Software security glossary
The vulnerability-management terms that actually matter — in plain English · 613 products tracked · 1046 CVEs actively exploited now · updated June 2026
Every term below is a quick definition with a deeper guide behind it. Together they answer the real question: which vulnerabilities should I fix first, and is the software I run affected? CVSS says how severe, EPSS says how likely, and KEV says what's being exploited right now.
- CVE (Common Vulnerabilities and Exposures): the unique public ID for one specific vulnerability, the shared name the whole industry uses.
- CVSS (Common Vulnerability Scoring System): a 0–10 severity score for how bad a flaw is, in theory. 9.0+ is Critical.
- KEV (CISA Known Exploited Vulnerabilities): CISA's list of vulnerabilities being actively exploited right now, the fix-first signal.
- EPSS (Exploit Prediction Scoring System): a 0–100% probability that a vulnerability will be exploited in the next 30 days.
- SSVC (Stakeholder-Specific Vulnerability Categorization): a decision framework, Track / Attend / Act, that prioritises by exploitation and your own context.
- SBOM (Software Bill of Materials): a machine-readable list of every component inside a piece of software.
- VEX (Vulnerability Exploitability eXchange): a statement of which vulnerabilities in your components actually affect you, and why.
- End-of-life (EOL): a release the vendor no longer supports, so it stops receiving security patches.
Read the guide →Agentic AI security
As teams ship autonomous AI agents, a new set of terms describes risks that do not apply to static software: agents that can plan, call tools, hold memory and act on their own.
- An OWASP 0–10 score that extends CVSS with ten agent-specific amplification factors.
- The combination of private data, untrusted content and external communications that lets an agent leak secrets.
- The ten most critical security risks specific to autonomous AI agents.
How they fit together
A CVE names a vulnerability. CVSS rates its severity, EPSS predicts its exploitation, and KEV confirms it's being exploited. SSVC turns those signals plus your context into a Track / Attend / Act decision. An SBOM lists your components, a VEX says which of their vulnerabilities actually affect you, and end-of-life dates tell you when patches stop coming. IsItPatched combines them into one verdict — see the methodology.
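The paragraph above describes a pipeline in words; the Python below is an added example of the same join done mechanically, and it is not IsItPatched's code or its methodology (the page only links to that). It reads a constructed SBOM, matches constructed findings carrying CVSS, EPSS and KEV signals, drops findings a VEX statement marks "not_affected", flags components past end-of-life (no patch is coming, so the remedy is an upgrade), and sorts the remainder into a fix-first queue. The thresholds, the Track / Attend / Act mapping, the component names and the CVE-0000-* identifiers are all assumptions made up for the illustration; real SSVC uses CERT/CC decision trees with mission and well-being inputs that are not modelled here.

```python
"""Fix-first triage that joins the glossary's signals: added example, not IsItPatched code.

Thresholds, the Track / Attend / Act mapping, component names and the CVE-0000-*
identifiers are constructed for illustration; real SSVC uses CERT/CC decision trees.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed thresholds for this example only (not from any published standard).
ATTEND_EPSS = 0.10   # >= 10% chance of exploitation in the next 30 days
ATTEND_CVSS = 9.0    # CVSS "Critical"
RANK = {"Act": 0, "Attend": 1, "Track": 2}


@dataclass(frozen=True)
class Component:
    """One SBOM entry: what is installed and, if known, when vendor patches stop."""
    name: str
    version: str
    eol: Optional[date] = None


@dataclass(frozen=True)
class Vuln:
    """A vulnerability matched to a component, carrying the three exploitation signals."""
    cve: str          # CVE-0000-* below are constructed placeholders, not real CVE IDs
    component: str
    cvss: float       # 0-10 severity: how bad, in theory
    epss: float       # 0-1 probability of exploitation within 30 days: how likely
    in_kev: bool      # on CISA KEV: confirmed exploited right now


def decide(v: Vuln) -> str:
    """Map the signals to Track / Attend / Act (assumed order: KEV, then likelihood, then severity)."""
    if v.in_kev:
        return "Act"
    if v.epss >= ATTEND_EPSS or v.cvss >= ATTEND_CVSS:
        return "Attend"
    return "Track"


def build_queue(components: List[Component], vulns: List[Vuln],
                vex: Dict[str, str], today: date) -> List[Tuple[str, str, str, str]]:
    """Return [(decision, cve, component, note), ...] ordered fix-first.

    VEX statements with status "not_affected" drop the finding entirely; components
    past their end-of-life date get a note because no vendor patch will arrive.
    """
    by_name = {c.name: c for c in components}
    rows = []
    for v in vulns:
        if vex.get(v.cve) == "not_affected":
            continue                      # VEX: vulnerable code is not reachable as deployed
        comp = by_name[v.component]
        note = ""
        if comp.eol is not None and comp.eol <= today:
            note = "EOL: no vendor patch expected; plan upgrade or replacement"
        rows.append((decide(v), v, comp, note))
    # Act before Attend before Track; inside a bucket, most likely to be exploited first.
    rows.sort(key=lambda r: (RANK[r[0]], -r[1].epss, -r[1].cvss))
    return [(d, v.cve, comp.name, note) for d, v, comp, note in rows]


# Constructed sample input (not real products or CVEs).
SBOM = [
    Component("webframework", "4.2.1"),
    Component("imagelib", "1.9.0", eol=date(2025, 12, 31)),   # unsupported by mid-2026
    Component("jsonparser", "3.0.0"),
]
FINDINGS = [
    Vuln("CVE-0000-0001", "webframework", cvss=9.8, epss=0.92, in_kev=True),
    Vuln("CVE-0000-0002", "imagelib", cvss=7.5, epss=0.40, in_kev=False),
    Vuln("CVE-0000-0003", "jsonparser", cvss=9.1, epss=0.02, in_kev=False),
    Vuln("CVE-0000-0004", "webframework", cvss=5.3, epss=0.01, in_kev=False),
    Vuln("CVE-0000-0005", "jsonparser", cvss=8.8, epss=0.75, in_kev=False),
]
VEX_STATEMENTS = {"CVE-0000-0005": "not_affected"}   # e.g. the vulnerable function is never called
TODAY = date(2026, 6, 1)


def fix_first_queue() -> List[Tuple[str, str, str, str]]:
    """Run the triage over the constructed sample data."""
    return build_queue(SBOM, FINDINGS, VEX_STATEMENTS, TODAY)


if __name__ == "__main__":
    for decision, cve, comp, note in fix_first_queue():
        print(f"{decision:6} {cve} ({comp}) {note}")
```

The order that falls out shows the glossary's point: the KEV entry goes first even though another finding has a higher CVSS, the highest-EPSS finding of all is removed because VEX says it is unreachable, and the EOL component is the one whose "fix" is a replacement rather than a patch.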
Check your own software
- Check a version — paste a product + version for an instant verdict.
- Scan an SBOM — a fix-first patch queue for every component, in your browser.
- Actively exploited CVEs — the 1046 KEV flaws affecting tracked software.