityName:          kevuln.VulnerabilityName,\n+\t\t\tShortDescription:           kevuln.ShortDescription,\n+\t\t\tRequiredAction:             kevuln.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: kevuln.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  kevuln.DateAdded,\n+\t\t\tDueDate:                    kevuln.DueDate,\n+\t\t}\n+\n+\t\tswitch kevType {\n+\t\tcase models.CISAKEVType:\n+\t\t\tif kevuln.CISA != nil {\n+\t\t\t\tkev.CISA = kevuln.CISA\n+\t\t\t} else if note := firstNonEmpty(kevuln.Note, kevuln.Notes); note != \"\" {\n+\t\t\t\tkev.CISA = &amp;amp;models.CISAKEV{Note: note}\n+\t\t\t}\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;amp;models.VulnCheckKEV{}\n+\t\t\tif kevuln.VulnCheck != nil {\n+\t\t\t\tkev.VulnCheck.XDB = kevuln.VulnCheck.XDB\n+\t\t\t\tkev.VulnCheck.ReportedExploitation = kevuln.VulnCheck.ReportedExploitation\n+\t\t\t}\n+\t\t\tif len(kevuln.XDB) &amp;gt; 0 {\n+\t\t\t\tkev.VulnCheck.XDB = kevuln.XDB\n+\t\t\t}\n+\t\t\tif len(kevuln.ReportedExploitation) &amp;gt; 0 {\n+\t\t\t\tkev.VulnCheck.ReportedExploitation = kevuln.ReportedExploitation\n+\t\t\t}\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func firstNonEmpty(values ...string) string {\n+\tfor _, value := range values {\n+\t\tif strings.TrimSpace(value) != \"\" {\n+\t\t\treturn value\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..c4e1c93\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,43 @@\n+# Synthetic Vuls configuration example with KEV reporting enabled.\n+# Replace all placeholder paths, hosts, and credentials before use.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"replace-me\"\n+keyPath = \"/path/to/id_rsa\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\"]\n+\n+[servers]\n+\n+[servers.example-web]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example target\"\ndiff --git a/examples/kev-scan-result.sample.json b/examples/kev-scan-result.sample.json\nnew file mode 100644\nindex 0000000..46414a7\n--- /dev/null\n+++ b/examples/kev-scan-result.sample.json\n@@ -0,0 +1,76 @@\n+{\n+  \"jsonVersion\": 0,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"vuls-example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"vuls-example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"vuls-report\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Command Injection Vulnerability\",\n+          \"shortDescription\": \"This synthetic CVE demonstrates the first-class KEV JSON field.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only. Do not treat as real vulnerability intelligence.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Command Injection Vulnerability\",\n+          \"shortDescription\": \"This synthetic entry demonstrates VulnCheck-specific KEV data.\",\n+          \"requiredAction\": \"Review exploitation evidence and patch affected systems.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.invalid:research/example-xdb.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/example-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {\n+        \"jpcert\": [],\n+        \"uscert\": []\n+      }\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..40ab335 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &amp;lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &amp;lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..62e934b\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,62 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\ttests := []struct {\n+\t\tname string\n+\t\tr    ScanResult\n+\t\twant string\n+\t}{\n+\t\t{\n+\t\t\tname: \"no kev\",\n+\t\t\tr: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0001\": {CveID: \"CVE-0000-0001\"},\n+\t\t\t}},\n+\t\t\twant: \"0 kevs\",\n+\t\t},\n+\t\t{\n+\t\t\tname: \"count cves with kev entries\",\n+\t\t\tr: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0001\": {CveID: \"CVE-0000-0001\", KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\t\"CVE-0000-0002\": {CveID: \"CVE-0000-0002\", KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\t\"CVE-0000-0003\": {CveID: \"CVE-0000-0003\"},\n+\t\t\t}},\n+\t\t\twant: \"2 kevs\",\n+\t\t},\n+\t}\n+\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tif got := tt.r.FormatKEVCveSummary(); got != tt.want {\n+\t\t\t\tt.Errorf(\"got %q, want %q\", got, tt.want)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := &amp;amp;ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {\n+\t\t\tKEVs: []KEV{\n+\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"Beta\"},\n+\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"Gamma\"},\n+\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"Alpha\"},\n+\t\t\t},\n+\t\t},\n+\t}}\n+\n+\tr.SortForJSONOutput()\n+\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"Alpha\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"Gamma\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"Beta\"},\n+\t}\n+\tif got := r.ScannedCves[\"CVE-0000-0001\"].KEVs; !reflect.DeepEqual(got, want) {\n+\t\tt.Errorf(\"got %+v, want %+v\", got, want)\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..feefdba 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a source of Known Exploited Vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck KEV data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +963,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..25b4125 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,34 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"==============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tname := kev.VulnerabilityName\n+\t\t\t\tif name == \"\" {\n+\t\t\t\t\tname = strings.TrimSpace(strings.Join([]string{kev.VendorProject, kev.Product}, \" \"))\n+\t\t\t\t}\n+\t\t\t\tif name == \"\" {\n+\t\t\t\t\tname = string(kev.Type)\n+\t\t\t\t}\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s (%s)\", name, kev.Type))\n+\t\t\t\tif kev.ShortDescription != \"\" {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * %s\", kev.ShortDescription))\n+\t\t\t\t}\n+\t\t\t\tif kev.CISA != nil &amp;amp;&amp;amp; kev.CISA.Note != \"\" {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * Note: %s\", kev.CISA.Note))\n+\t\t\t\t}\n+\t\t\t\tif kev.VulnCheck != nil {\n+\t\t\t\t\tfor _, xdb := range kev.VulnCheck.XDB {\n+\t\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * XDB: %s\", xdb.XDBURL))\n+\t\t\t\t\t}\n+\t\t\t\t\tfor _, exploitation := range kev.VulnCheck.ReportedExploitation {\n+\t\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * Reported exploitation: %s\", exploitation.URL))\n+\t\t\t\t\t}\n+\t\t\t\t}\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T19:06:02.220619Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/2dcd4263-c820-4bf2-95ae-3bf017747e72/export</guid>
      <pubDate>Fri, 03 Jul 2026 19:06:02 +0000</pubDate>
    </item>
    <item>
      <title>e1e98c98-ef55-4a04-89de-a629588d474c</title>
      <link>https://vulnerability.circl.lu/sighting/e1e98c98-ef55-4a04-89de-a629588d474c/export</link>
      <description>{"uuid": "e1e98c98-ef55-4a04-89de-a629588d474c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/9f9098838bcb23c3397b3e734fb658e6", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..2786497 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV (Known Exploited Vulnerabilities) \u2014 first-class support\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -163,6 +164,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - See [`config.toml.example`](config.toml.example) for a ready-to-use example configuration\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..b14e873\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,131 @@\n+# Vuls - VULnerability Scanner\n+# Example configuration file\n+#\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+#\n+# Copy this file to config.toml and fill in the values for your environment.\n+# All credential/secret values below are PLACEHOLDERS \u2014 replace them before use.\n+\n+# --- Global Options ---\n+\n+#debug = false\n+#debugSQL = false\n+#logToFile = false\n+#logDir = \"/var/log/vuls\"\n+\n+# HTTP proxy (optional)\n+#httpProxy = \"http://proxy.example.com:8080\"\n+\n+# Directory to store scan results (default: current directory)\n+#resultsDir = \"/path/to/results\"\n+\n+# --- Vulnerability Dictionary Databases ---\n+# Each section configures a vulnerability data source.\n+# Supported types: \"sqlite3\", \"mysql\", \"postgres\", \"redis\", \"http\"\n+# For sqlite3, set sqlite3Path. For http, set url to the API endpoint.\n+\n+[cveDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"http://localhost:1323\"\n+\n+[ovalDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"http://localhost:1324\"\n+\n+[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"http://localhost:1325\"\n+\n+[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"http://localhost:1326\"\n+\n+[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"http://localhost:1327\"\n+\n+# KEV (Known Exploited Vulnerabilities) database - CISA &amp;amp; VulnCheck sources\n+# Enables first-class KEV reporting on scanned vulnerabilities.\n+[kevuln]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url = \"http://localhost:1328\"\n+\n+[cti]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url = \"http://localhost:1329\"\n+\n+# --- Notification / Output Targets ---\n+\n+[slack]\n+#hookURL = \"https://hooks.slack.com/services/YOUR/WEBHOOK/TOKEN\"\n+#channel = \"#vuls-notifications\"\n+#iconEmoji = \":ghost:\"\n+#authUser = \"vuls\"\n+#notifyUsers = [\"@admin\"]\n+\n+[email]\n+#smtpAddr = \"smtp.example.com\"\n+#smtpPort = \"587\"\n+#tlsMode = \"STARTTLS\"\n+#user = \"vuls@example.com\"\n+#password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+#from = \"vuls@example.com\"\n+#to = [\"admin@example.com\"]\n+#cc = [\"security-team@example.com\"]\n+#subjectPrefix = \"[Vuls]\"\n+\n+[http]\n+#url = \"http://example.com:11234/vuls\"\n+\n+[syslog]\n+#protocol = \"tcp\"\n+#host = \"syslog.example.com\"\n+#port = \"514\"\n+#severity = \"warning\"\n+#facility = \"daemon\"\n+#tag = \"vuls\"\n+\n+[chatwork]\n+#apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+#room = \"12345678\"\n+\n+[telegram]\n+#token = \"REPLACE_WITH_TELEGRAM_BOT_TOKEN\"\n+#chatID = \"123456789\"\n+\n+[googlechat]\n+#webHookURL = \"https://chat.googleapis.com/v1/spaces/SPACE/messages?key=KEY&amp;amp;token=TOKEN\"\n+\n+# --- Default Server Settings ---\n+# These values are applied to all servers unless overridden per-server.\n+\n+[default]\n+#port = \"22\"\n+#user = \"vuls-scan\"\n+#keyPath = \"/home/vuls-scan/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# --- Target Servers ---\n+# Define one section per server to scan.\n+\n+#[servers.web-server]\n+#host = \"web.example.com\"\n+#port = \"22\"\n+#user = \"vuls-scan\"\n+#keyPath = \"/home/vuls-scan/.ssh/id_rsa\"\n+#scanMode = [\"fast-root\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+#[servers.db-server]\n+#host = \"db.example.com\"\n+#port = \"22\"\n+#user = \"vuls-scan\"\n+#scanMode = [\"deep\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9fea4b8 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevulnsToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevulnsToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -226,6 +212,28 @@ func httpGetKEVuln(url string, req kevulnRequest, resChan chan&amp;lt;- kevulnResponse,\n \t}\n }\n \n+func kevulnsToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tvar kevs []models.KEV\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tDueDate:                    &amp;amp;k.DueDate,\n+\t\t\tCISA: &amp;amp;models.CISAKEV{\n+\t\t\t\tNote: k.Notes,\n+\t\t\t},\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n func newKEVulnDB(cnf config.VulnDictInterface) (kevulndb.DB, error) {\n \tif cnf.IsFetchViaHTTP() {\n \t\treturn nil, nil\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..64d59bc 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of how many scanned CVEs have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tkevCnt := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tkevCnt++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", kevCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kevs_scan_result.json b/models/testdata/sample_kevs_scan_result.json\nnew file mode 100644\nindex 0000000..8d61d3a\n--- /dev/null\n+++ b/models/testdata/sample_kevs_scan_result.json\n@@ -0,0 +1,81 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"centos\",\n+  \"release\": \"8\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/security/advisory-001\"\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-03-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/XDB-0001\",\n+                \"dateAdded\": \"2024-03-11T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@github.com:example/exploit-repo.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/blog/exploitation-report\",\n+                \"dateAdded\": \"2024-03-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"another-pkg\",\n+          \"notFixedYet\": true\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0003\": {\n+      \"cveID\": \"CVE-0000-0003\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"safe-pkg\",\n+          \"fixedIn\": \"2.0.1\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..03e298b 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,28 +911,78 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source type of a Known Exploited Vulnerability entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT, USCERT alert data\n+// Deprecated: The CISA field is retained for backward compatibility but KEV data\n+// should be accessed through VulnInfo.KEVs instead.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n-\tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n-\t\ts = append(s, \"CERT\")\n+\t\treturn \"CERT\"\n \t}\n-\treturn strings.Join(s, \"/\")\n+\treturn \"\"\n }\n \n // Confidences is a list of Confidence\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T18:57:43.107773Z"}</description>
