{"vulnerability": "CVE-0000-0000", "sightings": [{"uuid": "82d21f71-2fff-460f-a966-61a123d08341", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/39a0c077393cf71c2b957bc078e70ef8", "content": "diff --git a/README.md b/README.md\nindex 57102d1..09fd604 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,11 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n+\n+KEV reporting can be enabled with the `kevuln` dictionary. See `examples/config.kev.toml.example` for a ready-to-use synthetic configuration with placeholder values only, and `examples/scanresult-kev.json` for the new `kevs` JSON output shape.\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..6cc6421 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -74,26 +75,20 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n-\t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n+\t\t\tkevs, err := convertKEVulnJSON([]byte(res.json))\n+\t\t\tif err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevs) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -107,17 +102,15 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif len(kevulns) == 0 {\n \t\t\t\tcontinue\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n+\t\t\t}\n+\t\t\tif len(kevs) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +120,167 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tb, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil, err\n+\t}\n+\treturn convertKEVulnJSON(b)\n+}\n+\n+func convertKEVulnJSON(b []byte) ([]models.KEV, error) {\n+\tvar raw []map[string]interface{}\n+\tif err := json.Unmarshal(b, &amp;raw); err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raw))\n+\tfor _, r := range raw {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       normalizeKEVType(getString(r, \"type\", \"source\")),\n+\t\t\tVendorProject:              getString(r, \"vendorProject\", \"vendor_project\", \"vendor\"),\n+\t\t\tProduct:                    getString(r, \"product\"),\n+\t\t\tVulnerabilityName:          getString(r, \"vulnerabilityName\", \"vulnerability_name\", \"name\"),\n+\t\t\tShortDescription:           getString(r, \"shortDescription\", \"short_description\", \"description\"),\n+\t\t\tRequiredAction:             getString(r, \"requiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse: getString(r, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                  getTime(r, \"dateAdded\", \"date_added\"),\n+\t\t}\n+\t\tif dueDate := getTime(r, \"dueDate\", \"due_date\"); !dueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\n+\t\tif cisa := getMap(r, \"cisa\"); len(cisa) &gt; 0 {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: getString(cisa, \"note\", \"notes\")}\n+\t\t} else if note := getString(r, \"note\", \"notes\"); note != \"\" {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: note}\n+\t\t}\n+\n+\t\tif vulncheck := getMap(r, \"vulncheck\", \"vulnCheck\"); len(vulncheck) &gt; 0 {\n+\t\t\tkev.Type = models.VulnCheckKEVType\n+\t\t\tkev.VulnCheck = convertVulnCheckKEV(vulncheck)\n+\t\t} else if xdbs := getSliceMap(r, \"xdb\", \"xDB\"); len(xdbs) &gt; 0 || len(getSliceMap(r, \"reportedExploitation\", \"reported_exploitation\")) &gt; 0 {\n+\t\t\tkev.Type = models.VulnCheckKEVType\n+\t\t\tkev.VulnCheck = convertVulnCheckKEV(r)\n+\t\t}\n+\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func convertVulnCheckKEV(raw map[string]interface{}) *models.VulnCheckKEV {\n+\tv := &amp;models.VulnCheckKEV{}\n+\tfor _, xdb := range getSliceMap(raw, \"xdb\", \"xDB\") {\n+\t\tv.XDB = append(v.XDB, models.VulnCheckXDB{\n+\t\t\tXDBID:       getString(xdb, \"xdbID\", \"xdb_id\"),\n+\t\t\tXDBURL:      getString(xdb, \"xdbURL\", \"xdb_url\"),\n+\t\t\tDateAdded:   getTime(xdb, \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: getString(xdb, \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: getString(xdb, \"cloneSSHURL\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\tfor _, exploitation := range getSliceMap(raw, \"reportedExploitation\", \"reported_exploitation\") {\n+\t\tv.ReportedExploitation = append(v.ReportedExploitation, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       getString(exploitation, \"url\"),\n+\t\t\tDateAdded: getTime(exploitation, \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn v\n+}\n+\n+func normalizeKEVType(s string) models.KEVType {\n+\ts = strings.ToLower(s)\n+\ts = strings.ReplaceAll(s, \"_\", \"\")\n+\ts = strings.ReplaceAll(s, \"-\", \"\")\n+\ts = strings.ReplaceAll(s, \" \", \"\")\n+\tswitch {\n+\tcase strings.Contains(s, \"vulncheck\"):\n+\t\treturn models.VulnCheckKEVType\n+\tcase strings.Contains(s, \"cisa\"):\n+\t\treturn models.CISAKEVType\n+\tdefault:\n+\t\treturn \"\"\n+\t}\n+}\n+\n+func getString(raw map[string]interface{}, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif v, ok := raw[findKey(raw, key)]; ok {\n+\t\t\ts, _ := v.(string)\n+\t\t\treturn s\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func getTime(raw map[string]interface{}, keys ...string) time.Time {\n+\ts := getString(raw, keys...)\n+\tif s == \"\" {\n+\t\treturn time.Time{}\n+\t}\n+\tfor _, layout := range []string{time.RFC3339Nano, time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func getMap(raw map[string]interface{}, keys ...string) map[string]interface{} {\n+\tfor _, key := range keys {\n+\t\tif v, ok := raw[findKey(raw, key)]; ok {\n+\t\t\tif m, ok := v.(map[string]interface{}); ok {\n+\t\t\t\treturn m\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func getSliceMap(raw map[string]interface{}, keys ...string) []map[string]interface{} {\n+\tfor _, key := range keys {\n+\t\tif v, ok := raw[findKey(raw, key)]; ok {\n+\t\t\tvs, ok := v.([]interface{})\n+\t\t\tif !ok {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\tmaps := make([]map[string]interface{}, 0, len(vs))\n+\t\t\tfor _, e := range vs {\n+\t\t\t\tif m, ok := e.(map[string]interface{}); ok {\n+\t\t\t\t\tmaps = append(maps, m)\n+\t\t\t\t}\n+\t\t\t}\n+\t\t\treturn maps\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func findKey(raw map[string]interface{}, key string) string {\n+\tif _, ok := raw[key]; ok {\n+\t\treturn key\n+\t}\n+\twant := canonicalKey(key)\n+\tfor k := range raw {\n+\t\tif canonicalKey(k) == want {\n+\t\t\treturn k\n+\t\t}\n+\t}\n+\treturn key\n+}\n+\n+func canonicalKey(s string) string {\n+\ts = strings.ToLower(s)\n+\ts = strings.ReplaceAll(s, \"_\", \"\")\n+\ts = strings.ReplaceAll(s, \"-\", \"\")\n+\treturn s\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.kev.toml.example b/examples/config.kev.toml.example\nnew file mode 100644\nindex 0000000..1f80c58\n--- /dev/null\n+++ b/examples/config.kev.toml.example\n@@ -0,0 +1,35 @@\n+# Synthetic example configuration for KEV reporting.\n+# Replace all placeholder values before use. Do not copy production secrets here.\n+\n+[default]\n+user = \"scanner\"\n+keyPath = \"/home/scanner/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cve-dictionary.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/goval-dictionary.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\ndiff --git a/examples/scanresult-kev.json b/examples/scanresult-kev.json\nnew file mode 100644\nindex 0000000..c4f275f\n--- /dev/null\n+++ b/examples/scanresult-kev.json\n@@ -0,0 +1,74 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-02T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"scanner\",\n+  \"scannedVia\": \"remote\",\n+  \"reportedAt\": \"2026-07-02T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"scanner\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry demonstrating the output shape.\",\n+          \"requiredAction\": \"Apply vendor instructions or discontinue use if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic documentation sample.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry demonstrating the output shape.\",\n+          \"requiredAction\": \"Review exposure and patch affected systems.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+                \"exploitType\": \"initial-access\",\n+                \"cloneSSHURL\": \"git@example.com:placeholder/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/synthetic-kev\",\n+                \"dateAdded\": \"2026-07-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..f17b095 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..49566dd 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                         KEVType       `json:\"type,omitempty\"`\n+\tVendorProject                string        `json:\"vendorProject,omitempty\"`\n+\tProduct                      string        `json:\"product,omitempty\"`\n+\tVulnerabilityName            string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                      *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +963,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-02T07:56:25.980571Z"}, {"uuid": "29a5d6d5-1a57-4ccb-8e74-be4f23c30d02", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/3eb909f055d3cfa93fbe5473801dfcfa", "content": "diff --git a/README.md b/README.md\nindex 57102d1..5e268cb 100644\n--- a/README.md\n+++ b/README.md\n@@ -181,6 +181,18 @@ For more information such as Installation, Tutorial, Usage, visit [vuls.io](http\n \n ----\n \n+## Configuration\n+\n+See [config.toml.example](./config.toml.example) for a ready-to-use configuration with KEV reporting enabled.\n+\n+```\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+```\n+\n+----\n+\n ## Authors\n \n kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..02e2958\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,37 @@\n+# vuls example configuration with KEV reporting enabled\n+# Copy to config.toml and adjust values for your environment\n+\n+[default]\n+port = \"22\"\n+\n+[servers.example]\n+host = \"192.0.2.10\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+# keyPassword = \"your-ssh-key-passphrase-if-any\"\n+\n+# KEV (Known Exploited Vulnerabilities) configuration\n+# https://github.com/vulsio/go-kev\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+# Or fetch via HTTP:\n+# type = \"http\"\n+# url = \"http://kev-dictionary.example.com:1328\"\n+\n+# Example notification configurations (redacted)\n+# [email]\n+# smtpAddr = \"smtp.example.com\"\n+# smtpPort = \"587\"\n+# user = \"vuls@example.com\"\n+# password = \"REPLACE_ME\"\n+# from = \"vuls@example.com\"\n+# to = [\"security@example.com\"]\n+#\n+# [slack]\n+# hookURL = \"https://hooks.slack.com/services/XXX/YYY/ZZZ\"\n+# channel = \"#vuls-alerts\"\n+#\n+# [chatwork]\n+# apiToken = \"REPLACE_ME\"\n+# room = \"123456789\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..0f7abff 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,27 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tkevs := []models.KEV{}\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tdueDate := k.DueDate\n+\t\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;dueDate,\n+\t\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t\t},\n+\t\t\t\t\t})\n+\t\t\t\t}\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +117,25 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tdueDate := k.DueDate\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..aa9b38a 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..819b766 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,30 +911,77 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n \treturn strings.Join(s, \"/\")\n }\n \n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is a CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is a VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has KEV information\n+type KEV struct {\n+\tType                       KEVType   `json:\"type\"`\n+\tVendorProject              string    `json:\"vendorProject,omitempty\"`\n+\tProduct                    string    `json:\"product,omitempty\"`\n+\tVulnerabilityName          string    `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string    `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string    `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string    `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID        string    `json:\"xdbId,omitempty\"`\n+\tXDBURL       string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded    time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType  string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL  string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Confidences is a list of Confidence\n type Confidences []Confidence\n \ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/testdata/sample_kev_scan.json b/testdata/sample_kev_scan.json\nnew file mode 100644\nindex 0000000..659846d\n--- /dev/null\n+++ b/testdata/sample_kev_scan.json\n@@ -0,0 +1,59 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-02T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability (VulnCheck)\",\n+          \"shortDescription\": \"Example VulnCheck description\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"12345\",\n+                \"xdbUrl\": \"https://example.com/xdb/12345\",\n+                \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSshUrl\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploit-report\",\n+                \"dateAdded\": \"2024-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-02T07:56:27.549893Z"}, {"uuid": "ee03fe56-40b9-4193-8f0e-d9435d6db650", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/fa8ea210e9085b7da922f98c03da7e13", "content": "diff --git a/README.md b/README.md\nindex 57102d1..bbdc559 100644\n--- a/README.md\n+++ b/README.md\n@@ -163,6 +163,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - An example configuration can be found in `config.toml.example` which is ready to use for testing\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..98f0049\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,35 @@\n+# vuls production scanning configuration (Example)\n+# environment: prod\n+\n+[default]\n+port = \"22\"\n+\n+[servers.example-web01]\n+host        = \"192.0.2.10\"\n+port        = \"22\"\n+user        = \"vuls-scan\"\n+keyPath     = \"/root/.ssh/id_rsa_vuls\"\n+keyPassword = \"dummy-ssh-passphrase\"\n+\n+[servers.example-db01]\n+host        = \"192.0.2.11\"\n+port        = \"22\"\n+user        = \"vuls-scan\"\n+keyPath     = \"/root/.ssh/id_rsa_vuls\"\n+\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user     = \"vuls-reporter@example.com\"\n+password = \"dummy-email-password\"\n+from     = \"vuls-reporter@example.com\"\n+to       = [\"secops@example.com\"]\n+\n+[slack]\n+hookURL  = \"https://hooks.slack.com/services/DUMMY/DUMMY/DUMMY\"\n+authUser = \"vuls\"\n+channel  = \"#vuls-alerts\"\n+\n+[chatWork]\n+apiToken = \"dummy-chatwork-token\"\n+room     = \"123456789\"\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..29f93b6 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKevCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..017aa96 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -284,6 +285,55 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a type of Known Exploited Vulnerabilities\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType\n+\tVendorProject              string\n+\tProduct                    string\n+\tVulnerabilityName          string\n+\tShortDescription           string\n+\tRequiredAction             string\n+\tKnownRansomwareCampaignUse string\n+\tDateAdded                  time.Time\n+\tDueDate                    *time.Time\n+\tCISA                       *CISAKEV\n+\tVulnCheck                  *VulnCheckKEV\n+}\n+\n+// CISAKEV has CISA KEV specific information\n+type CISAKEV struct {\n+\tNote string\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV specific information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB\n+\tReportedExploitation []VulnCheckReportedExploitation\n+}\n+\n+// VulnCheckXDB has XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string\n+\tXDBURL      string\n+\tDateAdded   time.Time\n+\tExploitType string\n+\tCloneSSHURL string\n+}\n+\n+// VulnCheckReportedExploitation has ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string\n+\tDateAdded time.Time\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +960,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/sample-scan-result.json b/sample-scan-result.json\nnew file mode 100644\nindex 0000000..3c03d7b\n--- /dev/null\n+++ b/sample-scan-result.json\n@@ -0,0 +1,55 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2024-01-01T12:00:00Z\",\n+  \"scannedVersion\": \"0.1.0\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"Type\": \"cisa\",\n+          \"VendorProject\": \"Example Vendor\",\n+          \"Product\": \"Example Product\",\n+          \"VulnerabilityName\": \"Example Vulnerability\",\n+          \"ShortDescription\": \"An example vulnerability description for CISA KEV.\",\n+          \"RequiredAction\": \"Apply updates.\",\n+          \"KnownRansomwareCampaignUse\": \"Known\",\n+          \"DateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"DueDate\": \"2024-02-01T00:00:00Z\",\n+          \"CISA\": {\n+            \"Note\": \"This is a synthetic CISA KEV entry.\"\n+          }\n+        },\n+        {\n+          \"Type\": \"vulncheck\",\n+          \"VendorProject\": \"Example Vendor\",\n+          \"Product\": \"Example Product\",\n+          \"VulnerabilityName\": \"Example Vulnerability\",\n+          \"ShortDescription\": \"An example vulnerability description for VulnCheck KEV.\",\n+          \"DateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"VulnCheck\": {\n+            \"XDB\": [\n+              {\n+                \"XDBID\": \"XDB-123\",\n+                \"XDBURL\": \"https://example.com/xdb-123\",\n+                \"DateAdded\": \"2024-01-01T00:00:00Z\",\n+                \"ExploitType\": \"RCE\",\n+                \"CloneSSHURL\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"ReportedExploitation\": [\n+              {\n+                \"URL\": \"https://example.com/report-123\",\n+                \"DateAdded\": \"2024-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\n", "creation_timestamp": "2026-07-02T07:56:27.593892Z"}, {"uuid": "98bf0cf2-3cbe-4414-872d-88fcd647e0c6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/bbec6aaeb587be341fb50426f818544e", "content": "diff --git a/README.md b/README.md\nindex 57102d1..f040157 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV(Known Exploited Vulnerabilities)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/kev)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -163,6 +164,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - See [config.toml.example](config.toml.example) for a ready-to-use example configuration\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..00e3d6e\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,45 @@\n+# vuls example scanning configuration\n+# Copy this file to config.toml and edit it to match your environment.\n+\n+[default]\n+port = \"22\"\n+\n+[servers.host-one]\n+host        = \"192.168.1.10\"\n+port        = \"22\"\n+user        = \"vuls-user\"\n+keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+keyPassword = \"your-ssh-key-passphrase\"\n+\n+[servers.host-two]\n+host        = \"192.168.1.20\"\n+port        = \"22\"\n+user        = \"vuls-user\"\n+keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+\n+# KEV (Known Exploited Vulnerabilities) database\n+# Supports CISA and VulnCheck KEV sources.\n+# Use sqlite3 for local DB or http for API access.\n+#[kevuln]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+# Email notifications\n+#[email]\n+#smtpAddr = \"smtp.example.com\"\n+#smtpPort = \"587\"\n+#user     = \"vuls-reporter@example.com\"\n+#password = \"your-email-password\"\n+#from     = \"vuls-reporter@example.com\"\n+#to       = [\"security-team@example.com\"]\n+\n+# Slack notifications\n+#[slack]\n+#hookURL  = \"https://hooks.slack.com/services/YOUR/WEBHOOK/URL\"\n+#authUser = \"vuls\"\n+#channel  = \"#vuls-alerts\"\n+\n+# ChatWork notifications\n+#[chatWork]\n+#apiToken = \"your-chatwork-api-token\"\n+#room     = \"your-room-id\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..54ae492 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,26 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;k.DueDate,\n+\t\t\t\t\t\tCISA:                       &amp;models.CISAKEV{Note: k.Notes},\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +116,20 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;k.DueDate,\n+\t\t\t\t\tCISA:                       &amp;models.CISAKEV{Note: k.Notes},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/examples/sample-kev-result.json b/examples/sample-kev-result.json\nnew file mode 100644\nindex 0000000..62e99fd\n--- /dev/null\n+++ b/examples/sample-kev-result.json\n@@ -0,0 +1,71 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2025-01-15T10:00:00Z\",\n+  \"runningKernel\": {\n+    \"release\": \"5.15.0-100-generic\"\n+  },\n+  \"packages\": {\n+    \"example-pkg\": {\n+      \"name\": \"example-pkg\",\n+      \"version\": \"1.0.0\",\n+      \"release\": \"1\"\n+    }\n+  },\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"notFixedYet\": false\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2025-01-10T00:00:00Z\",\n+          \"dueDate\": \"2025-02-10T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2025-01-08T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-12345\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/XDB-12345\",\n+                \"dateAdded\": \"2025-01-08T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/XDB-12345.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploitation-report\",\n+                \"dateAdded\": \"2025-01-09T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ee593e4 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..f6949f4 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,24 +911,72 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject,omitempty\"`\n+\tProduct                     string        `json:\"product,omitempty\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription            string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction              string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-02T07:56:27.984997Z"}, {"uuid": "c229c3e0-f563-43df-bfa3-4e56046c5510", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/6fcaf3467c8fa819c05c0c307f2b8933", "content": "diff --git a/README.md b/README.md\nindex 57102d1..df198f8 100644\n--- a/README.md\n+++ b/README.md\n@@ -156,6 +156,10 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+## Example Configuration\n+\n+See [config.toml.example](./config.toml.example) for a ready-to-use synthetic example configuration that enables KEV (Known Exploited Vulnerabilities) reporting and other features.\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..b52360a\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,38 @@\n+# vuls example scanning configuration\n+# This is a synthetic example with placeholder values to demonstrate KEV setup.\n+[default]\n+port = \"22\"\n+\n+[servers.example-web]\n+host        = \"192.168.0.10\"\n+port        = \"22\"\n+user        = \"vuls-scan\"\n+keyPath     = \"/path/to/dummy/id_rsa\"\n+keyPassword = \"dummy-password\"\n+\n+[servers.example-db]\n+host        = \"192.168.0.20\"\n+port        = \"22\"\n+user        = \"vuls-scan\"\n+keyPath     = \"/path/to/dummy/id_rsa\"\n+\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user     = \"vuls-reporter@example.com\"\n+password = \"dummy-email-password\"\n+from     = \"vuls-reporter@example.com\"\n+to       = [\"secops@example.com\"]\n+\n+[slack]\n+hookURL  = \"https://hooks.slack.com/services/DUMMY/DUMMY/dummyToken\"\n+authUser = \"vuls\"\n+channel  = \"#vuls-alerts\"\n+\n+[chatWork]\n+apiToken = \"dummy_cw_token\"\n+room     = \"123456789\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n\\ No newline at end of file\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..158b026 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,19 +79,11 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tif len(kevulns) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,17 +100,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tnKEV++\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..587f916 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKevCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..b19a059 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,51 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n+}\n+\n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+type KEV struct {\n+\tType                       KEVType      `json:\"type,omitempty\"`\n+\tVendorProject              string       `json:\"vendorProject,omitempty\"`\n+\tProduct                    string       `json:\"product,omitempty\"`\n+\tVulnerabilityName          string       `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string       `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string       `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string       `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time    `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time   `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV     `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +955,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-scan-result.json b/sample-scan-result.json\nnew file mode 100644\nindex 0000000..4399f3e\n--- /dev/null\n+++ b/sample-scan-result.json\n@@ -0,0 +1,116 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"container\": {\n+    \"containerID\": \"\",\n+    \"name\": \"\",\n+    \"image\": \"\",\n+    \"type\": \"\",\n+    \"uuid\": \"\"\n+  },\n+  \"platform\": {\n+    \"name\": \"aws\",\n+    \"instanceID\": \"i-dummy1234567890\"\n+  },\n+  \"ipv4Addrs\": [\"192.168.0.10\"],\n+  \"scannedAt\": \"2023-10-27T10:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"0.1.0\",\n+  \"scannedRevision\": \"deadbeef\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"ssh\",\n+  \"reportedAt\": \"2023-10-27T10:05:00Z\",\n+  \"reportedVersion\": \"0.1.0\",\n+  \"reportedRevision\": \"deadbeef\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"UbuntuAPIMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"dummy-package\",\n+          \"notFixedYet\": false,\n+          \"fixState\": \"fixed\",\n+          \"fixedIn\": \"1.0-1ubuntu1\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"dummyVendor\",\n+          \"product\": \"dummyProduct\",\n+          \"vulnerabilityName\": \"Dummy Vulnerability\",\n+          \"shortDescription\": \"This is a dummy KEV description for testing.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"CISA dummy note.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"dummyVendor\",\n+          \"product\": \"dummyProduct\",\n+          \"vulnerabilityName\": \"Dummy Vulnerability from VulnCheck\",\n+          \"dateAdded\": \"2023-01-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"XDB-0001\",\n+                \"xdbUrl\": \"https://example.com/xdb/0001\",\n+                \"dateAdded\": \"2023-01-02T00:00:00Z\",\n+                \"exploitType\": \"RCE\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2023-01-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0-dummy\",\n+    \"version\": \"#1 SMP Dummy\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {\n+    \"dummy-package\": {\n+      \"name\": \"dummy-package\",\n+      \"version\": \"1.0\",\n+      \"release\": \"1ubuntu0\",\n+      \"newVersion\": \"1.0\",\n+      \"newRelease\": \"1ubuntu1\",\n+      \"arch\": \"amd64\",\n+      \"repository\": \"main\"\n+    }\n+  },\n+  \"config\": {\n+    \"scan\": {\n+      \"Servers\": {\n+        \"example-host\": {\n+          \"host\": \"192.168.0.10\",\n+          \"port\": \"22\",\n+          \"user\": \"vuls-scan\"\n+        }\n+      }\n+    },\n+    \"report\": {}\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-02T07:56:28.026282Z"}, {"uuid": "7f0522ab-527b-469b-8193-eb56fc8f879c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/703d9e0d17f337cf723c959f1368f71d", "content": "diff --git a/README.md b/README.md\nindex 57102d1..e30b201 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - [Known Exploited Vulnerabilities](https://vulncheck.com/kev)\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,12 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Example Configuration\n+\n+A redacted, ready-to-use starter config is available at [config.toml.example](config.toml.example). It includes the `[kevuln]` database section needed to populate the first-class `kevs` field in scan result JSON.\n+\n+The sample scan result at [sample/scanresult-kev.json](sample/scanresult-kev.json) shows the new `kevs` output shape with synthetic CISA and VulnCheck entries.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..94ecbda\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,43 @@\n+# Redacted example configuration for enabling KEV reporting.\n+# Do not copy production secrets into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls-scan\"\n+keyPath = \"/home/vuls-scan/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example host\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..a558177 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,19 +79,14 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tif v.KEVs, err = kevulnsToKEVs(kevulns); err != nil {\n+\t\t\t\t\treturn err\n+\t\t\t\t}\n+\t\t\t\tif len(v.KEVs) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +103,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif vuln.KEVs, err = kevulnsToKEVs(kevulns); err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +115,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func kevulnsToKEVs(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV, err error) {\n+\tbs, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to marshal KEVuln. err: %w\", err)\n+\t}\n+\tif err := json.Unmarshal(bs, &amp;kevs); err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to unmarshal KEV. err: %w\", err)\n+\t}\n+\treturn kevs, nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..f17b095 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..d3fe89b 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a Known Exploited Vulnerabilities source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is a CISA Known Exploited Vulnerabilities entry.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is a VulnCheck Known Exploited Vulnerabilities entry.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information.\n+type KEV struct {\n+\tType                           KEVType        `json:\"type,omitempty\"`\n+\tVendorProject                  string         `json:\"vendorProject,omitempty\"`\n+\tProduct                        string         `json:\"product,omitempty\"`\n+\tVulnerabilityName              string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription               string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                 string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse     string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                      time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                        *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                           *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                      *VulnCheckKEV  `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample/scanresult-kev.json b/sample/scanresult-kev.json\nnew file mode 100644\nindex 0000000..9b64181\n--- /dev/null\n+++ b/sample/scanresult-kev.json\n@@ -0,0 +1,73 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.0.1\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry showing the JSON shape only.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic documentation sample; not a real CISA catalog entry.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry showing XDB and reported exploitation data.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-16T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-01-16T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/research/cve-0000-0000\",\n+                \"dateAdded\": \"2026-01-17T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {\n+        \"jpcert\": null,\n+        \"uscert\": null\n+      },\n+      \"vulnType\": \"os\"\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-02T07:56:28.137859Z"}, {"uuid": "703c69dc-0a75-4081-b932-7d867c9d60f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/62a9c79da51c2158deaa3d7340b82216", "content": "diff --git a/README.md b/README.md\nindex 57102d1..5a5fb14 100644\n--- a/README.md\n+++ b/README.md\n@@ -191,6 +191,12 @@ see [vulsdoc](https://vuls.io/docs/en/how-to-contribute.html)\n \n ----\n \n+## Configuration Example\n+\n+A ready-to-use example configuration with KEV reporting enabled is available at [config.toml.example](./config.toml.example).\n+\n+----\n+\n ## Sponsors\n \n |  |  |\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..613c41b\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,69 @@\n+# Vuls config.toml example\n+# Copy to config.toml and edit for your environment\n+# DO NOT commit real credentials\n+\n+[slack]\n+hookURL      = \"https://hooks.slack.com/services/XXXXX/XXXXX/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+channel      = \"#vuls\"\n+iconEmoji    = \":vuls:\"\n+authUser     = \"vuls-user\"\n+notifyUsers  = [\"@example\"]\n+\n+[email]\n+smtpAddr       = \"smtp.example.com\"\n+smtpPort       = \"587\"\n+user           = \"username\"\n+password       = \"password\"\n+from           = \"vuls@example.com\"\n+to             = [\"to@example.com\"]\n+cc             = [\"\"]\n+subjectPrefix  = \"[vuls]\"\n+\n+[chatwork]\n+apiToken  = \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\n+room      = \"12345678\"\n+\n+[default]\n+#port        = \"22\"\n+#user        = \"username\"\n+#keyPath     = \"/home/username/.ssh/id_rsa\"\n+#keyPassword = \"password\"\n+\n+# Known Exploited Vulnerabilities (CISA KEV / VulnCheck KEV)\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+# type = \"http\"\n+# url = \"http://127.0.0.1:1328\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scanuser\"\n+keyPath = \"/home/scanuser/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..cf185b0 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,28 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tkevs := []models.KEV{}\n+\t\t\t\tfor _, kv := range kevulns {\n+\t\t\t\t\tdueDate := kv.DueDate\n+\t\t\t\t\tkev := models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              kv.VendorProject,\n+\t\t\t\t\t\tProduct:                    kv.Product,\n+\t\t\t\t\t\tVulnerabilityName:          kv.