{"id":45930538,"url":"https://github.com/exploitintel/eip-search","last_synced_at":"2026-05-27T20:00:53.669Z","repository":{"id":359424632,"uuid":"1246058172","full_name":"exploitintel/eip-search","owner":"exploitintel","description":"Search exploits, vulnerabilities, and threat intelligence from the Exploit Intelligence Platform.","archived":false,"fork":false,"pushed_at":"2026-05-26T18:25:29.000Z","size":1447,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-26T19:25:07.741Z","etag":null,"topics":["cve","database","exploit","vulnerability"],"latest_commit_sha":null,"homepage":"https://exploit-intel.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/exploitintel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-21T20:41:36.000Z","updated_at":"2026-05-26T18:26:13.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/exploitintel/eip-search","commit_stats":null,"previous_names":["exploitintel/eip-search"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/exploitintel/eip-search","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exploitintel%2Feip-search","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exploitintel%2Feip-search/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/e
xploitintel%2Feip-search/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exploitintel%2Feip-search/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/exploitintel","download_url":"https://codeload.github.com/exploitintel/eip-search/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exploitintel%2Feip-search/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33581559,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-27T02:00:06.184Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","database","exploit","vulnerability"],"created_at":"2026-02-28T09:28:00.851Z","updated_at":"2026-05-27T20:00:53.632Z","avatar_url":"https://github.com/exploitintel.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Exploit Intel Platform CLI Search Tool\n\nPackage/command: `eip-search`\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://exploit-intel.com/static/brand/mark-cyan.svg\" width=\"160\" alt=\"Exploit Intel Platform (EIP)\" /\u003e\n\u003c/p\u003e\n\nA modern **searchsploit replacement** powered by the [Exploit Intelligence Platform](https://exploit-intel.com).\n\n![eip-search CLI 
screenshot](https://raw.githubusercontent.com/exploitintel/eip-search/main/eip-search.png)\n\n## Overview\n\n`eip-search` is the terminal client for the [Exploit Intelligence Platform](https://exploit-intel.com). It replaces `searchsploit` with a tool that understands *risk* — combining CVSS, EPSS, KEV, and exploit quality into every search result. Installed as a Python package or native APT package; works online against the live API or offline with a local SQLite database.\n\nLegacy score behavior is preserved:\n- `--min-cvss` and `--sort cvss_desc` remain CVSS v3-only\n- explicit mixed-family score behavior uses `--min-score`, `--score-version v3|v4|effective`, and `--sort score_desc`\n\nPart of the same project family:\n- [`eip-search`](https://github.com/exploitintel/eip-search) — terminal client (this repo)\n- [`eip-mcp`](https://github.com/exploitintel/eip-mcp) — MCP server for AI assistants\n\n## Highlights\n\n- Search large-scale vulnerability and exploit intelligence from one CLI\n- Browse exploits directly by source, language, vendor, or attack type\n- **Generate PoC exploits** for any CVE using a local LLM (Ollama) with optional vision pipeline for writeup screenshots\n- Download exploit code by CVE ID — interactive picker selects the best match\n- Combine CVSS, EPSS, KEV, and exploit quality in one view\n- Display CVSS v4 when v3 is absent, without silently changing legacy v3 filters\n- Surface trusted exploit sources first and flag trojans clearly\n- Pull Nuclei templates plus Shodan/FOFA/Google recon dorks\n- Browse authors, CWEs, vendors, and products — resolve EDB/GHSA IDs to CVEs\n\n## Why eip-search?\n\n**searchsploit** is grep over a CSV. 
It can tell you an exploit exists, but nothing about how dangerous the vulnerability is, how reliable the exploit is, or whether it's secretly a trojan.\n\n**eip-search** combines data from NVD, CISA KEV, VulnCheck KEV, InTheWild.io, ENISA EUVD, EPSS, ExploitDB, Metasploit, GitHub, and nomi-sec into a single tool that answers questions searchsploit never could:\n\n- \"What critical Fortinet vulns are being actively exploited right now?\"\n- \"Which of these 127 BlueKeep exploits is actually reliable — and which one is a trojan?\"\n- \"Give me the Shodan dork to find exposed TeamCity instances for CVE-2024-27198\"\n\n## Setup\n\n### Requirements\n\n- **Python 3.10 or newer** (check with `python3 --version` or `python --version`)\n- **pip** (comes with Python on most systems)\n\n### macOS\n\n```bash\n# Install Python 3 via Homebrew (if not already installed)\nbrew install python3\n\n# Option 1: Virtual environment (recommended)\npython3 -m venv ~/.venvs/eip\nsource ~/.venvs/eip/bin/activate\npip install eip-search\n\n# Option 2: pipx (isolated, no venv activation needed)\nbrew install pipx\npipx install eip-search\n\n# The 'eip-search' command is now available\neip-search --version\n```\n\n### Kali Linux / Debian / Ubuntu\n\n```bash\n# Option 1: Native APT repo (recommended on Kali/Debian/Ubuntu)\ncurl -fsSL https://repo.exploit-intel.com/setup.sh | sudo bash\nsudo apt install -y eip-search\n\n# Option 2: Install into a virtual environment\nsudo apt update \u0026\u0026 sudo apt install -y python3-pip python3-venv\npython3 -m venv ~/.venvs/eip\nsource ~/.venvs/eip/bin/activate\npip install eip-search\n\n# Option 3: Install with pipx (isolated, no venv management)\nsudo apt install -y pipx\npipx install eip-search\n\n# The 'eip-search' command is now available\neip-search --version\n```\n\n\u003e **Kali users**: If you see `error: externally-managed-environment`, use APT, `pipx`, or a virtual environment. 
