Vulnerability Feed and Patch Urgency

Rank today’s CVEs by exploit status and vendor impact, ship webhooks to ticket queues, burn down exposure over time.

Recent CVEs (NVD)

CVE-1999-009510.0
The debug command in Sendmail is enabled, allowing attackers to execute commands as root.
10/1/1988, 4:00:00 AM
CVE-1999-008210.0
CWD ~root command in ftpd allows root access.
11/11/1988, 5:00:00 AM
CVE-1999-14717.2
Buffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field.
1/1/1989, 5:00:00 AM
CVE-1999-11224.6
Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges.
7/26/1989, 4:00:00 AM
CVE-1999-146710.0
Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user.
10/26/1989, 4:00:00 AM
CVE-1999-15067.5
Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin.
1/29/1990, 5:00:00 AM
CVE-1999-00848.4
Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0.
5/1/1990, 4:00:00 AM
CVE-2000-03887.5
Buffer overflow in FreeBSD libmytinfo library allows local users to execute commands via a long TERMCAP environmental variable.
5/9/1990, 4:00:00 AM
CVE-1999-02095.0
The SunView (SunTools) selection_svc facility allows remote users to read files.
8/14/1990, 4:00:00 AM
CVE-1999-11987.2
BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges.
10/3/1990, 4:00:00 AM
CVE-1999-13917.2
Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers allows local users to gain privileges via a combination of the npd program and weak directory permissions.
10/3/1990, 4:00:00 AM
CVE-1999-13927.2
Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 allows local users to gain root privileges.
10/3/1990, 4:00:00 AM
CVE-1999-10574.6
VMS 4.0 through 5.3 allows local users to gain privileges via the ANALYZE/PROCESS_DUMP dcl command.
10/25/1990, 4:00:00 AM
CVE-1999-15542.1
/usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the group ID to the group ID of the user who started Mail, which allows local users to read the mail of other users.
10/31/1990, 5:00:00 AM
CVE-1999-11977.2
TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a user who tries to redirect console output and input, which could allow a local user to gain privileges.
12/20/1990, 5:00:00 AM
CVE-1999-11157.2
Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr10.2 and sr10.3 beta, related to the Korn Shell (ksh).
12/31/1990, 5:00:00 AM
CVE-1999-12585.0
rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remote access to the daemon, which allows remote attackers to obtain sensitive system information.
1/15/1991, 5:00:00 AM
CVE-1999-14387.2
Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local users to gain root privileges via certain command line arguments.
2/22/1991, 5:00:00 AM
CVE-1999-12117.2
Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local users to gain root privileges.
3/27/1991, 5:00:00 AM
CVE-1999-12127.2
Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local users to gain root privileges.
3/27/1991, 5:00:00 AM
CVE-1999-11947.2
chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which allows local users to gain privileges.
5/1/1991, 4:00:00 AM
CVE-1999-119310.0
The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privileges, which could allow the me user to use the su command to become root.
5/14/1991, 4:00:00 AM
CVE-1999-11237.2
The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.
5/20/1991, 4:00:00 AM
CVE-1999-10347.2
Vulnerability in login in AT&T System V Release 4 allows local users to gain privileges.
5/23/1991, 4:00:00 AM
CVE-1999-14154.6
Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local users to gain privileges.
8/23/1991, 4:00:00 AM
CVE-1999-10907.5
The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files.
9/10/1991, 4:00:00 AM
