How do I find out if my system is affected by a CVE?

Check the CVE's affected versions against your installed package versions (apt list --installed, pip list, npm list). For automatic matching: create an SBOM of your infrastructure and match it against CVE databases. ClawGuru's Stack MRI (/neuro) detects exposed CVEs automatically.

What does CVSS score mean and how do I prioritize?

CVSS rates vulnerabilities 0-10: Critical (9-10), High (7-8.9), Medium (4-6.9), Low (0-3.9). Priority by: 1) CVSS score, 2) Whether you are affected (SBOM match), 3) Internet exposure (exposed = higher risk), 4) Active exploit in the wild (CISA KEV). Critical + internet-exposed + active exploit = patch immediately.

How quickly must I patch after a CVE?

SLA recommendation: Critical (CVSS 9+) with active exploit → 24 hours. Critical without exploit → 7 days. High (CVSS 7-8.9) → 14 days. Medium → 30 days. Low → 90 days or next maintenance window. NIS2-obligated entities: critical CVEs in critical systems must be reported and addressed within 24h.

"Not a Pentest" Notice: All guides are for protecting your own systems.

Academy · CVE Feed

CVE Feed: Latest Vulnerabilities & Fixes

Curated CVE database with actionable mitigation steps — no security noise, only what is relevant for self-hosted infrastructure. Every entry includes CVSS score, affected versions, and immediately applicable fix steps.

CVEs curated

CRITICAL

HIGH

24h

Patch SLA (Critical)

All CVEs — sorted by severity

CVE ID	Name	CVSS	Software	Fix
CVE-2024-3094	XZ Utils Backdoor – Supply Chain Attack	10.0	XZ Utils (liblzma)	Fix →
CVE-2024-27198	JetBrains TeamCity Authentication Bypass	10.0	JetBrains TeamCity	Fix →
CVE-2025-29927	Next.js Middleware Authorization Bypass	9.1	Next.js	Fix →
CVE-2024-45337	Go crypto/ssh – Misuse of ServerConfig.PublicKeyCallback	9.1	Go standard library (crypto/ssh)	Fix →
CVE-2024-6387	OpenSSH regreSSHion – Unauthenticated RCE	8.1	OpenSSH	Fix →
CVE-2024-21626	runc Container Escape – Leaky Vessels	8.6	runc (Docker, Kubernetes, containerd)	Fix →
CVE-2023-44487	HTTP/2 Rapid Reset DDoS Attack	7.5	HTTP/2 servers (nginx, Apache, Node.js, Go, AWS, Cloudflare)	Fix →
CVE-2024-56374	Django SQL Injection via QuerySet.annotate()	7.5	Django	Fix →

Patch SLA Guide

CRITICAL (CVSS 9–10)

With active exploit: 24 hours. Without active exploit: 7 days. NIS2: Report and address immediately.

HIGH (CVSS 7–8.9)

14 days. Internet-exposed systems: 7 days.

MEDIUM (CVSS 4–6.9)

30 days or next maintenance window.

LOW (CVSS 0–3.9)

90 days. In the next regular update cycle.

Frequently Asked Questions

How do I find out if my system is affected?

Check affected versions against your packages (apt list --installed, pip list, npm list). Stack MRI (/neuro) detects exposed CVEs automatically via SBOM matching.

What is CISA KEV?

The CISA Known Exploited Vulnerabilities (KEV) catalog contains CVEs with confirmed active exploits in the wild. All KEV entries must be prioritized and patched within set deadlines per CISA guidelines.

How do I automate CVE monitoring?

1) Create SBOM (Syft, Trivy). 2) Match SBOM against NVD/OSV/GitHub Advisory DB (Grype, Trivy). 3) Alerts on new matches: Slack/PagerDuty/email. 4) Automatic ticket creation. 5) SLA tracking per CVE. Moltbot orchestrates all steps as a runbook.

Further Resources

Stack MRI

Automatically detect CVEs in your infrastructure

Real-Time CVE Feed

Automate CVE integration with Moltbot

AI Agent Security

Secure CVEs in AI agent stacks

Academy

All security courses and tracks