There are 'many' types and vulnerabilities often depend on the nature of the affected asset, in some cases the type is common such as encryption, misconfiguration and authentication, below is a snippet to give you an idea:

• Public-facing services (like websites, APIs, and applications) commonly face issues such as remote code execution, injection (e.g. SQL, Command), web application (e.g. cross-site scripting, input validation flaws, Insecure deserialization, Server‑side request forgery), denial of service, broken authentication, misconfigurations, insecure coding
• Infrastructure components (such as servers, firewalls, and network devices, vpn gateways) are often affected by misconfigurations, denial of service, authentication, access control and privilege escalation, memory utilization, all of which can be exploited to gain deeper access or disrupt services.
• Endpoints (like laptops, desktops, and mobile devices) typically face risks such as local privilege escalation, malicious code execution, insecure software, and vulnerabilities in commonly used applications like browsers and office tools.

Vulnerability types in CVE data have been classified using the CWE (Common Weakness Enumeration) system which includes hundreds of defined weakness types.

A zero day vulnerability (sometimes referred to in the media as zero-day or 0day) is a security flaw that is either unknown to the software vendor and/or the vendor doesn't have an available patch, leaving systems vulnerable to exploitation by attackers.

A vulnerability is a weakness or flaw in a system, application, or configuration that could potentially be used to compromise security, such as a bug in code, an exposed service, or a misconfiguration.

An exploit, on the other hand, is the actual method or technique used to take advantage of that vulnerability. It’s the practical execution of an attack that leverages the weakness to gain unauthorized access, run malicious code, disrupt services, or steal data.

In short:

• A vulnerability is the opportunity.
• An exploit is the action taken to abuse that opportunity.

Understanding both is key to prioritizing threats and defending against real-world attacks.

Technical impact refers to the direct consequences of a vulnerability on a system or technology, such as data exposure, system crashes, code executions, privilege elevations, unauthorized access, or loss of functionality. It's about how the technology itself is affected. In our CVE reports this is normally the description and weaknesses identified (using MITRE CWE system).

Business impact, on the other hand, focuses on the broader consequences to the organization, including financial loss, reputational damage, legal exposure, customer trust, and regulatory non-compliance. Our reports describe impacts above in terms of confidentialty, integrity and availability based on severity to enable you to calculate business 'your' impacts. Data or business owners prefer these descriptions when asked about priorities.

In short:

• Technical impact answers: What happens to the system?
• Business impact answers: What happens to the organization because of it?

Here is an example hackerstorm CVE report highlighting technical weaknesses and potenital business impact. Understanding both helps prioritize vulnerabilities not just by how dangerous they are technically, but by how much they matter to your business.

Threat Intelligence is the collection and analysis of information about current and emerging cyber threats. It helps organizations understand how vulnerabilities (like those listed as CVEs) are being exploited in the real world, enabling them to prioritize patching and defense strategies based on actual risk.

Gauging the true priority and severity of a CVE is not merely a technical exercise; it's a deeply time-consuming process that extends far beyond understanding the vulnerability's pure technological impact. To effectively triage vulnerabilities with the necessary urgency, it's essential to incorporate dynamic threat intelligence. This includes insights into expert sentiment, whether exploit code is readily available, official government advice and calls to action, evidence of active exploitation, and any established links to APT groups. Without this broader context, determining immediate risk and guiding remediation efforts becomes significantly more challenging and prone to misprioritization.

For these reasons, we try to include pertinent information where possible in our NVD CVE search data and detailed reports to provide that instant view to those remediating weaknesses. Other roles in the organisation also rely on the threat aspects (risk managers, service delivery teams, Infosec managers etc) who may not have access to vulnerability tooling so we provide it here to enhance informed descision making and help explain the threat to business owners and executives in a more buiness context.

Time-to-exploit refers to the time between when a vulnerability (CVE) is publicly disclosed and when it begins to be actively exploited in the wild. On "average", this window is around 5 days.

Our Time-to-Exploit indicator counts down from the CVE's publish date, showing you how much time is left before it reaches that high-risk threshold. This helps you quickly assess urgency, save time on manual calculations, and prioritize vulnerabilities more effectively during triage so you can act before attackers do.

A proof-of-concept (PoC) demonstrates how a vulnerability can be exploited, often including code or detailed steps.

