Patch and vulnerability tracker

… CVEs tracked.

A free, daily-refreshed dashboard of patch and vulnerability data across Microsoft and open-source software, ranked by real-world exploitation (CISA KEV) and exploit probability (EPSS). Built for IT, Audit and security teams. Pick a tracker to drill in, or pull the feeds and JSON API.

Sourced from Microsoft MSRC, NVD, CISA KEV, FIRST.org EPSS, OSV.dev, VulnCheck KEV, and the ENISA EUVD (EU), with vendor PSIRT advisories for the fix. Refreshed daily.

The trackers

Each is a free, searchable, daily-refreshed view, ranked the same way: actively exploited (CISA KEV) first, then EPSS and CVSS.

Microsoft patch tracker

Every Patch Tuesday and out-of-band update (KB) and the CVEs it fixes, ranked by risk. Per-KB and per-CVE pages, a product-family heatmap, a searchable table, and download links to the Microsoft Update Catalog.

MSRC + NVD + CISA KEV + EPSS

Open the patch tracker

Microsoft CVE list and lookup

Search and rank Microsoft CVEs by severity, type, and real-world exploitation, each cross-referenced to the patch (KB) that fixes it. Filter to actively exploited or ransomware-linked in one click.

NVD + MSRC + CISA KEV + EPSS

Open the CVE lookup

Non-Microsoft exploited CVEs

Every non-Microsoft CVE in the CISA Known Exploited Vulnerabilities catalog, EPSS-ranked. The Cisco, Fortinet, Ivanti, Citrix, VMware, Apache, and Adobe flaws under active attack right now, in one view.

CISA KEV + NVD + EPSS

Open the exploited-CVE tracker

Open source patch tracker

Actively-exploited open-source CVEs mapped to the affected package and the version that fixes each one, via OSV.dev. The exact upgrade across Maven, npm, PyPI, NuGet, Go, RubyGems, Packagist, and more.

CISA KEV + OSV.dev + EPSS

Open the open-source tracker

End of life tracker

Product end-of-life and end-of-support dates across hundreds of products, Microsoft pinned to the top. Out-of-support software gets no security patches, so this flags what you must upgrade, not just patch.

endoflife.date

Open the EOL tracker

Most-exploited vendors

Vendors with the most CVEs added to CISA KEV in the time frame, across Microsoft and the rest of the ecosystem. The red portion of each bar is the ransomware-linked share. Open the full non-Microsoft tracker.

Time frameAll time

Data sources

Every tracker is built from authoritative, public feeds, refreshed automatically. No login, no telemetry, no scan data.

Microsoft MSRC	Patch Tuesday data: KB-to-CVE mappings, Microsoft severity, affected products, and exploitation status.
NVD (NIST)	The U.S. National Vulnerability Database: CVE metadata, CVSS v3 scores and vectors, and CWE weakness types.
CISA KEV	The Known Exploited Vulnerabilities catalog: CVEs confirmed exploited in the wild, with ransomware association.
EPSS (FIRST.org)	Exploit Prediction Scoring System: the probability a CVE is exploited within 30 days, used to rank every list.
OSV.dev	Open-source package and fixed version for each CVE, aggregating GitHub Security Advisories, PyPA, RustSec, and other OSV-schema sources. Used under the Apache-2.0 license; advisory records are CC BY 4.0.
CIRCL CVE Search	CVSS fallback when NVD has no score yet, so newly disclosed CVEs still get a severity.
VulnCheck KEV	A broader Known Exploited Vulnerabilities list than CISA KEV, surfaced as a "VulnCheck KEV" signal. Data courtesy of VulnCheck, used with attribution.
ENISA EUVD	The European Union Vulnerability Database (ENISA, under NIS2), surfaced as an "EU EUVD" signal. Courtesy of ENISA, used with attribution.
Vendor PSIRTs	Each vendor's own security advisory (Cisco, Fortinet, Ivanti, Citrix, Adobe, Apple, VMware/Broadcom, and more), linked as the authoritative fix for non-Microsoft, non-open-source products.

Attribution. Exploitation data labeled VulnCheck KEV is provided by VulnCheck and is used with attribution per VulnCheck's terms. EU cross-references are from the ENISA EU Vulnerability Database (EUVD). Open-source package fixes are from OSV.dev. Vendor PSIRT advisories are linked, not redistributed. Senserva is not affiliated with or endorsed by these providers.

For EU teams: vulnerabilities are cross-referenced to the ENISA EU Vulnerability Database (EUVD), the EU's official database under the NIS2 directive.

Feeds and API

Microsoft patches RSS (ranked by risk)
Non-Microsoft KEV RSS (actively exploited)
Microsoft patches JSON (machine-readable)

How it is built

The feeds are pulled and rebuilt daily, then ranked: actively exploited (CISA KEV) first, then EPSS exploit probability and CVSS severity. Every KB and CVE gets its own linkable, cross-referenced page. Static and fast, with no account required.

From your own estate

These trackers cover the public picture. Senserva ranks the same data against the patches and CVEs actually present across your Microsoft 365, Intune, Defender, and Entra ID estate.