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           kv.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             kv.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: kv.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  kv.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;dueDate,\n+\t\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\t\tNote: kv.Notes,\n+\t\t\t\t\t\t},\n+\t\t\t\t\t}\n+\t\t\t\t\tkevs = append(kevs, kev)\n+\t\t\t\t}\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +118,26 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, kv := range kevulns {\n+\t\t\t\tdueDate := kv.DueDate\n+\t\t\t\tkev := models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              kv.VendorProject,\n+\t\t\t\t\tProduct:                    kv.Product,\n+\t\t\t\t\tVulnerabilityName:          kv.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           kv.ShortDescription,\n+\t\t\t\t\tRequiredAction:             kv.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: kv.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  kv.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: kv.Notes,\n+\t\t\t\t\t},\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, kev)\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..15076f9 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..47bf9a1 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -256,6 +256,57 @@ type PackageFixStatus struct {\n \tFixedIn     string `json:\"fixedIn,omitempty\"`\n }\n \n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType   `json:\"type,omitempty\"`\n+\tVendorProject              string    `json:\"vendorProject,omitempty\"`\n+\tProduct                    string    `json:\"product,omitempty\"`\n+\tVulnerabilityName          string    `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string    `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string    `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string    `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"notes,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // VulnInfo has a vulnerability information and unsecure packages\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n@@ -268,6 +319,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/testdata/kev_sample.json b/testdata/kev_sample.json\nnew file mode 100644\nindex 0000000..1754ae3\n--- /dev/null\n+++ b/testdata/kev_sample.json\n@@ -0,0 +1,54 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"notes\": \"Example notes\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XXXXX\",\n+                \"xdbURL\": \"https://example.com/xdb/XXXXX\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T08:17:40.549008Z"}, {"uuid": "cec6678e-9fdc-4df8-88eb-ce7b04261cd6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/9cac64c23654fa6897ab7f5e2db8c718", "content": "diff --git a/README.md b/README.md\nindex 57102d1..929c402 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities (KEV) \u2014 first-class field on scan results\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -166,6 +167,10 @@ Vuls has some options to detect the vulnerabilities\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \n+### Configuration\n+\n+See [`config.toml.example`](config.toml.example) for a ready-to-use example configuration with placeholder values. Copy it to `config.toml` and fill in your actual settings before scanning.\n+\n ----\n \n ## What Vuls Doesn't Do\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..e4b0f15\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,85 @@\n+# config.toml.example\n+#\n+# Example configuration for Vuls vulnerability scanner.\n+# Copy this file to config.toml and edit with your actual values.\n+#\n+# IMPORTANT: config.toml contains credentials and is gitignored.\n+# Never commit your real config.toml to version control.\n+\n+# -------------------------------------------------------\n+# Vulnerability Dictionary Sources\n+# -------------------------------------------------------\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# KEV (Known Exploited Vulnerabilities) \u2014 supports CISA and VulnCheck sources.\n+# KEV data is promoted to a first-class field on scan results (VulnInfo.KEVs).\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# -------------------------------------------------------\n+# Notification (all optional)\n+# -------------------------------------------------------\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/YOUR/WEBHOOK/TOKEN\"\n+channel = \"#vuls-notifications\"\n+authUser = \"vuls\"\n+\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"vuls@example.com\"\n+password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+from = \"vuls@example.com\"\n+to = [\"admin@example.com\"]\n+\n+[chatwork]\n+room = \"12345678\"\n+apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+\n+# -------------------------------------------------------\n+# Default Server Settings\n+# -------------------------------------------------------\n+\n+[default]\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\n+\n+# -------------------------------------------------------\n+# Servers\n+# -------------------------------------------------------\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..27776bb 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,14 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tkevs := convertToKEVs(kevulns)\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +104,8 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tkevs := convertToKEVs(kevulns)\n+\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +115,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\tNote: k.Notes,\n+\t\t\t},\n+\t\t}\n+\t\tif !k.DueDate.IsZero() {\n+\t\t\tdueDate := k.DueDate\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..4735387 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of CVEs that have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,13 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kevs.json b/models/testdata/sample_kevs.json\nnew file mode 100644\nindex 0000000..77afb35\n--- /dev/null\n+++ b/models/testdata/sample_kevs.json\n@@ -0,0 +1,60 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/security/advisory/2024-001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"EXAMPLE-XDB-001\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/EXAMPLE-XDB-001\",\n+                \"dateAdded\": \"2024-01-11T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@github.com:example/poc-CVE-0000-0000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-report/2024-001\",\n+                \"dateAdded\": \"2024-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"2.0.1\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..368b766 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,74 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n+// The CISA field is deprecated; KEV data should be stored in VulnInfo.KEVs instead.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..7683c56 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV[%s]\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..3f73943 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities (KEV)\",\n+\t\t\t\t\"======================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T08:17:40.615495Z"}, {"uuid": "bb63257e-b749-471f-99b9-e93c89c47575", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/46a5076d08aa6171509738143b7ea178", "content": "diff --git a/README.md b/README.md\nindex 57102d1..a6927d6 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -134,6 +137,19 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - Next, issue a command on the scan target server to collect software information. Then send the result to Vuls Server via HTTP. You receive the scan results as JSON format.\n - No SSH needed, No Scanner needed. Only issuing Linux commands directory on the scan target server.\n \n+### KEV reporting\n+\n+Known Exploited Vulnerabilities data is reported in JSON output under each vulnerability's `kevs` field. Configure the `kevuln` database to enable CISA and VulnCheck KEV enrichment.\n+\n+- Ready-to-use placeholder config: [`config.toml.example`](config.toml.example)\n+- Synthetic KEV output sample: [`examples/kev-scan-result.json`](examples/kev-scan-result.json)\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+```\n+\n ### **Dynamic** Analysis\n \n - It is possible to acquire the state of the server by connecting via SSH and executing the command.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..7a06610\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,39 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Replace placeholders with values for your environment. Do not commit live secrets.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..54d7491 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -78,19 +78,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +106,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +121,162 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tbs, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to marshal KEVuln. err: %w\", err)\n+\t}\n+\n+\tvar entries []map[string]any\n+\tif err := json.Unmarshal(bs, &amp;entries); err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to unmarshal KEVuln. err: %w\", err)\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(entries))\n+\tfor _, entry := range entries {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType(entry),\n+\t\t\tVendorProject:              stringValue(entry, \"vendorProject\", \"vendor_project\", \"VendorProject\"),\n+\t\t\tProduct:                    stringValue(entry, \"product\", \"Product\"),\n+\t\t\tVulnerabilityName:          stringValue(entry, \"vulnerabilityName\", \"vulnerability_name\", \"VulnerabilityName\"),\n+\t\t\tShortDescription:           stringValue(entry, \"shortDescription\", \"short_description\", \"ShortDescription\"),\n+\t\t\tRequiredAction:             stringValue(entry, \"requiredAction\", \"required_action\", \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: stringValue(entry, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\", \"KnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  timeValue(entry, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t\tDueDate:                    timePtrValue(entry, \"dueDate\", \"due_date\", \"DueDate\"),\n+\t\t}\n+\n+\t\tif kev.Type == models.VulnCheckKEVType {\n+\t\t\tvulnCheck := nestedMap(entry, \"vulnCheck\", \"vulncheck\", \"VulnCheck\")\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheckXDBs(entry, vulnCheck),\n+\t\t\t\tReportedExploitation: vulnCheckReportedExploitations(entry, vulnCheck),\n+\t\t\t}\n+\t\t} else {\n+\t\t\tcisa := nestedMap(entry, \"cisa\", \"CISA\")\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: firstStringValue(cisa, entry, \"note\", \"notes\", \"Note\", \"Notes\")}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\n+\treturn kevs, nil\n+}\n+\n+func kevType(entry map[string]any) models.KEVType {\n+\tswitch stringValue(entry, \"type\", \"Type\") {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\tcase string(models.CISAKEVType):\n+\t\treturn models.CISAKEVType\n+\t}\n+\tif nestedMap(entry, \"vulnCheck\", \"vulncheck\", \"VulnCheck\") != nil || arrayValue(entry, \"xdb\", \"XDB\", \"vulncheckXDB\", \"vulncheck_xdb\") != nil {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\treturn models.CISAKEVType\n+}\n+\n+func vulnCheckXDBs(entry, vulnCheck map[string]any) []models.VulnCheckXDB {\n+\titems := firstArrayValue(vulnCheck, entry, \"xdb\", \"XDB\", \"vulncheckXDB\", \"vulncheck_xdb\")\n+\txdbs := make([]models.VulnCheckXDB, 0, len(items))\n+\tfor _, item := range items {\n+\t\tm, ok := item.(map[string]any)\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       stringValue(m, \"xdbID\", \"xdb_id\", \"XDBID\"),\n+\t\t\tXDBURL:      stringValue(m, \"xdbURL\", \"xdb_url\", \"XDBURL\"),\n+\t\t\tDateAdded:   timeValue(m, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t\tExploitType: stringValue(m, \"exploitType\", \"exploit_type\", \"ExploitType\"),\n+\t\t\tCloneSSHURL: stringValue(m, \"cloneSSHURL\", \"clone_ssh_url\", \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitations(entry, vulnCheck map[string]any) []models.VulnCheckReportedExploitation {\n+\titems := firstArrayValue(vulnCheck, entry, \"reportedExploitation\", \"reported_exploitation\", \"ReportedExploitation\", \"vulncheckReportedExploitation\", \"vulncheck_reported_exploitation\")\n+\treports := make([]models.VulnCheckReportedExploitation, 0, len(items))\n+\tfor _, item := range items {\n+\t\tm, ok := item.(map[string]any)\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\treports = append(reports, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       stringValue(m, \"url\", \"URL\"),\n+\t\t\tDateAdded: timeValue(m, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn reports\n+}\n+\n+func nestedMap(entry map[string]any, keys ...string) map[string]any {\n+\tfor _, key := range keys {\n+\t\tif v, ok := entry[key].(map[string]any); ok {\n+\t\t\treturn v\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func firstStringValue(preferred, fallback map[string]any, keys ...string) string {\n+\tif s := stringValue(preferred, keys...); s != \"\" {\n+\t\treturn s\n+\t}\n+\treturn stringValue(fallback, keys...)\n+}\n+\n+func stringValue(entry map[string]any, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif v, ok := entry[key].(string); ok {\n+\t\t\treturn v\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func timePtrValue(entry map[string]any, keys ...string) *time.Time {\n+\tif t := timeValue(entry, keys...); !t.IsZero() {\n+\t\treturn &amp;t\n+\t}\n+\treturn nil\n+}\n+\n+func timeValue(entry map[string]any, keys ...string) time.Time {\n+\tfor _, key := range keys {\n+\t\tv, ok := entry[key]\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\ts, ok := v.(string)\n+\t\tif !ok || s == \"\" {\n+\t\t\tcontinue\n+\t\t}\n+\t\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\", \"2006-01-02 15:04:05 -0700 MST\"} {\n+\t\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\t\treturn t\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func firstArrayValue(preferred, fallback map[string]any, keys ...string) []any {\n+\tif a := arrayValue(preferred, keys...); a != nil {\n+\t\treturn a\n+\t}\n+\treturn arrayValue(fallback, keys...)\n+}\n+\n+func arrayValue(entry map[string]any, keys ...string) []any {\n+\tfor _, key := range keys {\n+\t\tif v, ok := entry[key].([]any); ok {\n+\t\t\treturn v\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/kev-scan-result.json b/examples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..827b80c\n--- /dev/null\n+++ b/examples/kev-scan-result.json\n@@ -0,0 +1,62 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example-user\",\n+  \"scannedVia\": \"ssh\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry used to document the output shape.\",\n+          \"requiredAction\": \"Apply updates according to vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry used to document the output shape.\",\n+          \"requiredAction\": \"Apply updates according to vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"example\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/advisory/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..11f6cbd 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..47af103 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is the source of Known Exploited Vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV catalog source.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is the VulnCheck KEV source.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                         KEVType       `json:\"type,omitempty\"`\n+\tVendorProject                string        `json:\"vendorProject,omitempty\"`\n+\tProduct                      string        `json:\"product,omitempty\"`\n+\tVulnerabilityName            string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                      *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV data.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV data.\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,8 +962,9 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n+\t// CISA is retained for persisted result compatibility. KEV data is reported via VulnInfo.KEVs.\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T08:17:56.042328Z"}, {"uuid": "18fe387b-e137-4e16-9b1c-1600df47133f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/a0a1feb0a2a6e9c839e7fef1a7627087", "content": "diff --git a/README.md b/README.md\nindex 57102d1..489c6e8 100644\n--- a/README.md\n+++ b/README.md\n@@ -152,6 +152,10 @@ Vuls has some options to detect the vulnerabilities\n - [Common Platform Enumeration (CPE) based Scan](https://vuls.io/docs/en/usage-scan-non-os-packages.html#cpe-scan)\n - [OWASP Dependency Check Integration](https://vuls.io/docs/en/usage-scan-non-os-packages.html#usage-integrate-with-owasp-dependency-check-to-automatic-update-when-the-libraries-are-updated-experimental)\n \n+## Configuration\n+\n+A ready-to-use example configuration with KEV reporting enabled is available in [config.toml.example](config.toml.example).\n+\n ## Scan WordPress core, themes, plugins\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..92a5456\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,31 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"dummyuser\"\n+keyPath = \"/path/to/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..4b90564 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,32 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tvar kevs []models.KEV\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\tt := k.DueDate\n+\t\t\t\t\tdueDate = &amp;t\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +122,30 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tvar kevs []models.KEV\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\tt := k.DueDate\n+\t\t\t\t\tdueDate = &amp;t\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..e83395d 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..9466f55 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..39f9d8a 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -256,6 +256,55 @@ type PackageFixStatus struct {\n \tFixedIn     string `json:\"fixedIn,omitempty\"`\n }\n \n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType     `json:\"type\"`\n+\tVendorProject              string      `json:\"vendorProject,omitempty\"`\n+\tProduct                    string      `json:\"product,omitempty\"`\n+\tVulnerabilityName          string      `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string      `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string      `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string      `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time   `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time  `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV    `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck Reported Exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // VulnInfo has a vulnerability information and unsecure packages\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n@@ -268,6 +317,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +960,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev.json b/sample-kev.json\nnew file mode 100644\nindex 0000000..ff5140a\n--- /dev/null\n+++ b/sample-kev.json\n@@ -0,0 +1,51 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic example of a Known Exploited Vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"dueDate\": \"2026-07-17T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example CISA note.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vulnerabilityName\": \"VulnCheck Example\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0000\",\n+                \"xdbURL\": \"https://example.com/xdb\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+                \"exploitType\": \"Remote Code Execution\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T08:17:56.095575Z"}, {"uuid": "5a9ef912-ba84-4c25-bef3-0684206e9d5e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/a84166475c3b2e942c23dc6ba643c0a5", "content": "diff --git a/README.md b/README.md\nindex 57102d1..e285e2d 100644\n--- a/README.md\n+++ b/README.md\n@@ -174,6 +174,11 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Quick Start\n+\n+Copy `config.toml.example` to `config.toml` and edit your server settings.\n+KEV (Known Exploited Vulnerabilities) reporting is enabled via the `[kevuln]` section.\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..8fc9a71\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,57 @@\n+# Example Vuls configuration with KEV reporting enabled\n+# Copy to config.toml and replace placeholder values\n+\n+[slack]\n+hookURL      = \"https://hooks.slack.com/services/PLACEHOLDER/PLACEHOLDER/PLACEHOLDER\"\n+channel      = \"#vuls\"\n+authUser     = \"vuls\"\n+#notifyUsers  = [\"@username\"]\n+\n+[email]\n+smtpAddr      = \"smtp.example.com\"\n+smtpPort      = \"587\"\n+user          = \"username\"\n+password      = \"password\"\n+from          = \"vuls@example.com\"\n+to            = [\"admin@example.com\"]\n+cc            = []\n+subjectPrefix = \"[vuls]\"\n+\n+[default]\n+#port        = \"22\"\n+#user        = \"vuls\"\n+#keyPath     = \"/home/user/.ssh/id_rsa\"\n+#keyPassword = \"PLACEHOLDER\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host     = \"192.0.2.1\"\n+port     = \"22\"\n+user     = \"vuls\"\n+keyPath  = \"/home/user/.ssh/id_rsa\"\n+#keyPassword = \"PLACEHOLDER\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..3a49f83 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = convertKEVulns(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +99,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertKEVulns(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +109,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := []models.KEV{}\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t}\n+\t\tif !k.DueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;k.DueDate\n+\t\t}\n+\t\tif k.Notes != \"\" {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: k.Notes}\n+\t\t}\n+\t\t// VulnCheck fields if present\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..cba5227 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..73d2c4a 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -256,6 +256,57 @@ type PackageFixStatus struct {\n \tFixedIn     string `json:\"fixedIn,omitempty\"`\n }\n \n+// KEVType is type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has KEV information\n+type KEV struct {\n+\tType                       KEVType    `json:\"type\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV   `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // VulnInfo has a vulnerability information and unsecure packages\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n@@ -275,6 +326,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +962,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev_scan.json b/sample_kev_scan.json\nnew file mode 100644\nindex 0000000..b14ebf3\n--- /dev/null\n+++ b/sample_kev_scan.json\n@@ -0,0 +1,54 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example vulnerability known to be exploited\",\n+          \"requiredAction\": \"Apply updates per vendor instructions\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example vulnerability with VulnCheck data\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"12345\",\n+                \"xdbURL\": \"https://example.com/xdb/12345\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T08:17:56.148095Z"}, {"uuid": "66a98d57-f54d-4edb-a654-dbb1db4cb58c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/c7ccc3cf55257de703e13b60a791e672", "content": "diff --git a/README.md b/README.md\nindex 57102d1..79af520 100644\n--- a/README.md\n+++ b/README.md\n@@ -163,6 +163,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - An example configuration is available at [`config.toml.example`](config.toml.example)\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..242b70b\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,86 @@\n+# Vuls - VULnerability Scanner\n+# Example configuration file\n+#\n+# Copy this file to config.toml and edit to match your environment.\n+# All values below are PLACEHOLDERS \u2014 replace them with real values.\n+\n+# Global settings\n+#httpProxy = \"http://proxy.example.com:8080\"\n+#resultsDir = \"/path/to/results\"\n+#debug = false\n+#debugSQL = false\n+#logToFile = false\n+#logDir = \"/var/log/vuls\"\n+\n+# Default settings inherited by all servers\n+[default]\n+port = \"22\"\n+#keyPath = \"/home/vuls/.ssh/id_rsa\"\n+\n+# Scan target servers\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+user = \"vuls-user\"\n+port = \"22\"\n+scanMode = [\"fast\"]\n+#keyPath = \"/home/vuls/.ssh/id_rsa\"\n+#cpeNames = [\"cpe:/a:example:product:1.0\"]\n+#ignoreCves = [\"CVE-0000-0000\"]\n+\n+# Vulnerability dictionary databases\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# KEV (Known Exploited Vulnerabilities) database\n+# Enable this to detect CVEs listed in the CISA/VulnCheck KEV catalogs.\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# Notification settings (uncomment and configure as needed)\n+\n+#[slack]\n+#hookURL = \"https://hooks.slack.com/services/YOUR/WEBHOOK/URL\"\n+#channel = \"#vuls-notifications\"\n+#iconEmoji = \":ghost:\"\n+\n+#[email]\n+#smtpAddr = \"smtp.example.com\"\n+#smtpPort = \"587\"\n+#tlsMode = \"STARTTLS\"\n+#from = \"vuls@example.com\"\n+#to = [\"admin@example.com\"]\n+#user = \"vuls@example.com\"\n+#password = \"REPLACE_WITH_PASSWORD\"\n+\n+#[http]\n+#url = \"https://example.com/vuls-webhook\"\n+\n+#[chatWork]\n+#apiToken = \"REPLACE_WITH_TOKEN\"\n+#room = \"123456\"\n+\n+#[telegram]\n+#token = \"REPLACE_WITH_BOT_TOKEN\"\n+#chatID = \"REPLACE_WITH_CHAT_ID\"\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..1dd5b1f 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of how many scanned CVEs have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kev_result.json b/models/testdata/sample_kev_result.json\nnew file mode 100644\nindex 0000000..1f117d2\n--- /dev/null\n+++ b/models/testdata/sample_kev_result.json\n@@ -0,0 +1,61 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"redhat\",\n+  \"release\": \"9\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/0001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"abc123\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/abc123\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/abc123.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/0001\",\n+                \"dateAdded\": \"2026-01-11T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3-4.el9\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..10b126d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,6 +911,58 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of a Known Exploited Vulnerability entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV catalog source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..72499b0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n", "creation_timestamp": "2026-07-03T08:17:56.317541Z"}, {"uuid": "28df6f8e-757f-4a9e-b45c-95996c125cdb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/3a30c7ece60ccc80744bb8f5a2346ffb", "content": "diff --git a/README.md b/README.md\nindex 57102d1..af155b0 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,10 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- Known Exploited Vulnerabilities(KEV)\n+  - CISA and VulnCheck KEV data is reported in the first-class `kevs` vulnerability field.\n+  - See `config.toml.example` for a redacted KEV-ready configuration and `examples/kev-scan-result.json` for a synthetic sample result.\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..318e764\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,39 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Replace all placeholder values before use. Do not paste production secrets here.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls-user\"\n+keyPath = \"/home/vuls-user/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..ca79560 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -74,23 +75,14 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n-\t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n+\t\t\tkevs, err := decodeKEVs([]byte(res.json))\n+\t\t\tif err != nil {\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevs) &gt; 0 {\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +100,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +115,127 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tbs, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to marshal KEVuln. err: %w\", err)\n+\t}\n+\treturn decodeKEVs(bs)\n+}\n+\n+func decodeKEVs(bs []byte) ([]models.KEV, error) {\n+\tvar raws []map[string]json.RawMessage\n+\tif err := json.Unmarshal(bs, &amp;raws); err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to unmarshal KEVuln. err: %w\", err)\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkev := models.KEV{\n+\t\t\tVendorProject:              rawString(raw, \"vendorProject\", \"VendorProject\", \"cisaVendorProject\", \"CISAVendorProject\"),\n+\t\t\tProduct:                    rawString(raw, \"product\", \"Product\", \"cisaProduct\", \"CISAProduct\"),\n+\t\t\tVulnerabilityName:          rawString(raw, \"vulnerabilityName\", \"VulnerabilityName\", \"cisaVulnerabilityName\", \"CISAVulnerabilityName\"),\n+\t\t\tShortDescription:           rawString(raw, \"shortDescription\", \"ShortDescription\", \"cisaShortDescription\", \"CISAShortDescription\"),\n+\t\t\tRequiredAction:             rawString(raw, \"requiredAction\", \"RequiredAction\", \"cisaRequiredAction\", \"CISARequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: rawString(raw, \"knownRansomwareCampaignUse\", \"KnownRansomwareCampaignUse\", \"cisaKnownRansomwareCampaignUse\", \"CISAKnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  rawTime(raw, \"dateAdded\", \"DateAdded\", \"cisaDateAdded\", \"CISADateAdded\"),\n+\t\t\tDueDate:                    rawTimePtr(raw, \"dueDate\", \"DueDate\", \"cisaDueDate\", \"CISADueDate\"),\n+\t\t}\n+\n+\t\tif rawString(raw, \"type\", \"Type\", \"source\", \"Source\") == string(models.VulnCheckKEVType) || hasAnyRaw(raw, \"vulnCheck\", \"VulnCheck\", \"xdb\", \"XDB\", \"reportedExploitation\", \"ReportedExploitation\") {\n+\t\t\tkev.Type = models.VulnCheckKEVType\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  decodeVulnCheckXDB(raw),\n+\t\t\t\tReportedExploitation: decodeVulnCheckReportedExploitation(raw),\n+\t\t\t}\n+\t\t} else {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: rawString(raw, \"note\", \"Note\", \"notes\", \"Notes\")}\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func decodeVulnCheckXDB(raw map[string]json.RawMessage) []models.VulnCheckXDB {\n+\tvar xs []models.VulnCheckXDB\n+\tfor _, key := range []string{\"xdb\", \"XDB\"} {\n+\t\tif bs, ok := raw[key]; ok &amp;&amp; json.Unmarshal(bs, &amp;xs) == nil {\n+\t\t\treturn xs\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func decodeVulnCheckReportedExploitation(raw map[string]json.RawMessage) []models.VulnCheckReportedExploitation {\n+\tvar res []models.VulnCheckReportedExploitation\n+\tfor _, key := range []string{\"reportedExploitation\", \"ReportedExploitation\"} {\n+\t\tif bs, ok := raw[key]; ok &amp;&amp; json.Unmarshal(bs, &amp;res) == nil {\n+\t\t\treturn res\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func rawString(raw map[string]json.RawMessage, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tbs, ok := raw[key]\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\tvar s string\n+\t\tif err := json.Unmarshal(bs, &amp;s); err == nil {\n+\t\t\treturn s\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func rawTime(raw map[string]json.RawMessage, keys ...string) time.Time {\n+\tif t := rawTimePtr(raw, keys...); t != nil {\n+\t\treturn *t\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func rawTimePtr(raw map[string]json.RawMessage, keys ...string) *time.Time {\n+\tfor _, key := range keys {\n+\t\tbs, ok := raw[key]\n+\t\tif !ok || string(bs) == \"null\" {\n+\t\t\tcontinue\n+\t\t}\n+\t\tvar t time.Time\n+\t\tif err := json.Unmarshal(bs, &amp;t); err == nil {\n+\t\t\treturn &amp;t\n+\t\t}\n+\t\ts := rawString(raw, key)\n+\t\tif s == \"\" {\n+\t\t\tcontinue\n+\t\t}\n+\t\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\"} {\n+\t\t\tif parsed, err := time.Parse(layout, s); err == nil {\n+\t\t\t\treturn &amp;parsed\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func hasAnyRaw(raw map[string]json.RawMessage, keys ...string) bool {\n+\tfor _, key := range keys {\n+\t\tif _, ok := raw[key]; ok {\n+\t\t\treturn true\n+\t\t}\n+\t}\n+\tfor key := range raw {\n+\t\tif strings.Contains(strings.ToLower(key), \"vulncheck\") {\n+\t\t\treturn true\n+\t\t}\n+\t}\n+\treturn false\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/kev-scan-result.json b/examples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..a787db2\n--- /dev/null\n+++ b/examples/kev-scan-result.json\n@@ -0,0 +1,74 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example-user\",\n+  \"scannedVia\": \"remote\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"example-user\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing the CISA KEV output shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing the VulnCheck KEV output shape.\",\n+          \"requiredAction\": \"Review exposure and apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"example\",\n+                \"cloneSSHURL\": \"ssh://example.invalid/repo.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..40ab335 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..deb144c 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType represents a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is a CISA Known Exploited Vulnerabilities entry.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is a VulnCheck Known Exploited Vulnerabilities entry.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T08:17:56.523188Z"}, {"uuid": "3b4de5ef-7ae5-415d-9635-24e763ec8046", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/9984053117ed8ffe6f7aee7acf89067d", "content": "diff --git a/README.md b/README.md\nindex 57102d1..a86fcd4 100644\n--- a/README.md\n+++ b/README.md\n@@ -102,6 +102,29 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - WordPress\n   - [wpscan](https://wpscan.com/api)\n \n+### Example Configuration\n+\n+To enable reporting and integrations like KEV (Known Exploited Vulnerabilities) or Slack alerts, use a configuration file (`config.toml`). Below is a synthetic example (`config.toml.example`):\n+\n+```toml\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.168.0.1\" # Placeholder IP\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+\n+[kev]\n+type = \"cisa\" # Or \"vulncheck\"\n+url = \"https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\" # Placeholder webhook URL\n+channel = \"#vuls-alerts\"\n+authUser = \"vuls-bot\"\n+```\n+\n ### Scan mode\n \n [Fast Scan](https://vuls.io/docs/en/architecture-fast-scan.html)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..f87a802\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,24 @@\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.168.0.1\" # Placeholder IP\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+# KEV reporting can be enabled by configuring the KEV data source\n+[kev]\n+type = \"cisa\" # Or \"vulncheck\"\n+url = \"https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\" # Placeholder webhook URL\n+channel = \"#vuls-alerts\"\n+authUser = \"vuls-bot\"\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"alerts@example.com\"\n+password = \"PLACEHOLDER_PASSWORD\" # Placeholder password\n+from = \"vuls@example.com\"\n+to = [\"admin@example.com\"]\n\\ No newline at end of file\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..ce5491b 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,21 +79,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv, ok := r.ScannedCves[res.request.cveID]\n+\t\t\t\tif ok {\n+\t\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\t\tType: models.CISAKEVType,\n+\t\t\t\t\t\tCISA: &amp;models.CISAKEV{},\n+\t\t\t\t\t})\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -108,16 +104,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\t\tType: models.CISAKEVType,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..1f32424 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,9 +205,21 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVs)\n+}\n+\n // FormatUpdatablePkgsSummary returns a summary of updatable packages\n func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \tmode := r.Config.Scan.Servers[r.ServerName].Mode\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..0228761\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,90 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+\t\"time\"\n+)\n+\n+func TestScanResult_Sort_KEV(t *testing.T) {\n+\ttime1 := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)\n+\ttime2 := time.Date(2023, 2, 1, 0, 0, 0, 0, time.UTC)\n+\t\n+\ttests := []struct {\n+\t\tname     string\n+\t\tfields   ScanResult\n+\t\texpected ScanResult\n+\t}{\n+\t\t{\n+\t\t\tname: \"sort KEVs by Type and then VulnerabilityName\",\n+\t\t\tfields: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2023-0001\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              VulnCheckKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"B Vuln\",\n+\t\t\t\t\t\t\t\tDateAdded:         time2,\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"C Vuln\",\n+\t\t\t\t\t\t\t\tDateAdded:         time1,\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"A Vuln\",\n+\t\t\t\t\t\t\t\tDateAdded:         time2,\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              VulnCheckKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"A Vuln\",\n+\t\t\t\t\t\t\t\tDateAdded:         time1,\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2023-0001\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"A Vuln\",\n+\t\t\t\t\t\t\t\tDateAdded:         time2,\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"C Vuln\",\n+\t\t\t\t\t\t\t\tDateAdded:         time1,\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              VulnCheckKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"A Vuln\",\n+\t\t\t\t\t\t\t\tDateAdded:         time1,\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              VulnCheckKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"B Vuln\",\n+\t\t\t\t\t\t\t\tDateAdded:         time2,\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tr := &amp;ScanResult{\n+\t\t\t\tScannedCves: tt.fields.ScannedCves,\n+\t\t\t}\n+\t\t\tr.SortForJSONOutput()\n+\n+\t\t\tif !reflect.DeepEqual(r.ScannedCves, tt.expected.ScannedCves) {\n+\t\t\t\tt.Errorf(\"act %+v, want %+v\", r.ScannedCves, tt.expected.ScannedCves)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..c9d8ca0 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,50 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n+}\n+\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+type KEV struct {\n+\tType                       KEVType\n+\tVendorProject              string\n+\tProduct                    string\n+\tVulnerabilityName          string\n+\tShortDescription           string\n+\tRequiredAction             string\n+\tKnownRansomwareCampaignUse string\n+\tDateAdded                  time.Time\n+\tDueDate                    *time.Time\n+\tCISA                       *CISAKEV\n+\tVulnCheck                  *VulnCheckKEV\n+}\n+\n+type CISAKEV struct {\n+\tNote string\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB\n+\tReportedExploitation []VulnCheckReportedExploitation\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string\n+\tXDBURL      string\n+\tDateAdded   time.Time\n+\tExploitType string\n+\tCloneSSHURL string\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string\n+\tDateAdded time.Time\n }\n \n // Alert has CERT alert information\n@@ -910,7 +954,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +963,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..42490a6 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, alert := range vuln.AlertDict.USCERT {\n+\t\t\tdata = append(data, []string{\"USCERT Alert\", alert.URL})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..78c94f5\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,44 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-10-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"Type\": \"cisa\",\n+          \"VendorProject\": \"Example Vendor\",\n+          \"Product\": \"Example Product\",\n+          \"VulnerabilityName\": \"Example Vulnerability\",\n+          \"ShortDescription\": \"This is a synthetic example of a known exploited vulnerability.\",\n+          \"RequiredAction\": \"Apply updates.\",\n+          \"DateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"CISA\": {\n+            \"Note\": \"This is a synthetic note for CISA.\"\n+          }\n+        },\n+        {\n+          \"Type\": \"vulncheck\",\n+          \"VendorProject\": \"Example Vendor 2\",\n+          \"Product\": \"Example Product 2\",\n+          \"VulnerabilityName\": \"Another Example Vulnerability\",\n+          \"ShortDescription\": \"Synthetic VulnCheck entry.\",\n+          \"DateAdded\": \"2023-02-01T00:00:00Z\",\n+          \"VulnCheck\": {\n+            \"XDB\": [\n+              {\n+                \"XDBID\": \"XDB-001\",\n+                \"XDBURL\": \"https://example.com/xdb/001\",\n+                \"DateAdded\": \"2023-02-01T00:00:00Z\",\n+                \"ExploitType\": \"RCE\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..aeae934 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,31 +812,8 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n-\t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"USCERT Alert\",\n-\t\t\t\t\"=============\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.USCERT {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.JPCERT) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"JPCERT Alert\",\n-\t\t\t\t\"=============\",\n-\t\t\t)\n+\t\t\turls := []string{}\n \t\t\tfor _, alert := range vinfo.AlertDict.JPCERT {\n \t\t\t\tif r.Lang == \"ja\" {\n \t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n", "creation_timestamp": "2026-07-03T08:17:56.572379Z"}, {"uuid": "1a1a0db4-8dfc-4313-8aa6-eadcf3a3760a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/aaa8fd47fab376aaf8115fd9b646bb7e", "content": "diff --git a/README.md b/README.md\nindex 57102d1..40e26fa 100644\n--- a/README.md\n+++ b/README.md\n@@ -163,6 +163,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - See `config.toml.example` for a ready-to-use configuration file with KEV reporting enabled (using placeholder values).\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..29837ca\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,51 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+[servers]\n+[servers.example-host]\n+host    = \"192.0.2.1\"\n+port    = \"22\"\n+user    = \"scans\"\n+keyPath = \"/path/to/id_rsa\"\n+\n+[slack]\n+hookURL  = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+channel  = \"#vuls-alerts\"\n+authUser = \"vuls-bot\"\n+\n+[chatwork]\n+apiToken = \"PLACEHOLDER_CHATWORK_TOKEN\"\n+room     = \"000000\"\n+\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user     = \"vuls-alerts@example.com\"\n+password = \"PLACEHOLDER_SMTP_PASSWORD\"\n+from     = \"vuls-alerts@example.com\"\n+to       = [\"admin@example.com\"]\n\\ No newline at end of file\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..45792f3 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -428,6 +436,13 @@ func (r *ScanResult) SortForJSONOutput() {\n \n \t\tv.CveContents.Sort()\n \n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n \t\t})\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..3adba5e 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 KEVs                 `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -381,6 +382,58 @@ const (\n \tDiffMinus = DiffStatus(\"-\")\n )\n \n+// KEVType is KEV Type\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      = KEVType(\"cisa\")\n+\tVulnCheckKEVType = KEVType(\"vulncheck\")\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType                        `json:\"type\"`\n+\tVendorProject              string                         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string                         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string                         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string                         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string                         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string                         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time                      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time                     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV                       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV                  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// KEVs is a slice of KEV\n+type KEVs []KEV\n+\n // CveIDDiffFormat format CVE-ID for diff mode\n func (v VulnInfo) CveIDDiffFormat() string {\n \tif v.DiffStatus != \"\" {\n@@ -910,24 +963,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n+\tCISA   []Alert `json:\"cisa\"` // Deprecated: use KEVs instead\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..0d03611 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..667cf0d\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,74 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedAt\": \"2023-10-01T12:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"0.1.0\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"local\",\n+  \"reportedAt\": \"2023-10-01T12:05:00Z\",\n+  \"reportedVersion\": \"0.1.0\",\n+  \"reportedBy\": \"vuls\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is an example vulnerability.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note for CISA KEV\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is an example vulnerability.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"xdb-1234\",\n+                \"xdbUrl\": \"https://example.com/xdb/1234\",\n+                \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+                \"exploitType\": \"RCE\",\n+                \"cloneSshUrl\": \"git@example.com:exploits/1234.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2023-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"cveContents\": {\n+        \"nvd\": [\n+          {\n+            \"cveID\": \"CVE-0000-0000\",\n+            \"summary\": \"Example documentation CVE\",\n+            \"cvss2Score\": 5.0,\n+            \"cvss3Score\": 7.5,\n+            \"cvss3Severity\": \"HIGH\"\n+          }\n+        ]\n+      }\n+    }\n+  }\n+}\n\\ No newline at end of file\n", "creation_timestamp": "2026-07-03T08:17:56.684373Z"}, {"uuid": "8096753f-fdc7-4131-9912-ac9a2e10748a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/199316d49a6449d460ce00b50a033cac", "content": "diff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..0a93b76\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,105 @@\n+# Vuls - Example Configuration\n+#\n+# Copy this file to config.toml and customize for your environment.\n+# All secrets below are placeholders \u2014 replace them with real values.\n+#\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# --- Default Settings (inherited by all servers unless overridden) ---\n+[default]\n+port        = \"22\"\n+user        = \"vuls-scan-user\"\n+keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+scanMode    = [\"fast\"]\n+scanModules = [\"ospkg\"]\n+\n+# --- Scan Target Servers ---\n+[servers]\n+\n+[servers.web-server-01]\n+host = \"192.0.2.10\"\n+# port, user, keyPath inherited from [default]\n+\n+[servers.db-server-01]\n+host     = \"192.0.2.20\"\n+scanMode = [\"fast-root\"]\n+# cpeNames = [\"cpe:/a:example:product:1.0\"]\n+# ignoreCves = [\"CVE-0000-0000\"]\n+\n+# --- Vulnerability Dictionary Databases ---\n+# Configure how Vuls fetches CVE/OVAL/exploit/KEV data.\n+# type can be \"sqlite3\", \"mysql\", \"postgres\", \"redis\", or \"http\".\n+\n+[cveDict]\n+type       = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type       = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type       = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type       = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type       = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# --- KEV (Known Exploited Vulnerabilities) ---\n+# Enable KEV reporting via go-kev.\n+# Data from both CISA and VulnCheck KEV sources will populate\n+# the first-class \"kevs\" field on each vulnerability.\n+[kevuln]\n+type       = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+# Alternatively, fetch via HTTP:\n+# type = \"http\"\n+# url  = \"http://localhost:1327\"\n+\n+[cti]\n+type       = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# --- Reporting ---\n+\n+[slack]\n+hookURL     = \"https://hooks.slack.com/services/YOUR/WEBHOOK/URL\"\n+channel     = \"#vuls-notifications\"\n+iconEmoji   = \":ghost:\"\n+authUser    = \"vuls\"\n+# notifyUsers = [\"@admin\"]\n+\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+tlsMode  = \"STARTTLS\"\n+user     = \"vuls@example.com\"\n+password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+from     = \"vuls@example.com\"\n+to       = [\"admin@example.com\"]\n+# cc     = [\"team@example.com\"]\n+# subjectPrefix = \"[Vuls]\"\n+\n+[http]\n+url = \"http://localhost:11234\"\n+\n+# [chatwork]\n+# apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+# room     = \"123456789\"\n+\n+# [telegram]\n+# token  = \"REPLACE_WITH_TELEGRAM_BOT_TOKEN\"\n+# chatID = \"123456789\"\n+\n+# [syslog]\n+# protocol = \"tcp\"\n+# host     = \"syslog.example.com\"\n+# port     = \"514\"\n+# severity = \"info\"\n+# facility = \"local0\"\n+# tag      = \"vuls\"\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..e378ebd 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of how many scanned CVEs have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kevs_scan_result.json b/models/testdata/sample_kevs_scan_result.json\nnew file mode 100644\nindex 0000000..18243c3\n--- /dev/null\n+++ b/models/testdata/sample_kevs_scan_result.json\n@@ -0,0 +1,87 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"centos\",\n+  \"release\": \"8\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2025-01-15T00:00:00Z\",\n+          \"dueDate\": \"2025-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/2025-001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2025-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"00000000-0000-0000-0000-000000000001\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/00000000-0000-0000-0000-000000000001\",\n+                \"dateAdded\": \"2025-01-10T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/CVE-0000-0001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/blog/exploitation-report-CVE-0000-0001\",\n+                \"dateAdded\": \"2025-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"notFixedYet\": false,\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2025-03-01T00:00:00Z\",\n+          \"dueDate\": \"2025-03-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"another-package\",\n+          \"notFixedYet\": true\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..1ac08ff 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,73 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n", "creation_timestamp": "2026-07-03T09:17:39.962072Z"}, {"uuid": "44828a89-3e5c-4079-b7df-d7189337eb89", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/3075099748f6807f4709d1fee5720fcc", "content": "diff --git a/README.md b/README.md\nindex 57102d1..74e6e4d 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data via go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,12 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Example configuration\n+\n+A redacted, ready-to-use starter config is available at [`config.toml.example`](config.toml.example). It includes a `[kevuln]` section so CISA and VulnCheck KEV data can be reported in the `kevs` field of each vulnerability.\n+\n+To try KEV reporting with local SQLite dictionaries, update the placeholder server and path values, then run Vuls with that config. A synthetic scan-result sample showing the new `kevs` JSON shape is available at [`docs/sample-kev-scan-result.json`](docs/sample-kev-scan-result.json).\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..70628e0\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,42 @@\n+[default]\n+# Use placeholder values only. Do not copy secrets from a live config.toml into this file.\n+port               = \"22\"\n+user               = \"vuls\"\n+keyPath            = \"/home/vuls/.ssh/id_rsa\"\n+scanMode           = [\"fast-root\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host               = \"192.0.2.10\"\n+port               = \"22\"\n+user               = \"vuls\"\n+keyPath            = \"/home/vuls/.ssh/id_rsa\"\n+\n+[cveDict]\n+type               = \"sqlite3\"\n+sqlite3Path        = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type               = \"sqlite3\"\n+sqlite3Path        = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type               = \"sqlite3\"\n+sqlite3Path        = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type               = \"sqlite3\"\n+sqlite3Path        = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type               = \"sqlite3\"\n+sqlite3Path        = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type               = \"sqlite3\"\n+sqlite3Path        = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type               = \"sqlite3\"\n+sqlite3Path        = \"/var/lib/vuls/go-cti.sqlite3\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..19e0c76 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,8 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"reflect\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +81,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, toKEVs(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +101,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, toKEVs(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +111,150 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func toKEVs(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tkevs = append(kevs, toKEV(kevuln))\n+\t}\n+\treturn kevs\n+}\n+\n+func toKEV(kevuln kevulnmodels.KEVuln) models.KEV {\n+\tv := reflect.ValueOf(kevuln)\n+\tkev := models.KEV{\n+\t\tType:                       kevType(v),\n+\t\tVendorProject:              stringField(v, \"VendorProject\"),\n+\t\tProduct:                    stringField(v, \"Product\"),\n+\t\tVulnerabilityName:          stringField(v, \"VulnerabilityName\"),\n+\t\tShortDescription:           stringField(v, \"ShortDescription\"),\n+\t\tRequiredAction:             stringField(v, \"RequiredAction\"),\n+\t\tKnownRansomwareCampaignUse: stringField(v, \"KnownRansomwareCampaignUse\"),\n+\t\tDateAdded:                  timeField(v, \"DateAdded\"),\n+\t\tDueDate:                    timePtrField(v, \"DueDate\"),\n+\t}\n+\n+\tif kev.Type == \"\" {\n+\t\tkev.Type = models.CISAKEVType\n+\t}\n+\tif kev.Type == models.CISAKEVType {\n+\t\tkev.CISA = &amp;models.CISAKEV{Note: stringField(v, \"Note\")}\n+\t}\n+\tif kev.Type == models.VulnCheckKEVType {\n+\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\tXDB:                  vulnCheckXDBs(field(v, \"XDB\")),\n+\t\t\tReportedExploitation: reportedExploitations(field(v, \"ReportedExploitation\")),\n+\t\t}\n+\t}\n+\treturn kev\n+}\n+\n+func kevType(v reflect.Value) models.KEVType {\n+\ttypeName := strings.ToLower(stringField(v, \"Type\"))\n+\tif typeName == \"\" {\n+\t\ttypeName = strings.ToLower(stringField(v, \"Source\"))\n+\t}\n+\tswitch typeName {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\tcase string(models.CISAKEVType):\n+\t\treturn models.CISAKEVType\n+\tdefault:\n+\t\tif len(vulnCheckXDBs(field(v, \"XDB\"))) &gt; 0 || len(reportedExploitations(field(v, \"ReportedExploitation\"))) &gt; 0 {\n+\t\t\treturn models.VulnCheckKEVType\n+\t\t}\n+\t\treturn models.CISAKEVType\n+\t}\n+}\n+\n+func vulnCheckXDBs(v reflect.Value) (xs []models.VulnCheckXDB) {\n+\tif !validSlice(v) {\n+\t\treturn nil\n+\t}\n+\tfor i := 0; i &lt; v.Len(); i++ {\n+\t\tx := indirect(v.Index(i))\n+\t\txs = append(xs, models.VulnCheckXDB{\n+\t\t\tXDBID:       stringField(x, \"XDBID\"),\n+\t\t\tXDBURL:      stringField(x, \"XDBURL\"),\n+\t\t\tDateAdded:   timeField(x, \"DateAdded\"),\n+\t\t\tExploitType: stringField(x, \"ExploitType\"),\n+\t\t\tCloneSSHURL: stringField(x, \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn xs\n+}\n+\n+func reportedExploitations(v reflect.Value) (res []models.VulnCheckReportedExploitation) {\n+\tif !validSlice(v) {\n+\t\treturn nil\n+\t}\n+\tfor i := 0; i &lt; v.Len(); i++ {\n+\t\tre := indirect(v.Index(i))\n+\t\tres = append(res, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       stringField(re, \"URL\"),\n+\t\t\tDateAdded: timeField(re, \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn res\n+}\n+\n+func validSlice(v reflect.Value) bool {\n+\treturn v.IsValid() &amp;&amp; v.Kind() == reflect.Slice\n+}\n+\n+func field(v reflect.Value, name string) reflect.Value {\n+\tv = indirect(v)\n+\tif !v.IsValid() || v.Kind() != reflect.Struct {\n+\t\treturn reflect.Value{}\n+\t}\n+\treturn v.FieldByName(name)\n+}\n+\n+func stringField(v reflect.Value, name string) string {\n+\tf := field(v, name)\n+\tif !f.IsValid() || f.Kind() != reflect.String {\n+\t\treturn \"\"\n+\t}\n+\treturn f.String()\n+}\n+\n+func timeField(v reflect.Value, name string) time.Time {\n+\tf := field(v, name)\n+\tif !f.IsValid() {\n+\t\treturn time.Time{}\n+\t}\n+\tif t, ok := f.Interface().(time.Time); ok {\n+\t\treturn t\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func timePtrField(v reflect.Value, name string) *time.Time {\n+\tf := field(v, name)\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tf = indirect(f)\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif t, ok := f.Interface().(time.Time); ok &amp;&amp; !t.IsZero() {\n+\t\treturn &amp;t\n+\t}\n+\treturn nil\n+}\n+\n+func indirect(v reflect.Value) reflect.Value {\n+\tif !v.IsValid() {\n+\t\treturn v\n+\t}\n+\tfor v.Kind() == reflect.Pointer || v.Kind() == reflect.Interface {\n+\t\tif v.IsNil() {\n+\t\t\treturn reflect.Value{}\n+\t\t}\n+\t\tv = v.Elem()\n+\t}\n+\treturn v\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/sample-kev-scan-result.json b/docs/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..0287206\n--- /dev/null\n+++ b/docs/sample-kev-scan-result.json\n@@ -0,0 +1,68 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing CISA KEV output shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic documentation sample.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing VulnCheck KEV output shape.\",\n+          \"requiredAction\": \"Review exposure and apply vendor remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"example\",\n+                \"cloneSSHURL\": \"git@example.com:example/research.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/research/example-cve\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..f8d997b 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of known exploited vulnerability CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -428,12 +436,20 @@ func (r *ScanResult) SortForJSONOutput() {\n \n \t\tv.CveContents.Sort()\n \n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n \t\t})\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n+\t\t// Keep old result JSON deterministic; new KEV data is stored in KEVs.\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..e4d21ac 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -277,6 +278,58 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType identifies the known-exploited-vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck KEV data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known-exploited-vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has reported exploitation references.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,8 +963,9 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n+\t// CISA is retained only for old result JSON compatibility. KEV data is stored in VulnInfo.KEVs.\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n@@ -919,15 +973,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T09:17:40.200411Z"}, {"uuid": "81d89c07-7feb-4071-9ed4-707513f71b7f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/f666a19a067f6738c8cec49aa43c1ddd", "content": "diff --git a/README.md b/README.md\nindex 57102d1..db9649e 100644\n--- a/README.md\n+++ b/README.md\n@@ -174,6 +174,10 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Configuration\n+\n+To use Vuls with KEV reporting and other features enabled, you can find a ready-to-use example configuration in [`config.toml.example`](config.toml.example).\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..081e4a3\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,26 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..bea14ff 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\tdueDate = &amp;k.DueDate\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +121,29 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\tdueDate = &amp;k.DueDate\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..204474e 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,9 +205,21 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatUpdatablePkgsSummary returns a summary of updatable packages\n func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \tmode := r.Config.Scan.Servers[r.ServerName].Mode\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..7d8c5a6 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,7 +911,59 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of the KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is for VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV represents Known Exploited Vulnerability\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev.json b/sample-kev.json\nnew file mode 100644\nindex 0000000..53637d8\n--- /dev/null\n+++ b/sample-kev.json\n@@ -0,0 +1,52 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"redhat\",\n+  \"release\": \"8\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability Name\",\n+          \"shortDescription\": \"This is a dummy description of the vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-31T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Dummy note for CISA KEV\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability Name\",\n+          \"shortDescription\": \"Dummy VulnCheck description\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"XDB-001\",\n+                \"xdburl\": \"https://example.com/xdb/001\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+                \"exploitType\": \"RCE\",\n+                \"cloneSSHURL\": \"git@example.com:exploit/001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tracking-issue-example.md b/tracking-issue-example.md\nnew file mode 100644\nindex 0000000..045c825\n--- /dev/null\n+++ b/tracking-issue-example.md\n@@ -0,0 +1,58 @@\n+# New KEV payload example\n+\n+Here is a synthetic example of the new `kevs` field populated on a vulnerability to show the structure:\n+\n+```json\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"redhat\",\n+  \"release\": \"8\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability Name\",\n+          \"shortDescription\": \"This is a dummy description of the vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-31T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Dummy note for CISA KEV\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability Name\",\n+          \"shortDescription\": \"Dummy VulnCheck description\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"XDB-001\",\n+                \"xdburl\": \"https://example.com/xdb/001\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+                \"exploitType\": \"RCE\",\n+                \"cloneSSHURL\": \"git@example.com:exploit/001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n+```\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T09:17:40.248802Z"}, {"uuid": "5f1c0cb6-3650-4661-9501-c077a97ff032", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/029f786b75cfa6f5421bde3e7cdf3d70", "content": "diff --git a/README.md b/README.md\nindex 57102d1..3339803 100644\n--- a/README.md\n+++ b/README.md\n@@ -179,6 +179,10 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Example Configuration (KEV)\n+\n+A ready-to-use configuration with KEV reporting enabled is available at [config.toml.example](config.toml.example).\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..84b6af4\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,50 @@\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/XXXX/XXXX/XXXX\"\n+channel = \"#vuls\"\n+authUser = \"vuls\"\n+\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"username\"\n+password = \"password\"\n+from = \"from@example.com\"\n+to = [\"to@example.com\"]\n+subject = \"Vuls Report\"\n+\n+[default]\n+#port = \"22\"\n+#user = \"username\"\n+#keyPath = \"/home/username/.ssh/id_rsa\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls-user\"\n+keyPath = \"/home/vuls-user/.ssh/id_rsa\"\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..a58e0e8 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,14 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..8f4c09c 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -257,6 +257,57 @@ type PackageFixStatus struct {\n }\n \n // VulnInfo has a vulnerability information and unsecure packages\n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is a KEV type for CISA\n+\tCISAKEVType = KEVType(\"cisa\")\n+\t// VulnCheckKEVType is a KEV type for VulnCheck\n+\tVulnCheckKEVType = KEVType(\"vulncheck\")\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType   `json:\"type,omitempty\"`\n+\tVendorProject              string    `json:\"vendorProject,omitempty\"`\n+\tProduct                    string    `json:\"product,omitempty\"`\n+\tVulnerabilityName          string    `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string    `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string    `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string    `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck Reported Exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n \tConfidences          Confidences          `json:\"confidences,omitempty\"`\n@@ -275,6 +326,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/testdata/kev_sample.json b/testdata/kev_sample.json\nnew file mode 100644\nindex 0000000..98a9122\n--- /dev/null\n+++ b/testdata/kev_sample.json\n@@ -0,0 +1,60 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example VulnCheck Vulnerability\",\n+          \"shortDescription\": \"VulnCheck example\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-02-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-12345\",\n+                \"xdbURL\": \"https://example.com/xdb/12345\",\n+                \"dateAdded\": \"2024-02-01T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-02-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"runningKernel\": {\n+    \"release\": \"\",\n+    \"version\": \"\",\n+    \"rebootRequired\": false\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T09:17:40.297782Z"}, {"uuid": "b45cc578-82ad-4a6d-a479-3d2b03dc30a5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/2ca5547833c78045b7162aee0969873a", "content": "diff --git a/README.md b/README.md\nindex 57102d1..d1ca052 100644\n--- a/README.md\n+++ b/README.md\n@@ -168,6 +168,38 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Configuration\n+\n+To enable KEV reporting, ensure you have the `kevuln` configuration enabled. You can find an example configuration in `config.toml.example`:\n+\n+```toml\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kevuln.