cvefind is a CLI tool that collects CVE data for a package name from multiple advisory sources and merges the results into one view.
It is optimized for:
- Fast lookup by package name
- Lower miss rate by combining sources (OSV, GHSA, NVD)
- supports JSON/YAML output
- Multi-source collection:
- CVE deduplication and source merge
- Optional inclusion of GHSA records that do not have CVE IDs yet
- Severity filtering (
low,medium,high,critical) - CVSS score/vector support (when available, typically from NVD)
- Output formats:
default,json,yaml
git clone https://github.com/sm1ee/cvefind.git
cd cvefind
python3 -m venv .venv
source .venv/bin/activate
pip install .Use this if you want to run cvefind from any directory.
cd /path/to/cvefind
python3 -m pip install --user .
echo 'export PATH="$(python3 -m site --user-base)/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
cvefind --helpIf you specifically want editable install (-e .), upgrade packaging tools first:
python3 -m pip install --user --upgrade pip setuptools wheel
python3 -m pip install --user -e .cvefind --help
Usage: cvefind [OPTIONS] PACKAGE_NAME
╭─ Arguments ─────────────────────────────────────────────────────────────╮
│ * package_name TEXT Package name. Example: n8n [required] │
╰─────────────────────────────────────────────────────────────────────────╯
╭─ Options ───────────────────────────────────────────────────────────────╮
│ --ecosystem -e TEXT Package ecosystem [default: npm] │
│ --alias -a TEXT Additional search alias. │
│ Repeatable. │
│ --include-ghsa-pending Include GHSA advisories that do │
│ not have a CVE yet. │
│ --min-severity TEXT Filter by minimum severity: low, │
│ medium, moderate, high, │
│ critical. │
│ --output -o TEXT Output format: default, json, │
│ yaml. │
│ [default: default] │
│ --timeout FLOAT HTTP timeout (seconds) │
│ [default: 20.0] │
│ --help Show this message and exit. │
╰─────────────────────────────────────────────────────────────────────────╯
# default output
cvefind n8n --ecosystem npm# include GHSA items without CVE + filter by severity + JSON output
cvefind n8n -e npm --include-ghsa-pending --min-severity high -o json# YAML output
cvefind n8n -e npm -o yamlcvefind [OPTIONS] PACKAGE_NAMEPACKAGE_NAME
Target package name, e.g.n8n
-
-e, --ecosystem TEXT
Package ecosystem (default:npm)
Supported:npm,pypi,maven,nuget,go,packagist,rubygems,cargo -
-a, --alias TEXT
Extra alias term for fallback searching (repeatable) -
--include-ghsa-pending
Include GHSA advisories that do not yet have a CVE ID -
--min-severity [low|medium|moderate|high|critical]
Minimum severity threshold -
-o, --output [default|json|yaml]
Output format (default:default) -
--timeout FLOAT
HTTP timeout in seconds (default:20.0)
Block style:
[Critical] CVE-2026-25115 (CVSSv3.1 9.9)
Summary: n8n has a Python sandbox escape
⤷ GHSA: https://github.com/advisories/GHSA-...
⤷ NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25115
Records are sorted by newest published date first.
Structured output includes:
package,ecosystemaliases_usedmin_severitycountcves[]with:cve_id,severitycvss_score,cvss_vectorpublished_at,summarysources[],references[]
pending_ghsa[](if--include-ghsa-pendingis enabled)errorsper source
-
GITHUB_TOKEN(recommended)
Improves GitHub API rate limits and reliability -
NVD_API_KEY(recommended)
Improves NVD API rate limits and reliability
- Focused on CVE discovery and aggregation
- Does not currently perform version impact resolution (affected vs fixed for a specific installed version)
- Source APIs can have sync delays; using multiple sources reduces, but does not eliminate, misses
Run tests:
PYTHONPATH=src python3 -m unittest discover -s tests -qBasic syntax check:
PYTHONPYCACHEPREFIX=/tmp/pycache python3 -m py_compile src/cvefind/*.py tests/test_service.py