      <content:encoded>{"uuid": "e1e98c98-ef55-4a04-89de-a629588d474c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/9f9098838bcb23c3397b3e734fb658e6", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..2786497 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV (Known Exploited Vulnerabilities) \u2014 first-class support\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -163,6 +164,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - See [`config.toml.example`](config.toml.example) for a ready-to-use example configuration\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..b14e873\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,131 @@\n+# Vuls - VULnerability Scanner\n+# Example configuration file\n+#\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+#\n+# Copy this file to config.toml and fill in the values for your environment.\n+# All credential/secret values below are PLACEHOLDERS \u2014 replace them before use.\n+\n+# --- Global Options ---\n+\n+#debug = false\n+#debugSQL = false\n+#logToFile = false\n+#logDir = \"/var/log/vuls\"\n+\n+# HTTP proxy (optional)\n+#httpProxy = \"http://proxy.example.com:8080\"\n+\n+# Directory to store scan results (default: current directory)\n+#resultsDir = \"/path/to/results\"\n+\n+# --- Vulnerability Dictionary Databases ---\n+# Each section configures a vulnerability data source.\n+# Supported types: \"sqlite3\", \"mysql\", \"postgres\", \"redis\", \"http\"\n+# For sqlite3, set sqlite3Path. For http, set url to the API endpoint.\n+\n+[cveDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"http://localhost:1323\"\n+\n+[ovalDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"http://localhost:1324\"\n+\n+[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"http://localhost:1325\"\n+\n+[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"http://localhost:1326\"\n+\n+[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"http://localhost:1327\"\n+\n+# KEV (Known Exploited Vulnerabilities) database - CISA &amp;amp; VulnCheck sources\n+# Enables first-class KEV reporting on scanned vulnerabilities.\n+[kevuln]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url = \"http://localhost:1328\"\n+\n+[cti]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url = \"http://localhost:1329\"\n+\n+# --- Notification / Output Targets ---\n+\n+[slack]\n+#hookURL = \"https://hooks.slack.com/services/YOUR/WEBHOOK/TOKEN\"\n+#channel = \"#vuls-notifications\"\n+#iconEmoji = \":ghost:\"\n+#authUser = \"vuls\"\n+#notifyUsers = [\"@admin\"]\n+\n+[email]\n+#smtpAddr = \"smtp.example.com\"\n+#smtpPort = \"587\"\n+#tlsMode = \"STARTTLS\"\n+#user = \"vuls@example.com\"\n+#password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+#from = \"vuls@example.com\"\n+#to = [\"admin@example.com\"]\n+#cc = [\"security-team@example.com\"]\n+#subjectPrefix = \"[Vuls]\"\n+\n+[http]\n+#url = \"http://example.com:11234/vuls\"\n+\n+[syslog]\n+#protocol = \"tcp\"\n+#host = \"syslog.example.com\"\n+#port = \"514\"\n+#severity = \"warning\"\n+#facility = \"daemon\"\n+#tag = \"vuls\"\n+\n+[chatwork]\n+#apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+#room = \"12345678\"\n+\n+[telegram]\n+#token = \"REPLACE_WITH_TELEGRAM_BOT_TOKEN\"\n+#chatID = \"123456789\"\n+\n+[googlechat]\n+#webHookURL = \"https://chat.googleapis.com/v1/spaces/SPACE/messages?key=KEY&amp;amp;token=TOKEN\"\n+\n+# --- Default Server Settings ---\n+# These values are applied to all servers unless overridden per-server.\n+\n+[default]\n+#port = \"22\"\n+#user = \"vuls-scan\"\n+#keyPath = \"/home/vuls-scan/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# --- Target Servers ---\n+# Define one section per server to scan.\n+\n+#[servers.web-server]\n+#host = \"web.example.com\"\n+#port = \"22\"\n+#user = \"vuls-scan\"\n+#keyPath = \"/home/vuls-scan/.ssh/id_rsa\"\n+#scanMode = [\"fast-root\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+#[servers.db-server]\n+#host = \"db.example.com\"\n+#port = \"22\"\n+#user = \"vuls-scan\"\n+#scanMode = [\"deep\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9fea4b8 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevulnsToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevulnsToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -226,6 +212,28 @@ func httpGetKEVuln(url string, req kevulnRequest, resChan chan&amp;lt;- kevulnResponse,\n \t}\n }\n \n+func kevulnsToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tvar kevs []models.KEV\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tDueDate:                    &amp;amp;k.DueDate,\n+\t\t\tCISA: &amp;amp;models.CISAKEV{\n+\t\t\t\tNote: k.Notes,\n+\t\t\t},\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n func newKEVulnDB(cnf config.VulnDictInterface) (kevulndb.DB, error) {\n \tif cnf.IsFetchViaHTTP() {\n \t\treturn nil, nil\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..64d59bc 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of how many scanned CVEs have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tkevCnt := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tkevCnt++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", kevCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kevs_scan_result.json b/models/testdata/sample_kevs_scan_result.json\nnew file mode 100644\nindex 0000000..8d61d3a\n--- /dev/null\n+++ b/models/testdata/sample_kevs_scan_result.json\n@@ -0,0 +1,81 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"centos\",\n+  \"release\": \"8\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/security/advisory-001\"\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-03-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/XDB-0001\",\n+                \"dateAdded\": \"2024-03-11T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@github.com:example/exploit-repo.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/blog/exploitation-report\",\n+                \"dateAdded\": \"2024-03-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"another-pkg\",\n+          \"notFixedYet\": true\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0003\": {\n+      \"cveID\": \"CVE-0000-0003\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"safe-pkg\",\n+          \"fixedIn\": \"2.0.1\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..03e298b 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,28 +911,78 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source type of a Known Exploited Vulnerability entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT, USCERT alert data\n+// Deprecated: The CISA field is retained for backward compatibility but KEV data\n+// should be accessed through VulnInfo.KEVs instead.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n-\tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n-\t\ts = append(s, \"CERT\")\n+\t\treturn \"CERT\"\n \t}\n-\treturn strings.Join(s, \"/\")\n+\treturn \"\"\n }\n \n // Confidences is a list of Confidence\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T18:57:43.107773Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/e1e98c98-ef55-4a04-89de-a629588d474c/export</guid>
      <pubDate>Fri, 03 Jul 2026 18:57:43 +0000</pubDate>
    </item>
    <item>
      <title>d33ff251-4fed-4ba0-838c-38aba26d6057</title>
      <link>https://vulnerability.circl.lu/sighting/d33ff251-4fed-4ba0-838c-38aba26d6057/export</link>
      <description>{"uuid": "d33ff251-4fed-4ba0-838c-38aba26d6057", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/1263fa8ea1c9d2bdbbb4410ed0273673", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..c8a5ae7 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data through go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -166,6 +169,18 @@ Vuls has some options to detect the vulnerabilities\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \n+## KEV Reporting Example\n+\n+Use `config.toml.example` as a redacted starting point for enabling KEV reporting with go-kev. The KEV database is configured with the `[kevuln]` section:\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+```\n+\n+The report JSON exposes KEV information on each vulnerability under `scannedCves..kevs`. See `sample-kev-result.json` for a synthetic redacted scan result containing both CISA and VulnCheck KEV entries.\n+\n ----\n \n ## What Vuls Doesn't Do\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..ed5b6b5\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,36 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..45568db 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -5,7 +5,10 @@ package detector\n \n import (\n \t\"encoding/json\"\n+\t\"fmt\"\n \t\"net/http\"\n+\t\"reflect\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +82,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;amp;&amp;amp; len(kevulns) &amp;gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulns(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulns(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,181 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tv := reflect.ValueOf(kevuln)\n+\t\tkevs = append(kevs, models.KEV{\n+\t\t\tType:                       toKEVType(stringField(v, \"Type\", \"Source\")),\n+\t\t\tVendorProject:              stringField(v, \"VendorProject\", \"Vendor\", \"Project\"),\n+\t\t\tProduct:                    stringField(v, \"Product\"),\n+\t\t\tVulnerabilityName:          stringField(v, \"VulnerabilityName\", \"Name\"),\n+\t\t\tShortDescription:           stringField(v, \"ShortDescription\", \"Description\"),\n+\t\t\tRequiredAction:             stringField(v, \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: stringField(v, \"KnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  timeField(v, \"DateAdded\"),\n+\t\t\tDueDate:                    timePtrField(v, \"DueDate\"),\n+\t\t\tCISA:                       cisaKEVField(v),\n+\t\t\tVulnCheck:                  vulnCheckKEVField(v),\n+\t\t})\n+\t}\n+\treturn kevs\n+}\n+\n+func toKEVType(source string) models.KEVType {\n+\tswitch strings.ToLower(source) {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\tdefault:\n+\t\treturn models.CISAKEVType\n+\t}\n+}\n+\n+func stringField(v reflect.Value, names ...string) string {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif f.IsValid() {\n+\t\t\tswitch f.Kind() {\n+\t\t\tcase reflect.String:\n+\t\t\t\treturn f.String()\n+\t\t\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:\n+\t\t\t\treturn fmt.Sprint(f.Int())\n+\t\t\tcase reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:\n+\t\t\t\treturn fmt.Sprint(f.Uint())\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func timeField(v reflect.Value, names ...string) time.Time {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif f.IsValid() &amp;amp;&amp;amp; f.Type() == reflect.TypeOf(time.Time{}) {\n+\t\t\treturn f.Interface().(time.Time)\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func timePtrField(v reflect.Value, names ...string) *time.Time {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif !f.IsValid() {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif f.Type() == reflect.TypeOf(time.Time{}) {\n+\t\t\tt := f.Interface().(time.Time)\n+\t\t\treturn &amp;amp;t\n+\t\t}\n+\t\tif f.Type() == reflect.TypeOf((*time.Time)(nil)) &amp;amp;&amp;amp; !f.IsNil() {\n+\t\t\tt := f.Interface().(*time.Time)\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func cisaKEVField(v reflect.Value) *models.CISAKEV {\n+\tf := fieldByName(v, \"CISA\", \"Cisa\")\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif f.Kind() == reflect.Pointer {\n+\t\tif f.IsNil() {\n+\t\t\treturn nil\n+\t\t}\n+\t\tf = f.Elem()\n+\t}\n+\treturn &amp;amp;models.CISAKEV{Note: stringField(f, \"Note\")}\n+}\n+\n+func vulnCheckKEVField(v reflect.Value) *models.VulnCheckKEV {\n+\tf := fieldByName(v, \"VulnCheck\", \"Vulncheck\")\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif f.Kind() == reflect.Pointer {\n+\t\tif f.IsNil() {\n+\t\t\treturn nil\n+\t\t}\n+\t\tf = f.Elem()\n+\t}\n+\treturn &amp;amp;models.VulnCheckKEV{\n+\t\tXDB:                  vulnCheckXDBField(f),\n+\t\tReportedExploitation: vulnCheckReportedExploitationField(f),\n+\t}\n+}\n+\n+func vulnCheckXDBField(v reflect.Value) []models.VulnCheckXDB {\n+\tf := fieldByName(v, \"XDB\", \"Xdb\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\txdbs := make([]models.VulnCheckXDB, 0, f.Len())\n+\tfor i := 0; i &amp;lt; f.Len(); i++ {\n+\t\titem := f.Index(i)\n+\t\tif item.Kind() == reflect.Pointer {\n+\t\t\tif item.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\titem = item.Elem()\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       stringField(item, \"XDBID\", \"XdbID\", \"ID\"),\n+\t\t\tXDBURL:      stringField(item, \"XDBURL\", \"XdbURL\", \"URL\"),\n+\t\t\tDateAdded:   timeField(item, \"DateAdded\"),\n+\t\t\tExploitType: stringField(item, \"ExploitType\"),\n+\t\t\tCloneSSHURL: stringField(item, \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitationField(v reflect.Value) []models.VulnCheckReportedExploitation {\n+\tf := fieldByName(v, \"ReportedExploitation\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\texploitations := make([]models.VulnCheckReportedExploitation, 0, f.Len())\n+\tfor i := 0; i &amp;lt; f.Len(); i++ {\n+\t\titem := f.Index(i)\n+\t\tif item.Kind() == reflect.Pointer {\n+\t\t\tif item.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\titem = item.Elem()\n+\t\t}\n+\t\texploitations = append(exploitations, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       stringField(item, \"URL\"),\n+\t\t\tDateAdded: timeField(item, \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn exploitations\n+}\n+\n+func fieldByName(v reflect.Value, names ...string) reflect.Value {\n+\tif !v.IsValid() {\n+\t\treturn reflect.Value{}\n+\t}\n+\tif v.Kind() == reflect.Pointer {\n+\t\tif v.IsNil() {\n+\t\t\treturn reflect.Value{}\n+\t\t}\n+\t\tv = v.Elem()\n+\t}\n+\tif v.Kind() != reflect.Struct {\n+\t\treturn reflect.Value{}\n+\t}\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif f.IsValid() &amp;amp;&amp;amp; f.CanInterface() {\n+\t\t\treturn f\n+\t\t}\n+\t}\n+\treturn reflect.Value{}\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/kev_test.go b/models/kev_test.go\nnew file mode 100644\nindex 0000000..651dcc1\n--- /dev/null\n+++ b/models/kev_test.go\n@@ -0,0 +1,92 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\ttests := []struct {\n+\t\tname string\n+\t\tr    ScanResult\n+\t\twant string\n+\t}{\n+\t\t{\n+\t\t\tname: \"counts cves with kev entries\",\n+\t\t\tr: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\t\"CVE-0000-0002\": {},\n+\t\t\t\t\"CVE-0000-0003\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t}},\n+\t\t\twant: \"2 kevs\",\n+\t\t},\n+\t\t{\n+\t\t\tname: \"empty\",\n+\t\t\tr:    ScanResult{ScannedCves: VulnInfos{}},\n+\t\t\twant: \"0 kevs\",\n+\t\t},\n+\t}\n+\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tif got := tt.r.FormatKEVCveSummary(); got != tt.want {\n+\t\t\t\tt.Errorf(\"FormatKEVCveSummary() = %q, want %q\", got, tt.want)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n+\n+func TestScanResult_FormatAlertSummaryExcludesCISA(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {AlertDict: AlertDict{\n+\t\t\tCISA:   []Alert{{Title: \"old kev alert\"}},\n+\t\t\tUSCERT: []Alert{{Title: \"uscert-1\"}},\n+\t\t\tJPCERT: []Alert{{Title: \"jpcert-1\"}, {Title: \"jpcert-2\"}},\n+\t\t}},\n+\t}}\n+\n+\tif got, want := r.FormatAlertSummary(), \"uscert: 1, jpcert: 2 alerts\"; got != want {\n+\t\tt.Errorf(\"FormatAlertSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestAlertDict_CISAIgnoredForGenericAlertState(t *testing.T) {\n+\ta := AlertDict{CISA: []Alert{{Title: \"old kev alert\"}}}\n+\n+\tif !a.IsEmpty() {\n+\t\tt.Errorf(\"IsEmpty() = false, want true for CISA-only alert dict\")\n+\t}\n+\tif got := a.FormatSource(); got != \"\" {\n+\t\tt.Errorf(\"FormatSource() = %q, want empty source for CISA-only alert dict\", got)\n+\t}\n+\n+\ta.USCERT = []Alert{{Title: \"uscert\"}}\n+\tif a.IsEmpty() {\n+\t\tt.Errorf(\"IsEmpty() = true, want false for CERT alert dict\")\n+\t}\n+\tif got, want := a.FormatSource(), \"CERT\"; got != want {\n+\t\tt.Errorf(\"FormatSource() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputSortsKEVs(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {KEVs: []KEV{\n+\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t}},\n+\t}}\n+\n+\tr.SortForJSONOutput()\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Fatalf(\"KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..6cf2b38 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &amp;lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &amp;lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..6a3df97 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents CISA KEV catalog entries.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType represents VulnCheck KEV entries.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +962,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..3aa23ae 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,8 +566,29 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tsource := \"KEV\"\n+\t\t\tswitch kev.Type {\n+\t\t\tcase models.CISAKEVType:\n+\t\t\t\tsource = \"CISA KEV\"\n+\t\t\tcase models.VulnCheckKEVType:\n+\t\t\t\tsource = \"VulnCheck KEV\"\n+\t\t\t}\n+\t\t\tif kev.CISA != nil &amp;amp;&amp;amp; kev.CISA.Note != \"\" {\n+\t\t\t\tdata = append(data, []string{source, kev.CISA.Note})\n+\t\t\t}\n+\t\t\tif kev.VulnCheck != nil {\n+\t\t\t\tfor _, xdb := range kev.VulnCheck.XDB {\n+\t\t\t\t\tif xdb.XDBURL != \"\" {\n+\t\t\t\t\t\tdata = append(data, []string{source, xdb.XDBURL})\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t\tfor _, exploitation := range kev.VulnCheck.ReportedExploitation {\n+\t\t\t\t\tif exploitation.URL != \"\" {\n+\t\t\t\t\t\tdata = append(data, []string{source, exploitation.URL})\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample-kev-result.json b/sample-kev-result.json\nnew file mode 100644\nindex 0000000..005e83b\n--- /dev/null\n+++ b/sample-kev-result.json\n@@ -0,0 +1,58 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scannedVersion\": \"vuls-example\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing the first-class KEV JSON shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing VulnCheck KEV details.\",\n+          \"requiredAction\": \"Review exploitation evidence and remediate.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/vulncheck/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/research.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/advisory/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T18:57:42.627830Z"}</description>