Kali 2024+ enforces PEP 668 and blocks global pip installs.\n\n### Windows\n\n```powershell\n# Install Python 3 from https://python.org (check \"Add to PATH\" during install)\n\n# Option 1: Virtual environment (PowerShell syntax; cmd.exe would use %USERPROFILE% instead)\npython -m venv $env:USERPROFILE\\.venvs\\eip\n\u0026 \"$env:USERPROFILE\\.venvs\\eip\\Scripts\\Activate.ps1\"\npip install eip-search\n\n# Option 2: pipx\npip install pipx\npipx install eip-search\n\n# The 'eip-search' command is now available\neip-search --version\n```\n\n\u003e **Windows Terminal** or **PowerShell** is recommended for full color and Unicode support. The classic `cmd.exe` may not render tables correctly.\n\n### Arch Linux / Manjaro\n\n```bash\nsudo pacman -S python python-pip python-pipx\npipx install eip-search\n```\n\n### From Source (all platforms)\n\n```bash\ngit clone https://github.com/exploitintel/eip-search.git\ncd eip-search\npython3 -m venv .venv\nsource .venv/bin/activate      # Linux/macOS\n# .venv\\Scripts\\activate       # Windows\npip install -e .\n```\n\n## Shell Completion (optional)\n\nEnable tab completion for your shell (run from an interactive terminal):\n\n```bash\n# Bash\neip-search --install-completion bash\n\n# Zsh\neip-search --install-completion zsh\n\n# Fish\neip-search --install-completion fish\n\n# PowerShell\neip-search --install-completion powershell\n```\n\n## Verify Installation\n\n```bash\neip-search --version\n# eip-search X.Y.Z\n\neip-search stats\n# Should display platform statistics if your network can reach exploit-intel.com\n```\n\n## Troubleshooting\n\n| Problem | Solution |\n|---|---|\n| `command not found: eip-search` | Make sure your virtual environment is activated, or use `pipx` which manages PATH automatically |\n| `externally-managed-environment` | Use a virtual environment or `pipx` — see instructions above |\n| `SSL certificate error` | Your Python may lack certificates. On macOS: `brew reinstall python3`. 
On Linux: `sudo apt install ca-certificates` |\n| `Connection refused` / timeouts | Check that you can reach `https://exploit-intel.com` — the tool requires internet access |\n| Tables look broken | Use a terminal with Unicode support (Windows Terminal, iTerm2, any modern Linux terminal) |\n\n## Usage\n\n### Quick Start\n\nThe simplest usage mirrors searchsploit — just type what you're looking for:\n\n```\n$ eip-search \"palo alto\"\n```\n```\n┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━━┳━━━━━━┳━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃CVE              ┃    Sev     ┃  CVSS ┃   EPSS ┃  Exp ┃     ┃ Title                        ┃\n┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━━╇━━━━━━╇━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│CVE-2025-0108    │  CRITICAL  │   9.1 │  94.0% │   16 │ KEV │ Palo Alto Networks PAN-OS …  │\n│CVE-2025-0107    │  CRITICAL  │   9.8 │  77.0% │    1 │     │ Palo Alto Networks Expedi…   │\n│CVE-2025-0111    │   MEDIUM   │   6.5 │   2.0% │    2 │ KEV │ Palo Alto Networks PAN-OS …  │\n│ ...             