CVE-1999-049810.0
TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.
9/27/1991, 4:00:00 AM
CVE-1999-14686.2
rdist in various UNIX systems uses popen to execute sendmail, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable.
10/22/1991, 4:00:00 AM
CVE-1999-01674.6
In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.
12/6/1991, 5:00:00 AM
CVE-1999-149310.0
Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through SR10.3 allows remote attackers to gain root privileges via insecure system calls, (1) pad_$dm_cmd and (2) pad_$def_pfk().
12/18/1991, 5:00:00 AM
CVE-1999-103210.0
Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 allows attackers to gain root privileges.
12/31/1991, 5:00:00 AM
CVE-1999-105910.0
Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for various SVR4 systems allows remote attackers to execute arbitrary commands.
2/25/1992, 5:00:00 AM
CVE-1999-06270.0
The rexd service is running, which uses weak authentication that can allow an attacker to execute commands.
3/1/1992, 5:00:00 AM
CVE-1999-11217.2
The default configuration for UUCP in AIX before 3.2 allows local users to gain root privileges.
3/19/1992, 5:00:00 AM
CVE-1999-01177.2
AIX passwd allows local users to gain root access.
3/31/1992, 5:00:00 AM
CVE-1999-111910.0
FTP installation script anon.ftp in AIX insecurely configures anonymous FTP, which allows remote attackers to execute arbitrary commands.
4/27/1992, 4:00:00 AM
CVE-1999-11427.2
SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user.
5/27/1992, 4:00:00 AM
CVE-1999-01687.5
The portmapper may act as a proxy and redirect service requests from an attacker, making the request appear to come from the local host, possibly bypassing authentication that would otherwise have taken place. For example, NFS file systems could be mounted through the portmapper despite export restrictions.
6/4/1992, 4:00:00 AM
CVE-1999-021410.0
Denial of service by sending forged ICMP unreachable packets.
7/21/1992, 4:00:00 AM
CVE-1999-13967.2
Vulnerability in integer multiplication emulation code on SPARC architectures for SunOS 4.1 through 4.1.2 allows local users to gain root access or cause a denial of service (crash).
7/21/1992, 4:00:00 AM
CVE-1999-13957.2
Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 through 5.4-2 allows local users to gain privileges.
11/17/1992, 5:00:00 AM
CVE-1999-13067.5
Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters.
12/10/1992, 5:00:00 AM
CVE-1999-14667.5
Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword.
12/10/1992, 5:00:00 AM
CVE-1999-10217.2
NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 bit UID, which allows a local user to gain root access if the lower 16 bits are set to 0, as fixed by the NFS jumbo patch upgrade.
12/30/1992, 5:00:00 AM
CVE-1999-1056n/a
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1395. Reason: This candidate is a duplicate of CVE-1999-1395. Notes: All CVE users should reference CVE-1999-1395 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
12/31/1992, 5:00:00 AM
CVE-1999-03125.0
HP ypbind allows attackers with root privileges to modify NIS data.
1/13/1993, 5:00:00 AM
CVE-1999-15077.2
Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access via insecure permissions on files and directories such as crash.
2/3/1993, 5:00:00 AM
CVE-1999-12182.1
Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier allows local users to read arbitrary files.
2/18/1993, 5:00:00 AM
CVE-1999-13127.2
Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1.0, allows local users to gain system privileges.
2/24/1993, 5:00:00 AM
CVE-1999-12167.5
Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command.
4/22/1993, 4:00:00 AM