      <content:encoded>{"uuid": "d33ff251-4fed-4ba0-838c-38aba26d6057", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/1263fa8ea1c9d2bdbbb4410ed0273673", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..c8a5ae7 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data through go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -166,6 +169,18 @@ Vuls has some options to detect the vulnerabilities\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \n+## KEV Reporting Example\n+\n+Use `config.toml.example` as a redacted starting point for enabling KEV reporting with go-kev. The KEV database is configured with the `[kevuln]` section:\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+```\n+\n+The report JSON exposes KEV information on each vulnerability under `scannedCves..kevs`. See `sample-kev-result.json` for a synthetic redacted scan result containing both CISA and VulnCheck KEV entries.\n+\n ----\n \n ## What Vuls Doesn't Do\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..ed5b6b5\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,36 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..45568db 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -5,7 +5,10 @@ package detector\n \n import (\n \t\"encoding/json\"\n+\t\"fmt\"\n \t\"net/http\"\n+\t\"reflect\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +82,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;amp;&amp;amp; len(kevulns) &amp;gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulns(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulns(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,181 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tv := reflect.ValueOf(kevuln)\n+\t\tkevs = append(kevs, models.KEV{\n+\t\t\tType:                       toKEVType(stringField(v, \"Type\", \"Source\")),\n+\t\t\tVendorProject:              stringField(v, \"VendorProject\", \"Vendor\", \"Project\"),\n+\t\t\tProduct:                    stringField(v, \"Product\"),\n+\t\t\tVulnerabilityName:          stringField(v, \"VulnerabilityName\", \"Name\"),\n+\t\t\tShortDescription:           stringField(v, \"ShortDescription\", \"Description\"),\n+\t\t\tRequiredAction:             stringField(v, \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: stringField(v, \"KnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  timeField(v, \"DateAdded\"),\n+\t\t\tDueDate:                    timePtrField(v, \"DueDate\"),\n+\t\t\tCISA:                       cisaKEVField(v),\n+\t\t\tVulnCheck:                  vulnCheckKEVField(v),\n+\t\t})\n+\t}\n+\treturn kevs\n+}\n+\n+func toKEVType(source string) models.KEVType {\n+\tswitch strings.ToLower(source) {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\tdefault:\n+\t\treturn models.CISAKEVType\n+\t}\n+}\n+\n+func stringField(v reflect.Value, names ...string) string {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif f.IsValid() {\n+\t\t\tswitch f.Kind() {\n+\t\t\tcase reflect.String:\n+\t\t\t\treturn f.String()\n+\t\t\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:\n+\t\t\t\treturn fmt.Sprint(f.Int())\n+\t\t\tcase reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:\n+\t\t\t\treturn fmt.Sprint(f.Uint())\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func timeField(v reflect.Value, names ...string) time.Time {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif f.IsValid() &amp;amp;&amp;amp; f.Type() == reflect.TypeOf(time.Time{}) {\n+\t\t\treturn f.Interface().(time.Time)\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func timePtrField(v reflect.Value, names ...string) *time.Time {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif !f.IsValid() {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif f.Type() == reflect.TypeOf(time.Time{}) {\n+\t\t\tt := f.Interface().(time.Time)\n+\t\t\treturn &amp;amp;t\n+\t\t}\n+\t\tif f.Type() == reflect.TypeOf((*time.Time)(nil)) &amp;amp;&amp;amp; !f.IsNil() {\n+\t\t\tt := f.Interface().(*time.Time)\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func cisaKEVField(v reflect.Value) *models.CISAKEV {\n+\tf := fieldByName(v, \"CISA\", \"Cisa\")\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif f.Kind() == reflect.Pointer {\n+\t\tif f.IsNil() {\n+\t\t\treturn nil\n+\t\t}\n+\t\tf = f.Elem()\n+\t}\n+\treturn &amp;amp;models.CISAKEV{Note: stringField(f, \"Note\")}\n+}\n+\n+func vulnCheckKEVField(v reflect.Value) *models.VulnCheckKEV {\n+\tf := fieldByName(v, \"VulnCheck\", \"Vulncheck\")\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif f.Kind() == reflect.Pointer {\n+\t\tif f.IsNil() {\n+\t\t\treturn nil\n+\t\t}\n+\t\tf = f.Elem()\n+\t}\n+\treturn &amp;amp;models.VulnCheckKEV{\n+\t\tXDB:                  vulnCheckXDBField(f),\n+\t\tReportedExploitation: vulnCheckReportedExploitationField(f),\n+\t}\n+}\n+\n+func vulnCheckXDBField(v reflect.Value) []models.VulnCheckXDB {\n+\tf := fieldByName(v, \"XDB\", \"Xdb\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\txdbs := make([]models.VulnCheckXDB, 0, f.Len())\n+\tfor i := 0; i &amp;lt; f.Len(); i++ {\n+\t\titem := f.Index(i)\n+\t\tif item.Kind() == reflect.Pointer {\n+\t\t\tif item.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\titem = item.Elem()\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       stringField(item, \"XDBID\", \"XdbID\", \"ID\"),\n+\t\t\tXDBURL:      stringField(item, \"XDBURL\", \"XdbURL\", \"URL\"),\n+\t\t\tDateAdded:   timeField(item, \"DateAdded\"),\n+\t\t\tExploitType: stringField(item, \"ExploitType\"),\n+\t\t\tCloneSSHURL: stringField(item, \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitationField(v reflect.Value) []models.VulnCheckReportedExploitation {\n+\tf := fieldByName(v, \"ReportedExploitation\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\texploitations := make([]models.VulnCheckReportedExploitation, 0, f.Len())\n+\tfor i := 0; i &amp;lt; f.Len(); i++ {\n+\t\titem := f.Index(i)\n+\t\tif item.Kind() == reflect.Pointer {\n+\t\t\tif item.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\titem = item.Elem()\n+\t\t}\n+\t\texploitations = append(exploitations, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       stringField(item, \"URL\"),\n+\t\t\tDateAdded: timeField(item, \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn exploitations\n+}\n+\n+func fieldByName(v reflect.Value, names ...string) reflect.Value {\n+\tif !v.IsValid() {\n+\t\treturn reflect.Value{}\n+\t}\n+\tif v.Kind() == reflect.Pointer {\n+\t\tif v.IsNil() {\n+\t\t\treturn reflect.Value{}\n+\t\t}\n+\t\tv = v.Elem()\n+\t}\n+\tif v.Kind() != reflect.Struct {\n+\t\treturn reflect.Value{}\n+\t}\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif f.IsValid() &amp;amp;&amp;amp; f.CanInterface() {\n+\t\t\treturn f\n+\t\t}\n+\t}\n+\treturn reflect.Value{}\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/kev_test.go b/models/kev_test.go\nnew file mode 100644\nindex 0000000..651dcc1\n--- /dev/null\n+++ b/models/kev_test.go\n@@ -0,0 +1,92 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\ttests := []struct {\n+\t\tname string\n+\t\tr    ScanResult\n+\t\twant string\n+\t}{\n+\t\t{\n+\t\t\tname: \"counts cves with kev entries\",\n+\t\t\tr: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\t\"CVE-0000-0002\": {},\n+\t\t\t\t\"CVE-0000-0003\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t}},\n+\t\t\twant: \"2 kevs\",\n+\t\t},\n+\t\t{\n+\t\t\tname: \"empty\",\n+\t\t\tr:    ScanResult{ScannedCves: VulnInfos{}},\n+\t\t\twant: \"0 kevs\",\n+\t\t},\n+\t}\n+\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tif got := tt.r.FormatKEVCveSummary(); got != tt.want {\n+\t\t\t\tt.Errorf(\"FormatKEVCveSummary() = %q, want %q\", got, tt.want)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n+\n+func TestScanResult_FormatAlertSummaryExcludesCISA(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {AlertDict: AlertDict{\n+\t\t\tCISA:   []Alert{{Title: \"old kev alert\"}},\n+\t\t\tUSCERT: []Alert{{Title: \"uscert-1\"}},\n+\t\t\tJPCERT: []Alert{{Title: \"jpcert-1\"}, {Title: \"jpcert-2\"}},\n+\t\t}},\n+\t}}\n+\n+\tif got, want := r.FormatAlertSummary(), \"uscert: 1, jpcert: 2 alerts\"; got != want {\n+\t\tt.Errorf(\"FormatAlertSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestAlertDict_CISAIgnoredForGenericAlertState(t *testing.T) {\n+\ta := AlertDict{CISA: []Alert{{Title: \"old kev alert\"}}}\n+\n+\tif !a.IsEmpty() {\n+\t\tt.Errorf(\"IsEmpty() = false, want true for CISA-only alert dict\")\n+\t}\n+\tif got := a.FormatSource(); got != \"\" {\n+\t\tt.Errorf(\"FormatSource() = %q, want empty source for CISA-only alert dict\", got)\n+\t}\n+\n+\ta.USCERT = []Alert{{Title: \"uscert\"}}\n+\tif a.IsEmpty() {\n+\t\tt.Errorf(\"IsEmpty() = true, want false for CERT alert dict\")\n+\t}\n+\tif got, want := a.FormatSource(), \"CERT\"; got != want {\n+\t\tt.Errorf(\"FormatSource() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputSortsKEVs(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {KEVs: []KEV{\n+\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t}},\n+\t}}\n+\n+\tr.SortForJSONOutput()\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Fatalf(\"KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..6cf2b38 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &amp;lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &amp;lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..6a3df97 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents CISA KEV catalog entries.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType represents VulnCheck KEV entries.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +962,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..3aa23ae 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,8 +566,29 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tsource := \"KEV\"\n+\t\t\tswitch kev.Type {\n+\t\t\tcase models.CISAKEVType:\n+\t\t\t\tsource = \"CISA KEV\"\n+\t\t\tcase models.VulnCheckKEVType:\n+\t\t\t\tsource = \"VulnCheck KEV\"\n+\t\t\t}\n+\t\t\tif kev.CISA != nil &amp;amp;&amp;amp; kev.CISA.Note != \"\" {\n+\t\t\t\tdata = append(data, []string{source, kev.CISA.Note})\n+\t\t\t}\n+\t\t\tif kev.VulnCheck != nil {\n+\t\t\t\tfor _, xdb := range kev.VulnCheck.XDB {\n+\t\t\t\t\tif xdb.XDBURL != \"\" {\n+\t\t\t\t\t\tdata = append(data, []string{source, xdb.XDBURL})\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t\tfor _, exploitation := range kev.VulnCheck.ReportedExploitation {\n+\t\t\t\t\tif exploitation.URL != \"\" {\n+\t\t\t\t\t\tdata = append(data, []string{source, exploitation.URL})\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample-kev-result.json b/sample-kev-result.json\nnew file mode 100644\nindex 0000000..005e83b\n--- /dev/null\n+++ b/sample-kev-result.json\n@@ -0,0 +1,58 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scannedVersion\": \"vuls-example\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing the first-class KEV JSON shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing VulnCheck KEV details.\",\n+          \"requiredAction\": \"Review exploitation evidence and remediate.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/vulncheck/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/research.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/advisory/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T18:57:42.627830Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/d33ff251-4fed-4ba0-838c-38aba26d6057/export</guid>
      <pubDate>Fri, 03 Jul 2026 18:57:42 +0000</pubDate>
    </item>
    <item>
      <title>cf61058a-6d79-48f0-ba1c-2a5aa4f5278d</title>
      <link>https://vulnerability.circl.lu/sighting/cf61058a-6d79-48f0-ba1c-2a5aa4f5278d/export</link>
