Skip to content

Patrowl/PatrowlIntelData

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 

Repository files navigation

CVE Exploit-Link Intelligence

Open dataset of CVE reference links qualified for exploitation insights — each link classified (heuristics + LLM) for proof-of-concept, exploit code, and reproduction steps.

License: CC BY 4.0

A consolidated, regularly-refreshed dataset that takes the reference links attached to public CVEs and enriches each one with exploitability signals: is there a working proof-of-concept, weaponized exploit code, or step-by-step reproduction behind this URL? It's meant to help defenders triage and hunt for actively-exploitable vulnerabilities.

Produced by Patrowl R&D team. Machine-generated and best-effort — treat it as a prioritization aid, not ground truth.


What's inside

File Contents
exploits_untagged.json All links from NVD flagged with a PoC, exploit code, or reproduction steps.

Each file is a single JSON document:

{
    "generated_at": "2026-06-24T09:00:00+00:00",
    "count": 736,
    "links": [ /* … records … */ ]
}

Record schema

Field Type Description
link string The reference URL.
cve_ids string[] CVE IDs that cite this link (a link may back several CVEs).
last_analysis string | null ISO-8601 timestamp of the latest classification (null if never analysed).
exploit_analysis.kind string | null Resource type — see table below.
exploit_analysis.confidence number | null Classifier confidence, 0.01.0.
exploit_analysis.title string | null Page title captured at fetch time.
exploit_analysis.availability.reachable bool | null Whether the URL was reachable when probed.
exploit_analysis.availability.status_code int | null HTTP status observed.
exploit_artifacts.has_poc bool | null A usable proof-of-concept is present.
exploit_artifacts.has_exploit_code bool | null Weaponized exploit code is present.
exploit_artifacts.has_reproduction_steps bool | null Step-by-step reproduction is present.

kind values

poc, exploit_code, writeup_blog, video, advisory_official, patch_commit, issue_tracker, vendor_kb, vulnerability_db, mailing_list, social_media, documentation, broken, unknown.

Example record

{
    "link": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-hgqq-whf5-mrrf",
    "cve_ids": ["CVE-2026-48764"],
    "last_analysis": "2026-06-23T19:17:31.788788+00:00",
    "exploit_analysis": {
        "kind": "advisory_official",
        "confidence": 0.97,
        "title": "SSRF in HTTP request and script fetch flows via DNS rebinding bypass · Advisory · baptisteArno/typebot.io · GitHub",
        "availability": { "reachable": true, "status_code": 200 }
    },
    "exploit_artifacts": {
        "has_poc": true,
        "has_exploit_code": false,
        "has_reproduction_steps": true
    }
}

Methodology

  1. Collection — CVE reference links are pulled from the Patrowl Intel API (which aggregates NVD and vendor/community advisories). For each link we track which CVEs cite it.
  2. Probing — every link is fetched with a capped, timeout-bounded request; availability (reachable / HTTP status) and page title are recorded.
  3. Heuristic qualification — URL host/path rules and regex content extraction produce a baseline classification (kind) and detect code blocks, reproduction sections, embedded videos, and exploit IDs.
  4. LLM refinement — for reachable pages with content, a language model reviews the extracted evidence and sets the final kind, confidence, and the has_poc / has_exploit_code / has_reproduction_steps flags. Low-signal aggregator/advisory-database sources are trusted to the heuristic layer and skipped from the LLM pass to save cost and avoid noise.

An exploit_artifacts flag being true means the classifier concluded that actionable material — a real PoC, exploit script, or reproduction recipe — is present, not merely that a vulnerability is mentioned.

Refresh cadence

The dataset is regenerated daily (generated_at reflects the export time). Newly published CVEs are collected continuously and classified in batches.


Using the data

# All links flagged with exploit code
jq '.links[] | select(.exploit_artifacts.has_exploit_code) | .link' exploits_untagged.json

# Links for a specific CVE
jq '.links[] | select(.cve_ids | index("CVE-2026-48764"))' exploits_untagged.json
import json

data = json.load(open("exploits.json"))
poc_links = [r for r in data["links"] if r["exploit_artifacts"]["has_poc"]]
print(f"{len(poc_links)} links with a PoC out of {data['count']}")

Scope & limitations

  • References, not exploits. This repository hosts URLs and metadata only. It does not host, mirror, or redistribute exploit code or the fetched page content. Links point to third-party public sources; follow them at your own discretion.
  • Automated classification. Labels come from heuristics and an LLM and will contain false positives and false negatives. Confidence scores are indicative. Verify before acting.
  • Point-in-time. Availability and titles reflect when each link was last probed (last_analysis); upstream pages change or disappear.
  • Coverage is partial. Only links reachable and present in the upstream feed are included.

Responsible use

This dataset exists to support defensive security, vulnerability triage, and research. Use it to prioritize patching, detection, and threat hunting. Do not use the referenced material to attack systems you are not authorized to test.

Sources & attribution

Reference links and CVE associations originate from public vulnerability data (NVD, MITRE, vendor and community advisories) surfaced through the Patrowl Intel platform. Individual links are the property of their respective publishers.

License

Attribution suggestion: "CVE Exploit-Link Intelligence — generated by Patrowl."

About

Threat-intel dataset from Patrowl R&D Team: CVE reference links classified for exploitability to help defenders prioritize and hunt. Machine-generated, best-effort.

Topics

Resources

Stars

1 star

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors