
CVE Watch

CVE Watch checks your dependency inventory against the OSV database every hour. When a new CVE is disclosed that affects a package you already use, Vygl fires an alert — without rescanning your code. Alerts are enriched daily with EPSS (probability of exploitation in the next 30 days) and CISA KEV (Known Exploited Vulnerabilities — actively exploited in the wild).

Toggle CVE Watch enabled in Settings → CVE Watch Settings. Once enabled, your organization is included in the hourly run. There’s no per-project opt-in; CVE Watch operates on your entire dependency inventory.

Cadence              What runs
Every 6 hours        Vygl syncs the OSV database incrementally; newly published advisories are mirrored.
Every hour           Vygl checks each enabled org's dependency inventory against the local OSV mirror; new matches generate alerts.
Daily at 04:00 UTC   EPSS and CISA KEV feeds are refreshed and applied to existing alerts.

End-to-end alert lag is bounded by the two cadences above: from the time a CVE is published to OSV, expect up to roughly 6 hours for it to reach the local mirror, plus up to 1 more hour until the next hourly inventory check, before an alert fires. EPSS and KEV signals arrive with up to a 24-hour delay relative to upstream, so a brand-new alert may show no EPSS score or KEV flag until the next daily refresh.

Each alert has its own status:

Status          Meaning
new             Just detected; awaiting triage.
acknowledged    Triaged; work in progress.
fixed           The vulnerable dependency has been upgraded.
dismissed       Won't fix, with a reason (accepted risk, mitigated upstream, etc.).

Triage from the CVE Watch page. Bulk actions are supported.

Three sort options:

  • CVSS — base score from the upstream advisory. This rates the impact if exploited, not how likely exploitation is.
  • EPSS — predicted exploit probability. A CVE in the 95th EPSS percentile is far more likely to be attacked than one in the 5th.
  • KEV-first — CISA KEV-listed CVEs sort to the top.

Filter to KEV only when you want to focus on what’s actively being exploited right now.

CVE Watch routes through the same integrations as scan findings. Subscribe channels (Slack, Teams, email, webhooks) to:

  • cve_critical — per-alert, critical severity.
  • cve_high — per-alert, high severity.
  • cve_batch_summary — end-of-run digest summarizing all new alerts.

See the Slack, Teams, Email, or Webhooks integration pages for setup.

CVE Watch matches on ecosystem + package name + version. For each advisory, Vygl evaluates the OSV affected.ranges definition (introduced / fixed / last_affected events) using that ecosystem's version ordering: SemVer precedence for npm and Go modules, PEP 440 ordering for Python, and so on. The comparison is against the exact version recorded in your dependency inventory; a manifest specifier such as an npm caret or tilde range is not itself what gets matched, the resolved version is.
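As an added example (not Vygl's code), the Python below shows how OSV affected.ranges events are evaluated against exact versions from a locked inventory, including the SemVer rules that make 1.4.1 safe when the fix is 1.4.1 and make a 2.0.0-beta.3 prerelease fall inside a 2.0.0-alpha.1 to 2.0.0 window. The advisory IDs (EXAMPLE-0001, EXAMPLE-0002), package names, versions and the inventory are all constructed for illustration. Only SEMVER ranges are implemented; ECOSYSTEM (PEP 440) and GIT ranges are reported as unsupported rather than silently treated as clean, and a specifier like ^1.2.0 is rejected because matching needs a resolved version.

```python
"""Match a locked dependency inventory against OSV-style advisories.

Added example, not Vygl code. Demonstrates OSV affected[].ranges event
evaluation (introduced / fixed / last_affected) with SemVer precedence.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed advisories in the OSV schema shape. IDs, package names and
# versions are invented for this example; none refers to a real advisory.
ADVISORIES = [
    {
        "id": "EXAMPLE-0001",
        "affected": [
            {
                "package": {"ecosystem": "npm", "name": "left-padder"},
                "ranges": [{"type": "SEMVER",
                            "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}],
            },
            {
                "package": {"ecosystem": "Go", "name": "example.com/gomod/parser"},
                "ranges": [{"type": "SEMVER",
                            "events": [{"introduced": "0"}, {"last_affected": "0.9.3"}]}],
            },
        ],
    },
    {
        "id": "EXAMPLE-0002",
        "affected": [
            {
                "package": {"ecosystem": "npm", "name": "left-padder"},
                "ranges": [{"type": "SEMVER",
                            "events": [{"introduced": "2.0.0-alpha.1"}, {"fixed": "2.0.0"}]}],
                "versions": ["1.4.2"],  # an explicitly enumerated affected release
            }
        ],
    },
]

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def semver_key(version: str) -> tuple:
    """Return a tuple that sorts by SemVer 2.0 precedence.

    Layout: (major, minor, patch, is_release, prerelease_ids). A release sorts
    above any prerelease of the same triple; prerelease identifiers compare
    numerically when numeric, otherwise lexically, with numeric ones first.
    The OSV sentinel "0" means "from the very first version" and sorts below
    everything. A specifier such as "^1.2.0" is rejected: matching needs the
    resolved version from the inventory, not a range.
    """
    if version == "0":
        return (0, 0, 0, 0, ())
    m = _SEMVER.match(version)  # a leading "v" (Go module style) is tolerated
    if not m:
        raise ValueError(f"not an exact SemVer version: {version!r}")
    major, minor, patch, pre = m.groups()
    if pre is None:
        return (int(major), int(minor), int(patch), 1, ())
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (int(major), int(minor), int(patch), 0, ids)


def version_in_range(version: str, rng: dict) -> bool:
    """Evaluate one OSV range object against an exact version (SEMVER only).

    ECOSYSTEM ranges need that ecosystem's comparator (e.g. PEP 440 for PyPI)
    and GIT ranges need repository history, so both raise instead of
    returning a false "not affected".
    """
    if rng.get("type") != "SEMVER":
        raise NotImplementedError(f"range type {rng.get('type')!r} not handled here")
    target = semver_key(version)
    affected = False
    # Walk events in version order: each introduced/fixed boundary at or below
    # the target flips the state; last_affected is an inclusive upper bound.
    events = sorted(((k, v) for ev in rng["events"] for k, v in ev.items()),
                    key=lambda kv: semver_key(kv[1]))
    for kind, bound in events:
        if kind == "introduced" and target >= semver_key(bound):
            affected = True
        elif kind == "fixed" and target >= semver_key(bound):
            affected = False
        elif kind == "last_affected" and target > semver_key(bound):
            affected = False
    return affected


@dataclass(frozen=True)
class Dependency:
    ecosystem: str  # OSV ecosystem name: "npm", "Go", "PyPI", ...
    name: str
    version: str    # resolved version from the inventory, never a specifier


def find_alerts(inventory, advisories=ADVISORIES) -> list[tuple[str, Dependency]]:
    """Return (advisory id, dependency) pairs for every affected inventory entry."""
    alerts = []
    for dep in inventory:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != (dep.ecosystem, dep.name):
                    continue
                # OSV lists affected versions two ways, explicit "versions" and
                # event-based "ranges"; either one is enough for a match.
                hit = dep.version in aff.get("versions", []) or any(
                    version_in_range(dep.version, r) for r in aff.get("ranges", []))
                if hit:
                    alerts.append((adv["id"], dep))
    return alerts


# Constructed inventory: the kind of rows a lockfile scan would produce.
INVENTORY = [
    Dependency("npm", "left-padder", "1.3.0"),         # inside 1.2.0 <= v < 1.4.1
    Dependency("npm", "left-padder", "1.4.1"),         # the fix itself: exclusive bound
    Dependency("npm", "left-padder", "1.4.2"),         # enumerated in "versions"
    Dependency("npm", "left-padder", "2.0.0-beta.3"),  # prerelease window of EXAMPLE-0002
    Dependency("Go", "example.com/gomod/parser", "v0.9.3"),  # last_affected is inclusive
    Dependency("Go", "example.com/gomod/parser", "v0.9.4"),
    Dependency("PyPI", "left-padder", "1.3.0"),        # same name, different ecosystem
]

if __name__ == "__main__":
    for adv_id, dep in find_alerts(INVENTORY):
        print(f"{adv_id}: {dep.ecosystem}/{dep.name}@{dep.version}")
```

Running it reports four alerts: the 1.3.0 and v0.9.3 rows against EXAMPLE-0001, and the 1.4.2 and 2.0.0-beta.3 rows against EXAMPLE-0002. The 1.4.1 row is clean because a fixed event is an exclusive bound, v0.9.4 is clean because last_affected is inclusive at 0.9.3, and the PyPI row never matches because ecosystem is part of the key.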