      <description>{"uuid": "cf61058a-6d79-48f0-ba1c-2a5aa4f5278d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/b406807432d2ab4699665d06f95c5feb", "content": "diff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..31a7f05\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,90 @@\n+# Vuls - VULnerability Scanner\n+# Example configuration file\n+#\n+# Copy this file to config.toml and edit it to match your environment.\n+# All values below are PLACEHOLDERS \u2014 replace them with your actual settings.\n+#\n+# Documentation: https://vuls.io/docs/en/config.toml.html\n+\n+# [default]\n+# port = \"22\"\n+# user = \"scan-user\"\n+# keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+# keyPassword = \"REPLACE_WITH_SSH_KEY_PASSPHRASE\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"   # Replace with target host IP or hostname\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+# keyPassword = \"REPLACE_WITH_SSH_KEY_PASSPHRASE\"\n+# scanMode = [\"fast\"]\n+\n+# Vulnerability dictionary databases\n+# See: https://vuls.io/docs/en/usage-settings.html\n+\n+[cveDict]\n+type = \"sqlite3\"\n+# SQLite3 path or URL for go-cve-dictionary\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+# url = \"http://127.0.0.1:1323\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# KEV (Known Exploited Vulnerabilities) \u2014 CISA &amp;amp; VulnCheck\n+# This enables KEV detection so that vulnerabilities listed in the\n+# CISA KEV catalog are flagged with first-class KEV data in scan results.\n+# See: https://vuls.io/docs/en/usage-report.html\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+# Alternatively, fetch via HTTP from a running go-kev server:\n+# type = \"http\"\n+# url = \"http://127.0.0.1:1326\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# --- Notification settings (all optional) ---\n+\n+# [slack]\n+# hookURL = \"https://hooks.slack.com/services/REPLACE/WITH/TOKEN\"\n+# channel = \"#vuls-notifications\"\n+# authUser = \"vuls\"\n+\n+# [email]\n+# smtpAddr = \"smtp.example.com\"\n+# smtpPort = \"587\"\n+# user = \"vuls@example.com\"\n+# password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+# from = \"vuls@example.com\"\n+# to = [\"admin@example.com\"]\n+\n+# [chatwork]\n+# room = \"123456789\"\n+# apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+\n+# [http]\n+# url = \"http://127.0.0.1:11234\"\n+\n+# [syslog]\n+# protocol = \"tcp\"\n+# host = \"127.0.0.1\"\n+# port = \"514\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..fb9d192 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,27 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tdueDate := k.DueDate\n+\t\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\t\tCISA:                       &amp;amp;models.CISAKEV{Note: k.Notes},\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +117,21 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tdueDate := k.DueDate\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\tCISA:                       &amp;amp;models.CISAKEV{Note: k.Notes},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ca11565 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,13 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kevs.json b/models/testdata/sample_kevs.json\nnew file mode 100644\nindex 0000000..643bbe6\n--- /dev/null\n+++ b/models/testdata/sample_kevs.json\n@@ -0,0 +1,79 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/security/advisory-0001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/XDB-0001\",\n+                \"dateAdded\": \"2024-01-12T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@github.com:example/poc-CVE-0000-0001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-report/CVE-0000-0001\",\n+                \"dateAdded\": \"2024-01-11T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-lib\",\n+          \"fixedIn\": \"2.0.1-1\"\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-03-01T00:00:00Z\",\n+          \"dueDate\": \"2024-03-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..8503450 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,28 +911,80 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n+// CISA KEV data is no longer reported through this struct;\n+// use VulnInfo.KEVs instead.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n-// IsEmpty checks if the content of AlertDict is empty\n+// IsEmpty checks if the content of AlertDict is empty.\n+// CISA alerts are excluded; KEV data is tracked via VulnInfo.KEVs.\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n-// FormatSource returns which source has this alert\n+// FormatSource returns which source has this alert.\n+// CISA alerts are excluded; KEV data is tracked via VulnInfo.KEVs.\n func (a AlertDict) FormatSource() string {\n-\tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n-\t\ts = append(s, \"CERT\")\n+\t\treturn \"CERT\"\n \t}\n-\treturn strings.Join(s, \"/\")\n+\treturn \"\"\n }\n \n // Confidences is a list of Confidence\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..71016b7 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,8 +565,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..982cbef 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV (Known Exploited Vulnerabilities)\",\n+\t\t\t\t\"=====================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T18:57:42.505195Z"}</description>
      <content:encoded>{"uuid": "cf61058a-6d79-48f0-ba1c-2a5aa4f5278d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/b406807432d2ab4699665d06f95c5feb", "content": "diff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..31a7f05\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,90 @@\n+# Vuls - VULnerability Scanner\n+# Example configuration file\n+#\n+# Copy this file to config.toml and edit it to match your environment.\n+# All values below are PLACEHOLDERS \u2014 replace them with your actual settings.\n+#\n+# Documentation: https://vuls.io/docs/en/config.toml.html\n+\n+# [default]\n+# port = \"22\"\n+# user = \"scan-user\"\n+# keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+# keyPassword = \"REPLACE_WITH_SSH_KEY_PASSPHRASE\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"   # Replace with target host IP or hostname\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+# keyPassword = \"REPLACE_WITH_SSH_KEY_PASSPHRASE\"\n+# scanMode = [\"fast\"]\n+\n+# Vulnerability dictionary databases\n+# See: https://vuls.io/docs/en/usage-settings.html\n+\n+[cveDict]\n+type = \"sqlite3\"\n+# SQLite3 path or URL for go-cve-dictionary\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+# url = \"http://127.0.0.1:1323\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# KEV (Known Exploited Vulnerabilities) \u2014 CISA &amp;amp; VulnCheck\n+# This enables KEV detection so that vulnerabilities listed in the\n+# CISA KEV catalog are flagged with first-class KEV data in scan results.\n+# See: https://vuls.io/docs/en/usage-report.html\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+# Alternatively, fetch via HTTP from a running go-kev server:\n+# type = \"http\"\n+# url = \"http://127.0.0.1:1326\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# --- Notification settings (all optional) ---\n+\n+# [slack]\n+# hookURL = \"https://hooks.slack.com/services/REPLACE/WITH/TOKEN\"\n+# channel = \"#vuls-notifications\"\n+# authUser = \"vuls\"\n+\n+# [email]\n+# smtpAddr = \"smtp.example.com\"\n+# smtpPort = \"587\"\n+# user = \"vuls@example.com\"\n+# password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+# from = \"vuls@example.com\"\n+# to = [\"admin@example.com\"]\n+\n+# [chatwork]\n+# room = \"123456789\"\n+# apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+\n+# [http]\n+# url = \"http://127.0.0.1:11234\"\n+\n+# [syslog]\n+# protocol = \"tcp\"\n+# host = \"127.0.0.1\"\n+# port = \"514\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..fb9d192 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,27 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tdueDate := k.DueDate\n+\t\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\t\tCISA:                       &amp;amp;models.CISAKEV{Note: k.Notes},\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +117,21 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tdueDate := k.DueDate\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\tCISA:                       &amp;amp;models.CISAKEV{Note: k.Notes},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ca11565 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,13 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kevs.json b/models/testdata/sample_kevs.json\nnew file mode 100644\nindex 0000000..643bbe6\n--- /dev/null\n+++ b/models/testdata/sample_kevs.json\n@@ -0,0 +1,79 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/security/advisory-0001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/XDB-0001\",\n+                \"dateAdded\": \"2024-01-12T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@github.com:example/poc-CVE-0000-0001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-report/CVE-0000-0001\",\n+                \"dateAdded\": \"2024-01-11T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-lib\",\n+          \"fixedIn\": \"2.0.1-1\"\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-03-01T00:00:00Z\",\n+          \"dueDate\": \"2024-03-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..8503450 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,28 +911,80 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n+// CISA KEV data is no longer reported through this struct;\n+// use VulnInfo.KEVs instead.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n-// IsEmpty checks if the content of AlertDict is empty\n+// IsEmpty checks if the content of AlertDict is empty.\n+// CISA alerts are excluded; KEV data is tracked via VulnInfo.KEVs.\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n-// FormatSource returns which source has this alert\n+// FormatSource returns which source has this alert.\n+// CISA alerts are excluded; KEV data is tracked via VulnInfo.KEVs.\n func (a AlertDict) FormatSource() string {\n-\tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n-\t\ts = append(s, \"CERT\")\n+\t\treturn \"CERT\"\n \t}\n-\treturn strings.Join(s, \"/\")\n+\treturn \"\"\n }\n \n // Confidences is a list of Confidence\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..71016b7 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,8 +565,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..982cbef 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV (Known Exploited Vulnerabilities)\",\n+\t\t\t\t\"=====================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T18:57:42.505195Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/cf61058a-6d79-48f0-ba1c-2a5aa4f5278d/export</guid>
      <pubDate>Fri, 03 Jul 2026 18:57:42 +0000</pubDate>
    </item>
    <item>
      <title>1ef3907b-7ab3-4168-a758-d41d4ce82487</title>
      <link>https://vulnerability.circl.lu/sighting/1ef3907b-7ab3-4168-a758-d41d4ce82487/export</link>
      <description>{"uuid": "1ef3907b-7ab3-4168-a758-d41d4ce82487", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/bf5a07af21818760cf4f439ed75dfe0a", "content": "diff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..30fed1a\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,89 @@\n+# Vuls example configuration file\n+# Copy this file to config.toml and edit the values for your environment.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# ----- Vulnerability Dictionary Databases -----\n+\n+# NVD / JVN CVE dictionary\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+# OVAL dictionary\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+# gost (Security Tracker)\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+# go-exploitdb\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+# Metasploit\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# Known Exploited Vulnerabilities (CISA / VulnCheck KEV)\n+# This enables KEV reporting as a first-class field on each vulnerability.\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+# MITRE ATT&amp;amp;CK / CAPEC Cyber Threat Intelligence\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# ----- Notification Channels -----\n+\n+# Slack notifications\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/YOUR/WEBHOOK/TOKEN\"\n+channel = \"#vuls-notifications\"\n+authUser = \"vuls\"\n+\n+# Email notifications\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"vuls@example.com\"\n+password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+from = \"vuls@example.com\"\n+to = [\"admin@example.com\"]\n+\n+# ChatWork notifications\n+[chatWork]\n+apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+room = \"12345678\"\n+\n+# ----- Default Server Settings -----\n+\n+[default]\n+port = \"22\"\n+user = \"vuls-scan-user\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\n+\n+# ----- Scan Targets -----\n+\n+# Example Linux server\n+[servers.example-server]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\n+\n+# Example server with CPE-based scanning for non-OS packages\n+[servers.example-appliance]\n+host = \"192.0.2.2\"\n+type = \"pseudo\"\n+cpeNames = [\n+    \"cpe:/a:example:product:1.0\",\n+]\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ec9b7eb 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..cef4b1d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,6 +911,58 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..72499b0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\ndiff --git a/testdata/sample_kev_scan.json b/testdata/sample_kev_scan.json\nnew file mode 100644\nindex 0000000..4bdeae0\n--- /dev/null\n+++ b/testdata/sample_kev_scan.json\n@@ -0,0 +1,88 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"redhat\",\n+  \"release\": \"9\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-lib\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/CVE-0000-0001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/XDB-0001\",\n+                \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@github.example.com:exploits/CVE-0000-0001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-report/CVE-0000-0001\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-util\",\n+          \"notFixedYet\": true\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleUtil\",\n+          \"vulnerabilityName\": \"ExampleUtil Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"ExampleUtil contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-03-01T00:00:00Z\",\n+          \"dueDate\": \"2026-03-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n", "creation_timestamp": "2026-07-03T16:13:56.663876Z"}</description>
      <content:encoded>{"uuid": "1ef3907b-7ab3-4168-a758-d41d4ce82487", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/bf5a07af21818760cf4f439ed75dfe0a", "content": "diff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..30fed1a\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,89 @@\n+# Vuls example configuration file\n+# Copy this file to config.toml and edit the values for your environment.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# ----- Vulnerability Dictionary Databases -----\n+\n+# NVD / JVN CVE dictionary\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+# OVAL dictionary\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+# gost (Security Tracker)\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+# go-exploitdb\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+# Metasploit\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# Known Exploited Vulnerabilities (CISA / VulnCheck KEV)\n+# This enables KEV reporting as a first-class field on each vulnerability.\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+# MITRE ATT&amp;amp;CK / CAPEC Cyber Threat Intelligence\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# ----- Notification Channels -----\n+\n+# Slack notifications\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/YOUR/WEBHOOK/TOKEN\"\n+channel = \"#vuls-notifications\"\n+authUser = \"vuls\"\n+\n+# Email notifications\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"vuls@example.com\"\n+password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+from = \"vuls@example.com\"\n+to = [\"admin@example.com\"]\n+\n+# ChatWork notifications\n+[chatWork]\n+apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+room = \"12345678\"\n+\n+# ----- Default Server Settings -----\n+\n+[default]\n+port = \"22\"\n+user = \"vuls-scan-user\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\n+\n+# ----- Scan Targets -----\n+\n+# Example Linux server\n+[servers.example-server]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\n+\n+# Example server with CPE-based scanning for non-OS packages\n+[servers.example-appliance]\n+host = \"192.0.2.2\"\n+type = \"pseudo\"\n+cpeNames = [\n+    \"cpe:/a:example:product:1.0\",\n+]\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ec9b7eb 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..cef4b1d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,6 +911,58 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..72499b0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\ndiff --git a/testdata/sample_kev_scan.json b/testdata/sample_kev_scan.json\nnew file mode 100644\nindex 0000000..4bdeae0\n--- /dev/null\n+++ b/testdata/sample_kev_scan.json\n@@ -0,0 +1,88 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"redhat\",\n+  \"release\": \"9\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-lib\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/CVE-0000-0001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/XDB-0001\",\n+                \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@github.example.com:exploits/CVE-0000-0001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-report/CVE-0000-0001\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-util\",\n+          \"notFixedYet\": true\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleUtil\",\n+          \"vulnerabilityName\": \"ExampleUtil Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"ExampleUtil contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-03-01T00:00:00Z\",\n+          \"dueDate\": \"2026-03-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n", "creation_timestamp": "2026-07-03T16:13:56.663876Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/1ef3907b-7ab3-4168-a758-d41d4ce82487/export</guid>