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/path/to/id_rsa\"\n+```\n+\n+----\n+\n ## What Vuls Doesn't Do\n \n - Vuls doesn't update the vulnerable packages.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..2afc1b6\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,23 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kevuln.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/path/to/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..158b026 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,19 +79,11 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tif len(kevulns) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,17 +100,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tnKEV++\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..6a6c44d 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKevCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..c711c41 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,11 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +289,11 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +356,12 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +421,12 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..8fb5c5f 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -269,6 +269,7 @@ type VulnInfo struct {\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n \tLibraryFixedIns      LibraryFixedIns      `json:\"libraryFixedIns,omitempty\"`\n@@ -910,24 +911,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n@@ -1089,3 +1086,52 @@ var (\n \t// FortinetVendorProductMatch is a ranking how confident the CVE-ID was detected correctly\n \tFortinetVendorProductMatch = Confidence{10, FortinetVendorProductMatchStr, 9}\n )\n+\n+// KEVType is the type of KEV\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType\n+\tVendorProject              string\n+\tProduct                    string\n+\tVulnerabilityName          string\n+\tShortDescription           string\n+\tRequiredAction             string\n+\tKnownRansomwareCampaignUse string\n+\tDateAdded                  time.Time\n+\tDueDate                    *time.Time\n+\tCISA                       *CISAKEV\n+\tVulnCheck                  *VulnCheckKEV\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB\n+\tReportedExploitation []VulnCheckReportedExploitation\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string\n+\tXDBURL      string\n+\tDateAdded   time.Time\n+\tExploitType string\n+\tCloneSSHURL string\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string\n+\tDateAdded time.Time\n+}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev.json b/sample_kev.json\nnew file mode 100644\nindex 0000000..d952861\n--- /dev/null\n+++ b/sample_kev.json\n@@ -0,0 +1,52 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"Type\": \"cisa\",\n+          \"VendorProject\": \"example-vendor\",\n+          \"Product\": \"example-product\",\n+          \"VulnerabilityName\": \"Example Vulnerability\",\n+          \"ShortDescription\": \"A synthetic example description.\",\n+          \"RequiredAction\": \"Apply updates per vendor instructions.\",\n+          \"KnownRansomwareCampaignUse\": \"Unknown\",\n+          \"DateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"CISA\": {\n+            \"Note\": \"This is a synthetic CISA KEV example.\"\n+          }\n+        },\n+        {\n+          \"Type\": \"vulncheck\",\n+          \"VendorProject\": \"example-vendor\",\n+          \"Product\": \"example-product\",\n+          \"VulnerabilityName\": \"Example Vulnerability\",\n+          \"DateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"VulnCheck\": {\n+            \"XDB\": [\n+              {\n+                \"XDBID\": \"XDB-123\",\n+                \"XDBURL\": \"https://example.com/xdb/123\",\n+                \"DateAdded\": \"2023-01-01T00:00:00Z\",\n+                \"ExploitType\": \"local\",\n+                \"CloneSSHURL\": \"git@example.com:repo.git\"\n+              }\n+            ],\n+            \"ReportedExploitation\": [\n+              {\n+                \"URL\": \"https://example.com/report/123\",\n+                \"DateAdded\": \"2023-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T09:17:40.528364Z"}, {"uuid": "fb8956fa-a6d9-4c06-b883-537f5e2007be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/1a86b2724cc3b67e690684726598fafb", "content": "diff --git a/README.md b/README.md\nindex 57102d1..8927d55 100644\n--- a/README.md\n+++ b/README.md\n@@ -92,6 +92,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n \n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - KEV results are emitted in each vulnerability's `kevs` field when `[kevuln]` is configured.\n+\n+Example KEV configuration and output are available in `examples/config.toml.example` and `examples/scan-result-kev.json`. The example files are synthetic and use placeholder values only.\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..bfcb1df 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -78,19 +78,14 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs := convertKEVulns(kevulns)\n+\t\t\tif len(kevs) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -107,17 +102,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif len(kevulns) == 0 {\n \t\t\t\tcontinue\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs := convertKEVulns(kevulns)\n+\t\t\tif len(kevs) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +117,169 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\traw, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tlogging.Log.Debugf(\"Failed to marshal KEVuln. err: %+v\", err)\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tvar m map[string]json.RawMessage\n+\t\tif err := json.Unmarshal(raw, &amp;m); err != nil {\n+\t\t\tlogging.Log.Debugf(\"Failed to unmarshal KEVuln. err: %+v\", err)\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       parseKEVType(m),\n+\t\t\tVendorProject:              rawString(m, \"vendorProject\", \"vendor_project\"),\n+\t\t\tProduct:                    rawString(m, \"product\"),\n+\t\t\tVulnerabilityName:          rawString(m, \"vulnerabilityName\", \"vulnerability_name\"),\n+\t\t\tShortDescription:           rawString(m, \"shortDescription\", \"short_description\"),\n+\t\t\tRequiredAction:             rawString(m, \"requiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse: rawString(m, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                  rawTime(m, \"dateAdded\", \"date_added\"),\n+\t\t\tDueDate:                    rawTimePtr(m, \"dueDate\", \"due_date\"),\n+\t\t}\n+\t\tif note := rawString(m, \"note\", \"notes\"); note != \"\" {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: note}\n+\t\t}\n+\t\tif cisa := rawCISAKEV(m); cisa != nil {\n+\t\t\tkev.CISA = cisa\n+\t\t}\n+\t\tif vulncheck := rawVulnCheckKEV(m); vulncheck != nil {\n+\t\t\tkev.VulnCheck = vulncheck\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func parseKEVType(m map[string]json.RawMessage) models.KEVType {\n+\tsource := rawString(m, \"type\", \"source\", \"kevType\", \"kev_type\")\n+\tswitch source {\n+\tcase string(models.VulnCheckKEVType), \"VulnCheck\", \"vulnCheck\":\n+\t\treturn models.VulnCheckKEVType\n+\tcase string(models.CISAKEVType), \"CISA\":\n+\t\treturn models.CISAKEVType\n+\t}\n+\tif _, ok := m[\"vulncheck\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := m[\"vulnCheck\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := m[\"xdb\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := m[\"reportedExploitation\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := m[\"reported_exploitation\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\treturn models.CISAKEVType\n+}\n+\n+func rawCISAKEV(m map[string]json.RawMessage) *models.CISAKEV {\n+\tvar nested map[string]json.RawMessage\n+\tif !rawObject(m, &amp;nested, \"cisa\", \"CISA\") {\n+\t\treturn nil\n+\t}\n+\treturn &amp;models.CISAKEV{Note: rawString(nested, \"note\", \"notes\")}\n+}\n+\n+func rawVulnCheckKEV(m map[string]json.RawMessage) *models.VulnCheckKEV {\n+\tvar nested map[string]json.RawMessage\n+\tif rawObject(m, &amp;nested, \"vulncheck\", \"vulnCheck\", \"VulnCheck\") {\n+\t\tm = nested\n+\t}\n+\n+\tv := &amp;models.VulnCheckKEV{}\n+\tfor _, raw := range rawArray(m, \"xdb\", \"XDB\") {\n+\t\tvar x map[string]json.RawMessage\n+\t\tif err := json.Unmarshal(raw, &amp;x); err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\t\tv.XDB = append(v.XDB, models.VulnCheckXDB{\n+\t\t\tXDBID:       rawString(x, \"xdbID\", \"xdb_id\", \"id\"),\n+\t\t\tXDBURL:      rawString(x, \"xdbURL\", \"xdb_url\", \"url\"),\n+\t\t\tDateAdded:   rawTime(x, \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: rawString(x, \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: rawString(x, \"cloneSSHURL\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\tfor _, raw := range rawArray(m, \"reportedExploitation\", \"reported_exploitation\") {\n+\t\tvar e map[string]json.RawMessage\n+\t\tif err := json.Unmarshal(raw, &amp;e); err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\t\tv.ReportedExploitation = append(v.ReportedExploitation, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       rawString(e, \"url\", \"URL\"),\n+\t\t\tDateAdded: rawTime(e, \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\tif len(v.XDB) == 0 &amp;&amp; len(v.ReportedExploitation) == 0 {\n+\t\treturn nil\n+\t}\n+\treturn v\n+}\n+\n+func rawString(m map[string]json.RawMessage, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif raw, ok := m[key]; ok {\n+\t\t\tvar s string\n+\t\t\tif err := json.Unmarshal(raw, &amp;s); err == nil {\n+\t\t\t\treturn s\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func rawTime(m map[string]json.RawMessage, keys ...string) time.Time {\n+\tif t := rawTimePtr(m, keys...); t != nil {\n+\t\treturn *t\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func rawTimePtr(m map[string]json.RawMessage, keys ...string) *time.Time {\n+\ts := rawString(m, keys...)\n+\tif s == \"\" {\n+\t\treturn nil\n+\t}\n+\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn &amp;t\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func rawObject(m map[string]json.RawMessage, dst *map[string]json.RawMessage, keys ...string) bool {\n+\tfor _, key := range keys {\n+\t\tif raw, ok := m[key]; ok {\n+\t\t\treturn json.Unmarshal(raw, dst) == nil\n+\t\t}\n+\t}\n+\treturn false\n+}\n+\n+func rawArray(m map[string]json.RawMessage, keys ...string) []json.RawMessage {\n+\tfor _, key := range keys {\n+\t\tif raw, ok := m[key]; ok {\n+\t\t\tvar a []json.RawMessage\n+\t\t\tif err := json.Unmarshal(raw, &amp;a); err == nil {\n+\t\t\t\treturn a\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..f361b2c\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,39 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Replace placeholder values with paths and hosts owned by your environment.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"example.invalid\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/examples/scan-result-kev.json b/examples/scan-result-kev.json\nnew file mode 100644\nindex 0000000..d2488e5\n--- /dev/null\n+++ b/examples/scan-result-kev.json\n@@ -0,0 +1,61 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Example Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry showing the JSON shape only.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"dueDate\": \"2026-07-24T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic documentation sample. Not a real vulnerability record.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Example Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry showing exploit metadata shape only.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"00000000-0000-0000-0000-000000000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/00000000-0000-0000-0000-000000000000\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/report/example-kev\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"errors\": [],\n+  \"warnings\": []\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..bb1420b 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of known exploited vulnerability cves.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..a62f77a 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies the source catalog for a known exploited vulnerability.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA Known Exploited Vulnerabilities catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck Known Exploited Vulnerabilities catalog.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                         KEVType        `json:\"type,omitempty\"`\n+\tVendorProject                string         `json:\"vendorProject,omitempty\"`\n+\tProduct                      string         `json:\"product,omitempty\"`\n+\tVulnerabilityName            string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                      *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV data.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV data.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +963,8 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n+// CISA is retained only for reading legacy result JSON; new KEV data lives in KEVs.\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +973,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T09:17:40.577983Z"}, {"uuid": "3b9df8c7-0605-4da5-b256-40bf68b91aba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/190809bee26e981bcbcf1805f36ccce1", "content": "diff --git a/README.md b/README.md\nindex 57102d1..d3c91a3 100644\n--- a/README.md\n+++ b/README.md\n@@ -200,6 +200,10 @@ see [vulsdoc](https://vuls.io/docs/en/how-to-contribute.html)\n \n ----\n \n+## Example Configuration\n+\n+An example configuration with KEV (Known Exploited Vulnerabilities) support enabled is available at [config.toml.example](./config.toml.example).\n+\n ## License\n \n Please see [LICENSE](https://github.com/future-architect/vuls/blob/master/LICENSE).\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..f6628fd\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,35 @@\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.localhost]\n+host = \"localhost\"\n+port = \"22\"\n+user = \"your-ssh-user\"\n+keyPath = \"/path/to/private_key\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9a79033 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,28 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, kv := range kevulns {\n+\t\t\t\tdue := kv.DueDate\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              kv.VendorProject,\n+\t\t\t\t\tProduct:                    kv.Product,\n+\t\t\t\t\tVulnerabilityName:          kv.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           kv.ShortDescription,\n+\t\t\t\t\tRequiredAction:             kv.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: kv.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  kv.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;due,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: kv.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevs) &gt; 0 {\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +118,26 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, kv := range kevulns {\n+\t\t\t\tdue := kv.DueDate\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              kv.VendorProject,\n+\t\t\t\t\tProduct:                    kv.Product,\n+\t\t\t\t\tVulnerabilityName:          kv.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           kv.ShortDescription,\n+\t\t\t\t\tRequiredAction:             kv.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: kv.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  kv.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;due,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: kv.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..0191530 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV vulns\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/kev_sample.json b/models/testdata/kev_sample.json\nnew file mode 100644\nindex 0000000..208780a\n--- /dev/null\n+++ b/models/testdata/kev_sample.json\n@@ -0,0 +1,56 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"12345\",\n+                \"xdbURL\": \"https://example.com/xdb/12345\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"scannedAt\": \"2024-01-01T00:00:00Z\"\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..63e6bd8 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,72 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has KEV information\n+type KEV struct {\n+\tType                        KEVType   `json:\"type,omitempty\"`\n+\tVendorProject               string    `json:\"vendorProject,omitempty\"`\n+\tProduct                     string    `json:\"product,omitempty\"`\n+\tVulnerabilityName           string    `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription            string    `json:\"shortDescription,omitempty\"`\n+\tRequiredAction              string    `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse  string    `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                   time.Time `json:\"dateAdded,omitempty\"`\n+\tDueDate                     *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T10:08:45.520020Z"}, {"uuid": "b8c6ca6a-5701-4d1e-b81e-2cb1ecda9868", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/5d2e53ff8ddbe757758dde9baf303147", "content": "diff --git a/README.md b/README.md\nindex 57102d1..639b234 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities (KEV)\n+  - [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - VulnCheck KEV\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -174,6 +175,12 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Configuration Example\n+\n+For a ready-to-use example configuration, see [config.toml.example](config.toml.example).\n+\n+----\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..c5975e5\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,38 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[msf]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-server]\n+host = \"192.168.0.1\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+# SSH passphrase removed for security\n+\n+# Slack configuration with dummy token\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/DUMMY/TOKEN/HERE\"\n+channel = \"#general\"\n+authUser = \"vuls\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..fd1d20d 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,8 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = convertKEVulns(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +98,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertKEVulns(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +108,46 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tvar kevs []models.KEV\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.KEVType(k.Type),\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tDueDate:                    k.DueDate,\n+\t\t}\n+\t\tif k.CISA != nil {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: k.CISA.Note}\n+\t\t}\n+\t\tif k.VulnCheck != nil {\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{}\n+\t\t\tfor _, xdb := range k.VulnCheck.XDB {\n+\t\t\t\tkev.VulnCheck.XDB = append(kev.VulnCheck.XDB, models.VulnCheckXDB{\n+\t\t\t\t\tXDBID:       xdb.XDBID,\n+\t\t\t\t\tXDBURL:      xdb.XDBURL,\n+\t\t\t\t\tDateAdded:   xdb.DateAdded,\n+\t\t\t\t\tExploitType: xdb.ExploitType,\n+\t\t\t\t\tCloneSSHURL: xdb.CloneSSHURL,\n+\t\t\t\t})\n+\t\t\t}\n+\t\t\tfor _, re := range k.VulnCheck.ReportedExploitation {\n+\t\t\t\tkev.VulnCheck.ReportedExploitation = append(kev.VulnCheck.ReportedExploitation, models.VulnCheckReportedExploitation{\n+\t\t\t\t\tURL:       re.URL,\n+\t\t\t\t\tDateAdded: re.DateAdded,\n+\t\t\t\t})\n+\t\t\t}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..0343249 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..f7ef01c 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -12,6 +12,50 @@ import (\n \texploitmodels \"github.com/vulsio/go-exploitdb/models\"\n )\n \n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+type KEV struct {\n+\tType                       KEVType    `json:\"type\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\n+\tCISA      *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // VulnInfos has a map of VulnInfo\n // Key: CveID\n type VulnInfos map[string]VulnInfo\n@@ -268,6 +312,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -919,15 +964,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..8b13a95 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -201,6 +201,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatServerName(),\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..e7579fe\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,78 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"dummy-uuid\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"11.0\",\n+  \"container\": {\n+    \"containerID\": \"\",\n+    \"name\": \"\",\n+    \"image\": \"\",\n+    \"type\": \"\",\n+    \"uuid\": \"\"\n+  },\n+  \"platform\": {\n+    \"name\": \"\",\n+    \"instanceID\": \"\"\n+  },\n+  \"scannedAt\": \"2026-07-03T10:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"v0.0.0\",\n+  \"scannedRevision\": \"0000000\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"ssh\",\n+  \"reportedAt\": \"2026-07-03T10:05:00Z\",\n+  \"reportedVersion\": \"v0.0.0\",\n+  \"reportedRevision\": \"0000000\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A documentation example vulnerability.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Documentation note.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"XDB-123\",\n+                \"xdburl\": \"https://example.com/exploit/123\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+                \"exploitType\": \"Remote Code Execution\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.10.0\",\n+    \"version\": \"#1 SMP Debian 5.10.0-dummy\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T10:08:45.814457Z"}, {"uuid": "349e67ed-3456-4deb-a00c-9128824e22fe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/f3ba6e1e2507e088bc63b94906ba5a45", "content": "diff --git a/README.md b/README.md\nindex 57102d1..272e2b4 100644\n--- a/README.md\n+++ b/README.md\n@@ -92,6 +92,7 @@ Vuls is a tool created to solve the problems listed above. It has the following\n \n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - KEV matches are emitted in each vulnerability's `kevs` field.\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -166,6 +167,12 @@ Vuls has some options to detect the vulnerabilities\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \n+## KEV Reporting Example\n+\n+Use `examples/config.toml.example` as a redacted starting point for enabling the `kevuln` database. Replace every placeholder path, host, and SSH value before use; do not copy secrets from a live `config.toml`.\n+\n+`examples/kev-scan-result.json` shows a synthetic scan result with the first-class `scannedCves..kevs` field populated for both CISA and VulnCheck sources.\n+\n ----\n \n ## What Vuls Doesn't Do\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f6f7006 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,21 +80,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevs) &gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -108,16 +105,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +120,159 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\traw, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\n+\t\tm := map[string]interface{}{}\n+\t\tif err := json.Unmarshal(raw, &amp;m); err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType(m),\n+\t\t\tVendorProject:              stringValue(m, \"vendorProject\", \"vendor_project\", \"VendorProject\"),\n+\t\t\tProduct:                    stringValue(m, \"product\", \"Product\"),\n+\t\t\tVulnerabilityName:          stringValue(m, \"vulnerabilityName\", \"vulnerability_name\", \"VulnerabilityName\"),\n+\t\t\tShortDescription:           stringValue(m, \"shortDescription\", \"short_description\", \"ShortDescription\"),\n+\t\t\tRequiredAction:             stringValue(m, \"requiredAction\", \"required_action\", \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: stringValue(m, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\", \"KnownRansomwareCampaignUse\"),\n+\t\t}\n+\n+\t\tif t, ok := timeValue(m, \"dateAdded\", \"date_added\", \"DateAdded\"); ok {\n+\t\t\tkev.DateAdded = t\n+\t\t}\n+\t\tif t, ok := timeValue(m, \"dueDate\", \"due_date\", \"DueDate\"); ok {\n+\t\t\tkev.DueDate = &amp;t\n+\t\t}\n+\n+\t\tnote := stringValue(m, \"note\", \"notes\", \"Note\", \"Notes\")\n+\t\tif kev.Type == models.CISAKEVType || note != \"\" {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: note}\n+\t\t}\n+\n+\t\tvulncheck := convertVulnCheckKEV(m)\n+\t\tif kev.Type == models.VulnCheckKEVType || len(vulncheck.XDB) &gt; 0 || len(vulncheck.ReportedExploitation) &gt; 0 {\n+\t\t\tkev.VulnCheck = &amp;vulncheck\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func kevType(m map[string]interface{}) models.KEVType {\n+\tsource := strings.ToLower(stringValue(m, \"type\", \"source\", \"kevType\", \"KEVType\"))\n+\tif source == string(models.VulnCheckKEVType) || source == \"vuln_check\" || source == \"vuln-check\" {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif hasAny(m, \"vulncheck\", \"vulnCheck\", \"VulnCheck\", \"xdb\", \"XDB\", \"reportedExploitation\", \"ReportedExploitation\") {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\treturn models.CISAKEVType\n+}\n+\n+func convertVulnCheckKEV(m map[string]interface{}) models.VulnCheckKEV {\n+\tif nested, ok := mapValue(m, \"vulncheck\", \"vulnCheck\", \"VulnCheck\"); ok {\n+\t\tm = nested\n+\t}\n+\n+\tv := models.VulnCheckKEV{}\n+\tfor _, xdb := range mapSliceValue(m, \"xdb\", \"XDB\") {\n+\t\tentry := models.VulnCheckXDB{\n+\t\t\tXDBID:       stringValue(xdb, \"xdbID\", \"xdbId\", \"XDBID\", \"id\"),\n+\t\t\tXDBURL:      stringValue(xdb, \"xdbURL\", \"xdbUrl\", \"XDBURL\", \"url\"),\n+\t\t\tExploitType: stringValue(xdb, \"exploitType\", \"ExploitType\"),\n+\t\t\tCloneSSHURL: stringValue(xdb, \"cloneSSHURL\", \"cloneSSHUrl\", \"CloneSSHURL\"),\n+\t\t}\n+\t\tif t, ok := timeValue(xdb, \"dateAdded\", \"DateAdded\"); ok {\n+\t\t\tentry.DateAdded = t\n+\t\t}\n+\t\tv.XDB = append(v.XDB, entry)\n+\t}\n+\n+\tfor _, reported := range mapSliceValue(m, \"reportedExploitation\", \"ReportedExploitation\") {\n+\t\tentry := models.VulnCheckReportedExploitation{\n+\t\t\tURL: stringValue(reported, \"url\", \"URL\"),\n+\t\t}\n+\t\tif t, ok := timeValue(reported, \"dateAdded\", \"DateAdded\"); ok {\n+\t\t\tentry.DateAdded = t\n+\t\t}\n+\t\tv.ReportedExploitation = append(v.ReportedExploitation, entry)\n+\t}\n+\treturn v\n+}\n+\n+func stringValue(m map[string]interface{}, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\ts, ok := v.(string)\n+\t\t\tif ok {\n+\t\t\t\treturn s\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func timeValue(m map[string]interface{}, keys ...string) (time.Time, bool) {\n+\tfor _, key := range keys {\n+\t\tv, ok := m[key]\n+\t\tif !ok || v == nil {\n+\t\t\tcontinue\n+\t\t}\n+\t\ts, ok := v.(string)\n+\t\tif !ok || s == \"\" {\n+\t\t\tcontinue\n+\t\t}\n+\t\tfor _, layout := range []string{time.RFC3339Nano, time.RFC3339, \"2006-01-02\"} {\n+\t\t\tif t, err := time.Parse(layout, s); err == nil &amp;&amp; !t.IsZero() {\n+\t\t\t\treturn t, true\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn time.Time{}, false\n+}\n+\n+func hasAny(m map[string]interface{}, keys ...string) bool {\n+\tfor _, key := range keys {\n+\t\tif _, ok := m[key]; ok {\n+\t\t\treturn true\n+\t\t}\n+\t}\n+\treturn false\n+}\n+\n+func mapValue(m map[string]interface{}, keys ...string) (map[string]interface{}, bool) {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key].(map[string]interface{}); ok {\n+\t\t\treturn v, true\n+\t\t}\n+\t}\n+\treturn nil, false\n+}\n+\n+func mapSliceValue(m map[string]interface{}, keys ...string) []map[string]interface{} {\n+\tfor _, key := range keys {\n+\t\tvs, ok := m[key].([]interface{})\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\tmaps := make([]map[string]interface{}, 0, len(vs))\n+\t\tfor _, v := range vs {\n+\t\t\tif mv, ok := v.(map[string]interface{}); ok {\n+\t\t\t\tmaps = append(maps, mv)\n+\t\t\t}\n+\t\t}\n+\t\treturn maps\n+\t}\n+\treturn nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..86971f1\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,39 @@\n+# Synthetic Vuls configuration example with KEV reporting enabled.\n+# Replace all placeholder values before use. Do not copy secrets from a live config.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"example-host\"\n+port = \"22\"\n+user = \"vuls-scan-user\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/examples/kev-scan-result.json b/examples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..6bcb0b5\n--- /dev/null\n+++ b/examples/kev-scan-result.json\n@@ -0,0 +1,68 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"24.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:05:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry used only to document the output shape.\",\n+          \"requiredAction\": \"Apply the vendor-provided remediation or discontinue use of the product if unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Placeholder note for documentation.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry used only to document the output shape.\",\n+          \"requiredAction\": \"Review exposure and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:placeholder/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/kev_test.go b/models/kev_test.go\nnew file mode 100644\nindex 0000000..f90aa77\n--- /dev/null\n+++ b/models/kev_test.go\n@@ -0,0 +1,64 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-0000-0003\": {},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Fatalf(\"FormatKEVCveSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputSortsKEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"z\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tkevs := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twants := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"z\"},\n+\t}\n+\tfor i, want := range wants {\n+\t\tif kevs[i] != want {\n+\t\t\tt.Fatalf(\"KEVs[%d] = %+v, want %+v\", i, kevs[i], want)\n+\t\t}\n+\t}\n+}\n+\n+func TestAlertDictIgnoresCISAForGenericAlertSummary(t *testing.T) {\n+\talerts := AlertDict{CISA: []Alert{{Title: \"old KEV alert\"}}}\n+\tif !alerts.IsEmpty() {\n+\t\tt.Fatal(\"AlertDict with only CISA alerts should be empty\")\n+\t}\n+\tif got := alerts.FormatSource(); got != \"\" {\n+\t\tt.Fatalf(\"FormatSource() = %q, want empty\", got)\n+\t}\n+\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {AlertDict: alerts},\n+\t\t},\n+\t}\n+\tif got, want := r.FormatAlertSummary(), \"uscert: 0, jpcert: 0 alerts\"; got != want {\n+\t\tt.Fatalf(\"FormatAlertSummary() = %q, want %q\", got, want)\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..2c3a9d6 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -427,6 +435,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\t})\n \n \t\tv.CveContents.Sort()\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..fa14939 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies the Known Exploited Vulnerabilities source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV catalog source.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has CISA/VulnCheck Known Exploited Vulnerabilities information.\n+type KEV struct {\n+\tType                          KEVType       `json:\"type,omitempty\"`\n+\tVendorProject                 string        `json:\"vendorProject,omitempty\"`\n+\tProduct                       string        `json:\"product,omitempty\"`\n+\tVulnerabilityName             string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription              string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse    string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                     time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                       *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                          *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                     *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +963,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..703e9c8 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T10:08:49.857510Z"}, {"uuid": "13b7cb64-2235-4304-b61d-6972544e3bbe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/8f8042ec67e33300de60ea3c6c0e4e47", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..b4cdeee 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,11 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Examples\n+\n+- [`config.toml.example`](config.toml.example) is a synthetic ready-to-use configuration template, including the `[kevuln]` database section needed to report CISA and VulnCheck KEV data. Replace placeholder hosts, paths, and accounts with your own values before use.