Data & Sources — Quanteta CVE Tracker

This page describes exactly what data we present, where each value comes from, and how the database is maintained. Every score is an official value assigned by a third-party authority. Quanteta does not compute, predict, or assign its own severity, risk or priority rating, and publishes no remediation advice.

Source data as of:

Fields and their sources

CVSS base score, severity, vector
Common Vulnerability Scoring System values as published by NVD (NIST National Vulnerability Database). Where multiple CVSS versions (v3.1, v4.0, v2.0) are published for a record, all are shown and labelled; the table/sort uses v3.1 when available, otherwise v4.0, otherwise v2.0. These are NVD's values, reproduced verbatim — not a Quanteta assessment.
EPSS score & percentile
Exploit Prediction Scoring System probability (0–1) from EPSS (FIRST.org). EPSS estimates the probability of exploitation in the wild; it is FIRST.org's model output, reproduced here.
CISA KEV status
Whether the CVE appears in the CISA Known Exploited Vulnerabilities Catalog, including the catalog's date-added and remediation-due dates. These dates are CISA's; we reproduce them and do not characterise their urgency.
CWE, affected configurations (CPE), vendors
Weakness classification, affected-product configurations and derived vendor list, all from the NVD record.
References
Reference URLs as listed in the NVD record. External links carry rel="nofollow noopener".

Why there is no Quanteta risk score

CVSS, EPSS and KEV are produced by recognised authorities (NIST/NVD, FIRST.org, CISA). Inventing an additional composite "risk" or "patch-priority" number would (a) re-interpret those official severities, and (b) amount to security advice about what to act on first. Quanteta's role is to organise and cross-reference official data faithfully, so the value of this database is its structure, coverage and machine-readability — not a competing opinion.

Coverage & record selection

This build contains 487 publishable records (10 flagged in CISA KEV) across 98 vendors. A record is published when it has a description and at least one official signal (CVSS, EPSS, or KEV). Past CVE records are retained as a permanent archive (evergreen); new records are appended as collected.
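The CVSS version preference described under "Fields and their sources" and the publication rule above, as an added example (not Quanteta's code). NVD keys follow the CVE API 2.0 JSON layout; the merged-record keys "cve", "epss" and "kev" and the Primary-before-Secondary ordering are assumptions.

```python
# Added example, not Quanteta's code. NVD keys follow the CVE API 2.0 JSON layout;
# the merged-record keys "cve", "epss" and "kev" are hypothetical.
PREFERENCE = (("3.1", "cvssMetricV31"), ("4.0", "cvssMetricV40"), ("2.0", "cvssMetricV2"))

def cvss_entries(cve):
    """All published CVSS entries, labelled by version, in sort-preference order."""
    metrics = cve.get("metrics") or {}
    entries = []
    for version, key in PREFERENCE:
        # Assumption: within one version, NVD's "Primary" entry precedes "Secondary".
        for m in sorted(metrics.get(key) or [], key=lambda m: m.get("type") != "Primary"):
            data = m.get("cvssData") or {}
            if data.get("baseScore") is None:
                continue
            entries.append({
                "version": version,
                "score": data["baseScore"],
                # v2 entries carry baseSeverity on the metric, not inside cvssData
                "severity": data.get("baseSeverity") or m.get("baseSeverity"),
                "vector": data.get("vectorString"),
            })
    return entries

def sort_entry(cve):
    """Entry used for the table/sort: v3.1, else v4.0, else v2.0, else None."""
    entries = cvss_entries(cve)
    return entries[0] if entries else None

def is_publishable(record):
    """Description present and at least one official signal (CVSS, EPSS or KEV)."""
    cve = record.get("cve") or {}
    described = any((d.get("value") or "").strip() for d in cve.get("descriptions") or [])
    has_cvss = sort_entry(cve) is not None
    has_epss = (record.get("epss") or {}).get("score") is not None  # 0.0 still counts
    has_kev = record.get("kev") is not None
    return described and (has_cvss or has_epss or has_kev)

# Constructed sample records (placeholder content, not real CVE data)
DESC = [{"lang": "en", "value": "Constructed description."}]
METRICS = {
    "cvssMetricV2": [{"type": "Primary", "baseSeverity": "HIGH", "cvssData": {
        "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}],
    "cvssMetricV40": [{"type": "Secondary", "cvssData": {
        "baseScore": 8.7, "baseSeverity": "HIGH"}}],
}
V2_AND_V4 = {"cve": {"descriptions": DESC, "metrics": METRICS}}
EPSS_ONLY = {"cve": {"descriptions": DESC}, "epss": {"score": 0.0, "percentile": 0.0}}
NO_SIGNAL = {"cve": {"descriptions": DESC}}
NO_DESCRIPTION = {"cve": {"descriptions": [], "metrics": METRICS}, "kev": {}}
```

With no v3.1 entry, the v4.0 value drives the sort for V2_AND_V4 while the v2.0 entry is still listed; an EPSS score of 0.0 counts as a signal, and a record with no description is not published whatever signals it has.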

Update policy

Data is collected by automated collectors. Pages are regenerated only when the underlying data changes; the "Source data as of" timestamp reflects the actual data collection time, never a cosmetic edit. We do not falsify freshness.

Data quality & integrity

Limitations & caveats