All patch & vulnerability trackers

Open source patch trackerBeta

Actively-exploited open-source vulnerabilities from CISA's Known Exploited Vulnerabilities catalog, each mapped to the package and the version that fixes it using OSV.dev. A CVE list tells you what is broken. This tells you the exact upgrade: the ecosystem (Maven, npm, PyPI, and more), the package, and the fixed version, ranked by EPSS exploit probability.

  • Confirmed exploited. Straight from CISA KEV, the authoritative actively-exploited list.
  • The fix, not just the flaw. The package and the fixed version from OSV.dev, so you know the upgrade.
  • Every ecosystem. Maven, npm, PyPI, NuGet, Go, RubyGems, Packagist, and more.
  • Open data. Search, sort, and export to CSV or JSON.

Exploited CVEs from CISA KEV and FIRST.org EPSS, mapped to package fixes via OSV.dev (Apache-2.0). Last updated 2026-06-30.

Most-affected open-source projects
Open-source projects with the most actively-exploited CVEs that have a package fix. The red portion of each bar is the ransomware-linked share.
Exploitation trend
Exploited open-source CVEs added to CISA KEV per month, ransomware-linked highlighted.
12 months
Export:RSS

Tracking Microsoft instead?
See the Microsoft Patch Tracker for every Patch Tuesday KB and the CVEs it fixes, EPSS-ranked.
Microsoft Patch Tracker

Data sources

Every row is built from authoritative, public security feeds, refreshed automatically.

Source What it provides
CISA KEV catalogThe actively-exploited list: which CVEs are exploited in the wild, plus ransomware use and the date added.
OSV.devThe open-source package and the fixed version for each CVE. OSV.dev aggregates GitHub Security Advisories, PyPA, RustSec, and other OSV-schema sources across Maven, npm, PyPI, NuGet, Go, RubyGems, Packagist, and more.
NVD (NIST)CVSS base score and severity for each CVE.
CIRCL CVE SearchCVSS fallback when NVD has no score yet, so newly added CVEs still get a severity.
EPSS (FIRST.org)Exploit Prediction Scoring System: probability a CVE is exploited within 30 days, used to rank the list.
VulnCheck KEVA broader Known Exploited Vulnerabilities list than CISA KEV, surfaced as a "VulnCheck KEV" signal. Data courtesy of VulnCheck, used with attribution.
ENISA EUVDThe European Union Vulnerability Database (ENISA, under NIS2), surfaced as an "EU EUVD" signal for EU teams. Courtesy of ENISA, used with attribution.

Package and fixed-version data from OSV.dev and the google/osv.dev project, used under the Apache License 2.0. Underlying GitHub Security Advisory records are licensed CC BY 4.0. Exploitation data labeled VulnCheck KEV is provided by VulnCheck and used with attribution per VulnCheck's terms; EU cross-references are from the ENISA EUVD. Senserva is not affiliated with or endorsed by OSV.dev, Google, VulnCheck, or ENISA. Always confirm the fixed version against the linked advisory before deploying.

Senserva makes sure your Microsoft products are actually running the way your compliance rules require, reports on all of it in one place, and helps you fix what is wrong.

Configured to the rules
Continuously checks that your Microsoft 365, Intune, Defender, Entra ID, and Purview are set up the way your compliance frameworks require (MCSB, CIS, NIST 800-53, SOC 2, HIPAA, CISA SCuBA), and flags every drift.
One easy report across every product
Pulls all the data across these products into clear, easy-to-read reports, so you stop stitching separate consoles together to see where you stand.
Full AI enhancement and remediation
Every finding comes with AI-written context and guided, agentic remediation, so you fix what matters instead of just reading about it.
This is the list. Senserva tells you which ones are in your tenant.
This page is the actively-exploited open-source CVEs that have a known package fix. Senserva matches exploited CVEs against the software, devices, and apps it finds in your Microsoft 365, Intune, Defender, and Entra ID estate, then ranks what is actually exposed by CISA KEV and EPSS, so you patch the few that matter first.
Scan my tenant free See the Security Center