Methodology

How every score is calculated · last updated June 2026

IsItPatched answers one question — is your software version safe? — by combining four authoritative, free data sources into a single plain-English verdict.

Data sources

NVD (NIST National Vulnerability Database) — CVEs, CVSS severity, and affected-version ranges.
CISA KEV — the Known Exploited Vulnerabilities catalog (what's being exploited in the wild right now).
EPSS (FIRST.org) — the probability a vulnerability will be exploited.
endoflife.date — product support lifecycles and latest released versions.

The health score (0–100)

Every version starts at 100 and loses points for the known vulnerabilities affecting it:

−15 per open Critical CVE (max −45)
−8 per open High CVE (max −32)
−3 per open Medium CVE (max −18)
−15 if any open High/Critical has an EPSS exploitation probability over 50%

Two hard caps override the maths:

If a vulnerability is actively exploited (in CISA KEV), the score is capped at 20 — it can never read "healthy."
If the version is end-of-life, the score is capped at 40 — no patches are coming.

Higher = safer. Bands: 90–100 Healthy · 70–89 Good · 50–69 Attention · 20–49 High risk · 0–19 Critical.

"Latest safe version" & "fixed in"

We take the latest supported release from endoflife.date, and read the first patched version from NVD's version-range data (the version a CVE was fixed in).

Update cadence

Data refreshes daily, and the actively-exploited feed more often. Every page shows when it was last checked.

Limitations (please read)

We surface known issues. Absence of a listing is not a guarantee of safety.
NVD can lag in enriching brand-new CVEs, and some lack precise version data — so counts may be conservative.
Build-numbered products (Microsoft, VMware, F5, some Cisco) are assessed at product level on recent activity, pending exact-build data — we never show them a false "healthy."
This is informational, not a substitute for your vendor's advisories. See our disclaimer.