Actively-exploited vulnerabilities API — the CVEs that actually matter.
Disclosed isn't the same as dangerous. This is the CISA KEV catalog — CVEs CONFIRMED exploited in the wild — each enriched with its EPSS probability, so your agent flags what's actually under attack instead of drowning in every CVE.
The call
Keyless over MCP, or one REST call with a free key. Every datapoint is provenance-stamped and citeable.
# REST (free key)
curl -H "X-API-Key: $KEY" "https://dynamicfeed.ai/exploited-vulnerabilities?limit=5"
# MCP (keyless) — point any client at https://dynamicfeed.ai/mcp, then call:
exploited_vulnerabilities(vendor="Microsoft")Sample response
{ "cve_id": "CVE-2025-53770", "vendor": "Fortinet", "product": "FortiOS",
"vulnerability": "Authentication bypass", "date_added": "2026-06-03",
"epss_probability": 0.94, "known_ransomware": true, "due_date": "2026-06-24" }Why live data
Teams can't patch every CVE. CISA's KEV catalog is the authoritative list of vulnerabilities CONFIRMED exploited in the wild; fusing each with its EPSS exploitation-probability score gives an agent — or a human — a clean, ranked 'fix these first' list, the signal under the noise of tens of thousands of yearly CVEs.
Use it for
- Prioritize patching by real-world exploitation, not raw CVSS
- Alert when a vendor/product you run lands in the KEV catalog
- Flag ransomware-linked CVEs for emergency response
- Pair with check_vulnerability + security_advisories for full coverage
FAQ
How is this different from a CVE feed?
A CVE feed lists everything disclosed; KEV lists only what's confirmed exploited in the wild — a tiny, high-signal subset. We add each entry's EPSS probability so you can rank within it.
Where does it come from?
The CISA Known Exploited Vulnerabilities catalog, enriched with EPSS scores from FIRST.org. Keyless over MCP.
How fresh is it?
Refreshed continuously; each entry carries its KEV date_added and CISA remediation due_date.