│            │       │        │      │     │                              │\n└─────────────────┴────────────┴───────┴────────┴──────┴─────┴──────────────────────────────┘\nPage 1/9 (41 total results)\n```\n\nExplicit score mode example:\n\n```bash\neip-search search --score-version effective --min-score 9.0 --sort score_desc\n```\n\nEvery result includes CVSS score, EPSS exploitation probability, exploit count, CISA KEV status, VulnCheck KEV, InTheWild.io signals, and ransomware attribution — context searchsploit simply doesn't have.\n\n### CVE Intelligence Briefs\n\nType a CVE ID and get a full intelligence brief — no subcommand needed:\n\n```\n$ eip-search CVE-2024-3400\n```\n```\n╭──────────────────────────────╮\n│ CVE-2024-3400  CRITICAL  KEV │\n╰──────────────────────────────╯\n  Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution\n  CVSS: 10.0  (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n  EPSS: 94.3%  (99.9th percentile)\n  Attack Vector: NETWORK | CWE: CWE-77, CWE-20 | Published: 2024-04-12 | KEV added: 2024-04-12\n\n  A command injection as a result of arbitrary file creation vulnerability in\n  the GlobalProtect feature of Palo Alto Networks PAN-OS software ...\n\n  Affected Products\n    - paloaltonetworks/pan-os\n    ... and 40 more\n\n  Exploits (43)\n\n    MODULES\n      #48006          metasploit  ruby      panos_telemetry_cmd_exec.rb\n                      Rank: excellent  LLM: working_poc  has code\n\n    PROOF OF CONCEPT\n      #9546           exploitdb   text      EDB-51996\n                      LLM: working_poc  has code\n      #370108  ★ 161   github      http      h4x0r-dz/CVE-2024-3400\n                      LLM: working_poc  has code\n      #369757  ★ 90    github      python    W01fh4cker/CVE-2024-3400-RCE-Scan\n                      LLM: working_poc  has code\n      #369206  ★ 72    github      python    0x0d3ad/CVE-2024-3400\n                      LLM: working_poc  has code\n      ...\n    ... 
and 32 more PoCs (use --all to show)\n\n    Tip: eip-search view \u003cid\u003e | eip-search download \u003cid\u003e -x\n\n  Also Known As\n    - EDB: EDB-51996\n    - GHSA: GHSA-v475-xhc9-wfxg\n\n  References\n    - [Vendor Advisory] https://security.paloaltonetworks.com/CVE-2024-3400\n    - [Exploit, Vendor Advisory] https://unit42.paloaltonetworks.com/cve-2024-3400/\n    ...\n```\n\nExploits are **grouped by quality** (Metasploit modules first, then verified ExploitDB, then GitHub PoCs ranked by stars) and **ranked by a composite score**.\n\n### Trojan Detection\n\nBlueKeep (CVE-2019-0708) has 127 exploits. One of them is a trojan. eip-search warns you:\n\n```\n$ eip-search info CVE-2019-0708\n```\n```\n╭──────────────────────────────╮\n│ CVE-2019-0708  CRITICAL  KEV │\n╰──────────────────────────────╯\n  CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free\n  CVSS: 9.8  EPSS: 94.5%  (100.0th percentile)\n\n  Exploits (127)\n\n    MODULES\n      #47841          metasploit  ruby      cve_2019_0708_bluekeep_rce.rb\n                      Rank: manual  LLM: working_poc  has code\n      #47840          metasploit  ruby      cve_2019_0708_bluekeep.rb\n                      LLM: working_poc  has code\n\n    VERIFIED\n      #9123           exploitdb   ruby      EDB-47416\n                      LLM: working_poc  ✓ verified  has code\n\n    PROOF OF CONCEPT\n      #72412  ★ 1187  nomisec               Ekultek/BlueKeep\n      #72419  ★ 497   nomisec               n1xbyte/CVE-2019-0708\n      #72417  ★ 389   nomisec               k8gege/CVE-2019-0708\n      ...\n    ... and 113 more PoCs (use --all to show)\n\n    SUSPICIOUS\n      #72431  ★ 2     nomisec               ttsite/CVE-2019-0708-\n                      ⚠ TROJAN — flagged by AI analysis\n\n    Tip: eip-search view \u003cid\u003e | eip-search download \u003cid\u003e -x\n\n```\n\nThe Metasploit modules and verified ExploitDB entry surface to the top. 
The trojan sinks to the bottom with a clear warning.\n\n### Risk-Based Triage\n\n\"What critical Fortinet vulnerabilities with public exploits should I worry about right now?\"\n\n```\n$ eip-search triage --vendor fortinet --severity critical\n```\n```\nTRIAGE — vulnerabilities with exploits, sorted by exploitation risk\nFilters: vendor=fortinet, severity=critical, EPSS\u003e=0.5\n\n┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━━┳━━━━━━┳━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃CVE              ┃    Sev     ┃  CVSS ┃   EPSS ┃  Exp ┃     ┃ Title                        ┃\n┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━━╇━━━━━━╇━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│CVE-2018-13379   │  CRITICAL  │   9.1 │  94.5% │   14 │ KEV │ Fortinet FortiProxy Path …   │\n│CVE-2022-40684   │  CRITICAL  │   9.8 │  94.4% │   30 │ KEV │ Fortinet FortiProxy Auth …   │\n│CVE-2023-48788   │  CRITICAL  │   9.8 │  94.2% │    1 │ KEV │ Fortinet FortiClient SQL …   │\n│CVE-2024-55591   │  CRITICAL  │   9.8 │  94.2% │    8 │ KEV │ Fortinet FortiProxy Auth …   │\n│CVE-2022-42475   │  CRITICAL  │   9.8 │  94.0% │    7 │ KEV │ Fortinet FortiOS Buffer …    │\n└─────────────────┴────────────┴───────┴────────┴──────┴─────┴──────────────────────────────┘\nPage 1/1 (17 total results)\n```\n\nTriage defaults to showing vulnerabilities with public exploits and EPSS \u003e= 0.5, sorted by exploitation probability. 
