DEV.co
Open-Source Security · trickest

cve

CVE is an automated repository that aggregates publicly available CVE proof-of-concepts (PoCs) from multiple sources, organized by year. It uses workflows to gather CVE details, search for PoC references, and filter results into searchable markdown files.

Source: GitHub — github.com/trickest/cve
7.9k
GitHub stars
976
Forks
HTML
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorytrickest/cve
Ownertrickest
Primary languageHTML
LicenseMIT — OSI-approved
Stars7.9k
Forks976
Open issues20
Latest releaseUnknown
Last updated2026-07-08
Sourcehttps://github.com/trickest/cve

What cve is

The project automatically collects CVE data from CVEProject/cvelist, searches GitHub and references for PoCs using ffuf and keyword matching, and generates year-organized markdown documentation with version badges via shields.io. Results are deduplicated and filtered against a blacklist to reduce false positives.

Quickstart

Get the cve source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/trickest/cve.gitcd cve# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Red Team and Penetration Testing Resource

Security professionals can browse or search the repository for publicly available exploits relevant to their target systems, accelerating proof-of-concept research during engagements.

Vulnerability Monitoring and Alerting

Teams can watch the repository or subscribe to the Atom feed to receive notifications when new PoCs are published for specific products or CVE IDs of interest.

Product Vulnerability Inventory

Search for a specific product name and version to identify all publicly disclosed exploits associated with that software, useful for risk assessment and patch prioritization.

Implementation considerations

  • The repository contains links and references to external PoCs; accessing and executing them carries inherent risk and legal liability—ensure proper authorization and legal review before use.
  • Data quality depends on the accuracy of the automated workflow (ffuf regex matching, GitHub searches, blacklist filtering). Manual spot-checks recommended before relying on findings.
  • Last push timestamp shows active maintenance, but no formal release versioning exists; treat updates as continuous with no stability guarantees.
  • Primary language is HTML; the markdown files are human-readable but custom tooling or scripts are needed for programmatic access and filtering.
  • Blacklist-based false positive filtering is present but not transparent; misclassification risk remains, particularly for edge-case CVE descriptions.

When to avoid it — and what to weigh

  • Requiring Proprietary or Premium Exploit Data — This repository contains only publicly available PoCs. If you need zero-day exploits or commercial-grade vulnerability intelligence with validation guarantees, this is insufficient.
  • Expecting Verified or Tested Exploits — The workflow is automated and results are filtered but not manually verified for functionality. PoCs may be outdated, broken, or incomplete; each must be independently validated before use.
  • Needing Integration into a Centralized Platform — This is a static repository of markdown files with no API, database, or integration framework. Pulling data requires parsing markdown or using custom scripts.
  • Using in Restricted or Regulated Environments — Organizations in strict compliance regimes may face policy restrictions around hosting or using publicly available exploit collections without formal security assessment.

License & commercial use

Licensed under MIT (Massachusetts Institute of Technology License), a permissive open-source license.

MIT is a permissive OSI-approved license that permits commercial use, modification, and distribution with minimal restrictions. However, the repository contains references to and links toward third-party PoC code; commercial users must ensure compliance with the licenses of those external resources. No indemnification or liability protection is provided by the MIT license itself.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

This repository indexes publicly available exploits and attack vectors. Use carries inherent risk: PoCs may be malicious, outdated, or environment-dependent. Executing any PoC without proper isolation, authorization, and legal review poses security and legal exposure. No attestation of PoC accuracy or safety is provided. Organizations should treat this as a research reference, not a production tool, and implement strict access controls and code review before any use.

Alternatives to consider

ExploitDB (Offensive Security)

Curated, manually reviewed exploit collection with filtering by platform, type, and date; higher confidence in quality but requires subscription for full access.

National Vulnerability Database (NVD) + Custom Crawling

Authoritative CVE source with structured data and reference tracking; no integrated PoC collection, but enables building a custom aggregation with more control over data validation.

Metasploit Framework

Comprehensive exploit framework with built-in modules, testing infrastructure, and professional support; more heavyweight but provides execution and validation environment.

Software development agency

Build on cve with DEV.co software developers

This repository is best suited as a research reference for penetration testing and red team operations. For production vulnerability management, audit third-party PoC licenses and implement rigorous code review. Contact our team to discuss integration into a secure development or security operations platform.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

cve FAQ

Can I use this repository in a production security tool or product?
Legally, yes, under MIT license. Practically, no—the data is auto-generated, unverified, and contains links to external code. Building a production tool requires independent validation, licensing compliance checks on third-party PoCs, and legal review.
How current is the CVE data?
The repository is actively maintained (last push July 2026). Data freshness depends on the CVEProject/cvelist source and how frequently the workflow runs. No explicit SLA or latency guarantee is documented.
What if I find a broken or malicious PoC link?
Open a GitHub issue to report it. The project welcomes contributions and bug reports, though response time and remediation SLA are unknown.
Can I download all CVE data and host it offline?
Yes, under MIT license you can clone and redistribute the repository. However, you remain responsible for the licenses and legality of the third-party PoC code it references.

Work with a software development agency

Need help beyond evaluating cve? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Evaluate CVE PoC for Your Security Workflow

This repository is best suited as a research reference for penetration testing and red team operations. For production vulnerability management, audit third-party PoC licenses and implement rigorous code review. Contact our team to discuss integration into a secure development or security operations platform.