If your patch-prioritization rule is “exploited in the wild bypasses everything else,” then every day CISA’s KEV catalog stays quiet about a CVE that’s already being shelled in the wild is a day you’re flying with a delayed instrument. VulnCheck’s community KEV spots those CVEs an average of 27 days earlier than CISA, and lists roughly 80% more entries reported as actively exploited. Twenty-seven days is not a rounding error. That’s almost a full Patch Tuesday cycle of warning you didn’t have.
The companion product, NVD++, exists because the NIST NVD has been visibly struggling on enrichment throughput since early 2024. CPEs and CVSS vectors arrive late. Sometimes they don’t arrive at all. If you’ve scripted anything against services.nvd.nist.gov in the last two years, you’ve felt it. NVD++ is the same API surface with the gaps backfilled by a team that actually staffs the work.
Both are free with email registration. That’s the whole pitch.
What these two things actually are
VulnCheck KEV is a catalog of CVEs with evidence of active exploitation, published as a JSON feed. Same shape as CISA’s catalog, broader inputs.
NVD++ is a mirror of the NIST National Vulnerability Database with enrichment (CPE bindings, CVSS vectors, references) added back where NIST has fallen behind. The API surface is compatible with NVD 2.0, so existing tooling pointed at NIST works against NVD++ with a base-URL swap.
Together they fix the two ways the federal vulnerability data pipeline has gotten unreliable since 2024: KEV trails real exploitation, and NVD enrichment is late or missing.
How they compare
| Source | What it covers | Freshness | Cost |
|---|---|---|---|
| CISA KEV | CVEs with reliable evidence of exploitation against federal-civilian-relevant targets | Lagging; trails real exploitation by ~27 days on average | Free |
| VulnCheck KEV | CVEs with broader public evidence of exploitation, including vendor advisories and researcher disclosures | Earlier; about 80% more entries than CISA at any given time | Free with registration |
| NIST NVD | All published CVEs | Publication is timely; enrichment (CPE, CVSS) has been visibly slow since early 2024 | Free |
| NVD++ | Same set, with the missing enrichment backfilled | Closer to real-time on enrichment | Free with registration |
The table is the whole comparison. Anyone telling you to choose one or the other is selling something. CISA KEV is still the legal trigger for federal compliance and the highest-confidence signal. VulnCheck KEV is the wider funnel that catches things weeks earlier. You read both.
How a small shop uses it
The cleanest pattern is to wire VulnCheck KEV into whatever script already consumes CISA KEV, and treat it as a second-tier override. CISA KEV stays the “drop everything” list. VulnCheck-only entries become the “look at this today, not next week” list. Same prioritization logic, two thresholds.
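The two-threshold pattern above, sketched as an added example (not code from PatchDay Alert or VulnCheck). It assumes both feeds are already downloaded and parsed into CISA KEV's JSON shape; the CVE ids, dates and function names are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample feeds with placeholder CVE ids. Assumption: both feeds use
# CISA KEV's JSON shape ("vulnerabilities" list with "cveID" and "dateAdded").
CISA_KEV = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2025-03-28"}]}""")
VULNCHECK_KEV = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2025-03-01"},
  {"cveID": "CVE-0000-0002", "dateAdded": "2025-03-20"},
  {"dateAdded": "2025-03-21"}]}""")

def index_by_cve(catalog):
    """Map normalized CVE id -> date added, skipping malformed entries."""
    out = {}
    for entry in catalog.get("vulnerabilities", []):
        cve, added = entry.get("cveID"), entry.get("dateAdded")
        if cve and added:
            out[cve.strip().upper()] = date.fromisoformat(added)
    return out

def triage(open_cves, cisa_catalog, vulncheck_catalog):
    """Sort open findings into the two KEV tiers plus the normal queue."""
    cisa, vc = index_by_cve(cisa_catalog), index_by_cve(vulncheck_catalog)
    tiers = {"drop_everything": [], "look_today": [], "normal_queue": []}
    for cve in sorted({c.strip().upper() for c in open_cves}):
        if cve in cisa:        # CISA KEV stays the top tier, even if also in VulnCheck
            tiers["drop_everything"].append(cve)
        elif cve in vc:        # VulnCheck-only entry: second-tier override
            tiers["look_today"].append(cve)
        else:
            tiers["normal_queue"].append(cve)
    return tiers

def lead_days(cisa_catalog, vulncheck_catalog):
    """Days of earlier warning VulnCheck gave for CVEs present in both feeds."""
    cisa, vc = index_by_cve(cisa_catalog), index_by_cve(vulncheck_catalog)
    return {cve: (cisa[cve] - vc[cve]).days for cve in cisa.keys() & vc.keys()}

if __name__ == "__main__":
    findings = ["cve-0000-0001", "CVE-0000-0002", "CVE-0000-0003"]  # scanner output
    print(triage(findings, CISA_KEV, VULNCHECK_KEV))
    print(lead_days(CISA_KEV, VULNCHECK_KEV))
```

Tracking `lead_days` against your own findings over time shows how much earlier warning the second feed is actually giving your environment.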
For NVD++, the move is even simpler. Change the base URL in your existing NVD client. If you have a vulnerability management script that times out half the time because NIST is slow or returns CVEs without CPE data, that script gets quietly better.
If you don’t have either workflow yet and you’re picking one to start with, start with the KEV feed. The decision impact is bigger and the signal is easier to act on. A working catalog of “things being exploited right now” beats a complete NVD mirror for most operator decisions.
The tradeoffs, honestly
The free tier is real and not crippled, but the paid product (Exploit and Vulnerability Intelligence) is the upsell, and the registration form exists to feed that funnel. Expect outreach. The community data itself is genuinely useful, but if you’re allergic to vendor email, this is the cost of admission.
The other thing worth saying plainly: VulnCheck KEV is broader than CISA KEV because it uses a looser evidence bar. CISA requires “reliable evidence of active exploitation.” VulnCheck includes credible vendor advisories and researcher reports that may not meet that bar. That’s a feature for early warning and a bug for compliance attestation. Don’t tell your auditor that VulnCheck KEV satisfies BOD 22-01. It doesn’t.
NVD++ has fewer caveats. It’s a more complete mirror of a public dataset. The main risk is dependence on a single vendor staying funded to keep the backfill running. So far they have.
Get it
KEV catalog: vulncheck.com/kev. NVD++ overview and API docs: vulncheck.com/nvd2. Both require a free account.
The honest reason this combo is on our recommended list is that PatchDay Alert’s own pipeline pulls CISA KEV directly today, and we’ve watched it lag real exploitation often enough to know the gap is real. If you’re running a small shop and “is this being exploited right now” drives your patching order, the cheapest upgrade you can make this quarter is to layer VulnCheck on top of what you already do. It will not replace the judgment call. It will give you that call a few weeks earlier.