      <pubDate>Fri, 03 Jul 2026 16:13:56 +0000</pubDate>
    </item>
    <item>
      <title>09d6d8e3-35b7-4f07-80a7-2f5cfad660d2</title>
      <link>https://vulnerability.circl.lu/sighting/09d6d8e3-35b7-4f07-80a7-2f5cfad660d2/export</link>
      <description>{"uuid": "09d6d8e3-35b7-4f07-80a7-2f5cfad660d2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/58deef2a32dde82375b4ad31f234dea0", "content": "diff --git a/README.md b/README.md\nindex 57102d1..71b5fe3 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,12 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Example Configuration\n+\n+Use `config.toml.example` as a synthetic starting point for enabling KEV reporting via `go-kev`. It includes a `[kevuln]` SQLite configuration and placeholder scan target values only; replace paths, users, and hosts before use.\n+\n+`sample-scan-result-kev.json` shows the new `scannedCves.*.kevs` output shape for CISA and VulnCheck KEV entries with redacted sample data.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..5e9d067\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,42 @@\n+# Synthetic Vuls configuration with KEV reporting enabled.\n+# Copy to config.toml and replace all placeholder paths and hosts before use.\n+\n+resultsDir = \"/var/lib/vuls/results\"\n+lang = \"en\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cve-dictionary.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/goval-dictionary.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..c84d57d 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -78,22 +78,16 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulnsToModel(kevulns)...)\n \t\t\t\tnKEV++\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulnsToModel(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,59 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulnsToModel(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tbs, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tvar raw struct {\n+\t\t\tType                       models.KEVType       `json:\"type,omitempty\"`\n+\t\t\tVendorProject              string               `json:\"vendorProject,omitempty\"`\n+\t\t\tProduct                    string               `json:\"product,omitempty\"`\n+\t\t\tVulnerabilityName          string               `json:\"vulnerabilityName,omitempty\"`\n+\t\t\tShortDescription           string               `json:\"shortDescription,omitempty\"`\n+\t\t\tRequiredAction             string               `json:\"requiredAction,omitempty\"`\n+\t\t\tKnownRansomwareCampaignUse string               `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\t\t\tDateAdded                  time.Time            `json:\"dateAdded,omitempty\"`\n+\t\t\tDueDate                    *time.Time           `json:\"dueDate,omitempty\"`\n+\t\t\tNotes                      string               `json:\"notes,omitempty\"`\n+\t\t\tNote                       string               `json:\"note,omitempty\"`\n+\t\t\tCISA                       *models.CISAKEV      `json:\"cisa,omitempty\"`\n+\t\t\tVulnCheck                  *models.VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+\t\t}\n+\t\tif err := json.Unmarshal(bs, &amp;amp;raw); err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       raw.Type,\n+\t\t\tVendorProject:              raw.VendorProject,\n+\t\t\tProduct:                    raw.Product,\n+\t\t\tVulnerabilityName:          raw.VulnerabilityName,\n+\t\t\tShortDescription:           raw.ShortDescription,\n+\t\t\tRequiredAction:             raw.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: raw.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  raw.DateAdded,\n+\t\t\tDueDate:                    raw.DueDate,\n+\t\t\tCISA:                       raw.CISA,\n+\t\t\tVulnCheck:                  raw.VulnCheck,\n+\t\t}\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tif kev.CISA == nil &amp;amp;&amp;amp; kev.Type == models.CISAKEVType {\n+\t\t\tkev.CISA = &amp;amp;models.CISAKEV{Note: raw.Note}\n+\t\t\tif kev.CISA.Note == \"\" {\n+\t\t\t\tkev.CISA.Note = raw.Notes\n+\t\t\t}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..80359c6 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &amp;lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &amp;lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &amp;lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..8aa7c35\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,73 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {CveID: \"CVE-0000-0001\", KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {CveID: \"CVE-0000-0002\", KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-0000-0003\": {CveID: \"CVE-0000-0003\"},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Fatalf(\"FormatKEVCveSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tCveID: \"CVE-0000-0001\",\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t}\n+\tif len(got) != len(want) {\n+\t\tt.Fatalf(\"len(KEVs) = %d, want %d\", len(got), len(want))\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Fatalf(\"KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\n+\n+func TestScanResult_FormatAlertSummaryIgnoresLegacyCISA(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tAlertDict: AlertDict{\n+\t\t\t\t\tCISA:   []Alert{{Title: \"legacy cisa\"}},\n+\t\t\t\t\tUSCERT: []Alert{{Title: \"uscert\"}},\n+\t\t\t\t\tJPCERT: []Alert{{Title: \"jpcert\"}},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatAlertSummary(), \"uscert: 1, jpcert: 1 alerts\"; got != want {\n+\t\tt.Fatalf(\"FormatAlertSummary() = %q, want %q\", got, want)\n+\t}\n+\tif got, want := r.ScannedCves[\"CVE-0000-0001\"].AlertDict.FormatSource(), \"CERT\"; got != want {\n+\t\tt.Fatalf(\"FormatSource() = %q, want %q\", got, want)\n+\t}\n+\tif r.ScannedCves[\"CVE-0000-0001\"].AlertDict.IsEmpty() {\n+\t\tt.Fatal(\"IsEmpty() = true, want false\")\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..b4986cf 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -277,6 +278,58 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType is a Known Exploited Vulnerabilities source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV catalog source.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation evidence.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,24 +963,22 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\t// CISA is kept only for reading legacy JSON. KEV data is reported via VulnInfo.KEVs.\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..703e9c8 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-scan-result-kev.json b/sample-scan-result-kev.json\nnew file mode 100644\nindex 0000000..02b7457\n--- /dev/null\n+++ b/sample-scan-result-kev.json\n@@ -0,0 +1,76 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"ipv4Addrs\": [\"192.0.2.10\"],\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry showing the CISA shape in scan output.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry showing the VulnCheck shape in scan output.\",\n+          \"requiredAction\": \"Review exploitation evidence and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.0.1\"\n+        }\n+      ],\n+      \"alertDict\": {}\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T15:14:59.246591Z"}</description>
      <content:encoded>{"uuid": "09d6d8e3-35b7-4f07-80a7-2f5cfad660d2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/58deef2a32dde82375b4ad31f234dea0", "content": "diff --git a/README.md b/README.md\nindex 57102d1..71b5fe3 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,12 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Example Configuration\n+\n+Use `config.toml.example` as a synthetic starting point for enabling KEV reporting via `go-kev`. It includes a `[kevuln]` SQLite configuration and placeholder scan target values only; replace paths, users, and hosts before use.\n+\n+`sample-scan-result-kev.json` shows the new `scannedCves.*.kevs` output shape for CISA and VulnCheck KEV entries with redacted sample data.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..5e9d067\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,42 @@\n+# Synthetic Vuls configuration with KEV reporting enabled.\n+# Copy to config.toml and replace all placeholder paths and hosts before use.\n+\n+resultsDir = \"/var/lib/vuls/results\"\n+lang = \"en\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cve-dictionary.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/goval-dictionary.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..c84d57d 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -78,22 +78,16 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulnsToModel(kevulns)...)\n \t\t\t\tnKEV++\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulnsToModel(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,59 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulnsToModel(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tbs, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tvar raw struct {\n+\t\t\tType                       models.KEVType       `json:\"type,omitempty\"`\n+\t\t\tVendorProject              string               `json:\"vendorProject,omitempty\"`\n+\t\t\tProduct                    string               `json:\"product,omitempty\"`\n+\t\t\tVulnerabilityName          string               `json:\"vulnerabilityName,omitempty\"`\n+\t\t\tShortDescription           string               `json:\"shortDescription,omitempty\"`\n+\t\t\tRequiredAction             string               `json:\"requiredAction,omitempty\"`\n+\t\t\tKnownRansomwareCampaignUse string               `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\t\t\tDateAdded                  time.Time            `json:\"dateAdded,omitempty\"`\n+\t\t\tDueDate                    *time.Time           `json:\"dueDate,omitempty\"`\n+\t\t\tNotes                      string               `json:\"notes,omitempty\"`\n+\t\t\tNote                       string               `json:\"note,omitempty\"`\n+\t\t\tCISA                       *models.CISAKEV      `json:\"cisa,omitempty\"`\n+\t\t\tVulnCheck                  *models.VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+\t\t}\n+\t\tif err := json.Unmarshal(bs, &amp;amp;raw); err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       raw.Type,\n+\t\t\tVendorProject:              raw.VendorProject,\n+\t\t\tProduct:                    raw.Product,\n+\t\t\tVulnerabilityName:          raw.VulnerabilityName,\n+\t\t\tShortDescription:           raw.ShortDescription,\n+\t\t\tRequiredAction:             raw.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: raw.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  raw.DateAdded,\n+\t\t\tDueDate:                    raw.DueDate,\n+\t\t\tCISA:                       raw.CISA,\n+\t\t\tVulnCheck:                  raw.VulnCheck,\n+\t\t}\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tif kev.CISA == nil &amp;amp;&amp;amp; kev.Type == models.CISAKEVType {\n+\t\t\tkev.CISA = &amp;amp;models.CISAKEV{Note: raw.Note}\n+\t\t\tif kev.CISA.Note == \"\" {\n+\t\t\t\tkev.CISA.Note = raw.Notes\n+\t\t\t}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..80359c6 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &amp;lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &amp;lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &amp;lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..8aa7c35\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,73 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {CveID: \"CVE-0000-0001\", KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {CveID: \"CVE-0000-0002\", KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-0000-0003\": {CveID: \"CVE-0000-0003\"},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Fatalf(\"FormatKEVCveSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tCveID: \"CVE-0000-0001\",\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t}\n+\tif len(got) != len(want) {\n+\t\tt.Fatalf(\"len(KEVs) = %d, want %d\", len(got), len(want))\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Fatalf(\"KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\n+\n+func TestScanResult_FormatAlertSummaryIgnoresLegacyCISA(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tAlertDict: AlertDict{\n+\t\t\t\t\tCISA:   []Alert{{Title: \"legacy cisa\"}},\n+\t\t\t\t\tUSCERT: []Alert{{Title: \"uscert\"}},\n+\t\t\t\t\tJPCERT: []Alert{{Title: \"jpcert\"}},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatAlertSummary(), \"uscert: 1, jpcert: 1 alerts\"; got != want {\n+\t\tt.Fatalf(\"FormatAlertSummary() = %q, want %q\", got, want)\n+\t}\n+\tif got, want := r.ScannedCves[\"CVE-0000-0001\"].AlertDict.FormatSource(), \"CERT\"; got != want {\n+\t\tt.Fatalf(\"FormatSource() = %q, want %q\", got, want)\n+\t}\n+\tif r.ScannedCves[\"CVE-0000-0001\"].AlertDict.IsEmpty() {\n+\t\tt.Fatal(\"IsEmpty() = true, want false\")\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..b4986cf 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -277,6 +278,58 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType is a Known Exploited Vulnerabilities source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV catalog source.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation evidence.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,24 +963,22 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\t// CISA is kept only for reading legacy JSON. KEV data is reported via VulnInfo.KEVs.\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..703e9c8 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-scan-result-kev.json b/sample-scan-result-kev.json\nnew file mode 100644\nindex 0000000..02b7457\n--- /dev/null\n+++ b/sample-scan-result-kev.json\n@@ -0,0 +1,76 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"ipv4Addrs\": [\"192.0.2.10\"],\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry showing the CISA shape in scan output.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry showing the VulnCheck shape in scan output.\",\n+          \"requiredAction\": \"Review exploitation evidence and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.0.1\"\n+        }\n+      ],\n+      \"alertDict\": {}\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T15:14:59.246591Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/09d6d8e3-35b7-4f07-80a7-2f5cfad660d2/export</guid>