When a PoC becomes public, especially if amplified by media coverage it acts like an instruction manual for attackers, accelerating exploitation dramatically. In many cases, PoC availability can reduce the time-to-exploit to near zero, regardless of when the CVE was originally published. This makes PoCs a critical signal for prioritization: once a PoC is out, a vulnerability moves from theoretical to highly actionable for threat actors, increasing real-world risk almost instantly.

For the latest NIST NVD data, visit our CVE search and insights page where you can view by 24hrs, 7, 30 or 90 days data.

You can view the entire CISA KEV (known exploited vulnerabilities) here in our CISA CVEs search and insights page.

Yes. The data table for our NIST NVD CVE data contains a column 'in the media', which indicates if the CVE has been reported by the media, you can also use our predefined filters to view just those CVEs if you wish. Go to our NVD CVE search and insights to view.

Yes, with HackStorm you can easily start by reading news and advisories in our news search and insights page and then click and explore related CVE reports. We track CVEs across a 90-day timeline, giving you a current view of emerging threats from the media standpoint. Our platform includes filters categorized by;

• Threat Status
• Government Advisories
• Active Threat Groups
• Top CVE Mentions.

You can also use the keyword search to find specific vendors, products, or technologies of interest, making it easy to connect real-world events to actionable vulnerability data.

For all of our data table searches, use the pipe symbol | to search for multiple terms at once. It acts as an OR operator returning results that match any of the terms.

Examples:

• Single words:
  Microsoft | Cisco | Fortinet
  → Matches vulnerabilities related to any of these vendors.
• 
  
  
• Single words combined with phrase:
  APT29 | Lazarus | Charming Kitten
  → Finds references to any of these threat groups.
• 
  
  
• Multiple Words (single phrase):
  remote code execution
  → Matches results containing this exact phrase.
• 
  
  
• Multiple phrases:
  remote code execution | privilege escalation
  → Finds vulnerabilities mentioning either phrase.

We match newly published CVE's against the CISA catalog and indicate the matches in the NVD data dashboard and data tables. We also provide a filter to show just those that are reported by CISA as under active exploitation or known to used with ransomware.

No. We cannot provide garantees or assurance on the timeliness or the quality of the information being shared with you. All data, news, opinions on this website is provided "as is" from the source and its best efforts only.

We cannot and do not replace a lack of policy, process, responsibility for your organisation. You must ensure you have these in place with apporpriate support contracts for timely notifications and updates.

For advice on managing vulnerabilities, here is some advice and guidance.

U.K. NCSC Guidance for Vulnerability Management

U.S. NIST Guidance for Vulnerbaility Management

Our vulnerability data and insights service is designed to support a wide range of stakeholders across the organization, here are some examples:

• IT and Cybersecurity Teams
  Use the platform as a supplemental intelligence and triage tool, helping to assess the urgency of vulnerabilities in the context of real-world threats. When patching responsibilities are outsourced, the service can also fill critical visibility gaps, especially when vendor support alerts or notifications are recieved by the third party.
• 
  
  
• Management
  Empower governance discussions and high-level risk reviews by surfacing business-relevant vulnerability trends and media-reported CVEs. The service enables managers to answer questions from senior leadership with confidence, using timely, curated insights to stay ahead of potential reputational or operational risks.
• 
  
  
• Auditors & 2nd Line Assurance Functions
  Access independent, comprehensive vulnerability data to test the robustness of internal processes, without relying on IT or cybersecurity teams to pre-select samples. This strengthens the objectivity of audits and ensures that governance processes—such as exception handling, applicability assessments, and documentation are properly followed for all relevant CVEs, whether they are applicable, inapplicable, or pending remediation.

Other roles that could benefit include ethical hackers and penetrations testers for vulnerbaility research, security testers as part of design and development, architects involved in vendor or product evaluations.

We offer a range of curated vulnerability insights to help you focus on what truly matters:

• NIST NVD Data: Access the official CVE database enriched with threat intelligence combined with predefined filters and keyword search. We layer in threat intelligence including CISA priority CVEs and those reported by the media, this is to help you assess urgency, relevance, and sentiment at a glance.

  
  
  

• CISA KEVs (Known Exploited Vulnerabilities) Catalog: Explore vulnerabilities flagged by CISA using keyword search and predefined filters. We also indicate ransomware association where applicable to help you focus on high-risk issues.