Every result here is confirmed actively exploited (KEV), has dozens of public exploits, and has a \u003e94% chance of being exploited in the wild.\n\n### Nuclei Templates \u0026 Recon Dorks\n\nGet scanner templates with ready-to-paste Shodan, FOFA, and Google dorks:\n\n```\n$ eip-search nuclei CVE-2024-27198\n```\n```\n╭──────────────────────────────────╮\n│ CVE-2024-27198  Nuclei Templates │\n╰──────────────────────────────────╯\n  TeamCity \u003c 2023.11.4 - Authentication Bypass\n\n  Nuclei Templates (1)\n\n    CVE-2024-27198  ✓ verified  critical\n    TeamCity \u003c 2023.11.4 - Authentication Bypass\n    Author: DhiyaneshDk\n    Tags: cve, cve2024, teamcity, jetbrains, auth-bypass, kev, vkev, vuln\n\n    Recon Queries:\n      Shodan:  http.component:\"TeamCity\" || http.title:teamcity || http.component:\"teamcity\"\n      FOFA:    title=teamcity\n      Google:  intitle:teamcity\n\n    Run:  nuclei -t CVE-2024-27198 -u https://target.com\n```\n\n### Browse Exploits\n\nSearch exploits directly by source, language, vendor, author, or attack type — no CVE ID needed:\n\n```bash\n# All Metasploit RCE modules\neip-search exploits --source metasploit --attack-type RCE\n\n# Python exploits for Fortinet with downloadable code\neip-search exploits \"fortinet\" --language python --has-code\n\n# Exploits for a specific CVE\neip-search exploits --cve CVE-2024-3400\n\n# Exploits by a specific author, ranked by GitHub stars\neip-search exploits --author \"Chocapikk\" --sort stars_desc\n```\n\n```\n$ eip-search exploits \"mitel\" --has-code -n 5\n```\n```\n┏━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ ID      ┃ CVE              ┃    Sev     ┃ Source      ┃ Lang   ┃   ★ ┃ Name                    ┃\n┡━━━━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ 426906  │ CVE-2024-41713   │  CRITICAL  │ nomisec     │        │  19 │ watchtowrlabs/Mitel-M…  │\n│ 426908  │ CVE-2024-41713   
│  CRITICAL  │ nomisec     │        │     │ Sanandd/cve-2024-CVE…   │\n│ 426907  │ CVE-2024-41713   │  CRITICAL  │ nomisec     │        │     │ zxj-hub/CVE-2024-417…   │\n│ 426615  │ CVE-2024-35315   │   MEDIUM   │ nomisec     │        │   1 │ ewilded/CVE-2024-353…   │\n│ 426909  │ CVE-2024-41713   │  CRITICAL  │ nomisec     │        │     │ amanverma-wsu/CVE-20…   │\n└─────────┴──────────────────┴────────────┴─────────────┴────────┴─────┴─────────────────────────┘\nPage 1/5 (89 total results)\nTip: eip-search view \u003cid\u003e | eip-search download \u003cid\u003e -x\n```\n\nEvery result includes the exploit ID, associated CVE, severity, source, language, and GitHub stars. Use the exploit ID directly with `view` or `download`.\n\n### Reference Data\n\nBrowse authors, CWEs, vendors, and products, or resolve alternate identifiers to CVEs:\n\n```bash\n# Top exploit authors\neip-search authors\n\n# Author profile with their exploits\neip-search author Metasploit\neip-search author \"Chocapikk\" --page 2\n\n# CWE categories ranked by vuln count\neip-search cwes\n\n# CWE detail\neip-search cwe 79\neip-search cwe CWE-89\n\n# Top vendors by vulnerability count\neip-search vendors\n\n# Products for a vendor (discover exact CPE names for filtering)\neip-search products apache\neip-search products microsoft\n\n# Resolve ExploitDB or GHSA ID to its CVE\neip-search lookup EDB-45961\neip-search lookup GHSA-jfh8-c2jp-5v3q\n```\n\nThe `products` command is especially useful for discovering exact product names to use with `--product` filters. Product names follow CPE conventions (e.g. `http_server` not `apache httpd`, `exchange_server` not `exchange`).\n\n### View Exploit Source Code\n\nRead exploit code directly in your terminal with syntax highlighting. 
