Open dataset of CVE reference links qualified for exploitation insights — each link classified (heuristics + LLM) for proof-of-concept, exploit code, and reproduction steps.
A consolidated, regularly-refreshed dataset that takes the reference links attached to public CVEs and enriches each one with exploitability signals: is there a working proof-of-concept, weaponized exploit code, or step-by-step reproduction behind this URL? It's meant to help defenders triage and hunt for actively-exploitable vulnerabilities.
Produced by Patrowl R&D team. Machine-generated and best-effort — treat it as a prioritization aid, not ground truth.
| File | Contents |
|---|---|
exploits_untagged.json |
All links from NVD flagged with a PoC, exploit code, or reproduction steps. |
Each file is a single JSON document:
{
"generated_at": "2026-06-24T09:00:00+00:00",
"count": 736,
"links": [ /* … records … */ ]
}| Field | Type | Description |
|---|---|---|
link |
string | The reference URL. |
cve_ids |
string[] | CVE IDs that cite this link (a link may back several CVEs). |
last_analysis |
string | null | ISO-8601 timestamp of the latest classification (null if never analysed). |
exploit_analysis.kind |
string | null | Resource type — see table below. |
exploit_analysis.confidence |
number | null | Classifier confidence, 0.0–1.0. |
exploit_analysis.title |
string | null | Page title captured at fetch time. |
exploit_analysis.availability.reachable |
bool | null | Whether the URL was reachable when probed. |
exploit_analysis.availability.status_code |
int | null | HTTP status observed. |
exploit_artifacts.has_poc |
bool | null | A usable proof-of-concept is present. |
exploit_artifacts.has_exploit_code |
bool | null | Weaponized exploit code is present. |
exploit_artifacts.has_reproduction_steps |
bool | null | Step-by-step reproduction is present. |
poc, exploit_code, writeup_blog, video, advisory_official, patch_commit, issue_tracker, vendor_kb, vulnerability_db, mailing_list, social_media,
documentation, broken, unknown.
{
"link": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-hgqq-whf5-mrrf",
"cve_ids": ["CVE-2026-48764"],
"last_analysis": "2026-06-23T19:17:31.788788+00:00",
"exploit_analysis": {
"kind": "advisory_official",
"confidence": 0.97,
"title": "SSRF in HTTP request and script fetch flows via DNS rebinding bypass · Advisory · baptisteArno/typebot.io · GitHub",
"availability": { "reachable": true, "status_code": 200 }
},
"exploit_artifacts": {
"has_poc": true,
"has_exploit_code": false,
"has_reproduction_steps": true
}
}- Collection — CVE reference links are pulled from the Patrowl Intel API (which aggregates NVD and vendor/community advisories). For each link we track which CVEs cite it.
- Probing — every link is fetched with a capped, timeout-bounded request; availability (reachable / HTTP status) and page title are recorded.
- Heuristic qualification — URL host/path rules and regex content extraction produce a baseline classification (
kind) and detect code blocks, reproduction sections, embedded videos, and exploit IDs. - LLM refinement — for reachable pages with content, a language model reviews the extracted evidence and sets the final
kind,confidence, and thehas_poc/has_exploit_code/has_reproduction_stepsflags. Low-signal aggregator/advisory-database sources are trusted to the heuristic layer and skipped from the LLM pass to save cost and avoid noise.
An exploit_artifacts flag being true means the classifier concluded that actionable material — a real PoC, exploit script, or reproduction recipe — is present, not merely that a vulnerability is mentioned.
The dataset is regenerated daily (generated_at reflects the export time). Newly published CVEs are collected continuously and classified in batches.
# All links flagged with exploit code
jq '.links[] | select(.exploit_artifacts.has_exploit_code) | .link' exploits_untagged.json
# Links for a specific CVE
jq '.links[] | select(.cve_ids | index("CVE-2026-48764"))' exploits_untagged.jsonimport json
data = json.load(open("exploits.json"))
poc_links = [r for r in data["links"] if r["exploit_artifacts"]["has_poc"]]
print(f"{len(poc_links)} links with a PoC out of {data['count']}")- References, not exploits. This repository hosts URLs and metadata only. It does not host, mirror, or redistribute exploit code or the fetched page content. Links point to third-party public sources; follow them at your own discretion.
- Automated classification. Labels come from heuristics and an LLM and will contain false positives and false negatives. Confidence scores are indicative. Verify before acting.
- Point-in-time. Availability and titles reflect when each link was last probed (
last_analysis); upstream pages change or disappear. - Coverage is partial. Only links reachable and present in the upstream feed are included.
This dataset exists to support defensive security, vulnerability triage, and research. Use it to prioritize patching, detection, and threat hunting. Do not use the referenced material to attack systems you are not authorized to test.
Reference links and CVE associations originate from public vulnerability data (NVD, MITRE, vendor and community advisories) surfaced through the Patrowl Intel platform. Individual links are the property of their respective publishers.
- Data (the JSON files): Creative Commons Attribution 4.0 International (CC BY 4.0) — you may share and adapt it with attribution.
- Linked third-party content is not covered by this license and remains under its original terms.
Attribution suggestion: "CVE Exploit-Link Intelligence — generated by Patrowl."