  
  
  

• News & Media Trends: For those with a preference to view CVEs trending in the media, supported by numerous predefined filters for threat status, various government advisories, APT and state sponsor threat actor groups, and the most widely reported vulnerabilities.

These insights are designed to support prioritization, situational awareness, and rapid decision-making.

We limit instant search to the last 90 days to ensure fast, high-performance results and because quick access to current data matters.

Most organizations also operate with SLA windows of up to 90 days for vulnerability remediation, so this timeframe aligns with real-world expectations. If you're still dealing with issues older than 90 days, it's likely a sign of deeper systemic problems that need addressing beyond simple search.

Additionally, this service is free, and extending historical search capabilities at scale would require additional infrastructure, meaning, we’d need to start charging users.

That said, if you know the CVE identifier, you can still access any CVE dating back to 1999 through our database, regardless of its age.

Our Threat Intel Briefs are in-depth, quarterly reports that analyze the evolving vulnerability and threat landscape. These insights go beyond surface-level data, offering deeper context around actively exploited vulnerabilities. Some of our briefs cover:

• Most commonly targeted vulnerability types.
• Time-to-Exploit averages for various vulnerabilities types and categories.
• Adversary insights, highlighting activity from APT groups and state-sponsored actors.

These briefs help security teams understand threats at a much deeper level enabling more strategic defense planning or triage (e.g. Who, when and what weaknesses). This can be particularly useful where the scale of remediation is extremely big, complex or time restricted.

All data with the exception of our blogs is updated every 30 minutes. This includes all metrics or stats on the homepage as well as the search and insights pages and the news page.

It largely depends on how popular the site becomes. We dont want to charge for what is free publicly available informaion already but if we get too many visitors we'll need to consider some options and pick the lesser evil as they say if that day ever comes.

EPSS (Exploit Prediction Scoring System) estimates the probability that a vulnerability will be exploited by Threat Actors. It focuses on attacker behavior and also contextual threats based on your organisation including security maturity.

The traditional CVSS (Common Vulnerability Scoring System) measures the technical severity of the flaw itself (e.g., how bad the impact is, how complex the exploit is), but does not factor in real-world exploitation likelihood.

We use EPSS for prioritization and CVSS for impact assessment.

You see multiple scores because our calculator applies a contextual risk model based on common network architecture. We analyze the vulnerability's attack vector (e.g., Network, Local) and its compatibility with six defined security Zones (like Air-Gapped, Internal Corporate, or Public Facing). A vulnerability exploitable locally may score high in a restricted zone (Z2), but low in a public zone (Z5). This ensures you prioritize based on where the vulnerability actually poses the greatest threat in your environment.

Our score starts with a Base Risk Score derived from the Verizon Data Breach Investigations Report (DBIR) 2025 data, tailored to your industry, region, and security maturity. This base score is then adjusted using a multiplicative formula that includes:

• CVE Threat Indicators: Confirmed active exploitation (CISA KEV), Proof of Concept (PoC) availability, and media attention.

  
  
  

• Time Factor: How long the CVE has been public (older flaws get higher multipliers).

  
  
  

• Zone Compatibility: The Attack Vector × Zone Matrix.

• Organizational Modifiers: Your security maturity, size, and the business criticality of the system.

Our core threat intelligence—such as CISA KEV and active exploitation status—is updated daily to provide the most current risk prediction. The organizational baselines (Industry and Region multipliers, Base Risk Scores) are derived from the Verizon DBIR dataset, which is typically released annually around April. We continually review all factors and adjust EPSS multiplier factors as and when a material change occurs and.or when the latest DBIR data is released.

A low EPSS score suggests that, despite the vulnerability's high technical severity, it is not currently being widely exploited by attackers or tooling has not been broadly developed.

Our recommendation: Do not ignore it, but prioritize patching the vulnerabilities with high EPSS scores first, even if their CVSS is lower. Follow the recommended action associated with the EPSS score (e.g., "Monitor, standard patching cycle" for Low Risk).

Older vulnerabilities pose a higher risk because they have been available long enough for attackers to:

1. Develop reliable and automated exploitation tools.

   
   
   

2. Ensure more targets remain unpatched, increasing the size of the vulnerable population.

Our time multiplier correctly increases the score for threats that have been public for 90 days or more, reflecting this maturity in the attack lifecycle.