Pass an exploit ID or a CVE ID:\n\n```bash\n# By exploit ID (from search, info, or exploits output)\n$ eip-search view 77423\n\n# By CVE ID — shows an interactive picker to choose which exploit\n$ eip-search view CVE-2024-3400\n```\n```\n  Exploits for CVE-2024-3400:\n\n  [1]  #48006          metasploit  ruby      panos_telemetry_cmd_exec.rb\n                       Rank: excellent  working_poc\n  [2]  #9546           exploitdb   text      EDB-51996\n                       working_poc\n  [3]  #370108  ★ 161   github      http      h4x0r-dz/CVE-2024-3400\n                       working_poc\n\n  Select [1-43, default=1]: 1\n```\n```\n  panos_telemetry_cmd_exec.rb\n\n      1 ##\n      2 # This module requires Metasploit: https://metasploit.com/download\n      3 # Current source: https://github.com/rapid7/metasploit-framework\n      4 ##\n      5\n      6 class MetasploitModule \u003c Msf::Exploit::Remote\n      7   Rank = ExcellentRanking\n      8   ...\n```\n\nWhen an exploit has multiple files, eip-search auto-selects the most relevant code file. Use `--file` to pick a specific one.\n\n### Download Exploit Code\n\nDownload and optionally extract exploit archives. 
Pass an exploit ID or a CVE ID:\n\n```bash\n# By CVE ID — interactive picker, auto-extracts\n$ eip-search download CVE-2024-3400 --extract\n```\n```\n  Exploits with code for CVE-2024-3400:\n\n  [1]  #48006          metasploit  ruby      panos_telemetry_cmd_exec.rb\n                       Rank: excellent  working_poc\n  [2]  #9546           exploitdb   text      EDB-51996\n                       working_poc\n  ...\n\n  Select [1-43, default=1]: 1\n\nDownloaded: metasploit-modules_exploits_linux_http_panos_telemetry_cmd_exec.rb.zip\nZIP password: eip (exploit archives are password-protected to prevent AV quarantine)\nExtracted:  metasploit-modules_exploits_linux_http_panos_telemetry_cmd_exec.rb/\nFiles (1):\n  - panos_telemetry_cmd_exec.rb\n```\n\n```bash\n# By exploit ID — downloads directly, no picker\n$ eip-search download 77423 --extract\n```\n```\nDownloaded: nomisec-fullhunt_log4j-scan.zip\nZIP password: eip (exploit archives are password-protected to prevent AV quarantine)\nExtracted:  nomisec-fullhunt_log4j-scan/\nFiles (10):\n  - fullhunt-log4j-scan-07f7e32/.gitignore\n  - fullhunt-log4j-scan-07f7e32/Dockerfile\n  - fullhunt-log4j-scan-07f7e32/log4j-scan.py\n  - fullhunt-log4j-scan-07f7e32/requirements.txt\n  ...\n```\n\n\u003e **Note:** Downloaded ZIPs are encrypted with password **`eip`** as a safety measure to prevent antivirus software from quarantining exploit code. 
Use `--extract` / `-x` to automatically unzip.\n\n### Advanced Search\n\nThe `search` subcommand exposes the full filter set:\n\n```bash\n# All SQL injection vulns with public exploits, sorted by CVSS\neip-search search --cwe 89 --has-exploits --sort cvss_desc\n\n# Critical KEV entries with high exploitation probability\neip-search search --kev --severity critical --min-epss 0.9\n\n# Recent npm vulnerabilities with exploits\neip-search search --ecosystem npm --has-exploits --sort newest\n\n# Microsoft Exchange critical vulns\neip-search search --product exchange --severity critical --has-exploits\n```\n\n```\n$ eip-search search --cwe 89 --has-exploits --sort cvss_desc -n 5\n```\n```\n┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━━┳━━━━━━┳━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃CVE              ┃    Sev     ┃  CVSS ┃   EPSS ┃  Exp ┃     ┃ Title                        ┃\n┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━━╇━━━━━━╇━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│CVE-2024-3605    │  CRITICAL  │  10.0 │  64.9% │    1 │     │ Thimpress WP Hotel Booking…  │\n│CVE-2024-3922    │  CRITICAL  │  10.0 │  88.5% │    3 │     │ Dokan Pro Plugin SQL Inje…   │\n│CVE-2024-39911   │  CRITICAL  │  10.0 │  68.3% │    1 │     │ Fit2cloud 1panel SQL Inje…   │\n│CVE-2025-52694   │  CRITICAL  │  10.0 │   9.7% │    1 │     │ Advantech IoT Edge SQL In…   │\n│CVE-2024-43918   │  CRITICAL  │  10.0 │  48.9% │    1 │     │ Woobewoo Product Table SQ…   │\n└─────────────────┴────────────┴───────┴────────┴──────┴─────┴──────────────────────────────┘\nPage 1/817 (4,082 total results)\n```\n\n### JSON Output for Scripting\n\nMost data/query commands support `--json` for piping into `jq`, scripts, or SIEMs:\n\n```\n$ eip-search search \"log4j\" --has-exploits --sort epss_desc -n 5 --json\n```\n```json\n{\n  \"total\": 15,\n  \"page\": 1,\n  \"per_page\": 5,\n  \"total_pages\": 3,\n  \"items\": [\n    {\n      \"cve_id\": \"CVE-2021-44228\",\n      \"title\": \"Log4Shell HTTP Header 
