Everything IsItPatched does — free
From a one-line "is this version safe?" check to a full vulnerability-management workflow: monitor your stack, prioritise the fixes that matter, scan your SBOM, and export the evidence your auditors want.
1046 actively-exploited CVEs tracked across 613 products · updated several times a day
Instant answers for any version
Paste-a-version checker
Drop in raw output — nginx -v, php -v, Apache/2.4.49 — and get a verdict for that exact version.
0–100 health score
A plain-English verdict and a single score, so you know in seconds whether a version is safe.
Learn more →Minimum safe version
The exact lowest release that clears every open critical & high vulnerability.
Learn more →Version comparison
See precisely which CVEs an upgrade fixes, from one version to another.
Learn more →Per-product vulnerability pages
A full known-CVE list for every well-covered product — severity, CVSS, EPSS and exploitation status, actively-exploited first.
Learn more →Plain-English glossary
CVE, CVSS, KEV, EPSS, SSVC, SBOM, VEX and end-of-life — each explained and linked to the tool that uses it.
Learn more →Your private security command center
Free passwordless account
Sign in with a one-time code — no password — to sync your stack and unlock insights, history & exports.
Learn more →My Stack dashboard
Monitor your products, see what’s actively exploited at a glance (gauges + charts), and track risk over time.
Learn more →Per-version tracking
Record the exact version you run; the dashboard tailors the verdict, score and min-safe version to that version.
Learn more →Risk history & trends
Watch your exposure rise and fall — a 90-day trend of exploited + critical findings across your stack.
Learn more →“A fix is available” alerts
The dashboard flags when a version you actually run sits below the latest safe release — and highlights the fixes that shipped recently, so you upgrade the moment one lands.
Learn more →A context-aware patch queue
Act / Attend / Track
One ranked “fix these first” queue — not 400 CVEs. Every item is scored and labelled.
Learn more →Your context counts
Ranking combines exploitation with the exposure and business importance you set per product.
Learn more →No black box
Every point in the score is shown inline, and the whole formula is published (SSVC-inspired).
Learn more →Live exploitation radar
Actively-exploited CVEs (CISA KEV) and high-EPSS flaws surfaced first, newest at the top.
Learn more →Recently patched feed
The positive counterpart to the radar — tracked software that just shipped a new supported release, newest first, with the safe version to move to.
Learn more →Emerging newsroom (BETA)
Trusted security reporting (BleepingComputer, Krebs, SecurityWeek, The Hacker News, CISA) auto-linked to the software you track — and flagged when it’s in your stack. Attributed, never asserted; often ahead of NVD.
Learn more →Exposure leaderboard
See the most-exposed tracked software and vendors right now — ranked by active exploitation + open critical CVEs.
Learn more →Free, private SBOM scanner
CycloneDX & SPDX
Drop in an SBOM and get a fix-first patch queue for every component, matched against OSV.
Learn more →100% in your browser
The file never leaves your device — parsed client-side, no upload, no account needed.
Learn more →Optional monitoring
Opt in to be emailed when a new vulnerability later hits one of your components.
Learn more →End-of-life calendar & per-product pages
A 12-month timeline of when releases stop getting security fixes, plus a dedicated EOL page per product — the full support timeline and the safe version to move to.
Learn more →Compliance editions & evidence
Compliance editions
Seventeen purpose-built editions — EU CRA, IEC 62443, FDA 524B, ISO/SAE 21434, NIS2, EO 14028, CISA BOD 26-04, PCI DSS, SOC 2, ISO 27001, DORA, NIST CSF/CMMC, CIS Controls, Cyber Essentials, Essential Eight, HIPAA and the UK Software Security Code — with a "which applies to me?" selector.
Learn more →Software risk register
Export a CSV / print-to-PDF register citing the exact versions you run and the recommended action.
Learn more →VEX authoring
Triage each SBOM component (Affected · Not affected — code not reachable, etc. · False positive · Resolved) and export a CycloneDX VEX that cuts false-positive noise for your customers and auditors.
Learn more →Multi-dimensional risk model
Beyond one blended score: your SBOM and stack split into Vulnerability, Version, End-of-life, Licence and Unmatched dimensions — each scored, colour-coded, and carried into every evidence pack. Every formula is published.
Learn more →Compliance posture dashboard
A live readiness check in My Stack: your stack scored against all 17 standards at once, filtered to your region & sector, each with what needs attention and a one-click evidence pack.
Learn more →Biggest wins & posture trend
Fix-one-clear-many: the products that unlock the most standards if fixed, plus a signed-in posture-over-time trend tracking the standards you've cleared week over week.
Learn more →Per-framework evidence packs
A dedicated, audit-ready evidence pack for each edition — EU CRA, FDA 524B, IEC 62443, ISO 21434, NIS2, EO 14028 and PCI DSS — each flagging the priority rows that framework cares about.
Learn more →Enterprise-clean PDF reports
Print/PDF exports use a light, board-room template — a titled cover page (scope, date, data sources, disclaimer) and dense colour-coded tables — so an auditor can file it in an audit pack. The live app stays dark.
Learn more →White-label reports
Add your own organisation name, accent colour and logo to every exported evidence pack — for client / MSP-branded deliverables. Stored only in your browser.
Learn more →Alerts & feeds, your way
Free, and private by default
The browser tools need no account and place no tracking on your lookups. Built on authoritative public data — NVD · CISA KEV · EPSS · OSV · endoflife.date — with a published methodology and a clear privacy posture.