Exploits Search
Search for vulnerabilities with known exploits across the VDB, filtered by ecosystem, severity, source, EPSS, and CISA KEV status.
The Exploits Search skill discovers exploited vulnerabilities across the entire Vulnetix VDB, with filtering by ecosystem, severity, exploit source, EPSS score, and CISA KEV status. Use it to find exploited vulnerabilities relevant to your repository’s technology stack.
This skill does not modify application code – it only updates .vulnetix/memory.yaml to track findings.
How this differs from /vulnetix:exploits: The Exploit Analysis skill performs deep analysis of a single known vulnerability (PoC fetching, ATT&CK mapping, CWSS scoring). This skill discovers exploited vulnerabilities across the landscape, optionally filtered to your repository’s ecosystems.
Invocation
/vulnetix:exploits-search [flags]
For example:
/vulnetix:exploits-search --ecosystem npm --severity CRITICAL
/vulnetix:exploits-search --in-kev --min-epss 0.5
/vulnetix:exploits-search -q "remote code execution"
/vulnetix:exploits-search --source metasploit --ecosystem maven
CLI Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --ecosystem | string | auto-detected | Package ecosystem (npm, pypi, maven, go, cargo, nuget, rubygems, packagist) |
| --source | enum | – | Exploit source: exploitdb, metasploit, nuclei, vulncheck-xdb, crowdsec, github, poc |
| --severity | enum | – | CVSS severity: CRITICAL, HIGH, MEDIUM, LOW |
| --in-kev | bool | false | Only show exploits listed in the CISA KEV catalog |
| --min-epss | float | – | Minimum EPSS score threshold (0.0–1.0) |
| -q | string | – | Free-text search query (CVE ID, title, description) |
| --sort | enum | recent | Sort order: recent, epss, severity, maturity |
| --limit | int | 100 | Maximum results per page (1–100) |
| --offset | int | 0 | Pagination offset |
Auto-Ecosystem Detection
If the user does not specify an ecosystem, the skill auto-detects the repository’s ecosystem from manifest files and applies it as a default filter. If the repo uses multiple ecosystems, the skill asks whether to filter or search across all of them.
Natural Language Mapping
The skill maps natural language to CLI flags:
| User says | Flags applied |
|---|---|
| “npm exploits” | --ecosystem npm |
| “critical vulnerabilities” | --severity CRITICAL |
| “metasploit modules” | --source metasploit |
| “actively exploited” or “in KEV” | --in-kev |
| “high EPSS” or “likely exploited” | --min-epss 0.7 --sort epss |
| “sort by maturity” | --sort maturity |
| “first 20” | --limit 20 |
| “next page” | --offset <previous + limit> |
Output
Results are presented in a table:
| # | CVE ID | Severity | EPSS | Maturity | Exploit Sources | KEV | Fix? |
|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-44228 | critical | 0.97 | WIDESPREAD | ExDB:3 MSF:2 Nuc:5 | Yes | Yes |
| 2 | CVE-2024-XXXXX | critical | 0.82 | ACTIVE | MSF:1 GH:3 | Yes | Yes |
| 3 | CVE-2023-YYYYY | critical | 0.65 | WEAPONIZED | ExDB:1 Nuc:2 | No | No |
Column Definitions
- EPSS – Exploit Prediction Scoring System probability (0.00–1.00)
- Maturity – exploitation maturity level (see below)
- Exploit Sources – abbreviated counts: ExDB (ExploitDB), MSF (Metasploit), Nuc (Nuclei), GH (GitHub PoCs), VCX (VulnCheck XDB), CS (CrowdSec)
- KEV – in CISA Known Exploited Vulnerabilities catalog. If overdue, appends “(overdue)”
- Fix? – whether a registry or source fix is available
Exploitation Maturity Levels
| Level | Score Range | Meaning |
|---|---|---|
| NONE | 0–14 | No known exploitation activity |
| POC | 15–34 | Proof-of-concept exists |
| WEAPONIZED | 35–54 | Exploit integrated into frameworks or tools |
| ACTIVE | 55–74 | Active exploitation observed |
| WIDESPREAD | 75+ | Widespread exploitation across many targets |
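For consuming this output in a script, the following added example (not Vulnetix code) parses the results table into records, expanding the Exploit Sources abbreviations and the KEV "(overdue)" suffix. The `triage` ordering is an assumption made for illustration, and the "(overdue)" marker on row 2 of the sample is constructed.

```python
import re

# Abbreviations from the page's Column Definitions.
SOURCE_NAMES = {"ExDB": "ExploitDB", "MSF": "Metasploit", "Nuc": "Nuclei",
                "GH": "GitHub PoCs", "VCX": "VulnCheck XDB", "CS": "CrowdSec"}
# Ordering from the Exploitation Maturity Levels table, lowest to highest.
MATURITY_ORDER = ["NONE", "POC", "WEAPONIZED", "ACTIVE", "WIDESPREAD"]

# Constructed sample: the page's example rows, plus "(overdue)" on row 2.
SAMPLE = """\
| # | CVE ID | Severity | EPSS | Maturity | Exploit Sources | KEV | Fix? |
|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-44228 | critical | 0.97 | WIDESPREAD | ExDB:3 MSF:2 Nuc:5 | Yes | Yes |
| 2 | CVE-2024-XXXXX | critical | 0.82 | ACTIVE | MSF:1 GH:3 | Yes (overdue) | Yes |
| 3 | CVE-2023-YYYYY | critical | 0.65 | WEAPONIZED | ExDB:1 Nuc:2 | No | No |
"""

def parse_results(table):
    """Turn the pipe table into a list of dicts, one per result row."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 8 or not cells[0].isdigit():
            continue  # header, separator, or unrelated line
        _, vuln_id, severity, epss, maturity, sources, kev, fix = cells
        if maturity not in MATURITY_ORDER:
            raise ValueError(f"unknown maturity level: {maturity!r}")
        counts = {}
        for abbr, n in re.findall(r"(\w+):(\d+)", sources):
            counts[SOURCE_NAMES.get(abbr, abbr)] = int(n)
        rows.append({
            "id": vuln_id, "severity": severity.upper(), "epss": float(epss),
            "maturity": maturity, "sources": counts,
            "kev": kev.lower().startswith("yes"),
            "kev_overdue": "(overdue)" in kev.lower(),
            "fix": fix.lower() == "yes",
        })
    return rows

def triage(rows):
    """Assumed order: overdue KEV, KEV, maturity, then EPSS (all descending)."""
    return sorted(rows, key=lambda r: (r["kev_overdue"], r["kev"],
                                       MATURITY_ORDER.index(r["maturity"]),
                                       r["epss"]), reverse=True)

if __name__ == "__main__":
    for r in triage(parse_results(SAMPLE)):
        print(r["id"], r["maturity"], r["epss"], r["sources"])
```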
CrowdSec Sightings
If any result has active CrowdSec sightings (live exploitation detected from real network traffic), it is flagged prominently:
3 results have active CrowdSec sightings (live exploitation detected)
Ransomware Associations
If any CISA KEV result has ransomwareUse: true, it is always surfaced:
2 results are associated with known ransomware campaigns
Pagination
Showing 1-20 of 142. Say "next page" or "page 3" for more.
Memory Updates
After completing the search, the skill updates .vulnetix/memory.yaml:
- For each result that matches a dependency in the repository (cross-referenced against manifest files), a stub entry is created with status: under_investigation and discovery.source: scan
- Existing entries are not modified
- If no results match repo dependencies, memory updates are skipped
Actionable Recommendations
For each result, the skill suggests next steps:
- /vulnetix:exploits <vuln-id> – deep exploit analysis with PoCs, ATT&CK mapping, and CWSS scoring
- /vulnetix:fix <vuln-id> – fix intelligence for results with available fixes
- /vulnetix:remediation <vuln-id> – context-aware remediation plan
- /vulnetix:vuln <vuln-id> – full vulnerability details
Example
/vulnetix:exploits-search --ecosystem npm --severity CRITICAL --sort epss
The skill detects npm from package.json, searches for critical npm exploits sorted by EPSS score, presents a table of results with maturity levels and exploit source counts, flags any with active CrowdSec sightings or ransomware associations, and creates memory entries for results matching installed dependencies.