Injection\",\n      \"severity_label\": \"critical\",\n      \"cvss_v3_score\": 10.0,\n      \"epss_score\": 0.94358,\n      \"is_kev\": true,\n      \"exploit_count\": 401\n    },\n    ...\n  ]\n}\n```\n\n```bash\n# Get all critical KEV CVE IDs as a flat list\neip-search search --kev --severity critical -n 100 --json | jq -r '.items[].cve_id'\n\n# Feed into nuclei\neip-search search --has-nuclei --severity critical --json | jq -r '.items[].cve_id' | xargs -I{} nuclei -t {} -u https://target.com\n```\n\n`--json` is currently available on: `search`, `info`, `triage`, `exploits`, `nuclei`, `stats`, `authors`, `author`, `cwes`, `cwe`, `vendors`, `products`, and `lookup`.\n\n### Platform Statistics\n\n```\n$ eip-search stats\n```\n```\n╭───────────────────────────────╮\n│ Exploit Intelligence Platform │\n╰───────────────────────────────╯\n\n  ┌──────────────────────────────┬─────────────────────┐\n  │ Total Vulnerabilities        │             370,791 │\n  │ Published                    │             191,380 │\n  │ With CVSS Scores             │             238,607 │\n  │ With EPSS Scores             │             315,656 │\n  │ Critical Severity            │              29,145 │\n  │ CISA KEV Entries             │               1,522 │\n  │                              │                     │\n  │ Vulns with Exploits          │              90,481 │\n  │ Total Exploits               │             105,731 │\n  │ With Nuclei Templates        │                 404 │\n  │                              │                     │\n  │ Vendors Tracked              │              37,508 │\n  │ Exploit Authors              │              23,281 │\n  │                              │                     │\n  │ Last Updated                 │ 2026-02-17 23:07:26 │\n  └──────────────────────────────┴─────────────────────┘\n```\n\n### Generate Exploits with Local LLM\n\nGenerate a proof-of-concept exploit for any CVE using a local [Ollama](https://ollama.com) instance. 
The tool fetches all available intelligence from the platform — writeup text, existing exploit code, and screenshots — then uses a two-stage LLM pipeline to produce a clean, minimal Python PoC.\n\n```bash\n# Check feasibility first (no Ollama needed)\n$ eip-search generate CVE-2026-2686 --check\n```\n```\n  CVE-2026-2686 — SECCN Dingcheng G10 Command Injection\n  CVSS 9.8 | RCE | trivial | Feasibility: EXCELLENT (11)\n  Reasons: web-based (RCE), trivial, has writeup, HTTP details in summary, known CWE pattern\n  Files: 1 text, 8 screenshots\n```\n\n```bash\n# Generate the exploit\n$ eip-search generate CVE-2026-2686 -o exploit.py\n```\n```\n  CVE-2026-2686 — SECCN Dingcheng G10 Command Injection\n  CVSS 9.8 | RCE | trivial | Feasibility: EXCELLENT (11)\n\n  Analyzing 8 screenshots...\n    img-001: telnet session, root shell on BusyBox (8.9s)\n    img-003: POST /cgi-bin/session_login.cgi with injection payload (10.7s)\n    img-008: Burp capture with full request headers (16.9s)\n    2 screenshots skipped (no actionable details)\n\n  Generating PoC with kimi-k2:1t-cloud... done (11s)\n\n  (syntax-highlighted Python exploit)\n\n  Saved: exploit.py\n```\n\nThe generator works in three modes depending on what's available:\n- **Writeup + screenshots** → vision model extracts technical details from images, code model generates PoC from enriched context\n- **Existing exploit code** → code model rewrites/fixes it into a clean, standardized Python PoC\n- **CVE description only** → generates from NVD description and LLM analysis (lower quality)\n\nGenerated exploits are minimal proofs of concept (inject `id` for RCE, extract `@@version` for SQLi) — no backdoors, reverse shells, or weaponization. Each script is clearly marked as LLM-generated and untested.\n\n**Requirements:** [Ollama](https://ollama.com) running locally with a code model pulled. 
