Package Vulnerability Checker
Check individual packages for known vulnerabilities with CVSS, EPSS, KEV, fixed version, and remediation guidance.
Find the right package, pick a real version, then check risk.
Autocomplete now shows popular packages immediately after ecosystem selection and can suggest known versions for supported registries.
What package vulnerability checking does
This tool checks an ecosystem, package name, and version against known vulnerability data. It is useful for triage before upgrading dependencies or reviewing a suspicious software inventory item.
How to interpret severity
CVE identifiers describe known vulnerabilities. CVSS estimates technical severity, EPSS estimates exploitation probability, and KEV indicates vulnerabilities known to be exploited in the wild. Use these signals together rather than relying on one score.
Remediation workflow
- Confirm the package name and exact version.
- Review fixed versions and vendor advisories.
- Test the upgrade in staging or CI.
- Document exceptions when a finding is not reachable in your application.
Limitations
False positives and false negatives are possible. Package names can differ between ecosystems, backported patches may not change upstream version numbers, and a vulnerable library may not be exploitable in every deployment.
Related tools
Scan inventories with SBOM Vulnerability Scanner, inspect JSON with JSON Formatter, and verify downloaded files with Hash Generator.