CVE RSS & JSON Feeds

Composable CVE feeds for the vendors and products you actually use. Free, with no authentication required.

Summary

A free public service that merges CVE data from four official sources into composable, vendor-filtered streams. Supply a list of vendor or product names and the service returns a merged, de-duplicated feed of matching CVEs sorted by recency.

The same result set is available as RSS 2.0 (subscribe in any feed reader) or as JSON (ingest into a SIEM, ticketing system, or monitoring pipeline). Responses are cached for one hour. Each CVE links directly to its NVD entry.

Quick start

Copy a URL and paste it into your feed reader, browser or HTTP client.

Critical CVEs across your SaaS stack as RSS to subscribe anywhere

https://cve.assurestart.co/api/feed.xml?term=slack,jira,salesforce&cvss_min=9

High and critical Microsoft and Atlassian CVEs as JSON to ingest into a SIEM or ticketing pipeline

https://cve.assurestart.co/api?term=microsoft,atlassian&cvss_min=7&limit=50

Recent CVEs

Live data from the feed: High and Critical severities for confluence, jira, salesforce.

| Severity | CVE ID | Description | Score |
|---|---|---|---|
| CRITICAL | CVE-2026-2298 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud… | 9.4 |
| HIGH | CVE-2025-52454 | Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (Amazon S3 Connector modules)… | 8.2 |
| CRITICAL | CVE-2026-22582 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud… | 9.8 |
| CRITICAL | CVE-2026-22583 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud… | 9.8 |
| CRITICAL | CVE-2026-22585 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a… | 9.8 |

Showing 5 of 26 results

Reference

Both endpoints accept the same query parameters and return the same result set. Only the serialisation differs. The raw OpenAPI 3.1 spec is available at cve.assurestart.co.

| Endpoint | Response | Use for |
|---|---|---|
| GET /api/feed.xml | RSS 2.0 | Feed readers |
| GET /api | JSON | SIEM, ticketing, pipelines |

| Parameter | Required | Default | Description |
|---|---|---|---|
| term | Yes | N/A | Comma-separated vendor or product names. 1–10 terms, each 2–64 characters long. Terms are normalised to lowercase ASCII, e.g. Slack and slack are the same term. |
| cvss_min | No | 0 | Inclusive CVSS floor, 0–10. Uses highest available version per CVE (v4.0 → v3.1 → v3.0 → v2.0). Use 7 for High+Critical, 9 for Critical only. |
| limit | No | 50 | Maximum results after de-duplication and recency sort. 1–100. |

Term limit: Up to 10 comma-separated terms per request. If exceeded, the API returns 422 with: "You can subscribe to as many feeds as you want, but you need to use a new request per 10 vendors/products." Check meta.unmatched_terms and meta.ambiguous_terms in the JSON response to verify how your terms resolved before subscribing to the RSS URL.
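
A client-side pre-check for the limits in the table above, shown as an added example rather than code from the service: it normalises and de-duplicates an inventory of names, rejects values outside the documented ranges, and emits one URL per batch of 10 terms. The function names are hypothetical; the host and paths are the ones on this page.

```python
from urllib.parse import urlencode

BASE = "https://cve.assurestart.co"                # host shown in the quick start
PATHS = {"json": "/api", "rss": "/api/feed.xml"}   # the two documented endpoints

def normalise_terms(raw_terms):
    """Trim, lowercase and de-duplicate terms; reject any outside 2-64 ASCII chars."""
    seen, out = set(), []
    for raw in raw_terms:
        term = raw.strip().lower()
        # A comma inside a term would silently split it into two terms server-side.
        if not term.isascii() or not 2 <= len(term) <= 64 or "," in term:
            raise ValueError(f"term outside documented limits: {raw!r}")
        if term not in seen:
            seen.add(term)
            out.append(term)
    return out

def feed_urls(raw_terms, cvss_min=None, limit=50, fmt="json"):
    """Return one feed URL per batch of at most 10 terms (avoids the 422)."""
    terms = normalise_terms(raw_terms)
    if not terms:
        raise ValueError("at least one term is required")
    if cvss_min is not None and not 0 <= cvss_min <= 10:
        raise ValueError("cvss_min must be within 0-10")
    if not 1 <= limit <= 100:
        raise ValueError("limit must be within 1-100")
    urls = []
    for start in range(0, len(terms), 10):
        query = {"term": ",".join(terms[start:start + 10])}
        if cvss_min is not None:
            query["cvss_min"] = cvss_min
        query["limit"] = limit
        # urlencode percent-encodes the comma (%2C), as in meta.canonical_query.
        urls.append(BASE + PATHS[fmt] + "?" + urlencode(query))
    return urls

if __name__ == "__main__":
    # Constructed inventory of 12 names: yields two URLs.
    for url in feed_urls([f"vendor{i:02d}" for i in range(12)], cvss_min=7):
        print(url)
```

Because `limit` applies per request, an inventory split across several URLs returns up to `limit` CVEs per batch, not in total.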

Response

The JSON response has three top-level keys: meta, matches, and data. The RSS feed carries the same CVE data: CVSS score and severity in the item title, vendors and weaknesses in the HTML description body, and severity and vendor <category> tags for feed-reader filtering. You may wish to use the JSON endpoint first to verify your terms resolved correctly before subscribing to the RSS URL.

  • meta.unmatched_terms: Terms that resolved to no CVE target. Check spelling or try a more specific name.
  • meta.ambiguous_terms: Terms that matched multiple targets. The service over-reports (includes all matches) rather than guessing the wrong one.
  • matches[].matched[].source: How the term resolved: alias, exact_vendor, or fuzzy_vendor. Worth double-checking fuzzy matches.

Example response (truncated):

{
  "meta": {
    "canonical_query": "term=jira%2Cslack&cvss_min=7",
    "canonical_terms": ["jira", "slack"],
    "cache_ttl": 3600,
    "count": 2,
    "limit": 50,
    "unmatched_terms": [],
    "ambiguous_terms": []
  },
  "matches": [
    {
      "input": "jira",
      "normalized": "jira",
      "matched": [{ "type": "product", "vendor": "atlassian",
        "product": "jira", "source": "alias", "confidence": 1 }],
      "ambiguous": false,
      "unmatched": false
    }
  ],
  "data": [
    {
      "cve_id": "CVE-2025-12345",
      "title": "Remote code execution in Jira Data Center",
      "description": "A critical RCE vulnerability in Jira Data Center...",
      "created_at": "2025-03-01T00:00:00+00:00",
      "updated_at": "2025-03-10T12:00:00+00:00",
      "cvss_score": 9.8,
      "cvss_severity": "CRITICAL",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "weaknesses": ["CWE-94"],
      "vendors": ["atlassian"],
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-12345"
    }
  ]
}
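
The pre-subscription check recommended above, as an added example (not the service's own code): it walks a parsed JSON response and lists every term that resolved to nothing, to several targets, or through a fuzzy match, since each of these silently changes what the feed covers. `audit_resolution` is a hypothetical name and the sample response is constructed; its `"type": "vendor"` and `0.9` confidence values are assumptions.

```python
def audit_resolution(response):
    """Return (kind, term, detail) findings to review before subscribing."""
    findings = []
    meta = response.get("meta", {})
    for term in meta.get("unmatched_terms", []):
        findings.append(("unmatched", term, "no CVE target; term adds no coverage"))
    for term in meta.get("ambiguous_terms", []):
        findings.append(("ambiguous", term, "multiple targets; feed over-reports"))
    for match in response.get("matches", []):
        for hit in match.get("matched", []):
            if hit.get("source") == "fuzzy_vendor":
                target = "/".join(
                    part for part in (hit.get("vendor"), hit.get("product")) if part
                )
                findings.append(("fuzzy", match.get("input"), f"resolved to {target}"))
    return findings

# Constructed sample response holding only the fields the audit reads.
SAMPLE = {
    "meta": {"unmatched_terms": ["slak"], "ambiguous_terms": ["mercury"]},
    "matches": [
        {"input": "jira", "matched": [
            {"type": "product", "vendor": "atlassian", "product": "jira",
             "source": "alias", "confidence": 1}]},
        {"input": "atlasian", "matched": [   # misspelt on purpose
            {"type": "vendor", "vendor": "atlassian",
             "source": "fuzzy_vendor", "confidence": 0.9}]},
    ],
}

if __name__ == "__main__":
    for kind, term, detail in audit_resolution(SAMPLE):
        print(f"{kind:10} {term:10} {detail}")
```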

Limits & caching

Rate limiting

  • 30 requests per minute per IP address
  • 429 response: plain text "Too many requests. Please retry later."
  • For pipelines, poll at the cache interval (60 min) to stay well within limits

Caching

  • Cached for 1 hour (Cache-Control: public, max-age=3600, ETag)
  • Stale fallback served for up to 6 hours if upstream CVE data is unavailable
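
For pipelines that poll the JSON endpoint, the following added example (not part of the service) keeps state between polls so that only new or re-published CVEs are forwarded, and flags a poll in which every returned item is fresh and the response is full, which suggests more CVEs arrived than `limit` could return. The function names, the `seen` state dictionary and the overflow heuristic are assumptions of this example; the sample polls are constructed and their CVE IDs are placeholders.

```python
from datetime import datetime

def poll_delay(payload, floor=3600):
    """Seconds until the next poll: never shorter than the documented 1-hour cache."""
    return max(int(payload.get("meta", {}).get("cache_ttl", floor)), floor)

def new_or_updated(payload, seen):
    """Return (fresh, overflow); `seen` maps cve_id -> updated_at, updated in place."""
    had_state = bool(seen)          # the first poll is a baseline, never an overflow
    data = payload.get("data", [])
    fresh = []
    for cve in data:
        stamp = datetime.fromisoformat(cve["updated_at"])
        if cve["cve_id"] not in seen or stamp > seen[cve["cve_id"]]:
            fresh.append(cve)
            seen[cve["cve_id"]] = stamp
    limit = payload.get("meta", {}).get("limit", 50)
    # Full response with nothing recognised: older unseen items may have been cut off.
    overflow = had_state and len(data) >= limit and len(fresh) == len(data)
    return fresh, overflow

def make_poll(limit, *items):
    """Build a constructed response holding only the fields used above."""
    return {"meta": {"cache_ttl": 3600, "limit": limit},
            "data": [{"cve_id": cid, "updated_at": ts} for cid, ts in items]}

# Constructed polls; CVE-0000-* are placeholder IDs, not real entries.
POLL_1 = make_poll(2, ("CVE-0000-0001", "2025-03-01T00:00:00+00:00"),
                      ("CVE-0000-0002", "2025-03-02T00:00:00+00:00"))
POLL_2 = make_poll(2, ("CVE-0000-0001", "2025-03-01T00:00:00+00:00"),
                      ("CVE-0000-0002", "2025-03-05T08:30:00+00:00"))
POLL_3 = make_poll(2, ("CVE-0000-0003", "2025-03-06T00:00:00+00:00"),
                      ("CVE-0000-0004", "2025-03-06T01:00:00+00:00"))

if __name__ == "__main__":
    state = {}
    for poll in (POLL_1, POLL_2, POLL_3):
        fresh, overflow = new_or_updated(poll, state)
        print([c["cve_id"] for c in fresh], "overflow" if overflow else "ok")
```

When the overflow flag is raised, narrowing the term list or raising `cvss_min` reduces the chance that a single response cannot hold everything published since the previous poll.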

This service is built and run by Assure Start as a free resource for the GRC and security community. CVE data is sourced directly from the National Vulnerability Database, the CVE List v5, CISA KEV, and CISA Vulnrichment, with no third-party intermediary. Each CVE links to its corresponding NVD entry.