      <pubDate>Fri, 03 Jul 2026 15:14:59 +0000</pubDate>
    </item>
    <item>
      <title>7778ec4f-3a5d-487e-ad58-16bc809fd2be</title>
      <link>https://vulnerability.circl.lu/sighting/7778ec4f-3a5d-487e-ad58-16bc809fd2be/export</link>
      <description>{"uuid": "7778ec4f-3a5d-487e-ad58-16bc809fd2be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/f1cdb10bf413a796b61ebd49200001b6", "content": "diff --git a/README.md b/README.md\nindex 57102d1..1f2116e 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data through go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,12 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Example Configuration\n+\n+Use `examples/config.toml.example` as a redacted starting point for enabling database-backed reporting, including KEV enrichment via the `[kevuln]` section. The example uses placeholder hosts and paths only; do not publish values from a live `config.toml` because it may contain credentials.\n+\n+A synthetic scan-result sample showing the first-class `kevs` field is available at `examples/kev-scan-result.json`.\n+\n ----\n \n ## Authors\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..80b3d08 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -17,7 +18,6 @@ import (\n \t\"github.com/future-architect/vuls/models\"\n \t\"github.com/future-architect/vuls/util\"\n \tkevulndb \"github.com/vulsio/go-kev/db\"\n-\tkevulnmodels \"github.com/vulsio/go-kev/models\"\n \tkevulnlog \"github.com/vulsio/go-kev/utils\"\n )\n \n@@ -74,23 +74,18 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n+\t\t\tkevulns := []map[string]json.RawMessage{}\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;amp;&amp;amp; len(kevs) &amp;gt; 0 {\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +118,132 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(src any) ([]models.KEV, error) {\n+\tb, err := json.Marshal(src)\n+\tif err != nil {\n+\t\treturn nil, err\n+\t}\n+\tvar raws []map[string]json.RawMessage\n+\tif err := json.Unmarshal(b, &amp;amp;raws); err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType(raw),\n+\t\t\tVendorProject:              rawString(raw, \"vendorProject\", \"vendor_project\", \"VendorProject\"),\n+\t\t\tProduct:                    rawString(raw, \"product\", \"Product\"),\n+\t\t\tVulnerabilityName:          rawString(raw, \"vulnerabilityName\", \"vulnerability_name\", \"VulnerabilityName\"),\n+\t\t\tShortDescription:           rawString(raw, \"shortDescription\", \"short_description\", \"ShortDescription\"),\n+\t\t\tRequiredAction:             rawString(raw, \"requiredAction\", \"required_action\", \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: rawString(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\", \"KnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  rawTime(raw, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t}\n+\t\tif dueDate := rawTime(raw, \"dueDate\", \"due_date\", \"DueDate\"); !dueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;amp;dueDate\n+\t\t}\n+\n+\t\tswitch kev.Type {\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheckXDB(raw),\n+\t\t\t\tReportedExploitation: vulnCheckReportedExploitation(raw),\n+\t\t\t}\n+\t\tdefault:\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t\tkev.CISA = &amp;amp;models.CISAKEV{Note: rawString(raw, \"note\", \"notes\", \"Note\", \"Notes\")}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func kevType(raw map[string]json.RawMessage) models.KEVType {\n+\tt := strings.ToLower(rawString(raw, \"type\", \"source\", \"Type\", \"Source\"))\n+\tswitch t {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := raw[\"xdb\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := raw[\"reportedExploitation\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := raw[\"reported_exploitation\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\treturn models.CISAKEVType\n+}\n+\n+func vulnCheckXDB(raw map[string]json.RawMessage) []models.VulnCheckXDB {\n+\tvar xs []map[string]json.RawMessage\n+\tif !rawValue(raw, &amp;amp;xs, \"xdb\", \"XDB\") {\n+\t\treturn nil\n+\t}\n+\tres := make([]models.VulnCheckXDB, 0, len(xs))\n+\tfor _, x := range xs {\n+\t\tres = append(res, models.VulnCheckXDB{\n+\t\t\tXDBID:       rawString(x, \"xdbID\", \"xdb_id\", \"XDBID\"),\n+\t\t\tXDBURL:      rawString(x, \"xdbURL\", \"xdb_url\", \"XDBURL\"),\n+\t\t\tDateAdded:   rawTime(x, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t\tExploitType: rawString(x, \"exploitType\", \"exploit_type\", \"ExploitType\"),\n+\t\t\tCloneSSHURL: rawString(x, \"cloneSSHURL\", \"clone_ssh_url\", \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn res\n+}\n+\n+func vulnCheckReportedExploitation(raw map[string]json.RawMessage) []models.VulnCheckReportedExploitation {\n+\tvar xs []map[string]json.RawMessage\n+\tif !rawValue(raw, &amp;amp;xs, \"reportedExploitation\", \"reported_exploitation\", \"ReportedExploitation\") {\n+\t\treturn nil\n+\t}\n+\tres := make([]models.VulnCheckReportedExploitation, 0, len(xs))\n+\tfor _, x := range xs {\n+\t\tres = append(res, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       rawString(x, \"url\", \"URL\"),\n+\t\t\tDateAdded: rawTime(x, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn res\n+}\n+\n+func rawString(raw map[string]json.RawMessage, keys ...string) string {\n+\tvar s string\n+\tif rawValue(raw, &amp;amp;s, keys...) {\n+\t\treturn s\n+\t}\n+\treturn \"\"\n+}\n+\n+func rawTime(raw map[string]json.RawMessage, keys ...string) time.Time {\n+\ts := rawString(raw, keys...)\n+\tif s == \"\" {\n+\t\treturn time.Time{}\n+\t}\n+\tfor _, layout := range []string{time.RFC3339Nano, time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func rawValue(raw map[string]json.RawMessage, v any, keys ...string) bool {\n+\tfor _, key := range keys {\n+\t\tb, ok := raw[key]\n+\t\tif !ok || len(b) == 0 || string(b) == \"null\" {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif err := json.Unmarshal(b, v); err == nil {\n+\t\t\treturn true\n+\t\t}\n+\t}\n+\treturn false\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..83118f3\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,39 @@\n+# Synthetic example configuration for enabling KEV enrichment.\n+# Do not copy secrets from a live config.toml into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\ndiff --git a/examples/kev-scan-result.json b/examples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..03cf142\n--- /dev/null\n+++ b/examples/kev-scan-result.json\n@@ -0,0 +1,78 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example; not sourced from production results.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/example-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.0.1\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.0.0\",\n+      \"newVersion\": \"1.0.1\"\n+    }\n+  }\n+}\ndiff --git a/models/kev_test.go b/models/kev_test.go\nnew file mode 100644\nindex 0000000..a2e170c\n--- /dev/null\n+++ b/models/kev_test.go\n@@ -0,0 +1,48 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_SortForJSONOutput_KEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0000\": {\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"beta\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0000\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"beta\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t}\n+\tif len(got) != len(want) {\n+\t\tt.Fatalf(\"got %d KEVs, want %d\", len(got), len(want))\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Errorf(\"got KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-0000-0003\": {},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Errorf(\"got %q, want %q\", got, want)\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ac3f157 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &amp;lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &amp;lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..e090f64 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,24 +911,73 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType is a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                          KEVType        `json:\"type,omitempty\"`\n+\tVendorProject                 string         `json:\"vendorProject,omitempty\"`\n+\tProduct                       string         `json:\"product,omitempty\"`\n+\tVulnerabilityName             string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription              string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse    string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                     time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                       *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                          *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                     *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\t// CISA is deprecated. KEV data is reported through VulnInfo.KEVs.\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..4ad6455 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"%s KEV\", strings.ToUpper(string(kev.Type))), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n@@ -616,7 +617,7 @@ No CVE-IDs are found in updatable packages.\n }\n \n func formatCsvList(r models.ScanResult, path string) error {\n-\tdata := [][]string{{\"CVE-ID\", \"CVSS\", \"Attack\", \"PoC\", \"CERT\", \"Fixed\", \"NVD\"}}\n+\tdata := [][]string{{\"CVE-ID\", \"CVSS\", \"Attack\", \"PoC\", \"KEV\", \"CERT\", \"Fixed\", \"NVD\"}}\n \tfor _, vinfo := range r.ScannedCves.ToSortedSlice() {\n \t\tmax := vinfo.MaxCvssScore().Value.Score\n \n@@ -637,6 +638,7 @@ func formatCsvList(r models.ScanResult, path string) error {\n \t\t\tfmt.Sprintf(\"%4.1f\", max),\n \t\t\tvinfo.AttackVector(),\n \t\t\texploits,\n+\t\t\tfmt.Sprintf(\"%t\", len(vinfo.KEVs) &amp;gt; 0),\n \t\t\tvinfo.AlertDict.FormatSource(),\n \t\t\tvinfo.PatchStatus(r.Packages),\n \t\t\tlink,\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..7b4c278 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV\",\n+\t\t\t\t\"===\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", strings.ToUpper(string(kev.Type)), kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T15:14:58.754466Z"}</description>
      <content:encoded>{"uuid": "7778ec4f-3a5d-487e-ad58-16bc809fd2be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/f1cdb10bf413a796b61ebd49200001b6", "content": "diff --git a/README.md b/README.md\nindex 57102d1..1f2116e 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data through go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,12 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Example Configuration\n+\n+Use `examples/config.toml.example` as a redacted starting point for enabling database-backed reporting, including KEV enrichment via the `[kevuln]` section. The example uses placeholder hosts and paths only; do not publish values from a live `config.toml` because it may contain credentials.\n+\n+A synthetic scan-result sample showing the first-class `kevs` field is available at `examples/kev-scan-result.json`.\n+\n ----\n \n ## Authors\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..80b3d08 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -17,7 +18,6 @@ import (\n \t\"github.com/future-architect/vuls/models\"\n \t\"github.com/future-architect/vuls/util\"\n \tkevulndb \"github.com/vulsio/go-kev/db\"\n-\tkevulnmodels \"github.com/vulsio/go-kev/models\"\n \tkevulnlog \"github.com/vulsio/go-kev/utils\"\n )\n \n@@ -74,23 +74,18 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n+\t\t\tkevulns := []map[string]json.RawMessage{}\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;amp;&amp;amp; len(kevs) &amp;gt; 0 {\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +118,132 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(src any) ([]models.KEV, error) {\n+\tb, err := json.Marshal(src)\n+\tif err != nil {\n+\t\treturn nil, err\n+\t}\n+\tvar raws []map[string]json.RawMessage\n+\tif err := json.Unmarshal(b, &amp;amp;raws); err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType(raw),\n+\t\t\tVendorProject:              rawString(raw, \"vendorProject\", \"vendor_project\", \"VendorProject\"),\n+\t\t\tProduct:                    rawString(raw, \"product\", \"Product\"),\n+\t\t\tVulnerabilityName:          rawString(raw, \"vulnerabilityName\", \"vulnerability_name\", \"VulnerabilityName\"),\n+\t\t\tShortDescription:           rawString(raw, \"shortDescription\", \"short_description\", \"ShortDescription\"),\n+\t\t\tRequiredAction:             rawString(raw, \"requiredAction\", \"required_action\", \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: rawString(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\", \"KnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  rawTime(raw, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t}\n+\t\tif dueDate := rawTime(raw, \"dueDate\", \"due_date\", \"DueDate\"); !dueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;amp;dueDate\n+\t\t}\n+\n+\t\tswitch kev.Type {\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheckXDB(raw),\n+\t\t\t\tReportedExploitation: vulnCheckReportedExploitation(raw),\n+\t\t\t}\n+\t\tdefault:\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t\tkev.CISA = &amp;amp;models.CISAKEV{Note: rawString(raw, \"note\", \"notes\", \"Note\", \"Notes\")}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func kevType(raw map[string]json.RawMessage) models.KEVType {\n+\tt := strings.ToLower(rawString(raw, \"type\", \"source\", \"Type\", \"Source\"))\n+\tswitch t {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := raw[\"xdb\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := raw[\"reportedExploitation\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := raw[\"reported_exploitation\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\treturn models.CISAKEVType\n+}\n+\n+func vulnCheckXDB(raw map[string]json.RawMessage) []models.VulnCheckXDB {\n+\tvar xs []map[string]json.RawMessage\n+\tif !rawValue(raw, &amp;amp;xs, \"xdb\", \"XDB\") {\n+\t\treturn nil\n+\t}\n+\tres := make([]models.VulnCheckXDB, 0, len(xs))\n+\tfor _, x := range xs {\n+\t\tres = append(res, models.VulnCheckXDB{\n+\t\t\tXDBID:       rawString(x, \"xdbID\", \"xdb_id\", \"XDBID\"),\n+\t\t\tXDBURL:      rawString(x, \"xdbURL\", \"xdb_url\", \"XDBURL\"),\n+\t\t\tDateAdded:   rawTime(x, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t\tExploitType: rawString(x, \"exploitType\", \"exploit_type\", \"ExploitType\"),\n+\t\t\tCloneSSHURL: rawString(x, \"cloneSSHURL\", \"clone_ssh_url\", \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn res\n+}\n+\n+func vulnCheckReportedExploitation(raw map[string]json.RawMessage) []models.VulnCheckReportedExploitation {\n+\tvar xs []map[string]json.RawMessage\n+\tif !rawValue(raw, &amp;amp;xs, \"reportedExploitation\", \"reported_exploitation\", \"ReportedExploitation\") {\n+\t\treturn nil\n+\t}\n+\tres := make([]models.VulnCheckReportedExploitation, 0, len(xs))\n+\tfor _, x := range xs {\n+\t\tres = append(res, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       rawString(x, \"url\", \"URL\"),\n+\t\t\tDateAdded: rawTime(x, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn res\n+}\n+\n+func rawString(raw map[string]json.RawMessage, keys ...string) string {\n+\tvar s string\n+\tif rawValue(raw, &amp;amp;s, keys...) {\n+\t\treturn s\n+\t}\n+\treturn \"\"\n+}\n+\n+func rawTime(raw map[string]json.RawMessage, keys ...string) time.Time {\n+\ts := rawString(raw, keys...)