Vulnerabilities CONFIRMED exploited in the wild — the CISA Known Exploited Vulnerabilities (KEV)
catalog, each enriched with its EPSS exploitation-probability score (FIRST.org), plus a risk
`summary`. The 'which CVEs actually matter right now' layer that pairs with security_advisories
(disclosed CVEs) and check_vulnerability (is package@version affected).
Args:
query: match a CVE id / name / description.
vendor: filter by vendor — accepts a COMMA LIST (e.g. "Microsoft, Cisco, Fortinet"), match ANY.
product: filter by product — accepts a COMMA LIST (e.g. "Windows, PAN-OS"), match ANY.
stack: a client's whole tech stack as a comma list (e.g. "Fortinet, Ivanti, Citrix, Apache"),
matched against vendor OR product — returns exactly the actively-exploited CVEs affecting that
stack: a live per-stack vulnerability watch (see the `summary` for the headline risk).
ransomware_only: only CVEs linked to known ransomware campaigns.
recent_days: only CVEs added to the KEV catalog in the last N days.
sort: "recent" (newest catalogued first, default) or "risk" (highest EPSS first).
limit: max results.
Every value is returned in an Ed25519-signed, provenance-stamped envelope (source and observation time) you can verify offline against /.well-known/keys, no account required.