\n+- [`docs/sample-kev-scan-result.json`](docs/sample-kev-scan-result.json) shows the new first-class `kevs` field in scan results. It is synthetic documentation data and does not contain production inventory.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..98c9564\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,46 @@\n+# Synthetic, ready-to-use example. Do not paste production credentials here.\n+\n+resultsDir = \"/var/lib/vuls/results\"\n+logDir = \"/var/log/vuls\"\n+debug = false\n+debugSQL = false\n+lang = \"en\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cve-dictionary.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/goval-dictionary.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+user = \"vuls\"\n+port = \"22\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..84ad4d3 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -74,23 +75,18 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n-\t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n+\t\t\tkevs, err := kevulnsToKEVs([]byte(res.json))\n+\t\t\tif err != nil {\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevs) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +104,19 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tbs, err := json.Marshal(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n+\t\t\t}\n+\t\t\tkevs, err := kevulnsToKEVs(bs)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n+\t\t\t}\n+\t\t\tif len(kevs) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +126,139 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func kevulnsToKEVs(bs []byte) ([]models.KEV, error) {\n+\tvar raws []map[string]interface{}\n+\tif err := json.Unmarshal(bs, &amp;raws); err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkevType := models.KEVType(firstString(raw, \"type\", \"kevType\", \"source\"))\n+\t\tif kevType == \"\" {\n+\t\t\tkevType = models.CISAKEVType\n+\t\t}\n+\t\tif strings.Contains(strings.ToLower(string(kevType)), \"vulncheck\") {\n+\t\t\tkevType = models.VulnCheckKEVType\n+\t\t} else if strings.Contains(strings.ToLower(string(kevType)), \"cisa\") {\n+\t\t\tkevType = models.CISAKEVType\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType,\n+\t\t\tVendorProject:              firstString(raw, \"vendorProject\", \"vendor_project\", \"vendor\"),\n+\t\t\tProduct:                    firstString(raw, \"product\"),\n+\t\t\tVulnerabilityName:          firstString(raw, \"vulnerabilityName\", \"vulnerability_name\", \"name\"),\n+\t\t\tShortDescription:           firstString(raw, \"shortDescription\", \"short_description\"),\n+\t\t\tRequiredAction:             firstString(raw, \"requiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse: firstString(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                  firstTime(raw, \"dateAdded\", \"date_added\"),\n+\t\t\tDueDate:                    firstTimePtr(raw, \"dueDate\", \"due_date\"),\n+\t\t}\n+\n+\t\tif note := firstString(raw, \"note\", \"notes\"); note != \"\" || kev.Type == models.CISAKEVType {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: note}\n+\t\t}\n+\t\tif vc := vulnCheckKEV(raw); vc != nil || kev.Type == models.VulnCheckKEVType {\n+\t\t\tkev.VulnCheck = vc\n+\t\t\tif kev.VulnCheck == nil {\n+\t\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{}\n+\t\t\t}\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func vulnCheckKEV(raw map[string]interface{}) *models.VulnCheckKEV {\n+\tvc := &amp;models.VulnCheckKEV{\n+\t\tXDB:                  vulnCheckXDBs(raw),\n+\t\tReportedExploitation: vulnCheckReportedExploitations(raw),\n+\t}\n+\tif len(vc.XDB) == 0 &amp;&amp; len(vc.ReportedExploitation) == 0 {\n+\t\treturn nil\n+\t}\n+\treturn vc\n+}\n+\n+func vulnCheckXDBs(raw map[string]interface{}) []models.VulnCheckXDB {\n+\tvar xs []models.VulnCheckXDB\n+\tfor _, m := range firstMapSlice(raw, \"xdb\", \"XDB\") {\n+\t\txs = append(xs, models.VulnCheckXDB{\n+\t\t\tXDBID:       firstString(m, \"xdbID\", \"xdb_id\", \"id\"),\n+\t\t\tXDBURL:      firstString(m, \"xdbURL\", \"xdb_url\", \"url\"),\n+\t\t\tDateAdded:   firstTime(m, \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: firstString(m, \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: firstString(m, \"cloneSSHURL\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\treturn xs\n+}\n+\n+func vulnCheckReportedExploitations(raw map[string]interface{}) []models.VulnCheckReportedExploitation {\n+\tvar rs []models.VulnCheckReportedExploitation\n+\tfor _, m := range firstMapSlice(raw, \"reportedExploitation\", \"reported_exploitation\") {\n+\t\trs = append(rs, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       firstString(m, \"url\"),\n+\t\t\tDateAdded: firstTime(m, \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn rs\n+}\n+\n+func firstString(m map[string]interface{}, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif s, ok := v.(string); ok {\n+\t\t\t\treturn s\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func firstTime(m map[string]interface{}, keys ...string) time.Time {\n+\tif t := firstTimePtr(m, keys...); t != nil {\n+\t\treturn *t\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func firstTimePtr(m map[string]interface{}, keys ...string) *time.Time {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif s, ok := v.(string); ok &amp;&amp; s != \"\" {\n+\t\t\t\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\"} {\n+\t\t\t\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\t\t\t\treturn &amp;t\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func firstMapSlice(m map[string]interface{}, keys ...string) []map[string]interface{} {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\titems, ok := v.([]interface{})\n+\t\t\tif !ok {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\tms := make([]map[string]interface{}, 0, len(items))\n+\t\t\tfor _, item := range items {\n+\t\t\t\tif im, ok := item.(map[string]interface{}); ok {\n+\t\t\t\t\tms = append(ms, im)\n+\t\t\t\t}\n+\t\t\t}\n+\t\t\treturn ms\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/sample-kev-scan-result.json b/docs/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..69ec982\n--- /dev/null\n+++ b/docs/sample-kev-scan-result.json\n@@ -0,0 +1,78 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example-user\",\n+  \"scannedVia\": \"remote\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"example-user\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply vendor updates per your change-management process.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry for documentation.\",\n+          \"requiredAction\": \"Review exploitability and patch exposure.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/research/cve-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {\n+        \"jpcert\": null,\n+        \"uscert\": null\n+      }\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..2c1b30b 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of known exploited vulnerability CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..54de59d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a known exploited vulnerability data source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType identifies CISA KEV catalog entries.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType identifies VulnCheck KEV entries.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                         KEVType        `json:\"type,omitempty\"`\n+\tVendorProject                string         `json:\"vendorProject,omitempty\"`\n+\tProduct                      string         `json:\"product,omitempty\"`\n+\tVulnerabilityName            string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                      *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                     []VulnCheckXDB                     `json:\"xdb,omitempty\"`\n+\tReportedExploitation    []VulnCheckReportedExploitation    `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..e3aef8f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..1cf62c3 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", kev.Type, kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T10:08:46.344944Z"}, {"uuid": "5fbf7d7c-b49b-4e11-8d3f-2cdd34013fa8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/26f7e5ce83cd4e74af340d4d498cf168", "content": "diff --git a/README.md b/README.md\nindex 57102d1..74e7dc3 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,12 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV(Known Exploited Vulnerabilities)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - VulnCheck KEV\n+\n+## Example Configuration\n+See `config.toml.example` for a ready-to-use example configuration with KEV reporting enabled.\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..d29980c\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,33 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[msf]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.168.0.1\"\n+port         = \"22\"\n+user         = \"ubuntu\"\n+keyPath      = \"/path/to/id_rsa\"\n+# SSH key passphrase (dummy value)\n+keyPassphrase = \"\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..4196d4b 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -90,7 +90,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\t// Kev alerts has been moved to KEV model. Leftover to be cleaned up fully later if needed.\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -117,7 +117,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\t// Kev alerts has been moved to KEV model. Leftover to be cleaned up fully later if needed.\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..2054905 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,9 +205,21 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n+// FormatKEVCveSummary returns a summary of kevs\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKevCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevCve)\n+}\n+\n // FormatUpdatablePkgsSummary returns a summary of updatable packages\n func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \tmode := r.Config.Scan.Servers[r.ServerName].Mode\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..777f7c0 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +284,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +346,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +405,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..fd02a8b 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,30 +911,77 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n \treturn strings.Join(s, \"/\")\n }\n \n+// KEVType is the type for Known Exploited Vulnerabilities\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is for VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV represents Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType                   `json:\"type,omitempty\"`\n+\tVendorProject              string                    `json:\"vendorProject,omitempty\"`\n+\tProduct                    string                    `json:\"product,omitempty\"`\n+\tVulnerabilityName          string                    `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string                    `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string                    `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string                    `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time                 `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time                `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV                  `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV             `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific fields\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific fields\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has reported exploitation\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Confidences is a list of Confidence\n type Confidences []Confidence\n \ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..77f20b4 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,8 +565,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, alert := range vuln.AlertDict.JPCERT {\n+\t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample_scanresult.json b/sample_scanresult.json\nnew file mode 100644\nindex 0000000..aeb2b91\n--- /dev/null\n+++ b/sample_scanresult.json\n@@ -0,0 +1,66 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"container\": {\n+    \"containerID\": \"\",\n+    \"name\": \"\",\n+    \"image\": \"\",\n+    \"type\": \"\",\n+    \"uuid\": \"\"\n+  },\n+  \"platform\": {\n+    \"name\": \"\",\n+    \"instanceID\": \"\"\n+  },\n+  \"scannedAt\": \"2023-01-01T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A simulated vulnerability for demonstration.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Update to the latest version.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2023-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0-0-generic\",\n+    \"version\": \"#1 SMP xxxxxxxx\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tracking_issue_example.md b/tracking_issue_example.md\nnew file mode 100644\nindex 0000000..37e0394\n--- /dev/null\n+++ b/tracking_issue_example.md\n@@ -0,0 +1,52 @@\n+# Example of the new KEV output\n+\n+Here is a redacted example of how the new KEV structure looks in the JSON scan result:\n+\n+```json\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-01-01T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A simulated vulnerability for demonstration.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Update to the latest version.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2023-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {}\n+}\n+```\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T10:08:50.057921Z"}, {"uuid": "c2eb007c-1673-4638-8fe6-a6cd13805759", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/9844d7936b555fac05bfdb0f938157fb", "content": "diff --git a/README.md b/README.md\nindex 57102d1..e29f66f 100644\n--- a/README.md\n+++ b/README.md\n@@ -174,6 +174,12 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Configuration Example\n+\n+See [`config.toml.example`](config.toml.example) for a ready-to-use synthetic configuration with KEV reporting enabled.\n+\n+----\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..f1e4ac0\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,23 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls-user\"\n+keyPath = \"/path/to/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..14717c0 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,19 +79,11 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tif len(kevulns) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +100,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/main.go b/main.go\nnew file mode 100644\nindex 0000000..793922d\n--- /dev/null\n+++ b/main.go\n@@ -0,0 +1,15 @@\n+package main\n+\n+import (\n+\t\"fmt\"\n+\t\"reflect\"\n+\tkevulnmodels \"github.com/vulsio/go-kev/models\"\n+)\n+\n+func main() {\n+\tv := kevulnmodels.KEVuln{}\n+\tt := reflect.TypeOf(v)\n+\tfor i := 0; i &lt; t.NumField(); i++ {\n+\t\tfmt.Printf(\"%s %s\\n\", t.Field(i).Name, t.Field(i).Type.Name())\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..0ebc170 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKevCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..f5a1ae0 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +284,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +346,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +405,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -535,6 +519,33 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t},\n \t\t\t},\n \t\t},\n+\t\t{\n+\t\t\tname: \"sort KEVs by Type and VulnerabilityName\",\n+\t\t\tfields: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n \t}\n \tfor _, tt := range tests {\n \t\tt.Run(tt.name, func(t *testing.T) {\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..3caf2fe 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,30 +911,69 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n \treturn strings.Join(s, \"/\")\n }\n \n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+type KEV struct {\n+\tType                       KEVType        `json:\"type\"`\n+\tVendorProject              string         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Confidences is a list of Confidence\n type Confidences []Confidence\n \ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..703e9c8 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev_result.json b/sample_kev_result.json\nnew file mode 100644\nindex 0000000..0033179\n--- /dev/null\n+++ b/sample_kev_result.json\n@@ -0,0 +1,52 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a placeholder description for a CISA KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a placeholder description for a VulnCheck KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"12345\",\n+                \"xdburl\": \"https://example.com/xdb/12345\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+                \"exploitType\": \"RCE\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/12345\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T13:58:59.458817Z"}, {"uuid": "cffc5292-3084-4cf3-a694-9e973221007a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/7ec901bccc83dbd40e07a4554fa0a703", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..b42291d 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities (KEV)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -156,6 +157,10 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+## Configuration\n+\n+An example configuration file is provided at [`config.toml.example`](config.toml.example). Copy it to `config.toml` and edit to match your environment.\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..c4f3659\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,96 @@\n+# Vuls example configuration\n+# See https://vuls.io/docs/en/config.toml.html for details\n+#\n+# Copy this file to config.toml and edit to match your environment.\n+# All values below are PLACEHOLDER/SYNTHETIC \u2014 replace with real values.\n+\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[cveDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"\"\n+\n+[ovalDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"\"\n+\n+[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"\"\n+\n+[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"\"\n+\n+[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"\"\n+\n+# Known Exploited Vulnerabilities (CISA KEV / VulnCheck KEV)\n+[kevuln]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url = \"\"\n+\n+[cti]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url = \"\"\n+\n+# https://vuls.io/docs/en/config.toml.html#slack-section\n+#[slack]\n+#hookURL      = \"https://hooks.slack.com/services/xxx/yyy/zzz\"\n+#channel      = \"#channel-name\"\n+#iconEmoji    = \":ghost:\"\n+#authUser     = \"username\"\n+#notifyUsers  = [\"@username\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#email-section\n+#[email]\n+#smtpAddr              = \"smtp.example.com\"\n+#smtpPort              = \"587\"\n+#tlsMode               = \"STARTTLS\"\n+#tlsInsecureSkipVerify = false\n+#user                  = \"username\"\n+#password              = \"password\"\n+#from                  = \"from@example.com\"\n+#to                    = [\"to@example.com\"]\n+#cc                    = [\"cc@example.com\"]\n+#subjectPrefix         = \"[vuls]\"\n+\n+# https://vuls.io/docs/en/config.toml.html#http-section\n+#[http]\n+#url = \"http://localhost:11234\"\n+\n+# https://vuls.io/docs/en/config.toml.html#syslog-section\n+#[syslog]\n+#protocol    = \"tcp\"\n+#host        = \"localhost\"\n+#port        = \"514\"\n+#tag         = \"vuls\"\n+#facility    = \"local0\"\n+#severity    = \"alert\"\n+#verbose     = false\n+\n+# https://vuls.io/docs/en/config.toml.html#default-section\n+[default]\n+#port        = \"22\"\n+#user        = \"username\"\n+#keyPath     = \"/home/username/.ssh/id_rsa\"\n+#scanMode    = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#servers-section\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+#port = \"22\"\n+#user = \"scan-user\"\n+#keyPath = \"/home/username/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..1ac0757 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevulnsToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevulnsToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -243,3 +229,26 @@ func newKEVulnDB(cnf config.VulnDictInterface) (kevulndb.DB, error) {\n \t}\n \treturn driver, nil\n }\n+\n+func kevulnsToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tCISA:                       &amp;models.CISAKEV{Note: k.Notes},\n+\t\t}\n+\t\tif !k.DueDate.IsZero() {\n+\t\t\tdueDate := k.DueDate\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\ndiff --git a/examples/sample_scan_result_with_kevs.json b/examples/sample_scan_result_with_kevs.json\nnew file mode 100644\nindex 0000000..8a0c814\n--- /dev/null\n+++ b/examples/sample_scan_result_with_kevs.json\n@@ -0,0 +1,100 @@\n+{\n+    \"jsonVersion\": 4,\n+    \"lang\": \"en\",\n+    \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+    \"serverName\": \"example-host\",\n+    \"family\": \"ubuntu\",\n+    \"release\": \"22.04\",\n+    \"container\": {\n+        \"containerID\": \"\",\n+        \"name\": \"\",\n+        \"image\": \"\",\n+        \"type\": \"\",\n+        \"uuid\": \"\"\n+    },\n+    \"platform\": {\n+        \"name\": \"\",\n+        \"instanceID\": \"\"\n+    },\n+    \"scannedAt\": \"2026-01-01T00:00:00Z\",\n+    \"scanMode\": \"fast\",\n+    \"scannedCves\": {\n+        \"CVE-0000-0000\": {\n+            \"cveID\": \"CVE-0000-0000\",\n+            \"confidences\": [\n+                {\n+                    \"score\": 100,\n+                    \"detectionMethod\": \"OvalMatch\"\n+                }\n+            ],\n+            \"affectedPackages\": [\n+                {\n+                    \"name\": \"example-package\",\n+                    \"fixedIn\": \"1.2.4\"\n+                }\n+            ],\n+            \"kevs\": [\n+                {\n+                    \"type\": \"cisa\",\n+                    \"vendorProject\": \"Example Vendor\",\n+                    \"product\": \"Example Product\",\n+                    \"vulnerabilityName\": \"Example Vendor Example Product Buffer Overflow Vulnerability\",\n+                    \"shortDescription\": \"Example Product contains a buffer overflow vulnerability that allows remote code execution.\",\n+                    \"requiredAction\": \"Apply updates per vendor instructions.\",\n+                    \"knownRansomwareCampaignUse\": \"Unknown\",\n+                    \"dateAdded\": \"2025-06-15T00:00:00Z\",\n+                    \"dueDate\": \"2025-07-06T00:00:00Z\",\n+                    \"cisa\": {\n+                        \"note\": \"\"\n+                    }\n+                },\n+                {\n+                    \"type\": \"vulncheck\",\n+                    \"vendorProject\": \"Example Vendor\",\n+                    \"product\": \"Example Product\",\n+                    \"vulnerabilityName\": \"Example Vendor Example Product Buffer Overflow Vulnerability\",\n+                    \"shortDescription\": \"Example Product contains a buffer overflow vulnerability that allows remote code execution.\",\n+                    \"requiredAction\": \"Apply updates per vendor instructions.\",\n+                    \"knownRansomwareCampaignUse\": \"Unknown\",\n+                    \"dateAdded\": \"2025-06-10T00:00:00Z\",\n+                    \"vulnCheck\": {\n+                        \"xdb\": [\n+                            {\n+                                \"xdbID\": \"XDB-0000-0000\",\n+                                \"xdbURL\": \"https://example.com/xdb/0000-0000\",\n+                                \"dateAdded\": \"2025-06-10T00:00:00Z\",\n+                                \"exploitType\": \"poc\",\n+                                \"cloneSSHURL\": \"git@example.com:exploits/example.git\"\n+                            }\n+                        ],\n+                        \"reportedExploitation\": [\n+                            {\n+                                \"url\": \"https://example.com/report/0000-0000\",\n+                                \"dateAdded\": \"2025-06-12T00:00:00Z\"\n+                            }\n+                        ]\n+                    }\n+                }\n+            ],\n+            \"alertDict\": {\n+                \"cisa\": null,\n+                \"jpcert\": null,\n+                \"uscert\": null\n+            },\n+            \"cveContents\": {}\n+        }\n+    },\n+    \"runningKernel\": {\n+        \"release\": \"5.15.0-100-generic\",\n+        \"version\": \"\",\n+        \"rebootRequired\": false\n+    },\n+    \"packages\": {\n+        \"example-package\": {\n+            \"name\": \"example-package\",\n+            \"version\": \"1.2.3\",\n+            \"release\": \"\",\n+            \"newVersion\": \"1.2.4\"\n+        }\n+    }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..b4c943a 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..f64dd7d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,6 +911,58 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of a Known Exploited Vulnerability entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the KEV source type for CISA\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the KEV source type for VulnCheck\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..e3aef8f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..dcd70d3 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T11:02:08.181724Z"}, {"uuid": "118183af-276c-4d51-97f4-231939670779", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/a6bd8011051e8d1a91a6edf40b5bf622", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..60ca4ed 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - VulnCheck KEV data via go-kev\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -139,6 +140,14 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - It is possible to acquire the state of the server by connecting via SSH and executing the command.\n - Vuls warns when the scan target server was updated the kernel etc. but not restarting it.\n \n+### Example Configuration\n+\n+Use `config.toml.example` as a ready-to-use starting point for scan and report configuration, including KEV reporting through the `[kevuln]` database section.\n+\n+The example uses placeholder hosts and paths only. Do not publish or copy values from a live `config.toml`; put real credentials and internal host details only in your local, gitignored configuration.\n+\n+Sample JSON output with first-class `kevs` data is available at `docs/sample-kev-scan-result.json`.\n+\n ### Scan vulnerabilities of non-OS-packages\n \n - Libraries of programming language\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..a5e249c\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,43 @@\n+# Example Vuls configuration with KEV reporting enabled.\n+# Replace all placeholder values before use. Do not copy production secrets here.\n+\n+[default]\n+user = \"vuls\"\n+port = \"22\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\"]\n+\n+[servers]\n+\n+[servers.example-web]\n+host = \"203.0.113.10\"\n+scanMode = [\"fast-root\"]\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..cc5de05 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,8 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"reflect\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +81,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = convertKEVulnsToModel(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +101,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertKEVulnsToModel(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +111,202 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulnsToModel(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tv := reflect.ValueOf(kevuln)\n+\t\tif v.Kind() == reflect.Ptr {\n+\t\t\tv = v.Elem()\n+\t\t}\n+\t\tif !v.IsValid() || v.Kind() != reflect.Struct {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tbefore := len(kevs)\n+\t\tkevs = appendKEVsFromField(kevs, v, models.CISAKEVType, \"CISA\", \"CISAs\", \"Cisa\", \"Cisas\")\n+\t\tkevs = appendKEVsFromField(kevs, v, models.VulnCheckKEVType, \"VulnCheck\", \"VulnChecks\", \"Vulncheck\", \"Vulnchecks\")\n+\t\tif len(kevs) == before {\n+\t\t\tkevs = append(kevs, kevFromValue(v, models.KEVType(strings.ToLower(stringField(v, \"Type\", \"Source\")))))\n+\t\t}\n+\t}\n+\treturn kevs\n+}\n+\n+func appendKEVsFromField(kevs []models.KEV, v reflect.Value, kevType models.KEVType, names ...string) []models.KEV {\n+\tfor _, name := range names {\n+\t\tfield := fieldByName(v, name)\n+\t\tif !field.IsValid() {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif field.Kind() == reflect.Ptr {\n+\t\t\tif field.IsNil() {\n+\t\t\t\treturn kevs\n+\t\t\t}\n+\t\t\tfield = field.Elem()\n+\t\t}\n+\t\tif field.Kind() == reflect.Slice {\n+\t\t\tfor i := 0; i &lt; field.Len(); i++ {\n+\t\t\t\titem := field.Index(i)\n+\t\t\t\tif item.Kind() == reflect.Ptr {\n+\t\t\t\t\tif item.IsNil() {\n+\t\t\t\t\t\tcontinue\n+\t\t\t\t\t}\n+\t\t\t\t\titem = item.Elem()\n+\t\t\t\t}\n+\t\t\t\tif item.Kind() == reflect.Struct {\n+\t\t\t\t\tkevs = append(kevs, kevFromValue(item, kevType))\n+\t\t\t\t}\n+\t\t\t}\n+\t\t\treturn kevs\n+\t\t}\n+\t\tif field.Kind() == reflect.Struct {\n+\t\t\treturn append(kevs, kevFromValue(field, kevType))\n+\t\t}\n+\t}\n+\treturn kevs\n+}\n+\n+func kevFromValue(v reflect.Value, kevType models.KEVType) models.KEV {\n+\tkev := models.KEV{\n+\t\tType:                       kevType,\n+\t\tVendorProject:              stringField(v, \"VendorProject\", \"Vendor\"),\n+\t\tProduct:                    stringField(v, \"Product\"),\n+\t\tVulnerabilityName:          stringField(v, \"VulnerabilityName\", \"Name\"),\n+\t\tShortDescription:           stringField(v, \"ShortDescription\", \"Description\"),\n+\t\tRequiredAction:             stringField(v, \"RequiredAction\"),\n+\t\tKnownRansomwareCampaignUse: stringField(v, \"KnownRansomwareCampaignUse\", \"RansomwareCampaignUse\"),\n+\t\tDateAdded:                  timeField(v, \"DateAdded\"),\n+\t\tDueDate:                    timePtrField(v, \"DueDate\"),\n+\t}\n+\tif kev.Type == \"\" {\n+\t\tkev.Type = models.CISAKEVType\n+\t}\n+\tif kev.Type == models.CISAKEVType {\n+\t\tkev.CISA = &amp;models.CISAKEV{Note: stringField(v, \"Note\", \"Notes\")}\n+\t}\n+\tif kev.Type == models.VulnCheckKEVType {\n+\t\tkev.VulnCheck = vulnCheckKEVFromValue(v)\n+\t}\n+\treturn kev\n+}\n+\n+func stringField(v reflect.Value, names ...string) string {\n+\tfor _, name := range names {\n+\t\tfield := fieldByName(v, name)\n+\t\tif field.IsValid() &amp;&amp; field.Kind() == reflect.String {\n+\t\t\treturn field.String()\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func timeField(v reflect.Value, names ...string) time.Time {\n+\tfor _, name := range names {\n+\t\tfield := fieldByName(v, name)\n+\t\tif !field.IsValid() {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif t, ok := field.Interface().(time.Time); ok {\n+\t\t\treturn t\n+\t\t}\n+\t\tif field.Kind() == reflect.Ptr &amp;&amp; !field.IsNil() {\n+\t\t\tif t, ok := field.Interface().(*time.Time); ok {\n+\t\t\t\treturn *t\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func timePtrField(v reflect.Value, names ...string) *time.Time {\n+\tfor _, name := range names {\n+\t\tfield := fieldByName(v, name)\n+\t\tif !field.IsValid() {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif t, ok := field.Interface().(time.Time); ok &amp;&amp; !t.IsZero() {\n+\t\t\treturn &amp;t\n+\t\t}\n+\t\tif field.Kind() == reflect.Ptr &amp;&amp; !field.IsNil() {\n+\t\t\tif t, ok := field.Interface().