\n+\tif s == \"\" {\n+\t\treturn time.Time{}\n+\t}\n+\tfor _, layout := range []string{time.RFC3339Nano, time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func rawValue(raw map[string]json.RawMessage, v any, keys ...string) bool {\n+\tfor _, key := range keys {\n+\t\tb, ok := raw[key]\n+\t\tif !ok || len(b) == 0 || string(b) == \"null\" {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif err := json.Unmarshal(b, v); err == nil {\n+\t\t\treturn true\n+\t\t}\n+\t}\n+\treturn false\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..83118f3\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,39 @@\n+# Synthetic example configuration for enabling KEV enrichment.\n+# Do not copy secrets from a live config.toml into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\ndiff --git a/examples/kev-scan-result.json b/examples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..03cf142\n--- /dev/null\n+++ b/examples/kev-scan-result.json\n@@ -0,0 +1,78 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example; not sourced from production results.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/example-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.0.1\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.0.0\",\n+      \"newVersion\": \"1.0.1\"\n+    }\n+  }\n+}\ndiff --git a/models/kev_test.go b/models/kev_test.go\nnew file mode 100644\nindex 0000000..a2e170c\n--- /dev/null\n+++ b/models/kev_test.go\n@@ -0,0 +1,48 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_SortForJSONOutput_KEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0000\": {\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"beta\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0000\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"beta\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t}\n+\tif len(got) != len(want) {\n+\t\tt.Fatalf(\"got %d KEVs, want %d\", len(got), len(want))\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Errorf(\"got KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-0000-0003\": {},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Errorf(\"got %q, want %q\", got, want)\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ac3f157 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &amp;lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &amp;lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..e090f64 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,24 +911,73 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType is a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                          KEVType        `json:\"type,omitempty\"`\n+\tVendorProject                 string         `json:\"vendorProject,omitempty\"`\n+\tProduct                       string         `json:\"product,omitempty\"`\n+\tVulnerabilityName             string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription              string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse    string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                     time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                       *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                          *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                     *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\t// CISA is deprecated. KEV data is reported through VulnInfo.KEVs.\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..4ad6455 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"%s KEV\", strings.ToUpper(string(kev.Type))), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n@@ -616,7 +617,7 @@ No CVE-IDs are found in updatable packages.\n }\n \n func formatCsvList(r models.ScanResult, path string) error {\n-\tdata := [][]string{{\"CVE-ID\", \"CVSS\", \"Attack\", \"PoC\", \"CERT\", \"Fixed\", \"NVD\"}}\n+\tdata := [][]string{{\"CVE-ID\", \"CVSS\", \"Attack\", \"PoC\", \"KEV\", \"CERT\", \"Fixed\", \"NVD\"}}\n \tfor _, vinfo := range r.ScannedCves.ToSortedSlice() {\n \t\tmax := vinfo.MaxCvssScore().Value.Score\n \n@@ -637,6 +638,7 @@ func formatCsvList(r models.ScanResult, path string) error {\n \t\t\tfmt.Sprintf(\"%4.1f\", max),\n \t\t\tvinfo.AttackVector(),\n \t\t\texploits,\n+\t\t\tfmt.Sprintf(\"%t\", len(vinfo.KEVs) &amp;gt; 0),\n \t\t\tvinfo.AlertDict.FormatSource(),\n \t\t\tvinfo.PatchStatus(r.Packages),\n \t\t\tlink,\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..7b4c278 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV\",\n+\t\t\t\t\"===\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", strings.ToUpper(string(kev.Type)), kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T15:14:58.754466Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/7778ec4f-3a5d-487e-ad58-16bc809fd2be/export</guid>
      <pubDate>Fri, 03 Jul 2026 15:14:58 +0000</pubDate>
    </item>
    <item>
      <title>587b1931-6a78-4f0b-b3a4-be2953a0483c</title>
      <link>https://vulnerability.circl.lu/sighting/587b1931-6a78-4f0b-b3a4-be2953a0483c/export</link>
      <description>{"uuid": "587b1931-6a78-4f0b-b3a4-be2953a0483c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/34fffd9821afd5c9ec50f7981b3267f0", "content": "diff --git a/README.md b/README.md\nindex 57102d1..c63c43c 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV (Known Exploited Vulnerabilities)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -174,6 +175,12 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Configuration\n+\n+An example configuration file is provided at [`config.toml.example`](config.toml.example). Copy it to `config.toml` and edit to match your environment. See [vuls.io](https://vuls.io/docs/en/config.toml.html) for full reference.\n+\n+To enable KEV (Known Exploited Vulnerabilities) reporting, configure the `[kevuln]` section with a path to a go-kev database. KEV entries from CISA and VulnCheck will appear as first-class fields on each vulnerability in the scan output.\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..58e5bc0\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,96 @@\n+# Vuls configuration file example\n+# Copy this file to config.toml and edit to match your environment.\n+# See https://vuls.io/docs/en/config.toml.html for full reference.\n+#\n+# IMPORTANT: Replace all placeholder values before use.\n+# Never commit real credentials to version control.\n+\n+# -------------------------------------------------------------------\n+# Vulnerability dictionary databases\n+# -------------------------------------------------------------------\n+# Each database section supports: type (\"sqlite3\"|\"mysql\"|\"postgres\"|\"redis\"|\"http\"),\n+# url (connection string or HTTP endpoint), sqlite3Path (path to .sqlite3 file).\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# KEV (Known Exploited Vulnerabilities) \u2014 enables CISA/VulnCheck KEV reporting.\n+# Populate this database with go-kev (https://github.com/vulsio/go-kev)\n+# to surface known-exploited vulnerabilities as first-class KEV entries\n+# on each CVE in the scan results.\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# -------------------------------------------------------------------\n+# Notification / output targets (uncomment and configure as needed)\n+# -------------------------------------------------------------------\n+\n+# [slack]\n+# hookURL = \"https://hooks.slack.com/services/YOUR/WEBHOOK/URL\"\n+# channel = \"#vuls-notifications\"\n+# authUser = \"vuls\"\n+# notifyUsers = [\"@admin\"]\n+\n+# [email]\n+# smtpAddr = \"smtp.example.com\"\n+# smtpPort = \"587\"\n+# tlsMode = \"STARTTLS\"\n+# user = \"vuls@example.com\"\n+# password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+# from = \"vuls@example.com\"\n+# to = [\"admin@example.com\"]\n+# subjectPrefix = \"[Vuls]\"\n+\n+# [chatwork]\n+# apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+# room = \"123456\"\n+\n+# [telegram]\n+# token = \"REPLACE_WITH_TELEGRAM_BOT_TOKEN\"\n+# chatID = \"REPLACE_WITH_CHAT_ID\"\n+\n+# -------------------------------------------------------------------\n+# Default scan settings (applied to all servers unless overridden)\n+# -------------------------------------------------------------------\n+[default]\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\n+\n+# -------------------------------------------------------------------\n+# Servers to scan\n+# -------------------------------------------------------------------\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scan-user\"\n+scanMode = [\"fast-root\"]\n+\n+[servers.example-container-host]\n+host = \"192.0.2.2\"\n+containersIncluded = [\"webapp-container\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..81e9925 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,24 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;amp;&amp;amp; len(kevulns) &amp;gt; 0 {\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tdueDate := k.DueDate\n+\t\t\t\t\tkev := models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\t\tCISA:                       &amp;amp;models.CISAKEV{Note: k.Notes},\n+\t\t\t\t\t}\n+\t\t\t\t\tv.KEVs = append(v.KEVs, kev)\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +114,22 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tdueDate := k.DueDate\n+\t\t\t\tkev := models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\tCISA:                       &amp;amp;models.CISAKEV{Note: k.Notes},\n+\t\t\t\t}\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, kev)\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/docs/sample-kev-scanresult.json b/docs/sample-kev-scanresult.json\nnew file mode 100644\nindex 0000000..5ec272a\n--- /dev/null\n+++ b/docs/sample-kev-scanresult.json\n@@ -0,0 +1,107 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-library\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"00000000-0000-0000-0000-000000000001\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/placeholder\",\n+                \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+                \"exploitType\": \"poc\",\n+                \"cloneSSHURL\": \"\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploitation-report\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {}\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"another-library\",\n+          \"notFixedYet\": true\n+        }\n+      ],\n+      \"alertDict\": {\n+        \"uscert\": [\n+          {\n+            \"url\": \"https://www.example.com/cert-alert-placeholder\",\n+            \"title\": \"Example CERT Alert\"\n+          }\n+        ]\n+      }\n+    }\n+  },\n+  \"packages\": {\n+    \"example-library\": {\n+      \"name\": \"example-library\",\n+      \"version\": \"1.2.3\",\n+      \"release\": \"1\",\n+      \"newVersion\": \"1.2.4\",\n+      \"newRelease\": \"1\"\n+    },\n+    \"another-library\": {\n+      \"name\": \"another-library\",\n+      \"version\": \"3.0.0\",\n+      \"release\": \"1\"\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ec9b7eb 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..b563fa4 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,73 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of a KEV entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType represents the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..bdc18d2 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,14 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities (KEV)\",\n+\t\t\t\t\"======================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\",\n+\t\t\t\t\tkev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T15:14:58.527080Z"}</description>
      <content:encoded>{"uuid": "587b1931-6a78-4f0b-b3a4-be2953a0483c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/34fffd9821afd5c9ec50f7981b3267f0", "content": "diff --git a/README.md b/README.md\nindex 57102d1..c63c43c 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp;amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV (Known Exploited Vulnerabilities)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -174,6 +175,12 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Configuration\n+\n+An example configuration file is provided at [`config.toml.example`](config.toml.example). Copy it to `config.toml` and edit to match your environment. See [vuls.io](https://vuls.io/docs/en/config.toml.html) for full reference.\n+\n+To enable KEV (Known Exploited Vulnerabilities) reporting, configure the `[kevuln]` section with a path to a go-kev database. KEV entries from CISA and VulnCheck will appear as first-class fields on each vulnerability in the scan output.\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..58e5bc0\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,96 @@\n+# Vuls configuration file example\n+# Copy this file to config.toml and edit to match your environment.\n+# See https://vuls.io/docs/en/config.toml.html for full reference.\n+#\n+# IMPORTANT: Replace all placeholder values before use.\n+# Never commit real credentials to version control.\n+\n+# -------------------------------------------------------------------\n+# Vulnerability dictionary databases\n+# -------------------------------------------------------------------\n+# Each database section supports: type (\"sqlite3\"|\"mysql\"|\"postgres\"|\"redis\"|\"http\"),\n+# url (connection string or HTTP endpoint), sqlite3Path (path to .sqlite3 file).\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# KEV (Known Exploited Vulnerabilities) \u2014 enables CISA/VulnCheck KEV reporting.\n+# Populate this database with go-kev (https://github.com/vulsio/go-kev)\n+# to surface known-exploited vulnerabilities as first-class KEV entries\n+# on each CVE in the scan results.