You search "nginx" on NVD. You get 500+ CVEs. Half of them are for nginx-ui, nginx-proxy-manager, or some random project that has "nginx" in the description. The other half are for versions you're not even running.
Security tools love to throw CVE counts at you. High numbers look scary. But most of them are noise.
CVEye cuts through that noise. It fetches CVEs from NVD, checks the CPE data to see which products and versions are actually affected, and only shows you the ones that matter for your stack.
- Version-aware filtering — Only shows CVEs that affect your specific versions
- CPE-based matching — Uses NVD's CPE configuration data, not regex on descriptions
- Multiple output formats — Text, JSON, Table or send directly to Slack
- Parallel fetching — Scans multiple technologies concurrently
- Simple config — One YAML file defines your entire stack
- CI/CD ready — Run on schedule in GitLab/GitHub Actions
```bash
# From source
git clone https://github.com/yourpwnguy/cveye.git
cd cveye
make install

# Or just build
make build
./bin/cveye --help
```
Create a config file at `~/.config/cveye/config.yaml`:

```yaml
technologies:
  - name: react
    version: "19.0.0"
  - name: nextjs
    version: "13.0.0"
  - name: magento
    cpe: magento_open_source
    version: "2.4"

api:
  timeout: 30s

defaults:
  limit: 50
  severity: ""
  format: text
```
```bash
# Summary only (no CVE details)
cveye fetch

# Full output to console
cveye fetch -o text

# JSON output
cveye fetch -o json

# Filter by severity
cveye fetch -o text -s CRITICAL
cveye fetch -o text -s HIGH

# Limit results per technology
cveye fetch -o text -l 10

# Custom config file
cveye --config ./my-config.yaml fetch

# Disable colors (for logs/pipes)
cveye fetch -o text --no-color
```
Send results directly to a Slack webhook. Treat the webhook URL as a secret: anyone who has it can post to the channel, and a URL passed on the command line ends up in shell history, process listings and CI job logs, so inject it from your CI secret store rather than hard-coding it:
```bash
# Slack only (no console output)
cveye fetch --report https://hooks.slack.com/services/XXX/YYY/ZZZ

# Console + Slack
cveye fetch -o text --report https://hooks.slack.com/services/XXX/YYY/ZZZ

# Critical CVEs only, max 5 per tech, send to Slack
cveye fetch -s CRITICAL -l 5 --report https://hooks.slack.com/...

# JSON to file
cveye fetch -o json > cves.json

# Pipe to jq
cveye fetch -o json | jq
```
```text
══ REACT (19.0.0) ══

[1] HIGH CVE-2025-55184 (CVSS: 7.5)
    Description:
      • A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-ser...
    Attack Vector:
      • NETWORK
    Affected:
      • react (facebook)
        - >=19.0.0, <19.0.2
        - >=19.1.0, <19.1.3
        - >=19.2.0, <19.2.2
      • next.js (vercel)
        - >=13.3.0, <14.2.35
        - >=15.0.0, <15.0.7
        - >=15.1.0, <15.1.11
        - >=15.2.0, <15.2.8
        - >=15.3.0, <15.3.8
        - >=15.4.0, <15.4.10
        - >=15.5.0, <15.5.9
        - >=16.0.0, <16.0.10
        - 15.6.0
        - 16.1.0
    Published:
      • 2025-12-11
    References:
      • https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
      • https://www.facebook.com/security/advisories/cve-2025-55184
      • https://github.com/KingHacker353/CVE-2025-55184

[2] MEDIUM CVE-2025-55183 (CVSS: 5.3)
...
```
This is where CVEye shines. NVD uses CPE (Common Platform Enumeration) to identify exactly which products and versions a CVE affects.
A CPE string looks like this:

```text
cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*
          │     │                   │
          │     │                   └── version (* = see range fields)
          │     └── product name
          └── vendor
```
When the NVD product name differs from the keyword you search on, as with `magento` versus the CPE product `magento_open_source`, set the `cpe` field explicitly:

```yaml
technologies:
  - name: magento              # For display and keyword search
    cpe: magento_open_source   # For CPE matching
    version: "2.4.0"
```
- Keyword search — Uses name to query NVD (returns broad results)
- Product filter — Checks if CPE product matches cpe (or name if cpe not set)
- Version filter — Checks if your version falls within the affected range
A CVE only shows up if it passes all three checks. The second and third checks depend on NVD having attached CPE configuration data to the CVE; newly published CVEs often sit in NVD's enrichment backlog with no configurations yet, so an empty result means "nothing confirmed affected for your versions", not "nothing affects you".
- Read config — Load technologies with names and versions
- Fetch from NVD — Parallel requests using technology names as keywords
- Parse CVEs — Extract CVSS scores (V4→V3.1→V3→V2 fallback), descriptions, references
- Parse CPE data — Extract affected vendor/product/version ranges from configurations
- Filter by product — Keep only CVEs where CPE product matches your technology
- Filter by version — Keep only CVEs where your version falls in affected range
- Output — Format and display (or send to Slack)
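Steps 4 to 6 above (parse CPE data, filter by product, filter by version) come down to walking NVD's `configurations` block. The following is an added, self-contained Go example of that matching logic; it is not CVEye's own code. The type and function names (`cveItem`, `cpeMatch`, `sampleCVE`, `parseCPE`, `compareVersions`, `inRange`, `Affects`) are assumptions made for the illustration, every node is treated as OR (NVD also emits AND nodes, e.g. product AND platform, which are not modelled), and the version comparison is a simplified numeric-then-lexical one. The JSON record is constructed to mirror the react and next.js ranges in the sample output above, not fetched from NVD; the real NVD object carries many more fields, which `encoding/json` ignores.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// cveItem is the subset of an NVD CVE API 2.0 "cve" object used here (assumption: the real object has many more fields).
type cveItem struct {
	ID             string `json:"id"`
	Configurations []struct {
		Nodes []struct{ CPEMatch []cpeMatch `json:"cpeMatch"` } `json:"nodes"`
	} `json:"configurations"`
}

// cpeMatch is one affected entry; for a range NVD puts "*" in the CPE version slot and fills the four fields below.
type cpeMatch struct {
	Vulnerable            bool   `json:"vulnerable"`
	Criteria              string `json:"criteria"`
	VersionStartIncluding string `json:"versionStartIncluding"`
	VersionStartExcluding string `json:"versionStartExcluding"`
	VersionEndIncluding   string `json:"versionEndIncluding"`
	VersionEndExcluding   string `json:"versionEndExcluding"`
}

// sampleCVE is a constructed record whose ranges mirror the react and next.js entries in the sample output above (not fetched from NVD).
func sampleCVE() cveItem {
	const raw = `{"id":"CVE-2025-55184","configurations":[{"nodes":[{"operator":"OR","cpeMatch":[
{"vulnerable":true,"criteria":"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*","versionStartIncluding":"19.0.0","versionEndExcluding":"19.0.2"},
{"vulnerable":true,"criteria":"cpe:2.3:a:vercel:next.js:*:*:*:*:*:*:*:*","versionStartIncluding":"15.5.0","versionEndExcluding":"15.5.9"},
{"vulnerable":true,"criteria":"cpe:2.3:a:vercel:next.js:15.6.0:*:*:*:*:*:*:*"}]}]}]}`
	var c cveItem
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		panic(err)
	}
	return c
}

// parseCPE returns the vendor, product and version fields of a CPE 2.3 string (escaped colons inside values are not handled).
func parseCPE(criteria string) (vendor, product, version string, ok bool) {
	if f := strings.Split(criteria, ":"); len(f) >= 6 && f[0] == "cpe" && f[1] == "2.3" {
		return f[3], f[4], f[5], true
	}
	return "", "", "", false
}

// compareVersions orders dotted versions component by component; the result is negative, zero or positive like strings.Compare.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for len(as) < len(bs) { // a missing trailing component counts as 0, so 19.0 == 19.0.0
		as = append(as, "0")
	}
	for len(bs) < len(as) {
		bs = append(bs, "0")
	}
	for i := range as {
		xi, xerr := strconv.Atoi(as[i])
		yi, yerr := strconv.Atoi(bs[i])
		if xerr != nil || yerr != nil { // non-numeric component (rc1, beta): fall back to lexical order
			xi, yi = strings.Compare(as[i], bs[i]), 0
		}
		if xi != yi {
			return xi - yi
		}
	}
	return 0
}

// inRange: an explicit CPE version must match exactly; "*" defers to the range fields; no range fields at all means every version.
func inRange(m cpeMatch, v string) bool {
	if _, _, cpeVer, ok := parseCPE(m.Criteria); !ok || cpeVer != "*" {
		return ok && compareVersions(cpeVer, v) == 0
	}
	return (m.VersionStartIncluding == "" || compareVersions(v, m.VersionStartIncluding) >= 0) &&
		(m.VersionStartExcluding == "" || compareVersions(v, m.VersionStartExcluding) > 0) &&
		(m.VersionEndIncluding == "" || compareVersions(v, m.VersionEndIncluding) <= 0) &&
		(m.VersionEndExcluding == "" || compareVersions(v, m.VersionEndExcluding) < 0)
}

// Affects is the product filter plus the version filter: keep the CVE only if a vulnerable entry names product
// (the config's cpe field, or name when unset) and v lies in its range. Every node is treated as OR (assumption).
func Affects(c cveItem, product, v string) bool {
	for _, cfg := range c.Configurations {
		for _, n := range cfg.Nodes {
			for _, m := range n.CPEMatch {
				if _, p, _, ok := parseCPE(m.Criteria); ok && m.Vulnerable && p == product && inRange(m, v) {
					return true
				}
			}
		}
	}
	return false
}

func main() { // constructed stack; "next.js" is the cpe override a nextjs config entry would need here
	for _, t := range [][2]string{{"react", "19.0.0"}, {"react", "19.0.2"}, {"next.js", "15.6.0"}, {"nginx", "1.27.0"}} {
		fmt.Println(t[0], t[1], "affected by CVE-2025-55184:", Affects(sampleCVE(), t[0], t[1]))
	}
}
```

`go run` prints one line per constructed stack entry. The product argument is compared exactly against the CPE product component, which is the job of the config's `cpe` field: in this simplified matcher a `nextjs` entry only matches with `cpe: next.js`, and whether CVEye normalises such names itself is not stated above. The `vulnerable` flag is honoured, so a platform CPE that NVD marks as non-vulnerable never matches on its own.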
```text
cveye/
├── cmd/cveye/
│   ├── main.go
│   └── cli/
│       ├── root.go
│       └── fetch.go
├── internal/
│   ├── client/     # NVD API client
│   ├── config/     # Config loading
│   ├── cve/        # Core logic: types, filtering, service
│   ├── output/     # Formatters: text, json, table
│   └── notifier/   # Slack notifications
├── config.yaml     # Example config
├── Dockerfile
├── Makefile
└── README.md
```
Contributions are welcome! If you have any suggestions, bug reports, or feature requests, feel free to open an issue or submit a pull request.