(*time.Time); ok {\n+\t\t\t\treturn t\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func fieldByName(v reflect.Value, name string) reflect.Value {\n+\tfield := v.FieldByName(name)\n+\tif field.IsValid() &amp;&amp; field.CanInterface() {\n+\t\treturn field\n+\t}\n+\treturn reflect.Value{}\n+}\n+\n+func vulnCheckKEVFromValue(v reflect.Value) *models.VulnCheckKEV {\n+\treturn &amp;models.VulnCheckKEV{\n+\t\tXDB:                  vulnCheckXDBsField(v, \"XDB\", \"XDBs\", \"Xdb\", \"Xdbs\"),\n+\t\tReportedExploitation: vulnCheckReportedExploitationField(v, \"ReportedExploitation\", \"ReportedExploitations\"),\n+\t}\n+}\n+\n+func vulnCheckXDBsField(v reflect.Value, names ...string) (xdbs []models.VulnCheckXDB) {\n+\tfor _, name := range names {\n+\t\tfield := fieldByName(v, name)\n+\t\tif !field.IsValid() || field.Kind() != reflect.Slice {\n+\t\t\tcontinue\n+\t\t}\n+\t\tfor i := 0; i &lt; field.Len(); i++ {\n+\t\t\titem := field.Index(i)\n+\t\t\tif item.Kind() == reflect.Ptr {\n+\t\t\t\tif item.IsNil() {\n+\t\t\t\t\tcontinue\n+\t\t\t\t}\n+\t\t\t\titem = item.Elem()\n+\t\t\t}\n+\t\t\tif item.Kind() != reflect.Struct {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\t\tXDBID:       stringField(item, \"XDBID\", \"XdbID\", \"ID\"),\n+\t\t\t\tXDBURL:      stringField(item, \"XDBURL\", \"XdbURL\", \"URL\"),\n+\t\t\t\tDateAdded:   timeField(item, \"DateAdded\"),\n+\t\t\t\tExploitType: stringField(item, \"ExploitType\"),\n+\t\t\t\tCloneSSHURL: stringField(item, \"CloneSSHURL\", \"CloneSshURL\"),\n+\t\t\t})\n+\t\t}\n+\t\treturn xdbs\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitationField(v reflect.Value, names ...string) (reported []models.VulnCheckReportedExploitation) {\n+\tfor _, name := range names {\n+\t\tfield := fieldByName(v, name)\n+\t\tif !field.IsValid() || field.Kind() != reflect.Slice {\n+\t\t\tcontinue\n+\t\t}\n+\t\tfor i := 0; i &lt; field.Len(); i++ {\n+\t\t\titem := field.Index(i)\n+\t\t\tif item.Kind() == reflect.Ptr {\n+\t\t\t\tif item.IsNil() {\n+\t\t\t\t\tcontinue\n+\t\t\t\t}\n+\t\t\t\titem = item.Elem()\n+\t\t\t}\n+\t\t\tif item.Kind() != reflect.Struct {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\treported = append(reported, models.VulnCheckReportedExploitation{\n+\t\t\t\tURL:       stringField(item, \"URL\"),\n+\t\t\t\tDateAdded: timeField(item, \"DateAdded\"),\n+\t\t\t})\n+\t\t}\n+\t\treturn reported\n+\t}\n+\treturn reported\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/sample-kev-scan-result.json b/docs/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..ce3e81f\n--- /dev/null\n+++ b/docs/sample-kev-scan-result.json\n@@ -0,0 +1,79 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example-user\",\n+  \"scannedVia\": \"remote\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"example-user\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing the first-class KEV JSON shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV example.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/docs/tracking-issue-kev-example.md b/docs/tracking-issue-kev-example.md\nnew file mode 100644\nindex 0000000..236caae\n--- /dev/null\n+++ b/docs/tracking-issue-kev-example.md\n@@ -0,0 +1,54 @@\n+# Tracking Issue KEV Example\n+\n+This is a redacted, synthetic example for reviewers. It intentionally avoids real scan output, internal hostnames, IP addresses, package inventories, account names, UUIDs, and secrets.\n+\n+See `docs/sample-kev-scan-result.json` for a complete sample scan result with `scannedCves[].kevs` populated from both CISA and VulnCheck-style KEV sources.\n+\n+Minimal shape:\n+\n+```json\n+{\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n+```\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..5b480f8 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,24 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\t\tfor idx, kev := range v.KEVs {\n+\t\t\tif kev.VulnCheck == nil {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\tsort.Slice(kev.VulnCheck.XDB, func(i, j int) bool {\n+\t\t\t\treturn kev.VulnCheck.XDB[i].XDBID &lt; kev.VulnCheck.XDB[j].XDBID\n+\t\t\t})\n+\t\t\tsort.Slice(kev.VulnCheck.ReportedExploitation, func(i, j int) bool {\n+\t\t\t\treturn kev.VulnCheck.ReportedExploitation[i].URL &lt; kev.VulnCheck.ReportedExploitation[j].URL\n+\t\t\t})\n+\t\t\tv.KEVs[idx] = kev\n+\t\t}\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..1e8cc1d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType represents a Known Exploited Vulnerability data source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                          KEVType      `json:\"type\"`\n+\tVendorProject                 string       `json:\"vendorProject,omitempty\"`\n+\tProduct                       string       `json:\"product,omitempty\"`\n+\tVulnerabilityName             string       `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription              string       `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                string       `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse    string       `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                     time.Time     `json:\"dateAdded\"`\n+\tDueDate                       *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                          *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                     *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +963,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa\"` // Deprecated: KEV data is available in VulnInfo.KEVs.\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..1279a6b 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -201,10 +201,11 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatServerName(),\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n-\t\t\t\tr.FormatUpdatablePkgsSummary(),\n-\t\t\t\tr.FormatExploitCveSummary(),\n-\t\t\t\tr.FormatMetasploitCveSummary(),\n-\t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\t\tr.FormatExploitCveSummary(),\n+\t\t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\t\tr.FormatKEVCveSummary(),\n+\t\t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T11:02:08.227919Z"}, {"uuid": "3631c98a-cc3d-4d07-91dc-ce94e6a9692e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/57ae9af6e08c3da9be5c2d009fd02c78", "content": "diff --git a/README.md b/README.md\nindex 57102d1..4abdfdc 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,11 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities\n+\n+KEV reporting can be enabled with the `kevuln` database. A redacted, ready-to-use example is available at [examples/config-kev.toml.example](examples/config-kev.toml.example), and a synthetic scan result showing the `kevs` JSON field is available at [examples/kev-scan-result.json](examples/kev-scan-result.json).\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f2b2244 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"reflect\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -78,19 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevulnsToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevulnsToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +113,154 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func kevulnsToKEVs(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tkevType := models.KEVType(firstStringField(kevuln, \"Type\", \"Source\", \"KEVType\"))\n+\t\tif kevType == \"\" {\n+\t\t\tif hasField(kevuln, \"XDB\") || hasField(kevuln, \"XDBs\") || hasField(kevuln, \"ReportedExploitation\") {\n+\t\t\t\tkevType = models.VulnCheckKEVType\n+\t\t\t} else {\n+\t\t\t\tkevType = models.CISAKEVType\n+\t\t\t}\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType,\n+\t\t\tVendorProject:              stringField(kevuln, \"VendorProject\"),\n+\t\t\tProduct:                    stringField(kevuln, \"Product\"),\n+\t\t\tVulnerabilityName:          stringField(kevuln, \"VulnerabilityName\"),\n+\t\t\tShortDescription:           stringField(kevuln, \"ShortDescription\"),\n+\t\t\tRequiredAction:             stringField(kevuln, \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: stringField(kevuln, \"KnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  timeField(kevuln, \"DateAdded\"),\n+\t\t\tDueDate:                    timePtrField(kevuln, \"DueDate\"),\n+\t\t}\n+\n+\t\tswitch kevType {\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheckXDBs(kevuln),\n+\t\t\t\tReportedExploitation: vulnCheckReportedExploitations(kevuln),\n+\t\t\t}\n+\t\tdefault:\n+\t\t\tkev.CISA = &amp;models.CISAKEV{\n+\t\t\t\tNote: firstStringField(kevuln, \"Note\", \"Notes\"),\n+\t\t\t}\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func vulnCheckXDBs(v any) (xdbs []models.VulnCheckXDB) {\n+\tfor _, item := range sliceField(v, \"XDB\", \"XDBs\") {\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       firstStringField(item, \"XDBID\", \"ID\"),\n+\t\t\tXDBURL:      firstStringField(item, \"XDBURL\", \"URL\"),\n+\t\t\tDateAdded:   timeField(item, \"DateAdded\"),\n+\t\t\tExploitType: stringField(item, \"ExploitType\"),\n+\t\t\tCloneSSHURL: stringField(item, \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitations(v any) (reported []models.VulnCheckReportedExploitation) {\n+\tfor _, item := range sliceField(v, \"ReportedExploitation\", \"ReportedExploitations\") {\n+\t\treported = append(reported, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       stringField(item, \"URL\"),\n+\t\t\tDateAdded: timeField(item, \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn reported\n+}\n+\n+func sliceField(v any, names ...string) (values []any) {\n+\tfor _, name := range names {\n+\t\tf := reflectField(v, name)\n+\t\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\t\tcontinue\n+\t\t}\n+\t\tfor i := 0; i &lt; f.Len(); i++ {\n+\t\t\tvalues = append(values, f.Index(i).Interface())\n+\t\t}\n+\t\treturn values\n+\t}\n+\treturn nil\n+}\n+\n+func firstStringField(v any, names ...string) string {\n+\tfor _, name := range names {\n+\t\tif s := stringField(v, name); s != \"\" {\n+\t\t\treturn s\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func stringField(v any, name string) string {\n+\tf := reflectField(v, name)\n+\tif !f.IsValid() || f.Kind() != reflect.String {\n+\t\treturn \"\"\n+\t}\n+\treturn f.String()\n+}\n+\n+func timeField(v any, name string) time.Time {\n+\tf := reflectField(v, name)\n+\tif !f.IsValid() {\n+\t\treturn time.Time{}\n+\t}\n+\tif t, ok := f.Interface().(time.Time); ok {\n+\t\treturn t\n+\t}\n+\tif f.Kind() == reflect.Ptr &amp;&amp; !f.IsNil() {\n+\t\tif t, ok := f.Interface().(*time.Time); ok {\n+\t\t\treturn *t\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func timePtrField(v any, name string) *time.Time {\n+\tf := reflectField(v, name)\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif t, ok := f.Interface().(time.Time); ok &amp;&amp; !t.IsZero() {\n+\t\treturn &amp;t\n+\t}\n+\tif f.Kind() == reflect.Ptr &amp;&amp; !f.IsNil() {\n+\t\tif t, ok := f.Interface().(*time.Time); ok {\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func hasField(v any, name string) bool {\n+\treturn reflectField(v, name).IsValid()\n+}\n+\n+func reflectField(v any, name string) reflect.Value {\n+\trv := reflect.ValueOf(v)\n+\tif rv.Kind() == reflect.Ptr {\n+\t\tif rv.IsNil() {\n+\t\t\treturn reflect.Value{}\n+\t\t}\n+\t\trv = rv.Elem()\n+\t}\n+\tif rv.Kind() != reflect.Struct {\n+\t\treturn reflect.Value{}\n+\t}\n+\tf := rv.FieldByName(name)\n+\tif !f.IsValid() || !f.CanInterface() {\n+\t\treturn reflect.Value{}\n+\t}\n+\treturn f\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config-kev.toml.example b/examples/config-kev.toml.example\nnew file mode 100644\nindex 0000000..191df7a\n--- /dev/null\n+++ b/examples/config-kev.toml.example\n@@ -0,0 +1,37 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Do not paste production secrets into tracked configuration files.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls-scan\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/examples/kev-scan-result.json b/examples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..2df80ce\n--- /dev/null\n+++ b/examples/kev-scan-result.json\n@@ -0,0 +1,74 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV sample for documentation.\",\n+          \"requiredAction\": \"Apply updates according to vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV sample for documentation.\",\n+          \"requiredAction\": \"Review exploitation evidence and apply mitigations.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..9519116 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..f0f2436 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a Known Exploited Vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                          KEVType        `json:\"type\"`\n+\tVendorProject                 string         `json:\"vendorProject,omitempty\"`\n+\tProduct                       string         `json:\"product,omitempty\"`\n+\tVulnerabilityName             string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription              string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse    string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                     time.Time      `json:\"dateAdded\"`\n+\tDueDate                       *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                          *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                     *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +963,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..7683c56 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV[%s]\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..e0ebd8b 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", kev.Type, kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T11:02:08.269453Z"}, {"uuid": "be184255-1506-4586-85d6-1055b64da1a5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/df1e1e43dbf278208eea1c9669afe2fd", "content": "diff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..10cae55\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,46 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.168.0.1\"\n+port         = \"22\"\n+user         = \"example-user\"\n+keyPath      = \"/path/to/.ssh/id_rsa\"\n+# SSH passphrase must be redacted in examples\n+keyPassphrase = \"REDACTED\"\n+\n+[slack]\n+hookURL      = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+channel      = \"#vuls\"\n+authUser     = \"vuls\"\n+\n+[email]\n+smtpServer   = \"smtp.example.com\"\n+smtpPort     = \"587\"\n+user         = \"user@example.com\"\n+password     = \"REDACTED\"\n+from         = \"from@example.com\"\n+to           = [\"to@example.com\"]\n+\n+[chatWork]\n+apiToken     = \"REDACTED\"\n+roomID       = \"123456\"\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..5ee9915 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..56eb96c\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,81 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_Sort_KEV(t *testing.T) {\n+\ttype fields struct {\n+\t\tScannedCves VulnInfos\n+\t}\n+\ttests := []struct {\n+\t\tname     string\n+\t\tfields   fields\n+\t\texpected fields\n+\t}{\n+\t\t{\n+\t\t\tname: \"already asc KEV\",\n+\t\t\tfields: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t\t{\n+\t\t\tname: \"sort KEV\",\n+\t\t\tfields: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"c\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"c\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tr := &amp;ScanResult{\n+\t\t\t\tScannedCves: tt.fields.ScannedCves,\n+\t\t\t}\n+\t\t\tr.SortForJSONOutput()\n+\t\t\tif !reflect.DeepEqual(r.ScannedCves, tt.expected.ScannedCves) {\n+\t\t\t\tt.Errorf(\"act %+v, want %+v\", r.ScannedCves, tt.expected.ScannedCves)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..305d3dc 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -270,6 +270,7 @@ type VulnInfo struct {\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n \tLibraryFixedIns      LibraryFixedIns      `json:\"libraryFixedIns,omitempty\"`\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n@@ -910,6 +911,57 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType is a type of Known Exploited Vulnerability\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType :\n+\tCISAKEVType = KEVType(\"cisa\")\n+\t// VulnCheckKEVType :\n+\tVulnCheckKEVType = KEVType(\"vulncheck\")\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType\n+\tVendorProject              string\n+\tProduct                    string\n+\tVulnerabilityName          string\n+\tShortDescription           string\n+\tRequiredAction             string\n+\tKnownRansomwareCampaignUse string\n+\tDateAdded                  time.Time\n+\tDueDate                    *time.Time\n+\tCISA                       *CISAKEV\n+\tVulnCheck                  *VulnCheckKEV\n+}\n+\n+// CISAKEV :\n+type CISAKEV struct {\n+\tNote string\n+}\n+\n+// VulnCheckKEV :\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB\n+\tReportedExploitation []VulnCheckReportedExploitation\n+}\n+\n+// VulnCheckXDB :\n+type VulnCheckXDB struct {\n+\tXDBID       string\n+\tXDBURL      string\n+\tDateAdded   time.Time\n+\tExploitType string\n+\tCloneSSHURL string\n+}\n+\n+// VulnCheckReportedExploitation :\n+type VulnCheckReportedExploitation struct {\n+\tURL       string\n+\tDateAdded time.Time\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_scan_result_with_kev.json b/sample_scan_result_with_kev.json\nnew file mode 100644\nindex 0000000..c625a80\n--- /dev/null\n+++ b/sample_scan_result_with_kev.json\n@@ -0,0 +1,119 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"container\": {\n+    \"containerID\": \"\",\n+    \"name\": \"\",\n+    \"image\": \"\",\n+    \"type\": \"\",\n+    \"uuid\": \"\"\n+  },\n+  \"platform\": {\n+    \"name\": \"\",\n+    \"instanceID\": \"\"\n+  },\n+  \"scannedAt\": \"2023-01-01T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"1.0.0\",\n+  \"scannedRevision\": \"abcdef123456\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"ssh\",\n+  \"reportedAt\": \"2023-01-01T00:00:00Z\",\n+  \"reportedVersion\": \"1.0.0\",\n+  \"reportedRevision\": \"abcdef123456\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"UbuntuAPIMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"notFixedYet\": false,\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ],\n+      \"cveContents\": {\n+        \"nvd\": [\n+          {\n+            \"cvss3Score\": 9.8,\n+            \"cvss3Vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n+            \"cvss3Severity\": \"CRITICAL\"\n+          }\n+        ]\n+      },\n+      \"kevs\": [\n+        {\n+          \"Type\": \"cisa\",\n+          \"VendorProject\": \"Example Vendor\",\n+          \"Product\": \"Example Product\",\n+          \"VulnerabilityName\": \"Example Vulnerability Name\",\n+          \"ShortDescription\": \"A synthetic short description of a known exploited vulnerability.\",\n+          \"RequiredAction\": \"Apply updates.\",\n+          \"KnownRansomwareCampaignUse\": \"Unknown\",\n+          \"DateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"CISA\": {\n+            \"Note\": \"See CISA documentation for more details.\"\n+          }\n+        },\n+        {\n+          \"Type\": \"vulncheck\",\n+          \"VendorProject\": \"Example Vendor\",\n+          \"Product\": \"Example Product\",\n+          \"VulnerabilityName\": \"Example Vulnerability Name\",\n+          \"ShortDescription\": \"VulnCheck short description.\",\n+          \"RequiredAction\": \"Update immediately.\",\n+          \"DateAdded\": \"2023-01-02T00:00:00Z\",\n+          \"VulnCheck\": {\n+            \"XDB\": [\n+              {\n+                \"XDBID\": \"XDB-123\",\n+                \"XDBURL\": \"https://example.com/xdb/123\",\n+                \"DateAdded\": \"2023-01-02T00:00:00Z\",\n+                \"ExploitType\": \"RCE\",\n+                \"CloneSSHURL\": \"git@example.com:xdb/123.git\"\n+              }\n+            ],\n+            \"ReportedExploitation\": [\n+              {\n+                \"URL\": \"https://example.com/news/123\",\n+                \"DateAdded\": \"2023-01-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.15.0-generic\",\n+    \"version\": \"#1 SMP Wed Jan 1 00:00:00 UTC 2023\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.2.2\",\n+      \"release\": \"\",\n+      \"newVersion\": \"1.2.3\",\n+      \"newRelease\": \"\",\n+      \"arch\": \"amd64\",\n+      \"repository\": \"main\"\n+    }\n+  },\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\n", "creation_timestamp": "2026-07-03T11:02:08.795970Z"}, {"uuid": "b2b22cf7-6194-4f66-8807-e6472171d030", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/f145985a4b35b87128c866345bfe7acf", "content": "diff --git a/README.md b/README.md\nindex 57102d1..6c8f31b 100644\n--- a/README.md\n+++ b/README.md\n@@ -198,6 +198,18 @@ see [vulsdoc](https://vuls.io/docs/en/how-to-contribute.html)\n |  | Tines is no-code automation for security teams. Build powerful, reliable workflows without a development team. |\n |  | SAKURA internet Inc. is an Internet company founded in 1996. We provide cloud computing services such as \"Sakura's Shared Server\", \"Sakura's VPS\", and \"Sakura's Cloud\" to meet the needs of a wide range of customers, from individuals and corporations to the education and public sectors, using its own data centers in Japan. Based on the philosophy of \"changing what you want to do into what you can do,\" we offer DX solutions for all fields.  |\n \n+## Example Configuration\n+```toml\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+# Placeholder config, do not use real values here\n+```\n+\n ----\n \n ## License\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..35c0d58\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,8 @@\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+# Placeholder config, do not use real values here\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..0d372ed 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKevCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..560467c\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,56 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_Sort_KEV(t *testing.T) {\n+\ttype fields struct {\n+\t\tScannedCves VulnInfos\n+\t}\n+\ttests := []struct {\n+\t\tname     string\n+\t\tfields   fields\n+\t\texpected fields\n+\t}{\n+\t\t{\n+\t\t\tname: \"sort KEVs by Type then VulnerabilityName\",\n+\t\t\tfields: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"B\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"C\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"A\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"A\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"C\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"B\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tr := &amp;ScanResult{\n+\t\t\t\tScannedCves: tt.fields.ScannedCves,\n+\t\t\t}\n+\t\t\tr.SortForJSONOutput()\n+\n+\t\t\tif !reflect.DeepEqual(r.ScannedCves, tt.expected.ScannedCves) {\n+\t\t\t\tt.Errorf(\"act %+v, want %+v\", r.ScannedCves, tt.expected.ScannedCves)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..18dd791 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -256,6 +256,55 @@ type PackageFixStatus struct {\n \tFixedIn     string `json:\"fixedIn,omitempty\"`\n }\n \n+// KEVType string type for KEV\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType        `json:\"type\"`\n+\tVendorProject              string         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV  `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // VulnInfo has a vulnerability information and unsecure packages\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n@@ -268,6 +317,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +960,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa\"` // deprecated KEV path, kept for test compilation\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..703e9c8 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev.json b/sample_kev.json\nnew file mode 100644\nindex 0000000..91bc019\n--- /dev/null\n+++ b/sample_kev.json\n@@ -0,0 +1,40 @@\n+{\n+  \"serverName\": \"example-host\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic example KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"This is a placeholder.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic example VulnCheck KEV.\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://example.com/xdb/0001\",\n+                \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+                \"exploitType\": \"RCE\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n", "creation_timestamp": "2026-07-03T11:02:08.887676Z"}, {"uuid": "c0c79bc1-d798-484c-99bf-ed9606d2ab01", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/88135e96f59eabd8dd9d7c9793afed51", "content": "diff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..0636817\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,93 @@\n+# Vuls - VULnerability Scanner\n+# Example configuration file\n+# See https://vuls.io/docs/en/config.toml.html for full documentation\n+#\n+# Copy this file to config.toml and edit to match your environment.\n+# All values below are PLACEHOLDERS \u2014 replace them with your own settings.\n+\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[cveDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"\"\n+\n+[ovalDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"\"\n+\n+[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"\"\n+\n+[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"\"\n+\n+[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"\"\n+\n+# KEV (Known Exploited Vulnerabilities) database\n+# Enable this section to activate KEV reporting with the new first-class\n+# kevs field on each vulnerability. Supports CISA and VulnCheck sources.\n+[kevuln]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url = \"\"\n+\n+[cti]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url = \"\"\n+\n+# https://vuls.io/docs/en/config.toml.html#slack-section\n+#[slack]\n+#hookURL      = \"https://hooks.slack.com/services/REPLACE/WITH/YOUR_WEBHOOK\"\n+#channel      = \"#your-channel\"\n+#iconEmoji    = \":ghost:\"\n+#authUser     = \"your-username\"\n+#notifyUsers  = [\"@your-username\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#email-section\n+#[email]\n+#smtpAddr              = \"smtp.example.com\"\n+#smtpPort              = \"587\"\n+#tlsMode               = \"STARTTLS\"\n+#tlsInsecureSkipVerify = false\n+#user                  = \"your-username\"\n+#password              = \"REPLACE_WITH_YOUR_PASSWORD\"\n+#from                  = \"vuls@example.com\"\n+#to                    = [\"recipient@example.com\"]\n+#cc                    = [\"cc@example.com\"]\n+#subjectPrefix         = \"[vuls]\"\n+\n+# https://vuls.io/docs/en/config.toml.html#chatwork-section\n+#[chatwork]\n+#room     = \"your-room-id\"\n+#apiToken = \"REPLACE_WITH_YOUR_API_TOKEN\"\n+\n+# https://vuls.io/docs/en/config.toml.html#telegram-section\n+#[telegram]\n+#chatID = \"your-chat-id\"\n+#token  = \"REPLACE_WITH_YOUR_TOKEN\"\n+\n+# https://vuls.io/docs/en/config.toml.html#default-section\n+[default]\n+#port     = \"22\"\n+#user     = \"your-scan-user\"\n+#keyPath  = \"/home/your-user/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#servers-section\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+#port = \"22\"\n+#user = \"your-scan-user\"\n+#keyPath = \"/home/your-user/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..e61277e 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = convertToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -243,3 +229,25 @@ func newKEVulnDB(cnf config.VulnDictInterface) (kevulndb.DB, error) {\n \t}\n \treturn driver, nil\n }\n+\n+func convertToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tDueDate:                    &amp;k.DueDate,\n+\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\tNote: k.Notes,\n+\t\t\t},\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..a825df3 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kev_scan_result.json b/models/testdata/sample_kev_scan_result.json\nnew file mode 100644\nindex 0000000..bda0486\n--- /dev/null\n+++ b/models/testdata/sample_kev_scan_result.json\n@@ -0,0 +1,79 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"reportedAt\": \"2026-07-01T00:01:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vendor Example Product Buffer Overflow Vulnerability\",\n+          \"shortDescription\": \"Example Product contains a buffer overflow vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vendor Example Product Buffer Overflow Vulnerability\",\n+          \"shortDescription\": \"Example Product contains a buffer overflow vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"00000000-0000-0000-0000-000000000001\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/example-000001\",\n+                \"dateAdded\": \"2026-01-11T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/example-000001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploitation-report-1\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"2.0.0-1\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.0.0-1\",\n+      \"release\": \"\",\n+      \"newVersion\": \"2.0.0-1\"\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..5d28a1b 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,6 +911,58 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of Known Exploited Vulnerability data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the KEV type for CISA\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the KEV type for VulnCheck\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType    `json:\"type\"`\n+\tVendorProject              string     `json:\"vendorProject\"`\n+\tProduct                    string     `json:\"product\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName\"`\n+\tShortDescription           string     `json:\"shortDescription\"`\n+\tRequiredAction             string     `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV   `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database entry information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -925,9 +978,6 @@ func (a AlertDict) IsEmpty() bool {\n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..6d88910 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV (Known Exploited Vulnerabilities)\",\n+\t\t\t\t\"======================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T11:56:22.776130Z"}, {"uuid": "f10283c9-5954-481a-a111-f13385fdd37e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/f45240060c9849a0d4402335b63d2880", "content": "diff --git a/README.md b/README.md\nindex 57102d1..2eb4e62 100644\n--- a/README.md\n+++ b/README.md\n@@ -179,6 +179,10 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Configuration\n+\n+A ready-to-use example configuration demonstrating KEV reporting (among other standard features) is available at [config.toml.example](config.toml.example). You can use this as a starting point for your own configuration.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..1e039c9\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,40 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+[servers.example-host]\n+host = \"192.168.0.x\"\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+# passPhrase = \"REDACTED\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/REDACTED\"\n+channel = \"#vuls-alerts\"\n+authUser = \"vuls\"\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"vuls@example.com\"\n+# password = \"REDACTED\"\n+from = \"vuls@example.com\"\n+to = [\"security-team@example.com\"]\n+\n+[chatWork]\n+apiToken = \"REDACTED\"\n+roomId = \"REDACTED\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..e441bc5 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,19 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tnKEV++\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\t// CISA alerts are no longer populated here\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,17 +102,10 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tnKEV++\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..d6ed380 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,9 +205,21 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatUpdatablePkgsSummary returns a summary of updatable packages\n func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \tmode := r.Config.Scan.Servers[r.ServerName].Mode\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..f2e7595 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..361e086 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n@@ -1089,3 +1086,46 @@ var (\n \t// FortinetVendorProductMatch is a ranking how confident the CVE-ID was detected correctly\n \tFortinetVendorProductMatch = Confidence{10, FortinetVendorProductMatchStr, 9}\n )\n+\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/testdata/docs/sample-scan-result.json b/testdata/docs/sample-scan-result.json\nnew file mode 100644\nindex 0000000..24b00fa\n--- /dev/null\n+++ b/testdata/docs/sample-scan-result.json\n@@ -0,0 +1,50 @@\n+{\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability Name\",\n+          \"shortDescription\": \"A synthetic example description.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability Name\",\n+          \"shortDescription\": \"A synthetic example description.\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"XDB-123\",\n+                \"xdbUrl\": \"https://example.com/xdb/123\",\n+                \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+                \"exploitType\": \"local\",\n+                \"cloneSshUrl\": \"git@github.com:example/repo.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/456\",\n+                \"dateAdded\": \"2023-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..a7e412b 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,17 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n+\t\t\t\t\"KEVs\",\n \t\t\t\t\"===========\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tif kev.CISA != nil {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s - %s] %s (CISA)\", kev.VendorProject, kev.Product, kev.ShortDescription))\n+\t\t\t\t} else if kev.VulnCheck != nil {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s - %s] %s (VulnCheck)\", kev.VendorProject, kev.Product, kev.VulnerabilityName))\n+\t\t\t\t}\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T11:56:22.817017Z"}, {"uuid": "a67781c1-ec68-48ce-ab6d-f8b207a1f9e5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/f56534a66ac682c1f84fc247e9749b6b", "content": "diff --git a/README.md b/README.md\nindex 57102d1..9589863 100644\n--- a/README.md\n+++ b/README.md\n@@ -179,6 +179,8 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+An example configuration demonstrating the newly added CISA/VulnCheck KEV (Known Exploited Vulnerabilities) integration can be found in `config.toml.example`.