\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# -------------------------------------------------------------------\n+# Notification / output targets (uncomment and configure as needed)\n+# -------------------------------------------------------------------\n+\n+# [slack]\n+# hookURL = \"https://hooks.slack.com/services/YOUR/WEBHOOK/URL\"\n+# channel = \"#vuls-notifications\"\n+# authUser = \"vuls\"\n+# notifyUsers = [\"@admin\"]\n+\n+# [email]\n+# smtpAddr = \"smtp.example.com\"\n+# smtpPort = \"587\"\n+# tlsMode = \"STARTTLS\"\n+# user = \"vuls@example.com\"\n+# password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+# from = \"vuls@example.com\"\n+# to = [\"admin@example.com\"]\n+# subjectPrefix = \"[Vuls]\"\n+\n+# [chatwork]\n+# apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+# room = \"123456\"\n+\n+# [telegram]\n+# token = \"REPLACE_WITH_TELEGRAM_BOT_TOKEN\"\n+# chatID = \"REPLACE_WITH_CHAT_ID\"\n+\n+# -------------------------------------------------------------------\n+# Default scan settings (applied to all servers unless overridden)\n+# -------------------------------------------------------------------\n+[default]\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\n+\n+# -------------------------------------------------------------------\n+# Servers to scan\n+# -------------------------------------------------------------------\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scan-user\"\n+scanMode = [\"fast-root\"]\n+\n+[servers.example-container-host]\n+host = \"192.0.2.2\"\n+containersIncluded = [\"webapp-container\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..81e9925 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,24 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;amp;&amp;amp; len(kevulns) &amp;gt; 0 {\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tdueDate := k.DueDate\n+\t\t\t\t\tkev := models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\t\tCISA:                       &amp;amp;models.CISAKEV{Note: k.Notes},\n+\t\t\t\t\t}\n+\t\t\t\t\tv.KEVs = append(v.KEVs, kev)\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +114,22 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tdueDate := k.DueDate\n+\t\t\t\tkev := models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\t\t\tCISA:                       &amp;amp;models.CISAKEV{Note: k.Notes},\n+\t\t\t\t}\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, kev)\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/docs/sample-kev-scanresult.json b/docs/sample-kev-scanresult.json\nnew file mode 100644\nindex 0000000..5ec272a\n--- /dev/null\n+++ b/docs/sample-kev-scanresult.json\n@@ -0,0 +1,107 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-library\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"00000000-0000-0000-0000-000000000001\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/placeholder\",\n+                \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+                \"exploitType\": \"poc\",\n+                \"cloneSSHURL\": \"\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploitation-report\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {}\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"another-library\",\n+          \"notFixedYet\": true\n+        }\n+      ],\n+      \"alertDict\": {\n+        \"uscert\": [\n+          {\n+            \"url\": \"https://www.example.com/cert-alert-placeholder\",\n+            \"title\": \"Example CERT Alert\"\n+          }\n+        ]\n+      }\n+    }\n+  },\n+  \"packages\": {\n+    \"example-library\": {\n+      \"name\": \"example-library\",\n+      \"version\": \"1.2.3\",\n+      \"release\": \"1\",\n+      \"newVersion\": \"1.2.4\",\n+      \"newRelease\": \"1\"\n+    },\n+    \"another-library\": {\n+      \"name\": \"another-library\",\n+      \"version\": \"3.0.0\",\n+      \"release\": \"1\"\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ec9b7eb 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..b563fa4 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,73 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of a KEV entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType represents the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..bdc18d2 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,14 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities (KEV)\",\n+\t\t\t\t\"======================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\",\n+\t\t\t\t\tkev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T15:14:58.527080Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/587b1931-6a78-4f0b-b3a4-be2953a0483c/export</guid>
      <pubDate>Fri, 03 Jul 2026 15:14:58 +0000</pubDate>
    </item>
    <item>
      <title>ee492b8d-8c14-4b7f-8291-76a3474264b0</title>
      <link>https://vulnerability.circl.lu/sighting/ee492b8d-8c14-4b7f-8291-76a3474264b0/export</link>
      <description>{"uuid": "ee492b8d-8c14-4b7f-8291-76a3474264b0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/ebeb967895d63df9e37ecbc6fc615891", "content": "diff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..292c202\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,102 @@\n+# Vuls - Example Configuration\n+#\n+# Copy this file to config.toml and adjust settings for your environment.\n+# All values below are PLACEHOLDER EXAMPLES \u2014 replace them with real values.\n+#\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[cveDict]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url         = \"\"\n+\n+[ovalDict]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url         = \"\"\n+\n+[gost]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url         = \"\"\n+\n+[exploit]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url         = \"\"\n+\n+[metasploit]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url         = \"\"\n+\n+# KEV (Known Exploited Vulnerabilities) data source\n+# Enable this section to enrich scan results with CISA/VulnCheck KEV data.\n+# The kevs field on each vulnerability will be populated automatically.\n+[kevuln]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url         = \"\"\n+\n+[cti]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url         = \"\"\n+\n+# https://vuls.io/docs/en/config.toml.html#slack-section\n+#[slack]\n+#hookURL      = \"https://hooks.slack.com/services/EXAMPLE/EXAMPLE/EXAMPLE\"\n+#channel      = \"#vuls-notifications\"\n+#iconEmoji    = \":ghost:\"\n+#authUser     = \"vuls-reporter\"\n+#notifyUsers  = [\"@admin\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#email-section\n+#[email]\n+#smtpAddr              = \"smtp.example.com\"\n+#smtpPort              = \"587\"\n+#tlsMode               = \"STARTTLS\"\n+#tlsInsecureSkipVerify = false\n+#user                  = \"vuls-reporter@example.com\"\n+#password              = \"REPLACE_WITH_SMTP_PASSWORD\"\n+#from                  = \"vuls-reporter@example.com\"\n+#to                    = [\"admin@example.com\"]\n+#cc                    = [\"security-team@example.com\"]\n+#subjectPrefix         = \"[vuls]\"\n+\n+# https://vuls.io/docs/en/config.toml.html#http-section\n+#[http]\n+#url = \"http://localhost:11234\"\n+\n+# https://vuls.io/docs/en/config.toml.html#chatwork-section\n+#[chatwork]\n+#room     = \"1234567890\"\n+#apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+\n+# https://vuls.io/docs/en/config.toml.html#telegram-section\n+#[telegram]\n+#chatID = \"1234567890\"\n+#token  = \"REPLACE_WITH_TELEGRAM_TOKEN\"\n+\n+#[wpscan]\n+#token          = \"REPLACE_WITH_WPSCAN_TOKEN\"\n+#detectInactive = false\n+\n+# https://vuls.io/docs/en/config.toml.html#default-section\n+[default]\n+#port        = \"22\"\n+#user        = \"vuls-scan-user\"\n+#keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+#scanMode    = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#servers-section\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+#port = \"22\"\n+#user = \"vuls-scan-user\"\n+#keyPath = \"/home/vuls/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9d8a586 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = convertToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +113,29 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, k := range kevulns {\n+\t\tdueDate := k.DueDate\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\tCISA: &amp;amp;models.CISAKEV{\n+\t\t\t\tNote: k.Notes,\n+\t\t\t},\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..6557b83 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kev_scan_result.json b/models/testdata/sample_kev_scan_result.json\nnew file mode 100644\nindex 0000000..c244703\n--- /dev/null\n+++ b/models/testdata/sample_kev_scan_result.json\n@@ -0,0 +1,88 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2025-01-15T00:00:00Z\",\n+          \"dueDate\": \"2025-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/0001\"\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"fixedIn\": \"2.0.1-1\"\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2025-03-10T00:00:00Z\",\n+          \"dueDate\": \"2025-03-31T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2025-03-08T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/0001\",\n+                \"dateAdded\": \"2025-03-08T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/0001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-report/0001\",\n+                \"dateAdded\": \"2025-03-09T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"another-pkg\",\n+          \"notFixedYet\": true\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..74d61f9 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,28 +911,81 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n-\tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n-\t\ts = append(s, \"CERT\")\n+\t\treturn \"CERT\"\n \t}\n-\treturn strings.Join(s, \"/\")\n+\treturn \"\"\n+}\n+\n+// HasCISA returns whether CISA alerts exist (deprecated: use VulnInfo.KEVs instead)\n+func (a AlertDict) HasCISA() bool {\n+\treturn len(a.CISA) &amp;gt; 0\n }\n \n // Confidences is a list of Confidence\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..e3aef8f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..bdc18d2 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,14 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities (KEV)\",\n+\t\t\t\t\"======================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\",\n+\t\t\t\t\tkev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T15:14:58.439746Z"}</description>
      <content:encoded>{"uuid": "ee492b8d-8c14-4b7f-8291-76a3474264b0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0002", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/ebeb967895d63df9e37ecbc6fc615891", "content": "diff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..292c202\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,102 @@\n+# Vuls - Example Configuration\n+#\n+# Copy this file to config.toml and adjust settings for your environment.\n+# All values below are PLACEHOLDER EXAMPLES \u2014 replace them with real values.\n+#\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[cveDict]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url         = \"\"\n+\n+[ovalDict]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url         = \"\"\n+\n+[gost]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url         = \"\"\n+\n+[exploit]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url         = \"\"\n+\n+[metasploit]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url         = \"\"\n+\n+# KEV (Known Exploited Vulnerabilities) data source\n+# Enable this section to enrich scan results with CISA/VulnCheck KEV data.\n+# The kevs field on each vulnerability will be populated automatically.\n+[kevuln]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url         = \"\"\n+\n+[cti]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url         = \"\"\n+\n+# https://vuls.io/docs/en/config.toml.html#slack-section\n+#[slack]\n+#hookURL      = \"https://hooks.slack.com/services/EXAMPLE/EXAMPLE/EXAMPLE\"\n+#channel      = \"#vuls-notifications\"\n+#iconEmoji    = \":ghost:\"\n+#authUser     = \"vuls-reporter\"\n+#notifyUsers  = [\"@admin\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#email-section\n+#[email]\n+#smtpAddr              = \"smtp.example.com\"\n+#smtpPort              = \"587\"\n+#tlsMode               = \"STARTTLS\"\n+#tlsInsecureSkipVerify = false\n+#user                  = \"vuls-reporter@example.com\"\n+#password              = \"REPLACE_WITH_SMTP_PASSWORD\"\n+#from                  = \"vuls-reporter@example.com\"\n+#to                    = [\"admin@example.com\"]\n+#cc                    = [\"security-team@example.com\"]\n+#subjectPrefix         = \"[vuls]\"\n+\n+# https://vuls.io/docs/en/config.toml.html#http-section\n+#[http]\n+#url = \"http://localhost:11234\"\n+\n+# https://vuls.io/docs/en/config.toml.html#chatwork-section\n+#[chatwork]\n+#room     = \"1234567890\"\n+#apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+\n+# https://vuls.io/docs/en/config.toml.html#telegram-section\n+#[telegram]\n+#chatID = \"1234567890\"\n+#token  = \"REPLACE_WITH_TELEGRAM_TOKEN\"\n+\n+#[wpscan]\n+#token          = \"REPLACE_WITH_WPSCAN_TOKEN\"\n+#detectInactive = false\n+\n+# https://vuls.io/docs/en/config.toml.html#default-section\n+[default]\n+#port        = \"22\"\n+#user        = \"vuls-scan-user\"\n+#keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+#scanMode    = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#servers-section\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+#port = \"22\"\n+#user = \"vuls-scan-user\"\n+#keyPath = \"/home/vuls/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9d8a586 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = convertToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &amp;gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +113,29 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, k := range kevulns {\n+\t\tdueDate := k.DueDate\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tDueDate:                    &amp;amp;dueDate,\n+\t\t\tCISA: &amp;amp;models.CISAKEV{\n+\t\t\t\tNote: k.Notes,\n+\t\t\t},\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..6557b83 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &amp;gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &amp;gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &amp;gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &amp;lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &amp;lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &amp;lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kev_scan_result.json b/models/testdata/sample_kev_scan_result.json\nnew file mode 100644\nindex 0000000..c244703\n--- /dev/null\n+++ b/models/testdata/sample_kev_scan_result.json\n@@ -0,0 +1,88 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2025-01-15T00:00:00Z\",\n+          \"dueDate\": \"2025-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/0001\"\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"fixedIn\": \"2.0.1-1\"\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2025-03-10T00:00:00Z\",\n+          \"dueDate\": \"2025-03-31T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2025-03-08T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/0001\",\n+                \"dateAdded\": \"2025-03-08T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/0001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-report/0001\",\n+                \"dateAdded\": \"2025-03-09T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"another-pkg\",\n+          \"notFixedYet\": true\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..74d61f9 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,28 +911,81 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;amp;&amp;amp; len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;amp;&amp;amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n-\tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n-\t\ts = append(s, \"CERT\")\n+\t\treturn \"CERT\"\n \t}\n-\treturn strings.Join(s, \"/\")\n+\treturn \"\"\n+}\n+\n+// HasCISA returns whether CISA alerts exist (deprecated: use VulnInfo.KEVs instead)\n+func (a AlertDict) HasCISA() bool {\n+\treturn len(a.CISA) &amp;gt; 0\n }\n \n // Confidences is a list of Confidence\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..e3aef8f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..bdc18d2 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,14 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &amp;gt; 0 {\n+\t\tif len(vinfo.KEVs) &amp;gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities (KEV)\",\n+\t\t\t\t\"======================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\",\n+\t\t\t\t\tkev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T15:14:58.439746Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/ee492b8d-8c14-4b7f-8291-76a3474264b0/export</guid>
      <pubDate>Fri, 03 Jul 2026 15:14:58 +0000</pubDate>
    </item>
  </channel>
</rss>