Vision model is optional (used for screenshot analysis).\n\n```bash\n# Install Ollama, then pull models\nollama pull kimi-k2:1t-cloud                   # code generation (required)\nollama pull qwen3-vl:235b-instruct-cloud       # screenshot analysis (optional)\n```\n\n```bash\n# Options\neip-search generate CVE-ID                     # full pipeline (vision + code)\neip-search generate CVE-ID --check             # feasibility check only\neip-search generate CVE-ID --no-vision         # skip screenshots (faster)\neip-search generate CVE-ID -m glm-5:cloud      # override code model\neip-search generate CVE-ID -o exploit.py       # save to file\n```\n\nConfigure defaults in `~/.eip-search.toml`:\n\n```toml\n[generate]\nollama_url = \"http://127.0.0.1:11434\"\ncode_model = \"kimi-k2:1t-cloud\"\nvision_model = \"qwen3-vl:235b-instruct-cloud\"\n```\n\n## All Commands\n\n| Command | Description |\n|---|---|\n| `eip-search \"query\"` | Quick search (auto-routes CVE IDs to detail view) |\n| `eip-search search \"query\" [filters]` | Search vulnerabilities with full filter support |\n| `eip-search exploits \"query\" [filters]` | Browse/search exploits directly |\n| `eip-search info CVE-ID` | Full intelligence brief for a vulnerability |\n| `eip-search generate CVE-ID` | Generate a PoC exploit using local LLM (requires Ollama) |\n| `eip-search triage [filters]` | Risk-sorted view of what to worry about |\n| `eip-search nuclei CVE-ID` | Nuclei templates + Shodan/FOFA/Google dorks |\n| `eip-search view ID-or-CVE` | Syntax-highlighted exploit source code |\n| `eip-search download ID-or-CVE` | Download exploit code as ZIP |\n| `eip-search stats` | Platform-wide statistics |\n| `eip-search authors` | Top exploit authors ranked by exploit count |\n| `eip-search author NAME` | Author profile with their exploits |\n| `eip-search cwes` | CWE categories ranked by vulnerability count |\n| `eip-search cwe ID` | CWE detail (accepts `79` or `CWE-79`) |\n| `eip-search vendors` | Top vendors 
ranked by vulnerability count |\n| `eip-search products VENDOR` | Products for a vendor (discover CPE names for filtering) |\n| `eip-search analysis ID-or-CVE` | Full AI analysis for an exploit (classification, MITRE, trojan indicators) |\n| `eip-search lookup ALT-ID` | Resolve EDB/GHSA identifier to CVE |\n| `eip-search update-db` | Download/update the offline SQLite database |\n\nThe `view`, `download`, and `analysis` commands accept either an exploit ID (e.g. `77423`) or a CVE ID (e.g. `CVE-2024-3400`). When given a CVE, they show an interactive picker ranked by exploit quality.\n\n### Offline Mode\n\nAll read-only commands work offline with a local SQLite database:\n\n```bash\neip-search update-db                       # download the database (~200 MB compressed)\neip-search --offline search \"apache httpd\"  # search locally\neip-search --offline info CVE-2024-3400     # full detail from local DB\neip-search --db /path/to/eip.db search \"log4j\"  # custom DB path (implies --offline)\n```\n\n#### Offline Exploit Code\n\nSync the exploit archive to enable `view` and `download` offline:\n\n```bash\nrsync -avz rsync://rsync.exploit-intel.com/exploits/ ~/eip-exploits/\n```\n\nConfigure in `~/.eip-search.toml`:\n\n```toml\n[offline]\nexploits_dir = \"~/eip-exploits\"\n```\n\nThen `view` and `download` work without an internet connection:\n\n```bash\neip-search --offline view CVE-2024-3400      # view exploit source code locally\neip-search --offline download 77423 -x       # copy and extract local archive\n```\n\nThe archive contains tens of thousands of repositories (tens of GB). 
Both the database and archive are refreshed multiple times daily.\n\n## Search Filters\n\n| Filter | Short | Description |\n|---|---|---|\n| `--severity` | `-s` | critical, high, medium, low |\n| `--has-exploits` | `-e` | Only CVEs with public exploit code |\n| `--kev` | `-k` | Only CISA Known Exploited Vulnerabilities |\n| `--exploited` | `-x` | Only CVEs exploited in the wild (CISA + VulnCheck + InTheWild) |\n| `--ransomware` | | Only CVEs with confirmed ransomware campaign use |\n| `--has-nuclei` | | Only CVEs with Nuclei scanner templates |\n| `--vendor` | `-v` | Filter by vendor name |\n| `--product` | `-p` | Filter by product name |\n| `--ecosystem` | | npm, pip, maven, go, crates |\n| `--cwe` | | CWE ID (e.g. `79` or `CWE-79`) |\n| `--year` | `-y` | CVE publication year |\n| `--min-cvss` | | Minimum CVSS score (0-10) |\n| `--min-epss` | | Minimum EPSS score (0-1) |\n| `--date-from` | | Start date (YYYY-MM-DD) |\n| `--date-to` | | End date (YYYY-MM-DD) |\n| `--sort` | | newest, oldest, cvss_desc, epss_desc, relevance |\n| `--json` | `-j` | JSON output for scripting |\n\n## Exploit Filters\n\nThe `exploits` command has its own filter set for exploit-centric searching:\n\n| Filter | Short | Description |\n|---|---|---|\n| `--source` | | github, metasploit, exploitdb, nomisec |\n| `--language` | `-l` | python, ruby, go, c, etc. 