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..7bd9ef0\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,22 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+[servers.example-host]\n+host         = \"192.168.0.1\"\n+port         = \"22\"\n+user         = \"scans\"\n+keyPath      = \"/path/to/key\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..1e8df75 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,8 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,17 +98,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tnKEV++\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ed650af 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -240,6 +241,17 @@ func (r ScanResult) FormatExploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d poc\", nExploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVs)\n+}\n+\n // FormatMetasploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatMetasploitCveSummary() string {\n \tnMetasploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,13 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\t\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..6946de3 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -381,6 +382,49 @@ const (\n \tDiffMinus = DiffStatus(\"-\")\n )\n \n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+type KEV struct {\n+\tType                       KEVType      `json:\"type,omitempty\"`\n+\tVendorProject              string       `json:\"vendorProject,omitempty\"`\n+\tProduct                    string       `json:\"product,omitempty\"`\n+\tVulnerabilityName          string       `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string       `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string       `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string       `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time    `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time   `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV     `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // CveIDDiffFormat format CVE-ID for diff mode\n func (v VulnInfo) CveIDDiffFormat() string {\n \tif v.DiffStatus != \"\" {\n@@ -919,15 +963,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..77f20b4 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,8 +565,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, alert := range vuln.AlertDict.JPCERT {\n+\t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..632fdff\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,70 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2026-07-03T12:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic example of a known exploited vulnerability.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Another synthetic example.\",\n+          \"requiredAction\": \"Patch immediately.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"12345\",\n+                \"xdburl\": \"https://example.com/xdb/12345\",\n+                \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+                \"exploitType\": \"Remote Code Execution\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/12345.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2026-01-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-pkg\": {\n+      \"name\": \"example-pkg\",\n+      \"version\": \"1.0.0\",\n+      \"release\": \"1\"\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T11:56:22.859002Z"}, {"uuid": "59447a23-b836-4211-baf1-fe2cc456fc5b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/190d7a736a97a8fb6472018ca9b1c043", "content": "diff --git a/README.md b/README.md\nindex 57102d1..52d4069 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - VulnCheck KEV data, when available from the configured go-kev database\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -179,6 +180,11 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Examples\n+\n+- `config.toml.example` is a synthetic ready-to-use baseline that enables KEV lookups through the `[kevuln]` database section. Replace the placeholder host, SSH user, and database paths with local values before running Vuls.\n+- `docs/samples/kev-scan-result.json` shows the first-class `scannedCves[].kevs` JSON shape with CISA and VulnCheck entries. It uses dummy infrastructure and CVE values only.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..0a5ec47\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,42 @@\n+# Synthetic example configuration. Do not put live credentials in this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls-scan\"\n+keyPath = \"/home/vuls-scan/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\", \"port\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example host\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f817efe 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,20 +79,16 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\tif !ok {\n+\t\t\t\tcontinue\n \t\t\t}\n+\t\t\tv.KEVs = append(v.KEVs, convertCISAKEVs(kevulns)...)\n+\t\t\tnKEV++\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n@@ -108,16 +104,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertCISAKEVs(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +114,30 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertCISAKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tvar dueDate *time.Time\n+\t\tif !kevuln.DueDate.IsZero() {\n+\t\t\tdueDate = &amp;kevuln.DueDate\n+\t\t}\n+\n+\t\tkevs = append(kevs, models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              kevuln.VendorProject,\n+\t\t\tProduct:                    kevuln.Product,\n+\t\t\tVulnerabilityName:          kevuln.VulnerabilityName,\n+\t\t\tShortDescription:           kevuln.ShortDescription,\n+\t\t\tRequiredAction:             kevuln.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: kevuln.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  kevuln.DateAdded,\n+\t\t\tDueDate:                    dueDate,\n+\t\t\tCISA:                       &amp;models.CISAKEV{Note: kevuln.Notes},\n+\t\t})\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/samples/kev-scan-result.json b/docs/samples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..26c8b47\n--- /dev/null\n+++ b/docs/samples/kev-scan-result.json\n@@ -0,0 +1,78 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example-user\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"example-user\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry showing the first-class kevs field.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-15T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry showing source-specific details.\",\n+          \"requiredAction\": \"Review exploit intelligence and remediate.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.0.1\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..11f6cbd 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..a072605\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,57 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\"CVE-0000-0002\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\"CVE-0000-0003\": {},\n+\t}}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Errorf(\"FormatKEVCveSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {\n+\t\t\tKEVs: []KEV{\n+\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"Beta\"},\n+\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"Zulu\"},\n+\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"Alpha\"},\n+\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"Alpha\"},\n+\t\t\t},\n+\t\t},\n+\t}}\n+\n+\tr.SortForJSONOutput()\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"Alpha\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"Zulu\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"Alpha\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"Beta\"},\n+\t}\n+\n+\tif len(got) != len(want) {\n+\t\tt.Fatalf(\"len(KEVs) = %d, want %d\", len(got), len(want))\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Errorf(\"KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\n+\n+func TestAlertDictIgnoresDeprecatedCISA(t *testing.T) {\n+\ta := AlertDict{CISA: []Alert{{Title: \"Known Exploited Vulnerabilities Catalog\"}}}\n+\n+\tif !a.IsEmpty() {\n+\t\tt.Error(\"IsEmpty() = false, want true for deprecated CISA-only alerts\")\n+\t}\n+\tif got := a.FormatSource(); got != \"\" {\n+\t\tt.Errorf(\"FormatSource() = %q, want empty string for deprecated CISA-only alerts\", got)\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..fe3bffd 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies the source of known exploited vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +963,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"` // Deprecated: KEV data is stored in VulnInfo.KEVs.\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T11:56:22.982793Z"}, {"uuid": "cbca7865-8e31-49ac-bc9b-0ad05f63bb86", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/484a9dcca9b91f1bd72b8993542c7531", "content": "diff --git a/README.md b/README.md\nindex 57102d1..6f8d5a7 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- Known Exploited Vulnerabilities\n+  - Configure `[kevuln]` to report KEV data as first-class `kevs` entries on each vulnerability. See [`config.toml.example`](config.toml.example) for a redacted SQLite setup and [`sample-kev-scan-result.json`](sample-kev-scan-result.json) for the JSON output shape.\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..1e75763\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,42 @@\n+# Synthetic Vuls configuration showing KEV reporting.\n+# Replace every placeholder before use. Do not paste production secrets here.\n+\n+resultsDir = \"/var/lib/vuls/results\"\n+lang = \"en\"\n+\n+[default]\n+user = \"vuls-scan\"\n+port = \"22\"\n+keyPath = \"/home/vuls-scan/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cve-dictionary.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/goval-dictionary.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..2e3e19e 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,19 +80,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv.KEVs = toKEVs(res.request.cveID, kevulns)\n+\t\t\t\tif len(v.KEVs) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = toKEVs(cveID, kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,144 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func toKEVs(cveID string, kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\t\tm := map[string]any{}\n+\t\tif err := json.Unmarshal(b, &amp;m); err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tkevType := models.CISAKEVType\n+\t\tif source := strings.ToLower(stringValue(m, \"type\", \"Type\", \"source\", \"Source\")); strings.Contains(source, \"vulncheck\") {\n+\t\t\tkevType = models.VulnCheckKEVType\n+\t\t}\n+\t\tif _, ok := value(m, \"vulncheck\", \"VulnCheck\", \"xdb\", \"XDB\", \"reportedExploitation\", \"ReportedExploitation\", \"reported_exploitation\"); ok {\n+\t\t\tkevType = models.VulnCheckKEVType\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                           kevType,\n+\t\t\tVendorProject:                  stringValue(m, \"vendorProject\", \"VendorProject\", \"vendor_project\"),\n+\t\t\tProduct:                        stringValue(m, \"product\", \"Product\"),\n+\t\t\tVulnerabilityName:              stringValue(m, \"vulnerabilityName\", \"VulnerabilityName\", \"vulnerability_name\", \"name\", \"Name\", \"cveID\", \"CveID\", \"cve_id\", \"CVEID\"),\n+\t\t\tShortDescription:               stringValue(m, \"shortDescription\", \"ShortDescription\", \"short_description\", \"description\", \"Description\"),\n+\t\t\tRequiredAction:                 stringValue(m, \"requiredAction\", \"RequiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse:     stringValue(m, \"knownRansomwareCampaignUse\", \"KnownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                      timeValue(m, \"dateAdded\", \"DateAdded\", \"date_added\"),\n+\t\t\tDueDate:                        timePtrValue(m, \"dueDate\", \"DueDate\", \"due_date\"),\n+\t\t}\n+\t\tif kev.VulnerabilityName == \"\" {\n+\t\t\tkev.VulnerabilityName = cveID\n+\t\t}\n+\n+\t\tswitch kev.Type {\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheckXDBs(m),\n+\t\t\t\tReportedExploitation: vulnCheckReportedExploitations(m),\n+\t\t\t}\n+\t\tdefault:\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: stringValue(m, \"note\", \"Note\", \"notes\", \"Notes\")}\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func value(m map[string]any, keys ...string) (any, bool) {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\treturn v, true\n+\t\t}\n+\t}\n+\treturn nil, false\n+}\n+\n+func stringValue(m map[string]any, keys ...string) string {\n+\tv, ok := value(m, keys...)\n+\tif !ok || v == nil {\n+\t\treturn \"\"\n+\t}\n+\ts, ok := v.(string)\n+\tif !ok {\n+\t\treturn \"\"\n+\t}\n+\treturn s\n+}\n+\n+func timeValue(m map[string]any, keys ...string) time.Time {\n+\ts := stringValue(m, keys...)\n+\tif s == \"\" {\n+\t\treturn time.Time{}\n+\t}\n+\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func timePtrValue(m map[string]any, keys ...string) *time.Time {\n+\tt := timeValue(m, keys...)\n+\tif t.IsZero() {\n+\t\treturn nil\n+\t}\n+\treturn &amp;t\n+}\n+\n+func vulnCheckXDBs(m map[string]any) (xdbs []models.VulnCheckXDB) {\n+\tv, ok := value(m, \"xdb\", \"XDB\")\n+\tif !ok {\n+\t\treturn nil\n+\t}\n+\titems, ok := v.([]any)\n+\tif !ok {\n+\t\treturn nil\n+\t}\n+\tfor _, item := range items {\n+\t\txdb, ok := item.(map[string]any)\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       stringValue(xdb, \"xdbID\", \"XDBID\", \"xdb_id\"),\n+\t\t\tXDBURL:      stringValue(xdb, \"xdbURL\", \"XDBURL\", \"xdb_url\"),\n+\t\t\tDateAdded:   timeValue(xdb, \"dateAdded\", \"DateAdded\", \"date_added\"),\n+\t\t\tExploitType: stringValue(xdb, \"exploitType\", \"ExploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: stringValue(xdb, \"cloneSSHURL\", \"CloneSSHURL\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitations(m map[string]any) (reported []models.VulnCheckReportedExploitation) {\n+\tv, ok := value(m, \"reportedExploitation\", \"ReportedExploitation\", \"reported_exploitation\")\n+\tif !ok {\n+\t\treturn nil\n+\t}\n+\titems, ok := v.([]any)\n+\tif !ok {\n+\t\treturn nil\n+\t}\n+\tfor _, item := range items {\n+\t\texploitation, ok := item.(map[string]any)\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\treported = append(reported, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       stringValue(exploitation, \"url\", \"URL\"),\n+\t\t\tDateAdded: timeValue(exploitation, \"dateAdded\", \"DateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn reported\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ac3f157 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..568cfe7 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies the Known Exploited Vulnerabilities data source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType identifies CISA KEV catalog entries.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType identifies VulnCheck KEV entries.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information.\n+type KEV struct {\n+\tType                           KEVType        `json:\"type,omitempty\"`\n+\tVendorProject                  string         `json:\"vendorProject,omitempty\"`\n+\tProduct                        string         `json:\"product,omitempty\"`\n+\tVulnerabilityName              string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription               string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                 string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse     string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                      time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                        *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                           *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                      *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,22 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\t// Deprecated: CISA KEV data is reported through VulnInfo.KEVs.\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev-scan-result.json b/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..66b7dd0\n--- /dev/null\n+++ b/sample-kev-scan-result.json\n@@ -0,0 +1,55 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry for documentation only.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Placeholder CISA KEV details.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry for documentation only.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:placeholder/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T11:56:23.137580Z"}, {"uuid": "1a94859a-5e66-4d79-8c29-d5dcd4ec4f9c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/b75fdb5a46217507f18d02cb97cefad8", "content": "diff --git a/README.md b/README.md\nindex 57102d1..79af520 100644\n--- a/README.md\n+++ b/README.md\n@@ -163,6 +163,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - An example configuration is available at [`config.toml.example`](config.toml.example)\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..8953e57\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,83 @@\n+# Vuls - Vulnerability Scanner\n+# Example configuration file\n+# Copy this file to config.toml and edit to match your environment.\n+# See https://vuls.io/docs/ for full documentation.\n+\n+version = \"v2\"\n+\n+# ----- Default settings inherited by all servers -----\n+[default]\n+port = \"22\"\n+user = \"vuls-user\"\n+keyPath = \"/home/vuls-user/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\n+scanModules = [\"ospkg\"]\n+\n+# ----- Vulnerability dictionary data sources -----\n+\n+# NVD / JVN CVE dictionary (go-cve-dictionary)\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+# OVAL definitions (goval-dictionary)\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+# Security tracker / RHSA / MS-KBs (gost)\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+# Exploit PoC database (go-exploitdb)\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+# Metasploit module database (go-msfdb)\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# CISA Known Exploited Vulnerabilities (go-kev)\n+# Enables first-class KEV reporting on scanned CVEs.\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+# Cyber Threat Intelligence (go-cti)\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# ----- Notification / reporting targets -----\n+\n+# [slack]\n+# hookURL = \"https://hooks.slack.com/services/YOUR/WEBHOOK/URL\"\n+# channel = \"#vuls-alerts\"\n+# authUser = \"vuls\"\n+# notifyUsers = [\"@admin\"]\n+\n+# [email]\n+# smtpAddr = \"smtp.example.com\"\n+# smtpPort = \"587\"\n+# tlsMode = \"STARTTLS\"\n+# user = \"notification@example.com\"\n+# password = \"REPLACE_ME\"\n+# from = \"vuls@example.com\"\n+# to = [\"admin@example.com\"]\n+# subjectPrefix = \"[Vuls]\"\n+\n+# ----- Target servers -----\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\", \"lockfile\"]\n+# cpeNames = [\"cpe:/a:example:product\"]\n+# ignoreCves = [\"CVE-0000-0000\"]\n+# lockfiles = [\"/app/package-lock.json\"]\ndiff --git a/contrib/sample_kevs_scan_result.json b/contrib/sample_kevs_scan_result.json\nnew file mode 100644\nindex 0000000..8fa2dce\n--- /dev/null\n+++ b/contrib/sample_kevs_scan_result.json\n@@ -0,0 +1,60 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/CVE-0000-0000\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"PLACEHOLDER-XDB-001\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/PLACEHOLDER-XDB-001\",\n+                \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/placeholder.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/exploitation-of-CVE-0000-0000\",\n+                \"dateAdded\": \"2024-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..b4c943a 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..07feb09 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,6 +911,58 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n", "creation_timestamp": "2026-07-03T11:56:23.174473Z"}, {"uuid": "5f013841-e83e-42c8-b3bc-e044d644eb54", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/608a53c578f797641dd83c9e000c5ac7", "content": "diff --git a/README.md b/README.md\nindex 57102d1..037c91c 100644\n--- a/README.md\n+++ b/README.md\n@@ -156,6 +156,12 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+## Configuration Example\n+\n+An example configuration file is provided in the repository. You can use it as a starting point, especially if you want to enable KEV (Known Exploited Vulnerabilities) reporting.\n+\n+See [`config.toml.example`](config.toml.example) for a ready-to-use template with placeholder values.\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..f6d609b\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,46 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/EXAMPLE/WEBHOOK/URL\"\n+channel = \"#example-channel\"\n+authUser = \"Example User\"\n+\n+[chatwork]\n+apiToken = \"example-chatwork-api-token\"\n+room = 123456\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"user@example.com\"\n+password = \"example-smtp-password\"\n+from = \"vuls@example.com\"\n+to = [\"admin@example.com\"]\n+\n+[servers.example-host]\n+host = \"192.168.0.100\"\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/path/to/example.key\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..158b026 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,19 +79,11 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tif len(kevulns) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,17 +100,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tnKEV++\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..d6db2f4 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -240,6 +241,17 @@ func (r ScanResult) FormatExploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d poc\", nExploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKevs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevs)\n+}\n+\n // FormatMetasploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatMetasploitCveSummary() string {\n \tnMetasploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..5dd8818 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,70 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the type of KEV source\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV holds Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType        `json:\"type\"`\n+\tVendorProject              string         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV holds CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV holds VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB holds VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation holds VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"` // Deprecated: use KEVs instead\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/print_kev.go b/print_kev.go\nnew file mode 100644\nindex 0000000..a04fe8c\n--- /dev/null\n+++ b/print_kev.go\n@@ -0,0 +1,16 @@\n+package main\n+\n+import (\n+\t\"fmt\"\n+\t\"reflect\"\n+\tkevulnmodels \"github.com/vulsio/go-kev/models\"\n+)\n+\n+func main() {\n+\tvar k kevulnmodels.KEVuln\n+\tt := reflect.TypeOf(k)\n+\tfor i := 0; i &lt; t.NumField(); i++ {\n+\t\tfield := t.Field(i)\n+\t\tfmt.Printf(\"%s %s\\n\", field.Name, field.Type)\n+\t}\n+}\n\\ No newline at end of file\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..44f4fec 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{\"KEV\", fmt.Sprintf(\"[%s] %s\", kev.Type, kev.VulnerabilityName)})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample_kev_scan_result.json b/sample_kev_scan_result.json\nnew file mode 100644\nindex 0000000..da3aa5e\n--- /dev/null\n+++ b/sample_kev_scan_result.json\n@@ -0,0 +1,49 @@\n+{\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A documentation example vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example CISA note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"12345\",\n+                \"xdbUrl\": \"https://example.com/xdb/12345\",\n+                \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+                \"exploitType\": \"local\",\n+                \"cloneSshUrl\": \"git@example.com:exploit/12345.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/news/12345\",\n+                \"dateAdded\": \"2023-01-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..f9f3903 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s\", kev.Type, kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T13:58:59.548245Z"}, {"uuid": "77121693-9d2a-479a-a385-b675617d9dbe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/da18a0bee32e73af645c07de0f2a81d9", "content": "diff --git a/README.md b/README.md\nindex 57102d1..7002259 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- CISA / VulnCheck KEV (Known Exploited Vulnerabilities)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -168,6 +169,10 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Configuration\n+\n+An example configuration file is available at [`config.toml.example`](config.toml.example). Copy it to `config.toml` and edit to match your environment. To enable KEV (Known Exploited Vulnerabilities) reporting, configure the `[kevuln]` section to point to a populated [go-kev](https://github.com/vulsio/go-kev) database.\n+\n ## What Vuls Doesn't Do\n \n - Vuls doesn't update the vulnerable packages.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..44cba28\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,110 @@\n+# Vuls - Example Configuration File\n+#\n+# Copy this file to config.toml and edit to match your environment.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+#\n+# WARNING: Replace all placeholder values with your actual settings.\n+# Do NOT commit config.toml with real credentials to version control.\n+\n+# ----- Global Settings -----\n+\n+#httpProxy = \"http://proxy.example.com:8080\"\n+#resultsDir = \"/path/to/results\"\n+\n+# ----- Default Server Settings -----\n+# These settings are inherited by all [servers.*] sections unless overridden.\n+\n+[default]\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+#keyPassword = \"REPLACE_WITH_SSH_KEY_PASSPHRASE\"\n+\n+# ----- Scan Target Servers -----\n+\n+[servers]\n+\n+[servers.web-server-01]\n+host = \"192.0.2.1\"\n+#port = \"22\"\n+#user = \"scan-user\"\n+#scanMode = [\"fast\"]\n+\n+[servers.db-server-01]\n+host = \"192.0.2.2\"\n+#cpeNames = [\"cpe:/a:example:product:1.0\"]\n+#ignoreCves = [\"CVE-0000-0000\"]\n+\n+# ----- Container Scanning -----\n+# Uncomment to scan containers on a host.\n+#[servers.web-server-01.containers]\n+#includes = [\"container-name\"]\n+#excludes = []\n+\n+# ----- Vulnerability Dictionary Databases -----\n+# Configure connections to vulnerability data sources.\n+# Supported types: \"sqlite3\", \"mysql\", \"postgres\", \"redis\", \"http\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# ----- KEV (Known Exploited Vulnerabilities) -----\n+# Enable CISA/VulnCheck KEV detection by pointing to the go-kev database.\n+# Download and populate with: go-kev fetch --dbpath /path/to/go-kev.sqlite3\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# ----- Notification: Slack -----\n+# Uncomment and configure to send reports to Slack.\n+\n+#[slack]\n+#hookURL = \"https://hooks.slack.com/services/REPLACE/WITH/WEBHOOK_TOKEN\"\n+#channel = \"#vuls-notifications\"\n+#authUser = \"vuls\"\n+\n+# ----- Notification: Email -----\n+# Uncomment and configure to send reports by email.\n+\n+#[email]\n+#smtpAddr = \"smtp.example.com\"\n+#smtpPort = \"587\"\n+#user = \"vuls@example.com\"\n+#password = \"REPLACE_WITH_SMTP_PASSWORD\"\n+#from = \"vuls@example.com\"\n+#to = [\"admin@example.com\"]\n+\n+# ----- Notification: ChatWork -----\n+# Uncomment and configure to send reports to ChatWork.\n+\n+#[chatWork]\n+#apiToken = \"REPLACE_WITH_CHATWORK_API_TOKEN\"\n+#room = \"123456\"\n+\n+# ----- Notification: HTTP Webhook -----\n+# Uncomment and configure to POST reports to an HTTP endpoint.\n+\n+#[http]\n+#url = \"https://endpoint.example.com/vuls\"\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..a825df3 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kevs.json b/models/testdata/sample_kevs.json\nnew file mode 100644\nindex 0000000..6b1d2fc\n--- /dev/null\n+++ b/models/testdata/sample_kevs.json\n@@ -0,0 +1,86 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"centos\",\n+  \"release\": \"8\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2023-01-15T00:00:00Z\",\n+          \"dueDate\": \"2023-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/2023-001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2023-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"a1b2c3d4\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/a1b2c3d4\",\n+                \"dateAdded\": \"2023-01-10T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/CVE-0000-0001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-report/2023-001\",\n+                \"dateAdded\": \"2023-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-lib\",\n+          \"notFixedYet\": false,\n+          \"fixedIn\": \"2.0.1-1.el8\"\n+        }\n+      ]\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-03-01T00:00:00Z\",\n+          \"dueDate\": \"2023-03-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"another-pkg\",\n+          \"notFixedYet\": true\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..d880885 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,7 +911,59 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of a KEV entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..72499b0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n", "creation_timestamp": "2026-07-03T13:03:17.249664Z"}, {"uuid": "d81ba637-7322-41a4-8f22-aec4a1ea92b7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/d8794c44f94cc6c78cd7afd249df8a0f", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..cfcb9f8 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,21 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data\n+\n+### KEV Reporting\n+\n+Known Exploited Vulnerability data is reported on each vulnerability under the `kevs` JSON field. Configure the KEV database with the `[kevuln]` section; see `config.toml.example` for a redacted, ready-to-use starting point with placeholder paths and hosts.\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+```\n+\n+See `sample-kev-scan-result.json` for a synthetic scan result showing both CISA and VulnCheck KEV entries. The sample intentionally uses documentation-only placeholder values.\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..0f448cc\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,40 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Replace all placeholder values before use. Do not put production secrets in\n+# files committed to source control.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls-scan\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..826fb88 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -5,7 +5,9 @@ package detector\n \n import (\n \t\"encoding/json\"\n+\t\"fmt\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -78,20 +80,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := toKEVs(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv.KEVs = kevs\n+\t\t\t\tif len(kevs) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +107,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := toKEVs(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +122,147 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func toKEVs(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tb, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to marshal KEVuln. err: %w\", err)\n+\t}\n+\n+\tvar raws []map[string]interface{}\n+\tif err := json.Unmarshal(b, &amp;raws); err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to unmarshal KEVuln. err: %w\", err)\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType(raw),\n+\t\t\tVendorProject:              firstString(raw, \"vendorProject\", \"vendor_project\", \"vendor\"),\n+\t\t\tProduct:                    firstString(raw, \"product\"),\n+\t\t\tVulnerabilityName:          firstString(raw, \"vulnerabilityName\", \"vulnerability_name\", \"name\"),\n+\t\t\tShortDescription:           firstString(raw, \"shortDescription\", \"short_description\", \"description\"),\n+\t\t\tRequiredAction:             firstString(raw, \"requiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse: firstString(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                  firstTime(raw, \"dateAdded\", \"date_added\"),\n+\t\t}\n+\t\tif dueDate := firstTime(raw, \"dueDate\", \"due_date\"); !dueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\n+\t\tif cisaRaw := firstMap(raw, \"cisa\", \"CISA\"); cisaRaw != nil {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: firstString(cisaRaw, \"note\")}\n+\t\t} else if kev.Type == models.CISAKEVType || kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: firstString(raw, \"note\")}\n+\t\t}\n+\n+\t\tif vulnCheckRaw := firstMap(raw, \"vulncheck\", \"vulnCheck\", \"VulnCheck\"); vulnCheckRaw != nil {\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheckXDBs(vulnCheckRaw),\n+\t\t\t\tReportedExploitation: vulnCheckReportedExploitations(vulnCheckRaw),\n+\t\t\t}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func kevType(raw map[string]interface{}) models.KEVType {\n+\tsource := strings.ToLower(firstString(raw, \"type\", \"kevType\", \"kev_type\", \"source\"))\n+\tswitch source {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\tcase string(models.CISAKEVType), \"\":\n+\t\treturn models.CISAKEVType\n+\tdefault:\n+\t\treturn models.KEVType(source)\n+\t}\n+}\n+\n+func vulnCheckXDBs(raw map[string]interface{}) []models.VulnCheckXDB {\n+\txdbs := []models.VulnCheckXDB{}\n+\tfor _, rawXDB := range firstMaps(raw, \"xdb\", \"XDB\") {\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       firstString(rawXDB, \"xdbID\", \"xdb_id\", \"id\"),\n+\t\t\tXDBURL:      firstString(rawXDB, \"xdbURL\", \"xdb_url\", \"url\"),\n+\t\t\tDateAdded:   firstTime(rawXDB, \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: firstString(rawXDB, \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: firstString(rawXDB, \"cloneSSHURL\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitations(raw map[string]interface{}) []models.VulnCheckReportedExploitation {\n+\texploitations := []models.VulnCheckReportedExploitation{}\n+\tfor _, exploitation := range firstMaps(raw, \"reportedExploitation\", \"reported_exploitation\", \"reportedExploitations\", \"reported_exploitations\") {\n+\t\texploitations = append(exploitations, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       firstString(exploitation, \"url\"),\n+\t\t\tDateAdded: firstTime(exploitation, \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn exploitations\n+}\n+\n+func firstString(raw map[string]interface{}, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif v, ok := raw[key]; ok {\n+\t\t\tswitch t := v.