KEV
Ostorlab KEV: One command to detect most known remotely exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.
Known Exploited Vulnerabilities (KEV) Detector
Introduction
This project automates the detection of known exploited vulnerabilities through a single command. It includes exploits for vulnerabilities from:
- Known Exploited Vulnerabilities Catalog by CISA
- Tsunami by Google
- Agent Asteroid by Ostorlab
- Bug Bounty Programs
Requirements
Python 3.9 or greater is required to install KEV via pip.
Docker is required to run scans locally. To install Docker, please follow these instructions.
Installing
Ostorlab ships as a Python package on PyPI. To install it, simply run the following command if you have pip already installed.
pip install -U ostorlab
Agent group definition
This repo is an Agent Group Definition for the open-source Ostorlab scanner. An agent group is a config file that defines the list of components to run during the scan.
For a full tutorial on how to use Ostorlab CLI, check the following tutorial.
By default, Ostorlab KEV agent group agent_group.yaml uses the following agents:
Getting Started
To perform your first scan, you have several options depending on your target.
Here's how you can get started:
Scanning an IP Address
To scan an IP address, simply run the following command:
ostorlab scan run --install -g agent_group.yaml ip 8.8.8.8
And you can scan more than one IP address by specifying them, separated by spaces:
ostorlab scan run --install -g agent_group.yaml ip 8.8.8.8 1.1.1.1 4.4.4.0/24
Scanning a Host:
To scan a domain, simply run the following command:
ostorlab scan run --install -g agent_group.yaml domain-name www.example.com
This command will download and install the required agents specified in the YAML file and perform the scan on the
domain www.example.com.
Scanning a Link:
To scan a link, simply run the following command:
ostorlab scan run --install -g agent_group.yaml link --url https://www.example.com --method GET
This command will download and install the required agents specified in the YAML file and perform the scan on the link https://www.example.com using the specified method.
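The three target types above map to three asset subcommands (ip, domain-name, link). The script below is an added example, not part of the KEV repo: it classifies each line of a target inventory and prints the matching scan command as a dry run. The function names (asset_args, scan_command, plan_scans) and the sample inventory are constructed for illustration; only flags shown in this README are used.

```shell
#!/bin/sh
# Added example (not from the KEV repo): pick the asset type for each target
# and print the matching scan command. Only subcommands and flags shown in
# this README are used.

GROUP="agent_group.yaml"   # agent group file shipped with this repo

# True when the string $1 matches the extended regex $2.
matches() { printf '%s' "$1" | grep -Eq "$2"; }

# Print the asset arguments for one target, or fail if its shape is unknown.
asset_args() {
  if matches "$1" '^https?://[A-Za-z0-9._~:/%-]+$'; then
    # Conservative URL check: query strings and shell metacharacters are rejected.
    printf 'link --url %s --method GET' "$1"
  elif matches "$1" '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
    # IPv4 address or CIDR range (shape check only, octets are not range-checked).
    printf 'ip %s' "$1"
  elif matches "$1" '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'; then
    printf 'domain-name %s' "$1"
  else
    return 1
  fi
}

# Print the full scan command for one target; non-zero status if rejected.
scan_command() {
  args="$(asset_args "$1")" || return 1
  printf 'ostorlab scan run --install -g %s %s' "$GROUP" "$args"
}

# Dry run over an inventory on stdin: one command per valid line,
# rejected lines reported on stderr.
plan_scans() {
  while IFS= read -r target; do
    [ -n "$target" ] || continue
    scan_command "$target" && printf '\n' || printf 'skipped: %s\n' "$target" >&2
  done
}

# Constructed sample inventory: the README's example targets plus one bad line.
plan_scans <<'EOF'
8.8.8.8
4.4.4.0/24
www.example.com
https://www.example.com
not_a_target!!
EOF
```

Rejecting lines that match none of the three shapes keeps a malformed inventory entry from being passed to the scanner as an argument.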
Targeting all subdomains
To improve the scope of detection, it's possible to enumerate and target subdomains of a given asset by adding subfinder and/or dnsx to the agent group definition agent_group.yaml.
agents:
  ...
  - key: agent/ostorlab/subfinder
  - key: agent/ostorlab/dnsx
  ...
And then run it on the domain you would like to target:
ostorlab scan run --install -g agent_group.yaml domain-name example.com
[!TIP] The default settings use public DNS servers which can affect enumeration results for very large domains due to rate limiting or caching. Consider using a custom list of DNS resolvers. To do so, set resolvers arguments in the Amass and Subfinder agents.
Docker Image
To run oxo in a container, you may use the publicly available image and run the following command:
docker run -v /var/run/docker.sock:/var/run/docker.sock -v ./agent_group.yaml:/agent_group.yaml ostorlab/oxo:latest scan run --install -g /agent_group.yaml link --url https://www.example.com --method GET
Notes:
- The command starts directly with scan run because the ostorlab/oxo image has oxo as an entrypoint.
- It is important to mount the Docker socket so oxo can create the agents on the host machine. The mounted socket gives the container full control of the host's Docker daemon.
Scan Progress
To see the scan progress, use the scan list command:
ostorlab scan list
Access Results
List findings in a particular scan:
ostorlab vulnz list -s <scan-id>
To list the details of a vulnerability:
ostorlab vulnz describe -v <vuln-id>
Current Coverage
For the moment, we are focused on the CISA KEV Database and Google Tsunami.
| CVE ID | Implemented | Detail | Published Date |
|:--------------------|:-----------:|:--------------------------------------------------------|:--------------:|
| CVE-2026-2599 | ✅ | Custom Nuclei template by Ostorlab. | 2026-03-12 |
| CVE-2026-27971 | ✅ | Official Nuclei template (modified by Ostorlab). | 2026-03-12 |
| CVE-2025-68461 | ✅ | Official Nuclei template by Ostorlab. | 2026-03-04 |
| CVE-2026-0770 | ✅ | Official Nuclei template (modified by Ostorlab). | 2026-03-02 |
| GHSA-cr3w-cw5w-h3fj | ✅ | Custom Exploit by Ostorlab | 2026-02-25 |
| CVE-2026-1357 | ✅ | Custom Nuclei template by Ostorlab. | 2026-02-16 |
| CVE-2025-32101 | ✅ | Official Nuclei template (modified by Ostorlab). | 2026-02-03 |
| CVE-2025-4008 | ✅ | Official Nuclei template. | 2025-10-07 |
| CVE-2025-10035 | ✅ | Custom Exploit by Ostorlab: included in Agent Asteroid. | 2025-09-22 |
| CVE-2025-5086 | ✅ | Official Nuclei template. | 2025-09-22 |
| CVE-2025-31324 | ✅ | Official Nuclei template. | 2025-07-28 |
| CVE-2025-53770 | ✅ | Official Nuclei template. | 2025-07-26 |
| CVE-2025-4322 | ✅ | Custom Exploit by Ostorlab: included in Agent Asteroid. | 2025-05-20 |
| CVE-2025-32756 | ✅ | Custom Exploit by Ostorlab: included in Agent Asteroid. | 2025-05-13 |
| CVE-2025-4427 | ✅ | Official Nuclei template. | 2025-05-13 |
| CVE-2025-20188 | ✅ | Official Nuclei template (modified by Ostorlab). | 2025-05-07 |
| CVE-2025-32432 | ✅ | Official Nuclei template. | 2025-04-25 |
| CVE-2025-34028 | ✅ | Official Nuclei template. | 2025-04-22 |
| CVE-2025-28367 | ✅ | Official Nuclei template. | 2025-04-21 |
| CVE-2025-32433 | ✅ | Custom Exploit by Ostorlab: included in Agent Asteroid. | 2025-04-16 |
| CVE-2025-2636 | ✅ | Custom Nuclei template. | 2025-04-11 |
| CVE-2025-31161 | ✅ | Official Nuclei template. | 2025-03-26 |
| CVE-2025-1974 | ✅ | Official Nuclei template. | 2025-03-24 |
| CVE-2025-29927 | ✅ | Official Nuclei template. | 2025-03-21 |
| CVE-2025-29891 | ✅ | Custom Nuclei template. | 2025-03-12 |
| CVE-2025-27636 | ✅ | Custom Nuclei template. | 2025-03-09 |
| CVE-2025-22457 | ✅ | Custom Exploit by Ostorlab: included in Agent Asteroid. | 2025-03-04 |
| CVE-2024-48248 | ✅ | Official Nuclei template. | 2025-03-04 |
| CVE-2025-27364 | ✅ | Custom Exploit by Ostorlab: included in Agent Asteroid. | 2025-02-24 |
| CVE-2025-0108 | ✅ | Custom Nuclei template. | 2025-02-12 |
| CVE-2025-0674 | ✅ | Custom Exploit by Ostorlab: included in Agent Asteroid. | 2025-02-04 |
| CVE-2025-0890 | ✅ | Custom Exploit by Ostorlab: included in Agent Asteroid. | 2025-02-04 |
| CVE-2024-12084 | ✅ | Custom Exploit by Ostorlab: included in Agent Asteroid. | 2025-01-15 |
Security Score
Audited on Mar 23, 2026