Build goals

Rank today’s CVEs by exploit status and vendor impact, ship webhooks to ticket queues, burn down exposure over time.

Stack

Frontend: React 18, Mapbox GL or deck.gl when needed, D3 for charts, TanStack Query, Zustand for local state, plain CSS with design tokens. No runtime CSS frameworks.
API: Python 3.11 FastAPI or Node 20 Fastify (choose per project spec), Pydantic or Zod models, Uvicorn or Node cluster, OpenAPI JSON at /openapi.json.
Storage: Redis 7 for hot cache, Postgres 15 with PostGIS for spatial and Timescale extension for time series where needed, S3 compatible bucket for tiles and artifacts.
Ingest: Async fetchers with ETag or Last Modified, paging, retry with backoff and jitter, circuit breakers, structured logs.
Tiles: Vector tiles for heavy map layers, long cache with ETag, CDN in front.
Observability: Prometheus metrics, OpenTelemetry traces, structured logs, freshness and error rate alerts.
Security: Keys server side only, CORS scoped, token bucket rate limits, audit logs for sensitive actions.

Data sources

Source	Endpoint	Cadence	Access	Auth	Notes
NVD CVE 2.0	services.nvd.nist.gov/rest/json/cves/2.0	frequent	REST JSON	None	Vulnerability catalog with CVSS
CISA KEV	cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json	frequent	JSON	None	Known exploited list
MITRE CVE	cveawg.mitre.org/api	frequent	REST JSON	None	CVE records and metadata

Architecture

Python FastAPI, reconcile CVE IDs, urgency scoring with KEV boost and temporal features plus vendor prevalence, daily snapshots, webhook connectors for Jira and Slack.

Models

Models are expressed in DB tables and mirrored as API schemas. All timestamps are UTC. All coordinates are WGS84. Stable IDs, soft deletes by valid_to when needed.

cve(id, cvss, published, vendor, product, refs jsonb)
kev(cve_id, date_added)
urgency(cve_id, score, reasons jsonb)
snapshot(day, counts jsonb)

Algorithms

Urgency score with transparent components: KEV flag, recency decay, vendor prevalence weight
Daily snapshot diffs and idempotent ingest

API surface

GET /cves?q=&vendor=&product=&since=&until=&kev=
GET /urgency?min_score=&vendor=
POST /webhooks/jira, body { filter, destination }

UI and visualization

Stacked bars by vendor and severity
Burn down charts and saved filters
Score explainer for trust and audit

Performance budgets

Daily ingest windows complete under 5 minutes
List queries p95 under 200 ms on indexed fields
FCP under 2 s on broadband mid tier laptop.
API p95 under 300 ms for common list endpoints, p99 under 800 ms.
Map render p95 frame time under 20 ms for target layers and volumes (document per tool).
Frontend app code under 180 KB gzip excluding map library.
API memory under 200 MB under normal load.

Accessibility

WCAG 2.2 AA, automated axe checks clean, no critical issues.
Keyboard navigable controls, focus rings visible, ARIA roles correct.
Color contrast at or above 4.5 to 1, colorblind safe palettes.
Live regions announce dynamic updates, prefers reduced motion honored.

Evidence pack and quality gates

Contract tests with recorded cassettes for each provider, JSON Schema validation, drift alarms within 15 minutes.
Load tests with k6, thresholds enforced in CI for p95 and p99.
Lighthouse performance and a11y reports stored as CI artifacts.
Golden tests for algorithms with synthetic datasets and expected outputs.
Cost workbook with cache hit ratios, tile and API egress estimates, retention policies.

CI configuration

name: ci
on: [push, pull_request]
jobs:
  api:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgis/postgis:15-3.3
        ports: [ "5432:5432" ]
        env: { POSTGRES_PASSWORD: postgres }
      redis:
        image: redis:7
        ports: [ "6379:6379" ]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: "20" }
      - uses: actions/setup-python@v5
        with: { python-version: "3.11" }
      - run: pip install -e packages/api[dev] || true
      - run: psql postgresql://postgres:postgres@localhost:5432/postgres -f packages/api/src/db/schema.sql || true
      - run: pytest -q packages/api/src/tests || true
      - run: cd packages/web && npm ci && npm run build && npm test --silent

Risks and mitigations

NVD cooldowns and paging, add backoff and caching
Vendor weight drift, schedule periodic recalibration

Acceptance checklist

CI green on main, all quality gates met.
Freshness SLOs met for hot regions or feeds.
Performance budgets met or better.
A11y audits pass with zero critical findings.
Provenance and license panels render correct metadata.
Runbook covers stale feed handling, provider errors, and key rotation.

Implementation sequence

Ingest and reconcile, schemas and cassette tests
Urgency score and snapshots with golden tests
Webhooks and exports
Evidence pack and dashboards

Runbook

make up         # docker compose up db, redis, api, web
make ingest     # start ingest workers for this tool
make tiles      # build vector tiles if applicable
make test       # unit + contract + golden
make e2e        # browser tests