The same verified CVE and briefing data that powers this site, as static JSON files. No key, no signup, no rate limit – just attribution.
These are static JSON files served from a CDN, not a queryable API server. They are regenerated by the same daily pipeline that publishes the site (around 04:00 UTC), so the feed can never disagree with the rendered pages – the exploitation state in the JSON is asserted at publish time to equal the state used to render each CVE’s page. There is no authentication and no enforced rate limit; because the files sit on a CDN, polling them more than a few times a day buys you nothing – once daily after ~05:00 UTC is the sensible cadence. No SLA is offered; this is a free community feed.
Every CVE currently tracked by defend.network – one record per weekly-report or briefing CVE, the same set as the permanent /cve/ pages. Each record carries:
| Field | Meaning |
|---|---|
| id | CVE identifier (e.g. CVE-2026-11645). |
| product | Affected vendor/product label, attributed the same way as on the CVE pages: CISA KEV’s human-curated vendor/product wins; otherwise the best-grounded NVD CPE vendor; otherwise the source article’s label. |
| exploitation | kev-confirmed | source-reported | poc-published | none – the exact state string the site renders (see below). |
| status | Triage badge derived from the exploitation state: active | poc | review | none. |
| verification | verified | partial – the site’s confidence tier (see below). |
| kev | Boolean – listed in the CISA Known Exploited Vulnerabilities catalog. kevDateAdded / kevDueDate (federal patch deadline) appear when known. |
| cvss | Object: score, severity (NVD label), version, vector, source (e.g. “NVD CVSS 3.1”). Omitted when NVD has not published a score yet. |
| epss | Object: score (FIRST.org probability of exploitation within 30 days), percentile, date. Omitted when not scored. |
| references | Cached NVD reference URLs, deduplicated. Omitted when NVD data is not yet available. |
| permalink | Canonical page: https://defend.network/cve/<ID>.html. |
| lastUpdated | NVD record’s lastModified timestamp; for CVEs NVD hasn’t published, the time we last checked NVD. Omitted when no NVD data exists at all. |
Optional fields are omitted (not nulled) when the underlying data does not exist – the feed never invents values.
Same record shape, filtered to recent CVEs only: a CVE is included when it has dated activity within the last 7 calendar days (UTC) – its CISA KEV dateAdded, the date of a daily briefing that covered it, or the published date of a weekly report listing it. The exact cutoff used is stated in meta.window.
The last 30 daily threat briefings. Per briefing: date, title, severity (critical/high/medium/low, calibrated from structured CVE data), threats and industries tags, and the absolute url.
Every file starts with a meta object: generated (ISO timestamp of the build), schemaVersion (currently “1.0”), source, docs, license / licenseUrl, attribution, and count.
Both values come from the same classification code that renders the site – they mean exactly what the badges on the dashboard and CVE pages mean:
| exploitation | Meaning |
|---|---|
| kev-confirmed | Listed in the CISA KEV catalog – confirmed exploited in the wild (the “In CISA KEV” badge). |
| source-reported | Active exploitation reported by source articles, not (yet) in CISA KEV (the “In the wild” badge alone). |
| poc-published | Public exploit code exists; no in-the-wild exploitation reported. |
| none | No exploitation reported and not in CISA KEV – prioritize by CVSS/EPSS. |
| verification | Meaning |
|---|---|
| verified | Verified The CVE is published in NVD – CVSS, products, and references are ground-truth canonical data (the green “Verified facts” zone on weekly reports). |
| partial | Partial The CVE ID is real and confirmed in source articles, but NVD enrichment is still pending (reserved/awaiting analysis) – the yellow “Partially verified” zone. Normal for CVEs disclosed in the last 1–3 days; records upgrade automatically when NVD publishes. |
A third site tier, ai-only, exists for stories with no assigned CVE; it cannot appear in this feed because every record has a CVE ID.
The feeds are licensed CC BY 4.0. You may use, redistribute, and build on the data – commercially or not – as long as you credit defend.network with a link. Underlying CVE facts come from NVD (NIST), the CISA KEV catalog, and FIRST.org EPSS, which are public data; the aggregation, verification, exploitation classification, and product attribution are ours.
curl -s https://defend.network/api/v1/cves/latest.json \ | jq -r '.cves[] | select(.exploitation=="kev-confirmed") | "\(.id) \(.product)"'
import requests
feed = requests.get("https://defend.network/api/v1/cves.json", timeout=30).json()
print(feed["meta"]["generated"], feed["meta"]["count"], "CVEs")
actively_exploited = [c for c in feed["cves"] if c["status"] == "active"]
for c in actively_exploited:
print(c["id"], c.get("cvss", {}).get("score"), c["product"], c["permalink"])
Point any tool that can poll a JSON URL (Splunk via a scheduled curl input or the JSON source type, Elastic Filebeat httpjson input, Sentinel Logic Apps, MISP feed of type JSON, OpenCTI connector script) at /api/v1/cves/latest.json once daily after 05:00 UTC. Use id as the dedup key and exploitation / kevDueDate for prioritization. Note this is vulnerability intelligence, not an IOC feed – there are no network/file indicators in it.
Schema changes will bump meta.schemaVersion; existing fields won’t be repurposed within v1. If something looks wrong in the data, email contact@defend.network and we will correct it promptly.
Get daily cybersecurity intelligence delivered to your inbox. Free for security professionals.