CVEFinder.io

Frequently Asked Questions

Find answers to common questions about CVEFinder.io

General Questions

What is CVEFinder.io?

CVEFinder.io is a free vulnerability intelligence platform that scans websites to identify technologies, detect vulnerable npm dependencies, and discover known CVEs (Common Vulnerabilities and Exposures) that may affect them. It helps developers and security professionals quickly assess security risks without complex setup or expensive tools.

Do I need to create an account?

No! Guest users can perform 1 scan per day without logging in. However, creating a free account unlocks 3 scans per day, full CVE database access, and the ability to view your scan history. Sign up is completely free and takes less than a minute.

What is a CVE?

CVE (Common Vulnerabilities and Exposures) is a standardized identifier for known security vulnerabilities. Each CVE has a unique ID (like CVE-2025-1234) and includes information about the vulnerability, affected software, severity rating, and available patches or workarounds.

How often is your CVE database updated?

Our CVE database is synced daily with the latest vulnerabilities from the National Vulnerability Database (NVD) and other authoritative sources including GitHub Security Advisories. This ensures you always have access to the most current vulnerability information.

Scanning & Detection

How does the scanning work?

CVEFinder performs a non-intrusive scan by analyzing:

  • HTTP Headers: Server information, technology headers, version numbers
  • HTML Content: Meta tags, generator tags, framework patterns
  • JavaScript Files: Framework signatures, library versions
  • Package Files: package.json for npm dependency analysis

Once technologies are detected, we match them against our CVE database to identify known vulnerabilities.

What is dependency scanning?

Dependency scanning analyzes package.json files found on your website to identify npm packages and their versions. We then check these packages against our vulnerability database to identify known CVEs in your dependencies. This helps you find security issues in third-party libraries you're using, which are often a major source of vulnerabilities.
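The matching step described above, as an added example (not CVEFinder's code): package.json declares version ranges rather than installed versions, so a range that overlaps a vulnerable range can only be reported as possible until a lockfile confirms it. Package names, advisory ids and ranges are constructed, the vulnerable range is assumed to be [introduced, fixed), and prerelease tags are ignored.

```javascript
// Added example. Package names, advisory ids and ranges are constructed.
const samplePackageJson = JSON.stringify({
  dependencies: { "demo-parser": "^2.1.0", "demo-http": "1.3.9" },
  devDependencies: { "demo-build": "~0.9.4", "demo-local": "file:../local" },
});
const sampleAdvisories = [ // vulnerable range is [introduced, fixed)
  { id: "EXAMPLE-0001", pkg: "demo-parser", introduced: "2.2.0", fixed: "2.3.5" },
  { id: "EXAMPLE-0002", pkg: "demo-http", introduced: "0.0.0", fixed: "1.4.0" },
  { id: "EXAMPLE-0003", pkg: "demo-build", introduced: "0.9.0", fixed: "0.9.4" },
];

const parseVersion = (v) => v.split(".").map(Number);

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Turn an exact, caret or tilde spec into the half-open interval [min, max)
// of versions npm may install. Other spec forms (tags, URLs, "*") return null.
function specInterval(spec) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(spec.trim());
  if (!m) return null;
  const [a, b, c] = m.slice(2).map(Number);
  let max = [a, b, c + 1]; // exact pin: only this version
  if (m[1] === "~") max = [a, b + 1, 0];
  if (m[1] === "^") max = a > 0 ? [a + 1, 0, 0] : b > 0 ? [0, b + 1, 0] : [0, 0, c + 1];
  return { min: [a, b, c], max, exact: m[1] === "" };
}

function auditPackageJson(text, advisories) {
  const pkg = JSON.parse(text);
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    const iv = specInterval(String(spec));
    if (!iv) { findings.push({ pkg: name, id: null, status: "unresolved" }); continue; }
    for (const adv of advisories.filter((x) => x.pkg === name)) {
      // The two intervals overlap when each starts before the other ends.
      const overlaps = compareVersions(iv.min, parseVersion(adv.fixed)) < 0 &&
        compareVersions(iv.max, parseVersion(adv.introduced)) > 0;
      // A pinned version is affected outright; for a range the lockfile decides.
      if (overlaps) findings.push({ pkg: name, id: adv.id, status: iv.exact ? "affected" : "possible" });
    }
  }
  return findings;
}

console.log(auditPackageJson(samplePackageJson, sampleAdvisories));
```

Findings marked "possible" or "unresolved" need the lockfile or the installed tree to settle.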

How accurate is the technology detection?

Our technology detection is highly accurate, especially for common web technologies. We analyze multiple sources and use pattern matching to identify technologies. Each detection comes with a confidence score:

  • High (80-100%): Strong evidence from multiple sources
  • Medium (50-79%): Good evidence but some uncertainty
  • Low (0-49%): Weak signals, possible false positive

Version detection accuracy depends on whether the technology exposes version information in headers or files.
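An added sketch of how passive signals from headers and HTML can be combined into the confidence bands listed above (example code, not CVEFinder's implementation). The response, product names, rule weights and the additive scoring rule are all constructed assumptions; only the High/Medium/Low thresholds come from this page.

```javascript
// Added example. The response, product names and rule weights are constructed.
const sampleResponse = {
  headers: { server: "demo-httpd/2.4.1", "x-powered-by": "DemoLang" },
  body: '<meta name="generator" content="DemoCMS 5.8.0">\n' +
        '<script src="/democms-assets/core.js"></script>',
};

// Each rule names a source, a pattern with an optional version group,
// and how much weight (assumed) a match contributes to the score.
const rules = [
  { tech: "demo-httpd", from: "server", re: /demo-httpd(?:\/([\d.]+))?/i, weight: 50 },
  { tech: "DemoLang", from: "x-powered-by", re: /DemoLang(?:\/([\d.]+))?/i, weight: 40 },
  { tech: "DemoCMS", from: "body", re: /name="generator" content="DemoCMS(?: ([\d.]+))?"/i, weight: 60 },
  { tech: "DemoCMS", from: "body", re: /\/democms-assets\//i, weight: 30 },
];

// Bands as given in the FAQ: High 80-100, Medium 50-79, Low 0-49.
function band(score) {
  return score >= 80 ? "High" : score >= 50 ? "Medium" : "Low";
}

function detect(response, ruleSet) {
  const found = new Map();
  for (const rule of ruleSet) {
    const text = rule.from === "body" ? response.body : response.headers[rule.from];
    const m = text ? rule.re.exec(text) : null;
    if (!m) continue;
    const entry = found.get(rule.tech) || { tech: rule.tech, version: null, score: 0, sources: [] };
    entry.score = Math.min(100, entry.score + rule.weight); // independent signals add up
    entry.version = entry.version || m[1] || null;          // null when no version is exposed
    entry.sources.push(rule.from);
    found.set(rule.tech, entry);
  }
  return [...found.values()].map((e) => ({ ...e, confidence: band(e.score) }));
}

console.log(detect(sampleResponse, rules));
```

Running rules like these against your own site's responses shows which product names and version strings it discloses.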

Can I scan private/internal websites?

Currently, CVEFinder can only scan publicly accessible websites. The target URL must be reachable over the internet. If you need to scan internal/private websites or have special requirements, please contact us to discuss custom solutions.

Are scans public or private?

Guest scans (without login) are public and can be viewed by anyone with the scan URL. Authenticated scans (free and Pro users) are private and only visible to you in your account dashboard.

How long are scan results stored?

Scan results are stored indefinitely and can be accessed anytime through your account dashboard. Free users can view scans from the last 7 days, while Pro users have unlimited access to their entire scan history. Note that older scans for free users are hidden (not deleted) and become accessible again when you upgrade to Pro.

What if I scan the same URL multiple times?

If you scan the same URL within a short period, we'll show you the cached results instantly without counting it toward your daily limit. Pro users can force a fresh rescan using the manual rescan/refresh feature.

Features & Capabilities

What is bulk scanning?

Bulk scanning (Pro feature) allows you to scan up to 20 URLs at once by pasting them into a textarea. This is perfect for security audits, portfolio monitoring, or assessing multiple properties. All scans are processed in parallel and results are organized in a single dashboard view.

What is email monitoring?

Email monitoring (Pro feature) lets you subscribe to up to 5 URLs. When new CVEs are discovered that affect technologies detected on your monitored URLs, you'll receive an email notification. This helps you stay informed about new vulnerabilities without manually checking each site.

What are Product/Vendor alerts?

CVE alerts (Pro feature) allow you to follow specific products or vendors. You can add up to 10 products/vendors to your watchlist and receive email notifications when new CVEs are published for them. For example, you can monitor "WordPress" or "React" to stay updated on new vulnerabilities.

What is the exploit database?

The exploit database (Pro feature) provides access to proof-of-concept (PoC) code and exploit information for CVEs. This helps security researchers understand how vulnerabilities can be exploited and allows penetration testers to validate fixes. Access is restricted to Pro users for security reasons.

Can I export scan results?

Yes! Pro users can export scan results in JSON format for integration with other tools, automated reporting, or data analysis. The export includes all detected technologies, versions, CVEs, severity ratings, and dependency analysis results.

What is version-based CVE filtering?

Version-based filtering (Pro feature) shows only CVEs that specifically affect the detected version of a technology. For example, if WordPress 5.8.0 is detected, you'll only see CVEs that affect version 5.8.0 or earlier, hiding vulnerabilities fixed in later versions. This reduces false positives and helps prioritize patching.

Pricing & Plans

Is CVEFinder really free?

Yes! CVEFinder offers a completely free tier with 3 scans per day, full CVE database access, technology detection, and unlimited scan history (7-day view). No credit card required. Guest users (not logged in) get 1 scan per day but can't access CVE details.

What's the difference between Free and Pro plans?

Pro plan ($9/month) includes:

  • 20 scans per day (vs 3 for free)
  • Bulk scanning (20 URLs at once)
  • API keys for integration (up to 5 keys)
  • JSON exports
  • Manual rescan/refresh
  • Exploit database access with PoC code
  • Email monitoring for 5 URLs
  • Product/Vendor CVE alerts (10 max)
  • Version-based CVE filtering
  • Unlimited scan history access

Can I upgrade or downgrade anytime?

Yes! You can upgrade to Pro or downgrade to Free at any time. Changes take effect immediately. When you downgrade, you'll keep access to Pro features until the end of your billing period.

What payment methods do you accept?

We accept all major credit/debit cards, UPI, net banking, and wallets via Razorpay. All payments are secure and encrypted. We don't store your card details on our servers.

Can I cancel my Pro subscription anytime?

Yes! You can cancel your Pro subscription at any time from your account settings. Your Pro features will remain active until the end of your billing period, then you'll automatically switch to the Free plan.

Do you offer refunds?

We offer a 7-day money-back guarantee for new Pro subscriptions. If you're not satisfied within the first 7 days, contact us for a full refund. After 7 days, subscriptions are non-refundable, but you can cancel anytime to avoid future charges.

API & Integration

Does CVEFinder have an API?

Yes! Pro users can generate up to 5 API keys to integrate CVEFinder into their applications, CI/CD pipelines, or automated security workflows. The API allows you to programmatically scan URLs, retrieve results, and access our CVE database.

Is there API documentation?

Yes! Our API documentation is publicly available and includes all endpoints, examples, and best practices. However, you need a Pro plan to generate API keys and actually use the API for integration with your applications.

Are there API rate limits?

Yes, API calls are subject to your plan's daily scan limit (20 scans per day for Pro users). We also have rate limiting to prevent abuse. If you need higher limits, please contact us for enterprise options.

Privacy & Security

Is my data secure?

Yes! We take security seriously. All connections use HTTPS encryption, and we never store sensitive scan data longer than necessary. Payment processing is handled by Razorpay (PCI DSS compliant) - we never see or store your card details.

Do you share my data with third parties?

No! We never sell or share your personal information or scan data with third parties. The only exception is essential service providers (payment processing via Razorpay, email delivery) who are bound by strict confidentiality agreements. See our Privacy Policy for complete details.

Can I delete my account and data?

Yes! If you wish to delete your account and all associated data, please contact our support team. We'll permanently remove your personal information, scan history, and all data associated with your account. This action cannot be undone.

Is scanning legal and ethical?

CVEFinder performs passive, non-intrusive scans that only analyze publicly accessible information (similar to what a web browser does). We don't attempt to exploit vulnerabilities or access restricted areas. However, always ensure you have permission to scan websites you don't own, especially for commercial/professional use.
