CVE detection · one-click mitigation

Know exactly which CVEs hit your servers. Fix them in one click.

CVEProtect imports the public CVE database, generates per-CVE detection and mitigation scripts with an LLM, and runs them on your Linux servers via a zero-dependency agent. When something is vulnerable, you get an email — and a single button to patch it.

No credit card. Self-hostable. Zero-dependency agent — empty dependencies in package.json, on purpose.

cveprotect.com / dashboard / projects / prod-fleet

  • CVE-2025-31200 (critical, vulnerable): Sudo heap buffer overflow on long hostnames. Device: web-01
  • CVE-2025-28342 (high, vulnerable): OpenSSH agent forwarding TOCTOU. Device: edge-02
  • CVE-2025-27771 (medium, mitigated): systemd-resolved DNS cache poisoning. Device: db-03

The problem

You can’t patch what you can’t see.

A new CVE drops every few minutes. Reading them all is a job. Mapping each one to your actual fleet — which kernel, which sshd, which libc, which container — is a different job. By the time anyone gets to step two, the announcement is on Hacker News and someone is already scanning your IPs.

CVE databases tell you about the world. They don’t tell you about your servers. CVEProtect closes that gap: same CVE feed, but mapped to the boxes you own, with the specific bash command to detect it and the specific command to fix it.

How it works

Four steps. The boring ones are automated.

  1. Step one

    CVEs land, automatically.

    CVEProtect clones the public CVE List V5 repo and imports every new CVE from 2025 onward — refreshing every 30 minutes so newly disclosed bugs land fast.

  2. Step two

    An LLM writes the detect + mitigate scripts.

    For each new CVE, we fetch its reference URLs, feed them to OpenRouter alongside the CVE record, and ask for exactly two bash scripts: one to detect, one to mitigate. We cache them per-CVE so we never pay twice.

  3. Step three

    A zero-dep agent runs on your servers.

    Each device gets its own Bun standalone binary. No npm dependencies, no transitive surface — its key is appended on download, not baked at compile time. The agent pulls only the CVEs it hasn’t seen, runs the detect scripts, and reports findings.

  4. Step four

    You get an email. You click one button.

    When a finding is vulnerable, the project owner gets an email with severity and CVSS. In the dashboard, "Approve mitigation" hands the script back to the agent on its next poll — which runs it as root and reports the result.

The agent

Zero dependencies. On purpose.

The CVEProtect agent runs as root on your servers. Anything it pulls in — even transitively — is a supply chain you didn’t pick. So we picked nothing.

Its package.json has an empty dependencies object. It compiles to a single Bun standalone binary. Your device key is appended on download — no recompile, no template substitution, no NPM in the loop.

cveprotect-agent / package.json
{
  "name": "cveprotect-agent",
  "version": "0.1.0",
  "private": true,
  "type": "module",
  "scripts": {
    "build:x64":   "bun build --compile --target=bun-linux-x64   src/index.ts",
    "build:arm64": "bun build --compile --target=bun-linux-arm64 src/index.ts"
  },
  "dependencies": {}
}
  • Runs as root. Reads /etc/os-release, runs bash, that’s it.
  • Polls every 15 minutes. Per-CVE detect script runs in a tempfile, output is capped at 32 KB.
  • Mitigations are pulled only after you click Approve mitigation in the dashboard. Nothing destructive happens without a human in the loop.
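
The runner behaviour in the list above (a detect script executed from a tempfile, output capped at 32 KB), as an added shell sketch that is not CVEProtect's agent code. The names run_detect and MAX_OUTPUT_BYTES, the private temp directory and the choice to report the script's exit status are assumptions.

```sh
#!/bin/sh
# Added sketch, not CVEProtect's agent code (the agent itself is TypeScript).
# Assumed names: run_detect, MAX_OUTPUT_BYTES.

MAX_OUTPUT_BYTES=32768   # the 32 KB output cap described above

# run_detect SCRIPT_TEXT OUT_FILE
# Runs SCRIPT_TEXT with bash from a private tempfile, stores at most
# MAX_OUTPUT_BYTES of combined stdout/stderr in OUT_FILE, and returns the
# script's own exit status (141 if it was cut off by SIGPIPE at the cap).
run_detect() (
  set +e       # a failing detect script must not abort the runner
  umask 077    # script, status file and output readable by this user only
  # mktemp -d gives a fresh 0700 directory, so no other local user can
  # read or replace the script between writing it and executing it.
  dir=$(mktemp -d "${TMPDIR:-/tmp}/detect.XXXXXX") || exit 125
  printf '%s\n' "$1" > "$dir/script.sh"
  # head stops reading at the cap, which bounds the stored output no matter
  # how much the script prints. The script's status goes to a side file
  # because the pipeline's own status is head's, not the script's.
  { bash "$dir/script.sh" 2>&1; echo "$?" > "$dir/rc"; } |
    head -c "$MAX_OUTPUT_BYTES" > "$2"
  read -r rc < "$dir/rc" || rc=125
  rm -rf "$dir"
  exit "$rc"
)
```
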
Pricing

14 days free. Then one straightforward plan.

Start with a 14-day trial — unlimited projects, unlimited servers, every feature. After that, Pro at a flat rate. If you outgrow it, add capacity in $10 blocks; if you outgrow that, the Enterprise team is one form away.

Trial
Free

14 days. Unlimited everything. No credit card.

  • Unlimited projects & devices
  • Full CVE database (2025+)
  • AI detect + mitigate scripts
  • Email alerts on vulnerable findings
Pro (most teams)
$45 / month

Up to 3 projects and 100 servers total across them.

  • Everything in Trial, with no time limit
  • 3 projects, 100 servers (fleet-wide cap)
  • Hosted CVE refresh + LLM bill included
  • Email + Slack-ready webhook alerts
Add-on
+$10/mo for +1 project and +50 servers.
Server cap is across the whole account, not per project. Stack add-ons until you outgrow it.
Enterprise
Contact us

Hundreds or thousands of servers, SSO, SLA, on-prem — let’s talk.

  • Unlimited projects & servers
  • SSO / SAML, audit log export
  • SLA on ingest + alert delivery
  • Dedicated support & onboarding
Talk to us

Big fleet? Special requirements? We’ve got an answer.

CVEProtect Enterprise covers the cases the Pro plan deliberately doesn’t: hundreds to thousands of servers, SAML SSO, on-prem deployment, audit log export, and a real SLA on ingest and alert delivery.

Tell us a bit about your environment and we’ll come back within one business day — usually faster.

We use your message to reply. No newsletter, no third parties.

Stop reading CVE feeds at 2 a.m.

Spin up CVEProtect, add a device, download the agent. Within an hour you’ll know exactly which CVEs hit your fleet — and you’ll have a button to fix each one.