Overview

Introduction

CVE Analysis Tool (CAT) is a browser-based intelligence aggregator that pulls vulnerability data for any CVE from different sources simultaneously and presents them side-by-side in a single, unified card. No registration required — all data is fetched live on demand.

CAT is designed for security analysts, developers, and system administrators who need a quick, consolidated view of a CVE without hopping between NVD, vendor advisories, and distribution trackers. It is not a replacement for authoritative vendor advisories — treat it as a starting point for your investigation.

Its main strength is aggregating multiple sources in one place and giving quick access to each of them. All information comes from external sources, and each source is systematically referenced so that the origin of every piece of data is transparent.

ℹ️ All data is fetched in real time from external APIs and pages. Results depend on those services being available and may differ from what you'd find navigating to each source directly. A CORS proxy is used to bypass browser restrictions — see the Technical Docs for details.
Home screen

Landing feed

Before any search, the page displays a dynamic banner aggregating live vulnerability intelligence from four sources simultaneously. It retracts automatically when you search for a CVE and can be toggled back via the ▼ Latest vulnerabilities handle at the top of the results area.

Feed cards

The banner shows a horizontally scrolling carousel of mini-cards drawn from four feeds, interleaved in round-robin order:

  • 🆕 NVD Latest — the most recently published CVEs in the NVD (last 3–14 days).
  • 📈 Top EPSS — the 5 CVEs with the highest current EPSS score, enriched with their NVD description and CVSS data.
  • ⚠️ CISA KEV — the 5 most recently added entries from CISA's Known Exploited Vulnerabilities catalog.
  • 🟠 ENISA Critical — the latest entries from ENISA's critical vulnerabilities feed.

Each card shows the CVE ID, CVSS score (colour-coded), publication date, a short description, an EPSS badge (when available), and a CWE chip. CWE names are resolved from the local database without any additional network request. Hovering the carousel pauses the scroll. Clicking any card instantly loads it into the search results, as if you had typed the CVE ID manually.

Feed filter

Four toggle chips above the carousel let you show or hide each feed independently. Disabling a feed removes its cards from the carousel in real time without reloading any data.

โ„น๏ธ All feed data is cached in sessionStorage for one hour. On a page reload within that window, the banner renders instantly with no network requests. The cache is cleared when the tab is closed.
Card anatomy

Understanding a CVE card

Each CVE renders as a self-contained card. Here is a fully-loaded example card with each section labelled:

mitre • 15/01/2024 • EPSS Score
CVE-2024-12345
NVD RedHat SUSE Debian Ubuntu Microsoft LibreOffice
CVEList NVD
A heap buffer overflow vulnerability in Example Library before 3.2.1 allows remote attackers to execute arbitrary code via a crafted network packet.
RedHat
A flaw was found in Example Library. An unauthenticated remote attacker can trigger a heap overflow leading to code execution in the context of the application user.
CVSS v3.1 9.8 (NVD, RedHat) · CVSS v2.0 7.5 (NVD)
CWE-122 — Heap-based Buffer Overflow (NVD)

① Header & metadata

The top-left corner shows the assigner — the organization that requested the CVE from MITRE (e.g. mitre, github_m, microsoft). Clicking the assigner badge opens the official CVE Record on cve.org. Next to it is the publication date of the CVE entry.

A small share button (🔗) sits immediately to the right of the CVE ID. Clicking it copies a direct permalink to the clipboard — for example https://alex-brzk.github.io/CVE_Analysis_Tool/?cves=CVE-2024-12345. Opening that URL in any browser loads the card instantly. The button turns green briefly to confirm the copy.

If a CVE is not yet in the CVEList repository (GitHub CVEProject/cvelistV5), the card will show an orange "Not in CVEList" label and a left-side orange border. This is common for very recently reserved CVEs that haven't been assigned a description yet.

② Source status dots

Each source is shown as a pill in the top-right of the card. The coloured dot indicates the status for that source. Dots update in real time as responses arrive:

Waiting… — The request is still in flight; the source is being queried.
Green — OK: this source has data for the CVE (description, CVSS, or status).
Amber — Not affected: the source explicitly states the CVE does not affect their products (e.g. Debian "NOT-FOR-US", Red Hat "does not affect").
Red — Not found: the source returned a 404 error or an empty response. No advisory page exists for this CVE on that source.
Black/White — Network error: the proxy could not reach the source (timeout, DNS failure, or source unreachable).

Clicking any source pill navigates to the source's advisory or detail page for that CVE in a new tab.

Once a source has settled to a non-green state (red, amber, or network error), its pill is automatically collapsed and hidden from the main chip row. A compact +N ▾ button appears at the end of the row — clicking it expands all hidden chips. This keeps the header readable when most niche sources do not cover a given CVE.

⚠️ A red dot does not necessarily mean the CVE is unimportant — it just means that particular source does not have a dedicated page. For example, LibreOffice and PostgreSQL will be red for the vast majority of CVEs that don't affect their products.

③ Descriptions

The description table groups all descriptions from all sources. Sources that provide the exact same text are merged into a single row and their badges appear side-by-side in the left column. Sources with a different description get their own row.

This is intentional: different vendors (e.g. Red Hat or Microsoft) often rephrase or extend the NVD description to add context specific to their products. Having them on separate rows lets you spot these differences at a glance.

The coloured source badge in the left column is a clickable link that opens the raw data source (JSON API, GitHub raw file, etc.) used to extract the description.

④ CVSS scores

CVSS (Common Vulnerability Scoring System) scores quantify the severity of a vulnerability on a 0–10 scale. CAT shows all unique CVSS scores reported across all sources, deduplicating on the (version, score, vector) triplet. When multiple sources agree on the same score and vector, they are listed together (e.g. NVD, RedHat).

N/A   0.0         None — no impact
LOW   0.1 – 3.9   Low severity
MED   4.0 – 6.9   Medium severity
HIGH  7.0 – 8.9   High severity
CRIT  9.0 – 10.0  Critical severity

Clicking a CVSS badge opens the FIRST CVSS calculator (the reference implementation) pre-filled with the vector string, allowing you to inspect each metric in detail. This applies to all versions: v2.0, v3.0, v3.1, and v4.0.

CAT supports CVSS v2.0, v3.0, v3.1, and v4.0. The scores are sorted by decreasing value (highest first); ties are broken by version (v4.0 > v3.1 > v3.0 > v2.0). Different scores from different sources for the same CVE are normal — vendors often provide their own CVSS analysis.
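The merge-and-sort rule above (deduplicate on the (version, score, vector) triplet, highest score first, version as tie-break, severity band from the table) as an added example, not CAT's own code. The entry shape { source, version, score, vector } and the sample rows are assumptions; the sample scores are the published base scores for their vectors.

```javascript
// Added example, not CAT's own code. Entry shape is an assumption.
const VERSION_RANK = { "4.0": 4, "3.1": 3, "3.0": 2, "2.0": 1 };

// Severity bands from the page's table.
function severityBand(score) {
  if (score === 0) return "N/A";
  if (score <= 3.9) return "LOW";
  if (score <= 6.9) return "MED";
  if (score <= 8.9) return "HIGH";
  return "CRIT";
}

// "9.80" and "9.8" must land in the same row, so normalise to one decimal.
function normaliseScore(s) {
  return Math.round(parseFloat(s) * 10) / 10;
}

// Merge entries on (version, score, vector); attach every reporting source;
// sort highest first, then v4.0 > v3.1 > v3.0 > v2.0 on ties.
function mergeCvss(entries) {
  const byKey = new Map();
  for (const e of entries) {
    const score = normaliseScore(e.score);
    const vector = e.vector.trim();
    const key = `${e.version}|${score.toFixed(1)}|${vector}`;
    const row = byKey.get(key) || { version: e.version, score, vector, sources: [] };
    if (!row.sources.includes(e.source)) row.sources.push(e.source);
    byKey.set(key, row);
  }
  const rows = [...byKey.values()].map((r) => ({ ...r, severity: severityBand(r.score) }));
  rows.sort((a, b) => b.score - a.score || VERSION_RANK[b.version] - VERSION_RANK[a.version]);
  return rows;
}

// Constructed sample: what five sources might report for one CVE.
const SAMPLE_CVSS = [
  { source: "NVD", version: "3.1", score: "9.8", vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" },
  { source: "RedHat", version: "3.1", score: "9.80", vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" },
  { source: "NVD", version: "2.0", score: "7.5", vector: "AV:N/AC:L/Au:N/C:P/I:P/A:P" },
  { source: "SUSE", version: "3.1", score: "8.8", vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" },
  { source: "Debian", version: "3.0", score: "9.8", vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" },
];

function sampleRows() {
  return mergeCvss(SAMPLE_CVSS);
}
```

The sample produces four rows: v3.1 9.8 (NVD, RedHat merged), v3.0 9.8 (Debian, placed after v3.1 by the tie-break), v3.1 8.8 (SUSE), and v2.0 7.5 (NVD).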

⑤ CWE classifications

CWE (Common Weakness Enumeration) chips appear below the CVSS section. Each chip links to the CWE detail page on cwe.mitre.org. The chip shows the CWE ID, its name (fetched live from MITRE if not provided by the source), and the sources that reported it.

Multiple sources reporting the same CWE are merged. CWEs are sorted numerically by ID.

When the local CWE database associates a weakness with known attack patterns, one or more CAPEC chips appear below the CWE row (preceded by a ↳ arrow). A single CAPEC is shown directly; when multiple exist, they are collapsed behind a toggle button. Each chip links to the CAPEC detail page on capec.mitre.org.

⑥ EPSS scoring

EPSS (Exploit Prediction Scoring System) provides a data-driven probability that a vulnerability will be exploited in the next 30 days. Unlike CVSS, which measures the inherent severity of a weakness, EPSS focuses on real-world exploitation likelihood using threat intelligence, historical attack data, and machine-learning models. The score ranges from 0 to 1 and helps teams prioritize vulnerabilities based on actual risk rather than theoretical impact.

EPSS is defined and maintained by FIRST (https://www.first.org/epss/).

The badge also shows a trend arrow comparing the current score to the value from one month ago: ↑ means the exploitation probability is rising, ↓ means it is falling, and – means it is stable (change below 0.1 %). Hovering the badge reveals the exact delta. The colour of the badge shifts from neutral blue-grey toward red as the score increases.

⑦ References

The references section lists all external URLs collected from all sources. References are deduplicated (the same URL from multiple sources shows an entry with merged source badges).

CAT automatically filters the links already present on source badges (for example, direct links to the NVD page for the CVE) and raw API files. References from sources that say "unaffected" also have their domain-specific links removed.

This reference list is therefore condensed.
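How the condensed list can be built, as an added example rather than CAT's own code: references are canonicalised so the same URL from several sources becomes one row with merged badges, links already reachable from a source badge or used as a raw API input are dropped, and a source that reports "unaffected" loses its own domain-specific links. The input shape { source, url }, the badge-link set, the source-to-domain table and the "unaffected" status flag are assumptions; the sample references are constructed.

```javascript
// Added example, not CAT's own code. Tables below are constructed assumptions.

// Links already shown on a source badge or used as a raw API file.
const BADGE_LINKS = new Set([
  "https://nvd.nist.gov/vuln/detail/CVE-2024-12345",
  "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-12345",
]);

// Domain each source "owns"; links there are dropped when the source says "unaffected".
const SOURCE_DOMAINS = {
  NVD: "nvd.nist.gov",
  RedHat: "access.redhat.com",
  Debian: "security-tracker.debian.org",
};

// Canonical form so that a fragment or a trailing slash does not create a
// duplicate row. Returns null for anything that is not a URL.
function normaliseUrl(raw) {
  try {
    const u = new URL(raw.trim());
    u.hash = "";
    let s = u.toString();
    if (u.pathname !== "/" && s.endsWith("/")) s = s.slice(0, -1);
    return s;
  } catch {
    return null;
  }
}

function hostOwnedBy(url, source) {
  const domain = SOURCE_DOMAINS[source];
  if (!domain) return false;
  const host = new URL(url).hostname;
  return host === domain || host.endsWith("." + domain);
}

// refs: [{ source, url }]; status: { [source]: "ok" | "unaffected" }
function condenseReferences(refs, status) {
  const rows = new Map();
  for (const { source, url } of refs) {
    const norm = normaliseUrl(url);
    if (norm === null) continue;                         // malformed reference
    if (BADGE_LINKS.has(norm)) continue;                 // already reachable from a badge
    if (status[source] === "unaffected" && hostOwnedBy(norm, source)) continue;
    const row = rows.get(norm) || { url: norm, sources: [] };
    if (!row.sources.includes(source)) row.sources.push(source);
    rows.set(norm, row);
  }
  return [...rows.values()];
}

// Constructed sample input: Debian reports the CVE as not affecting it.
const SAMPLE_REFS = [
  { source: "NVD", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-12345" },
  { source: "NVD", url: "https://example.com/advisory/123" },
  { source: "RedHat", url: "https://example.com/advisory/123/" },
  { source: "Debian", url: "https://security-tracker.debian.org/tracker/CVE-2024-12345" },
  { source: "Debian", url: "https://example.com/advisory/123#fix" },
  { source: "RedHat", url: "https://github.com/example/lib/commit/abc123" },
  { source: "NVD", url: "not a url" },
];
const SAMPLE_STATUS = { NVD: "ok", RedHat: "ok", Debian: "unaffected" };

function sampleCondensed() {
  return condenseReferences(SAMPLE_REFS, SAMPLE_STATUS);
}
```

Seven input references collapse to two rows: the advisory URL with NVD, RedHat and Debian badges, and the commit link with a RedHat badge. Debian's tracker link disappears because Debian is "unaffected", and NVD's detail page disappears because it is already the NVD badge link.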

Interface controls

Options panel

The ⚙ Options button in the search bar opens a unified panel with four sections: Sort, Visible fields, Visible sources, and Cards. Click anywhere outside the panel to close it. Sort, field visibility, and source filter preferences are all persisted in localStorage and restored on every visit.

CVE navigator

The CVEs button embedded at the left of the search bar shows a count badge of how many CVE cards are currently on the page. Clicking it opens a compact dropdown listing every active CVE with a colour-coded dot reflecting its highest CVSS severity. Clicking any entry smoothly scrolls to the corresponding card and briefly highlights it with a blue glow. The dropdown closes automatically when you click anywhere outside it.

💡 The navigator list always reflects the current card order — if you apply a sort, the order in the list updates accordingly.

Environmental requirements

The Requirements (Environmental) section in the Options panel is split into two tiers.

Compact panel — Security Requirements (CR / IR / AR). Three toggles let you set the business importance of Confidentiality, Integrity, and Availability for your environment (X Not Defined · L Low · M Medium · H High). Once any value differs from X, CAT instantly recomputes an environmental score for every CVSS v2, v3 and v4 badge across all active cards.

Full modal — Modified Base Metrics (🧮). Clicking the 🧮 Modified base metrics… button opens a modal exposing all optional overrides organised in four groups:

  • Security Requirements — CR, IR, AR (same as the compact panel, synced).
  • Modified Base — Common (v3 + v4) — MAV (Attack Vector), MAC (Attack Complexity), MPR (Privileges Required).
  • Modified Base — v3.x — MUI (User Interaction), MS (Scope), MC/MI/MA (CIA impact).
  • Modified Base — v4.0 — MAT (Attack Requirements), MUI (User Interaction), MVC/MVI/MVA (Vulnerable System CIA), MSC/MSI/MSA (Subsequent System CIA, including Safety override).

Hovering any option chip shows a contextual tooltip explaining its effect on the score. All chips in the panel and the modal are synchronised — changing a value in one place updates the other.

The adjusted score appears as a compact Env X.X badge below the base score badge, preceded by a ↳ arrow and colour-coded with the same severity scale. Clicking that badge opens the FIRST CVSS calculator (v3.x / v4.0) or the NVD calculator (v2.0) in a new tab, pre-filled with the base vector and your settings — all temporal metrics are left as Not Defined.

ℹ️ All requirements and modified metrics apply globally to all cards at once and are persisted in localStorage. Setting everything back to X (Not Defined) removes all sub-badges. The ↺ Reset all metrics button inside the modal resets every metric at once.
💡 Start with CR/IR/AR in the compact panel for a quick risk adjustment. Use the 🧮 modal when you need to override specific base metrics (e.g. set MAV to Local if the vulnerability is not network-reachable in your environment) to get a more accurate environmental score.

Field visibility

The Visible fields section lets you hide entire sections across all CVE cards at once. The available toggles are: Description, CVSS v3, CVSS v4, CVSS v2, CWE, and References. Hiding a field does not delete its data — re-enabling the toggle instantly restores it. This preference is persisted in localStorage.

💡 If you are only interested in critical metadata, try hiding Description and References to get a compact view focused on CVSS scores and CWE classifications.

Source filter

The Visible sources section lets you enable or disable individual sources. When a source is disabled, all content attributed exclusively to it is hidden — its description row, CVSS badges, CWE chips, and reference links — unless another active source shares the same information.

Sources are organised into two sub-groups: Databases (CVEList, NVD, ENISA) and Editors (all vendor sources). All sources — including CVEList and NVD — are freely toggleable. Preferences are persisted in localStorage.

Sort

The Sort options reorder all CVE cards currently on the page. Six options are available:

  • CVSS highest / lowest first — sorted by CVSS score (CVEs without a score appear last).
  • Date newest first / oldest first — sorted by CVEList publication date.
  • CVE ID A→Z / Z→A — lexicographic sort on the CVE identifier.
💡 The sort is live — if a CVSS score arrives from a Phase-2 source after the card is rendered, the card is repositioned automatically. Repositioning is debounced so cards do not jump repeatedly when multiple sources respond at the same time. Sort preference is persisted in localStorage.

Card actions

Each CVE card has two small action buttons in its top-right corner:

  • ↻ Refresh — re-queries only the sources that returned a red (not found) or black/white (network error) dot. Sources that already responded successfully are left untouched. If CVEList failed on the initial load (reserved-but-unpublished CVE), it is also silently retried — on success the card header, assigner, date, and CVEList scores are updated in place. The icon spins while requests are in flight.
  • 🗑 Delete — removes the card from the page and clears the CVE from the persistent storage and session cache. The example card reappears if no cards remain.

The Cards section of the Options panel also contains a Remove all CVE cards button, which deletes every card at once and clears all stored CVEs. This section is only visible when at least one card is present.

CVE persistence

To avoid re-fetching all sources on every page return, searched CVEs are automatically saved to sessionStorage and localStorage. When you navigate to another page and come back to the search page, all previous CVE cards are restored — in the same order — without any user action required.

Up to 25 CVEs are stored in localStorage (TTL: 7 days). When a 26th is added, the oldest is removed automatically. Cards are rebuilt instantly from this cache on the next visit — no network request is made until the TTL expires.

The landing feed (CISA KEV, ENISA, NVD latest, EPSS top 5) is cached separately in sessionStorage with a 1-hour TTL and is cleared when the tab is closed.

โ„น๏ธ Deleting a card or using Remove all clears both the localStorage and sessionStorage entry and the session cache for the affected CVEs.
Interface controls

Dark / Light mode

Click the 🌗 button in the top-right to toggle between light and dark themes. Your preference is saved in localStorage and persists across page reloads and browser restarts.

Pro tips

Tips & best practices

💡 Compare descriptions across sources. When NVD and Red Hat have different descriptions on separate rows, Red Hat's version often contains more specific context about affected products and components.
💡 Watch for CISA KEV. If the CISA dot is green, the vulnerability is in CISA's Known Exploited Vulnerabilities catalog — meaning it has been actively exploited in the wild and US federal agencies are required to patch it. Treat these as high priority regardless of CVSS score.
💡 Check the ENISA EUVD score. If the ENISA dot is green, the EU Vulnerability Database has an independent entry for this CVE. ENISA may publish a different CVSS score or additional references compared to NVD — useful for a European regulatory context.
💡 Use amber dots to discard noise. If multiple distro sources (SUSE, Debian, Ubuntu) show amber, the CVE likely doesn't affect those ecosystems. Combine with the filter to hide their entries and focus on what matters to you.
💡 Don't clean up CVE batches. Don't bother cutting CVE IDs out of your reports or tidying your search into a clean list of IDs. Copy and paste the entire report into the search box — CAT extracts all CVE-XXXX-XXXXX patterns automatically.
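The extraction step behind that last tip, as an added example (not CAT's own code): every CVE-XXXX-XXXXX pattern is pulled out of the pasted text, the prefix is normalised to upper case, and each ID is kept once in first-seen order. The sample report is constructed.

```javascript
// Added example, not CAT's own code.
// CVE IDs: "CVE-", a 4-digit year, "-", and at least four digits.
// \b on both sides rejects things like "ABCVE-2024-9999" and "CVE-2024-123".
const CVE_PATTERN = /\bCVE-(\d{4})-(\d{4,})\b/gi;

function extractCveIds(text) {
  const seen = new Set();
  const ids = [];
  for (const m of text.matchAll(CVE_PATTERN)) {
    const id = `CVE-${m[1]}-${m[2]}`; // canonical upper-case form
    if (!seen.has(id)) {
      seen.add(id);
      ids.push(id);
    }
  }
  return ids;
}

// Constructed scanner output with duplicates, odd casing and near-misses.
const SAMPLE_REPORT = [
  "Scan summary (constructed):",
  "host01: cve-2024-12345 (critical), CVE-2023-0001",
  "host02: CVE-2024-12345, CVE-2024-123 is not a valid id, ABCVE-2024-9999 neither",
  "host03: CVE-2024-99999.",
].join("\n");

function sampleIds() {
  return extractCveIds(SAMPLE_REPORT);
}
```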
Caveats

Known limitations

Data freshness: All data is fetched live on demand. For CVEs published very recently, some sources may not have ingested them yet — especially NVD, which can take a few days or weeks after a CVE is reserved.

Amazon Linux: The Amazon Linux page is scraped via HTML. Layout changes on their side can break extraction silently; the dot may show green even if parsing returned empty.

Oracle and PostgreSQL: Only CVEs for which Oracle or PostgreSQL publish a dedicated advisory page are detected. These are niche products — most CVEs will show red.

Network errors: CAT uses a CORS proxy. If the proxy is unavailable or a source blocks the proxy IP, you will see black/white dots. This is a proxy issue, not a problem with your CVE.

Not a substitute for vendor advisories: Always verify with the official vendor advisory before taking remediation decisions. CVSS scores, descriptions and sources reported here are informational only.

Cache staleness: CVE card data is reused for up to 7 days. If a CVE was updated by a source (new CVSS score, new advisory) within that window, the cached version will not reflect the change until the TTL expires or the card is deleted and re-searched. The landing feed cache (CISA KEV, ENISA, NVD latest) expires after 1 hour.