|\n| `--classification` | | LLM class: working_poc, scanner, trojan |\n| `--attack-type` | | RCE, SQLi, XSS, DoS, LPE, auth_bypass, info_leak |\n| `--complexity` | | trivial, simple, moderate, complex |\n| `--reliability` | | reliable, unreliable, untested |\n| `--author` | | Filter by exploit author name |\n| `--min-stars` | | Minimum GitHub stars |\n| `--has-code` | `-c` | Only exploits with downloadable code |\n| `--cve` | | Filter by CVE ID |\n| `--vendor` | `-v` | Filter by vendor name |\n| `--product` | `-p` | Filter by product name |\n| `--sort` | | newest, stars_desc |\n| `--json` | `-j` | JSON output for scripting |\n\nThe positional query is auto-detected: CVE IDs map to `--cve`, other text maps to `--vendor`.\n\n## How Exploit Ranking Works\n\nWhen a CVE has dozens or hundreds of exploits, eip-search ranks them by quality so the best ones surface first:\n\n| Source | Base Score | Why |\n|---|---|---|\n| Metasploit (`excellent`) | 1000 | Peer-reviewed, maintained by Rapid7 |\n| Metasploit (other ranks) | 500-900 | Still curated and tested |\n| ExploitDB (verified) | 550 | Human-verified by Offsec |\n| ExploitDB (unverified) | 300 | Published but not verified |\n| nomi-sec / GitHub | log10(stars) * 100 + bonus | Community signal via GitHub stars |\n\nOn top of the base score, LLM classification modifiers apply: `working_poc` gets +100, `scanner` gets +50, while `trojan` gets -9999 (always last, with a warning).\n\nExploit sources are ExploitDB (~88K), nomi-sec (~11K), Metasploit (~3.3K), and GitHub (~2.2K).\n\n## Architecture\n\n```\nTerminal user\n      │\n      │  eip-search \u003ccommand\u003e [flags]\n      ▼\neip_search/cli.py         ← Typer app — command definitions, arg parsing, offline routing\n      │\n      ├── eip_search/client.py       ← httpx → https://exploit-intel.com/api/v1/…  (online)\n      │\n      └── eip_search/local_client.py ← SQLite → ~/.local/share/eip-search/eip.db  (--offline)\n              │\n              ▼\n      
eip_search/models.py           ← Shared data models\n      eip_search/ranking.py          ← Exploit quality ranking + grouping\n      eip_search/display.py          ← Rich output rendering\n      eip_search/generate.py         ← Ollama PoC generation (optional)\n```\n\nThe CLI auto-routes bare arguments: if the first positional arg looks like a CVE ID, it routes to `info`; otherwise to `search`. Both `client.py` and `local_client.py` share the same interface — adding a new command requires mirroring it in both.\n\n## Deploy\n\nDistribution is handled via two channels:\n\n- **PyPI** — `pip install eip-search` / `pipx install eip-search`\n- **APT repo** — `repo.exploit-intel.com` (native packages for Kali, Debian, Ubuntu)\n\nRelease process uses the Makefile:\n\n```bash\n# CI-driven release (recommended): bump version, commit, tag, push; GitHub Actions builds + uploads\nmake tag-release VERSION=X.Y.Z\n\n# Local legacy release path: avoid unless you intentionally need the manual path\nmake release VERSION=X.Y.Z\n```\n\nVersion is bumped atomically in `pyproject.toml` and `eip_search/__init__.py` via `scripts/bump_version.py`.\n\n## Configuration\n\nOptional config at `~/.eip-search.toml`:\n\n```toml\n[api]\nbase_url = \"https://exploit-intel.com\"\napi_key = \"your-key-here\"   # optional, for higher rate limits\n\n[display]\nper_page = 20               # default results per page\n```\n\nNo API key is required. 
The public API allows 60 requests/minute.\n\n## Security\n\n- **ZIP Slip protection**: All ZIP extraction paths are validated against directory traversal attacks\n- **Filename sanitization**: Download filenames are stripped of path components and special characters\n- **Download size cap**: 50 MB hard limit prevents memory exhaustion from malicious responses\n- **Markup injection prevention**: All API data is escaped before terminal rendering\n- **TLS verification**: All connections use standard certificate verification\n\n## Git Workflow\n\n**Never push directly to `main`.** All changes go through a branch and PR.\n\n```bash\ngit checkout -b \u003cbranch-name\u003e\n# make changes\ngit push origin \u003cbranch-name\u003e\ngh pr create\n```\n\nPRs require review before merge.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexploitintel%2Feip-search","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fexploitintel%2Feip-search","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexploitintel%2Feip-search/lists"}