A real-time CVE feed for AI security agents.
Point your security agent at one keyless endpoint and it gets CVEs confirmed exploited in the wild - the CISA KEV catalog with EPSS scores - plus a per-package version vulnerability lookup, every row signed and time-stamped.
The call
One keyless POST returns the latest known-exploited CVEs (CISA KEV plus FIRST.org EPSS) and an OSV lookup for a specific package version - the two questions a triage agent asks first:
curl -s -X POST https://dynamicfeed.ai/v1/batch \
-H "Content-Type: application/json" \
-d '{"calls":[
{"tool":"exploited_vulnerabilities","args":{}},
{"tool":"check_vulnerability","args":{"package":"lodash","version":"4.17.10","ecosystem":"npm"}}
]}'Sample response
{
"calls": [
{ "tool": "exploited_vulnerabilities", "args": {} },
{ "tool": "check_vulnerability",
"args": { "package": "lodash", "version": "4.17.10", "ecosystem": "npm" } }
]
}Why live data
A model trained months ago has a stale view of which CVEs are actively exploited - and "is this version vulnerable" is a fact, not a guess, so an agent should look it up rather than recall it. exploited_vulnerabilities returns the CISA Known Exploited Vulnerabilities catalog (CVEs confirmed exploited in the wild, not merely disclosed) joined with FIRST.org EPSS exploitation-probability scores; check_vulnerability matches a package, version and ecosystem against the OSV.dev corpus. Each datapoint is Ed25519-signed and stamped with its source, source URL and observed-at time. Be precise about what the signature means - it is proof-of-existence and tamper-evidence (we reported this row at this time, unaltered in transit), not a claim that the CVE rating, the EPSS number, or any remediation is true, accurate or safe. Your agent still owns the decision; we make the input citeable and verifiable.
Use it for
- Triage a dependency manifest against known-exploited CVEs at runtime
- Let a SOC agent rank findings by EPSS and CISA-KEV status instead of stale memory
- Block a deploy when a pinned package version has a fix-available OSV advisory
- Attach a signed, source-stamped CVE record to an audit trail or ticket
FAQ
Do I need an API key?
No. POST https://dynamicfeed.ai/v1/batch and the remote MCP endpoint at https://dynamicfeed.ai/mcp are both keyless and free for fair use.
What is the difference between exploited_vulnerabilities and check_vulnerability?
exploited_vulnerabilities lists CVEs CISA has confirmed are being exploited in the wild, scored with EPSS - call it with no args. check_vulnerability answers whether one specific package, version and ecosystem (for example lodash 4.17.10 on npm) has known advisories in OSV.dev.
Does an Ed25519 signature mean the CVE rating is correct?
No. The signature is proof-of-existence and tamper-evidence - it proves we returned this exact record at this time. It is not a truth, accuracy or safety claim about the CVE, its score or any remediation. Your agent makes the call.