(type) {\n+\t\t\tcase string:\n+\t\t\t\treturn t\n+\t\t\tcase fmt.Stringer:\n+\t\t\t\treturn t.String()\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func firstTime(raw map[string]interface{}, keys ...string) time.Time {\n+\tfor _, key := range keys {\n+\t\tv, ok := raw[key]\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\ts, ok := v.(string)\n+\t\tif !ok || s == \"\" {\n+\t\t\tcontinue\n+\t\t}\n+\t\tfor _, layout := range []string{time.RFC3339Nano, time.RFC3339, \"2006-01-02\"} {\n+\t\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\t\treturn t\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func firstMap(raw map[string]interface{}, keys ...string) map[string]interface{} {\n+\tfor _, key := range keys {\n+\t\tif v, ok := raw[key].(map[string]interface{}); ok {\n+\t\t\treturn v\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func firstMaps(raw map[string]interface{}, keys ...string) []map[string]interface{} {\n+\tfor _, key := range keys {\n+\t\tvs, ok := raw[key].([]interface{})\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\tmaps := make([]map[string]interface{}, 0, len(vs))\n+\t\tfor _, v := range vs {\n+\t\t\tif m, ok := v.(map[string]interface{}); ok {\n+\t\t\t\tmaps = append(maps, m)\n+\t\t\t}\n+\t\t}\n+\t\treturn maps\n+\t}\n+\treturn nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..37772bf 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..ad60165\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,47 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {},\n+\t\t\t\"CVE-0000-0003\": {KEVs: []KEV{{Type: VulnCheckKEVType}}},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Fatalf(\"FormatKEVCveSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputSortsKEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"beta\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"beta\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t}\n+\tif len(got) != len(want) {\n+\t\tt.Fatalf(\"len(KEVs) = %d, want %d\", len(got), len(want))\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Fatalf(\"KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..cb2fe5d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -277,6 +278,58 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType is a Known Exploited Vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck KEV data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database details.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation details.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,24 +963,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev-scan-result.json b/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..b5f064b\n--- /dev/null\n+++ b/sample-kev-scan-result.json\n@@ -0,0 +1,71 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example-user\",\n+  \"scannedVia\": \"ssh\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"example-user\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV example for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example; not a real KEV catalog entry.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV example for documentation.\",\n+          \"requiredAction\": \"Review exposure and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"example\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {},\n+  \"config\": {}\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T13:03:17.373783Z"}, {"uuid": "9f2c4e8c-f1e6-4155-ba42-5f14f718fae9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/a929211bccdff25dbc6d5d56104f7d57", "content": "diff --git a/README.md b/README.md\nindex 57102d1..bc31e7b 100644\n--- a/README.md\n+++ b/README.md\n@@ -166,6 +166,42 @@ Vuls has some options to detect the vulnerabilities\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \n+## Example Configuration\n+\n+Vuls requires a configuration file (`config.toml`) to specify the SQLite paths and scan targets. Below is a synthetic example with placeholder values showing how to enable KEV reporting:\n+\n+```toml\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host        = \"192.168.1.100\"\n+port        = \"22\"\n+user        = \"scanuser\"\n+keyPath     = \"/home/scanuser/.ssh/id_rsa\"\n+# SSH passphrase must not be real\n+# passPhrase  = \"REDACTED\"\n+```\n+\n ----\n \n ## What Vuls Doesn't Do\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..d631bbe\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,46 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.168.1.100\"\n+port        = \"22\"\n+user        = \"scanuser\"\n+keyPath     = \"/home/scanuser/.ssh/id_rsa\"\n+# SSH passphrase must not be real\n+# passPhrase  = \"REDACTED\"\n+\n+[slack]\n+hookURL      = \"https://hooks.slack.com/services/REDACTED\"\n+channel      = \"#vuls\"\n+authUser     = \"vuls-scanner\"\n+\n+[email]\n+smtpServer   = \"smtp.example.com\"\n+smtpPort     = \"587\"\n+user         = \"REDACTED\"\n+password     = \"REDACTED\"\n+from         = \"vuls@example.com\"\n+to           = [\"security@example.com\"]\n+\n+[chatwork]\n+apiToken     = \"REDACTED\"\n+roomID       = \"123456\"\n\\ No newline at end of file\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f0230da 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,8 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +98,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..d9bc151 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKevCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..9466f55 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..3dffb1f 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,72 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType is the source of the KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA Known Exploited Vulnerabilities\n+\tCISAKEVType = \"cisa\"\n+\t// VulnCheckKEVType is for VulnCheck Known Exploited Vulnerabilities\n+\tVulnCheckKEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType    `json:\"type,omitempty\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\n+\tCISA      *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..2cf2ffe 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,12 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tif kev.Type == models.CISAKEVType {\n+\t\t\t\tdata = append(data, []string{\"CISA KEV\", kev.VulnerabilityName})\n+\t\t\t} else if kev.Type == models.VulnCheckKEVType {\n+\t\t\t\tdata = append(data, []string{\"VulnCheck KEV\", kev.VulnerabilityName})\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..66db934\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,58 @@\n+{\n+    \"jsonVersion\": 1,\n+    \"lang\": \"en\",\n+    \"serverName\": \"example-host\",\n+    \"family\": \"ubuntu\",\n+    \"release\": \"22.04\",\n+    \"scannedAt\": \"2023-10-01T12:00:00Z\",\n+    \"scanMode\": \"fast\",\n+    \"scannedCves\": {\n+        \"CVE-0000-0000\": {\n+            \"cveID\": \"CVE-0000-0000\",\n+            \"confidences\": [\n+                {\n+                    \"score\": 100,\n+                    \"detectionMethod\": \"OVALMatch\"\n+                }\n+            ],\n+            \"affectedPackages\": [\n+                {\n+                    \"name\": \"example-package\",\n+                    \"notFixedYet\": false,\n+                    \"fixedIn\": \"1.2.3\"\n+                }\n+            ],\n+            \"cveContents\": {\n+                \"nvd\": [\n+                    {\n+                        \"type\": \"nvd\",\n+                        \"cveID\": \"CVE-0000-0000\",\n+                        \"title\": \"Example Vulnerability\",\n+                        \"summary\": \"This is a synthetic CVE entry to demonstrate KEV formatting.\",\n+                        \"cvss3Score\": 9.8,\n+                        \"cvss3Severity\": \"CRITICAL\"\n+                    }\n+                ]\n+            },\n+            \"kevs\": [\n+                {\n+                    \"type\": \"cisa\",\n+                    \"vendorProject\": \"Example Vendor\",\n+                    \"product\": \"Example Product\",\n+                    \"vulnerabilityName\": \"CVE-0000-0000 Example Vulnerability\",\n+                    \"shortDescription\": \"Synthetic description of the vulnerability.\",\n+                    \"requiredAction\": \"Apply updates.\",\n+                    \"dateAdded\": \"2023-10-02T00:00:00Z\"\n+                },\n+                {\n+                    \"type\": \"vulncheck\",\n+                    \"vendorProject\": \"Example Vendor\",\n+                    \"product\": \"Example Product\",\n+                    \"vulnerabilityName\": \"CVE-0000-0000 Example Vulnerability\",\n+                    \"shortDescription\": \"Synthetic VulnCheck entry for demonstration.\",\n+                    \"dateAdded\": \"2023-10-02T00:00:00Z\"\n+                }\n+            ]\n+        }\n+    }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..03579124 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,17 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tif kev.Type == models.CISAKEVType {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [CISA] %s\", kev.VulnerabilityName))\n+\t\t\t\t} else if kev.Type == models.VulnCheckKEVType {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [VulnCheck] %s\", kev.VulnerabilityName))\n+\t\t\t\t}\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T13:03:17.529016Z"}, {"uuid": "4f8a73e1-da12-4a43-a772-b1aa9a4cada3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/5bef9b5cf33ef6695b96af1fc4ba1037", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..cfed7e3 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,9 @@\n *.sqlite3*\n *.db\n *.toml\n+!*.toml.example\n+!docs/\n+!docs/**\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..35d54c5 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data via go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,11 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Examples\n+\n+- `config.toml.example` is a redacted ready-to-use starting point that enables KEV reporting through the `[kevuln]` go-kev database section.\n+- `docs/kev-sample-scan-result.json` shows a synthetic scan result with the first-class `kevs` vulnerability field populated for both CISA and VulnCheck sources.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..f71d355\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,38 @@\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+scanMode = [\"fast\"]\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..8673031 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -4,6 +4,7 @@\n package detector\n \n import (\n+\t\"bytes\"\n \t\"encoding/json\"\n \t\"net/http\"\n \t\"time\"\n@@ -78,20 +79,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv.KEVs = kevs\n+\t\t\t\tif len(kevs) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,17 +106,15 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n+\t\t\tvuln.KEVs = kevs\n+\t\t\tif len(kevs) &gt; 0 {\n+\t\t\t\tnKEV++\n+\t\t\t}\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\n@@ -127,6 +123,144 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tb, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tvar records []map[string]json.RawMessage\n+\tif err := json.Unmarshal(b, &amp;records); err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tvar kevs []models.KEV\n+\tfor _, record := range records {\n+\t\tcisaKEVs, err := parseCISAKEVs(record)\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\t\tkevs = append(kevs, cisaKEVs...)\n+\n+\t\tvulnCheckKEVs, err := parseVulnCheckKEVs(record)\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\t\tkevs = append(kevs, vulnCheckKEVs...)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func parseCISAKEVs(record map[string]json.RawMessage) ([]models.KEV, error) {\n+\titems, err := rawJSONItems(record, \"cisa\", \"CISA\")\n+\tif err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tvar kevs []models.KEV\n+\tfor _, item := range items {\n+\t\tvar cisa struct {\n+\t\t\tVendorProject              string     `json:\"vendorProject\"`\n+\t\t\tProduct                    string     `json:\"product\"`\n+\t\t\tVulnerabilityName          string     `json:\"vulnerabilityName\"`\n+\t\t\tShortDescription           string     `json:\"shortDescription\"`\n+\t\t\tRequiredAction             string     `json:\"requiredAction\"`\n+\t\t\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse\"`\n+\t\t\tDateAdded                  time.Time  `json:\"dateAdded\"`\n+\t\t\tDueDate                    *time.Time `json:\"dueDate\"`\n+\t\t\tNote                       string     `json:\"note\"`\n+\t\t\tNotes                      string     `json:\"notes\"`\n+\t\t}\n+\t\tif err := json.Unmarshal(item, &amp;cisa); err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\n+\t\tnote := cisa.Note\n+\t\tif note == \"\" {\n+\t\t\tnote = cisa.Notes\n+\t\t}\n+\t\tkevs = append(kevs, models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              cisa.VendorProject,\n+\t\t\tProduct:                    cisa.Product,\n+\t\t\tVulnerabilityName:          cisa.VulnerabilityName,\n+\t\t\tShortDescription:           cisa.ShortDescription,\n+\t\t\tRequiredAction:             cisa.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: cisa.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  cisa.DateAdded,\n+\t\t\tDueDate:                    cisa.DueDate,\n+\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\tNote: note,\n+\t\t\t},\n+\t\t})\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func parseVulnCheckKEVs(record map[string]json.RawMessage) ([]models.KEV, error) {\n+\titems, err := rawJSONItems(record, \"vulncheck\", \"vulnCheck\", \"VulnCheck\")\n+\tif err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tvar kevs []models.KEV\n+\tfor _, item := range items {\n+\t\tvar vulnCheck struct {\n+\t\t\tVendorProject              string                                      `json:\"vendorProject\"`\n+\t\t\tProduct                    string                                      `json:\"product\"`\n+\t\t\tVulnerabilityName          string                                      `json:\"vulnerabilityName\"`\n+\t\t\tShortDescription           string                                      `json:\"shortDescription\"`\n+\t\t\tRequiredAction             string                                      `json:\"requiredAction\"`\n+\t\t\tKnownRansomwareCampaignUse string                                      `json:\"knownRansomwareCampaignUse\"`\n+\t\t\tDateAdded                  time.Time                                   `json:\"dateAdded\"`\n+\t\t\tDueDate                    *time.Time                                  `json:\"dueDate\"`\n+\t\t\tXDB                        []models.VulnCheckXDB                  `json:\"xdb\"`\n+\t\t\tReportedExploitation       []models.VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+\t\t}\n+\t\tif err := json.Unmarshal(item, &amp;vulnCheck); err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\n+\t\tkevs = append(kevs, models.KEV{\n+\t\t\tType:                       models.VulnCheckKEVType,\n+\t\t\tVendorProject:              vulnCheck.VendorProject,\n+\t\t\tProduct:                    vulnCheck.Product,\n+\t\t\tVulnerabilityName:          vulnCheck.VulnerabilityName,\n+\t\t\tShortDescription:           vulnCheck.ShortDescription,\n+\t\t\tRequiredAction:             vulnCheck.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: vulnCheck.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  vulnCheck.DateAdded,\n+\t\t\tDueDate:                    vulnCheck.DueDate,\n+\t\t\tVulnCheck: &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheck.XDB,\n+\t\t\t\tReportedExploitation: vulnCheck.ReportedExploitation,\n+\t\t\t},\n+\t\t})\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func rawJSONItems(record map[string]json.RawMessage, keys ...string) ([]json.RawMessage, error) {\n+\tfor _, key := range keys {\n+\t\traw, ok := record[key]\n+\t\tif !ok || bytes.Equal(bytes.TrimSpace(raw), []byte(\"null\")) {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tswitch bytes.TrimSpace(raw)[0] {\n+\t\tcase '[':\n+\t\t\tvar items []json.RawMessage\n+\t\t\tif err := json.Unmarshal(raw, &amp;items); err != nil {\n+\t\t\t\treturn nil, err\n+\t\t\t}\n+\t\t\treturn items, nil\n+\t\tcase '{':\n+\t\t\treturn []json.RawMessage{raw}, nil\n+\t\t}\n+\t}\n+\treturn nil, nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/kev-sample-scan-result.json b/docs/kev-sample-scan-result.json\nnew file mode 100644\nindex 0000000..a0db61b\n--- /dev/null\n+++ b/docs/kev-sample-scan-result.json\n@@ -0,0 +1,68 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"ipv4Addrs\": [\n+    \"192.0.2.10\"\n+  ],\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example-user\",\n+  \"scannedVia\": \"ssh\",\n+  \"packages\": {},\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing CISA KEV output shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+          \"dueDate\": \"2026-01-23T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing VulnCheck KEV output shape.\",\n+          \"requiredAction\": \"Review exploitability and remediate.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-03T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-01-03T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.invalid:research/example-poc.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/research/example-exploitation-report\",\n+                \"dateAdded\": \"2026-01-04T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"errors\": [],\n+  \"warnings\": []\n+}\ndiff --git a/models/kev_test.go b/models/kev_test.go\nnew file mode 100644\nindex 0000000..f1fd3e2\n--- /dev/null\n+++ b/models/kev_test.go\n@@ -0,0 +1,56 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-0000-0003\": {},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Fatalf(\"FormatKEVCveSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"z vulnerability\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"z vulnerability\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a vulnerability\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a vulnerability\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"z vulnerability\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"z vulnerability\"},\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Fatalf(\"KEVs[%d] = %#v, want %#v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\n+\n+func TestAlertDictIgnoresCISAAlerts(t *testing.T) {\n+\ta := AlertDict{CISA: []Alert{{Title: \"KEV\"}}}\n+\n+\tif !a.IsEmpty() {\n+\t\tt.Fatal(\"AlertDict with only CISA alerts should be empty\")\n+\t}\n+\tif got := a.FormatSource(); got != \"\" {\n+\t\tt.Fatalf(\"FormatSource() = %q, want empty string\", got)\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..d022023 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of known exploited CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..ec0912e 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -266,6 +266,7 @@ type VulnInfo struct {\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a Known Exploited Vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                         KEVType       `json:\"type,omitempty\"`\n+\tVendorProject                string        `json:\"vendorProject,omitempty\"`\n+\tProduct                      string        `json:\"product,omitempty\"`\n+\tVulnerabilityName            string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                      *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has source-specific CISA KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has source-specific VulnCheck KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation evidence.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T13:03:17.575738Z"}, {"uuid": "3fdaefd2-be71-4969-bde4-32990a92f0e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/cd48414ef8c8ff6e5690c044e2e019f9", "content": "diff --git a/README.md b/README.md\nindex 57102d1..a25469e 100644\n--- a/README.md\n+++ b/README.md\n@@ -179,6 +179,11 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Example Configuration\n+\n+To see a ready-to-use example configuration for Vuls (including how to enable KEV reporting), check out [config.toml.example](config.toml.example).\n+For a sample scan result with the new KEV data, see [sample_scan_result_with_kev.json](sample_scan_result_with_kev.json).\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..a4c08fd\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,27 @@\n+[servers]\n+[servers.example-host]\n+host     = \"192.0.2.1\"\n+port     = \"22\"\n+user     = \"vuls\"\n+keyPath  = \"/root/.ssh/id_rsa\"\n+# SSH passphrase must be set securely, e.g. via environment variable, do not hardcode it here.\n+\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"user@example.com\"\n+# Password should be redacted or fetched from env\n+password = \"REDACTED\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+channel = \"#vuls-alerts\"\n+authUser = \"vuls-bot\"\n+\n+[chatwork]\n+apiToken = \"REDACTED\"\n+room = \"123456789\"\n+\n+[kev]\n+type = \"cisa\" # Or \"vulncheck\"\n+url = \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\"\n\\ No newline at end of file\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..4e10a68 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,19 +79,15 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tif len(kevulns) &gt; 0 {\n+\t\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\t\tVulnerabilityName: \"Known Exploited Vulnerabilities Catalog\",\n+\t\t\t\t\t})\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,17 +104,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\tVulnerabilityName: \"Known Exploited Vulnerabilities Catalog\",\n \t\t\t\t})\n+\t\t\t\tnKEV++\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..53fe9d7 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tkevCnt := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tkevCnt++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", kevCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..230106d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,30 +911,78 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"` // Deprecated: KEVs are used instead\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n \treturn strings.Join(s, \"/\")\n }\n \n+// KEVType is the source of the KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType ...\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType ...\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV ...\n+type KEV struct {\n+\tType                       KEVType                    `json:\"type\"`\n+\tVendorProject              string                     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string                     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string                     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string                     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string                     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string                     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time                  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time                 `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV                   `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV              `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV ...\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV ...\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB ...\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation ...\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Confidences is a list of Confidence\n type Confidences []Confidence\n \ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_scan_result_with_kev.json b/sample_scan_result_with_kev.json\nnew file mode 100644\nindex 0000000..165d985\n--- /dev/null\n+++ b/sample_scan_result_with_kev.json\n@@ -0,0 +1,35 @@\n+{\n+    \"jsonVersion\": 1,\n+    \"lang\": \"en\",\n+    \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+    \"serverName\": \"example-host\",\n+    \"family\": \"ubuntu\",\n+    \"release\": \"20.04\",\n+    \"container\": {\n+        \"containerID\": \"\",\n+        \"name\": \"\",\n+        \"image\": \"\",\n+        \"type\": \"\",\n+        \"uuid\": \"\"\n+    },\n+    \"platform\": {\n+        \"name\": \"\",\n+        \"instanceID\": \"\"\n+    },\n+    \"scannedCves\": {\n+        \"CVE-0000-0000\": {\n+            \"cveID\": \"CVE-0000-0000\",\n+            \"kevs\": [\n+                {\n+                    \"type\": \"cisa\",\n+                    \"vulnerabilityName\": \"Known Exploited Vulnerabilities Catalog\",\n+                    \"dateAdded\": \"2024-01-01T00:00:00Z\"\n+                }\n+            ],\n+            \"alertDict\": {\n+                \"jpcert\": [],\n+                \"uscert\": []\n+            }\n+        }\n+    }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T13:03:17.706632Z"}, {"uuid": "11f96e9f-bfc1-4681-8d35-77aee9296569", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/2d94c296cf6eeb05efdc99f1ea7d8dd7", "content": "diff --git a/README.md b/README.md\nindex 57102d1..1bfd4fc 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,10 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities (KEV)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - VulnCheck KEV\n+  - See [config.toml.example](./config.toml.example) for enabling KEV reporting\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..dbeef57\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,17 @@\n+[servers]\n+\n+[servers.example-host]\n+host = \"example.com\"\n+port = \"22\"\n+user = \"scanuser\"\n+keyPath = \"/path/to/private_key\"\n+\n+# Enable Known Exploited Vulnerabilities (KEV) detection\n+# Supports CISA KEV and VulnCheck KEV sources via go-kev\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+# Or use HTTP server mode:\n+# type = \"http\"\n+# url  = \"http://127.0.0.1:1328\"\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..efc951b 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..0eb94d9 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -912,28 +913,76 @@ type Mitigation struct {\n \n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n-\tJPCERT []Alert `json:\"jpcert\"`\n-\tUSCERT []Alert `json:\"uscert\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n+\tJPCERT []Alert `json:\"jpcert,omitempty\"`\n+\tUSCERT []Alert `json:\"uscert,omitempty\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n \treturn strings.Join(s, \"/\")\n }\n \n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType   `json:\"type,omitempty\"`\n+\tVendorProject              string    `json:\"vendorProject,omitempty\"`\n+\tProduct                    string    `json:\"product,omitempty\"`\n+\tVulnerabilityName          string    `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string    `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string    `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string    `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Confidences is a list of Confidence\n type Confidences []Confidence\n \ndiff --git a/testdata/kev_sample.json b/testdata/kev_sample.json\nnew file mode 100644\nindex 0000000..dae9ac4\n--- /dev/null\n+++ b/testdata/kev_sample.json\n@@ -0,0 +1,53 @@\n+{\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates per vendor instructions\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example CISA note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability (VulnCheck)\",\n+          \"shortDescription\": \"Example VulnCheck description\",\n+          \"requiredAction\": \"\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"XXXXX\",\n+                \"xdbUrl\": \"https://example.com/xdb/XXXXX\",\n+                \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+                \"exploitType\": \"Remote Code Execution\",\n+                \"cloneSshUrl\": \"\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n", "creation_timestamp": "2026-07-03T13:03:17.745700Z"}, {"uuid": "b035ce76-d769-40cb-94a7-e171f8f09903", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/6604d828eb432686206cac7c3d646642", "content": "diff --git a/README.md b/README.md\nindex 57102d1..2b5c2ef 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities (KEV)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -156,6 +157,10 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+## Configuration\n+\n+See [config.toml.example](config.toml.example) for an example configuration file with all supported sections, including KEV (Known Exploited Vulnerabilities) database settings.\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..55b2455\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,51 @@\n+# Vuls example configuration file\n+# Copy this file to config.toml and edit for your environment.\n+# All values shown here are placeholders \u2014 replace them with your own.\n+\n+[default]\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+\n+# --- Vulnerability dictionary databases ---\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# Known Exploited Vulnerabilities (KEV) database\n+# Supports both CISA and VulnCheck KEV sources.\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# --- Scan targets ---\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\ndiff --git a/contrib/sample_kev_scan_result.json b/contrib/sample_kev_scan_result.json\nnew file mode 100644\nindex 0000000..99b18a8\n--- /dev/null\n+++ b/contrib/sample_kev_scan_result.json\n@@ -0,0 +1,69 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"redhat\",\n+  \"release\": \"9\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/2024-001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"VCXDB-0000\",\n+                \"xdbURL\": \"https://example.com/xdb/VCXDB-0000\",\n+                \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/VCXDB-0000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploitation-report/2024-001\",\n+                \"dateAdded\": \"2024-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.2.3\",\n+      \"release\": \"1.el9\",\n+      \"newVersion\": \"1.2.4\",\n+      \"newRelease\": \"1.el9\"\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..7a2a2ea 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of CVEs that have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..372d70e 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,6 +911,57 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of a KEV entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..72499b0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n", "creation_timestamp": "2026-07-03T13:03:18.117139Z"}, {"uuid": "a473c807-ca25-4d86-bbb1-1ef13c0ea9ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/d9b8f24889b3110c3908a843182fa033", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..1903162 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - KEV information is reported in the first-class `kevs` field when go-kev is configured.\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,10 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Example Configuration\n+\n+Use [`config.toml.example`](config.toml.example) as a synthetic, ready-to-edit starting point for enabling KEV enrichment via go-kev. It includes a `[kevuln]` section and placeholder scan target values only. A synthetic scan result showing the new `kevs` output shape is available at [`docs/samples/scan-result-kev.json`](docs/samples/scan-result-kev.json).\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..bb04b2d\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,44 @@\n+# Example Vuls configuration for local scanning with KEV enrichment enabled.\n+# Replace paths and host details with values for your environment. Do not put\n+# production secrets in this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls-scan\"\n+keyPath = \"/home/vuls-scan/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example host\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..c7d4920 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"reflect\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -78,19 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, toKEVs(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, toKEVs(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +113,46 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func toKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tkev := models.KEV{Type: models.CISAKEVType, CISA: &amp;models.CISAKEV{}}\n+\t\tif err := json.Unmarshal(b, &amp;kev); err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif kev.CISA == nil {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{}\n+\t\t}\n+\t\tif note := kevulnStringField(kevuln, \"Notes\"); note != \"\" {\n+\t\t\tkev.CISA.Note = note\n+\t\t} else if note := kevulnStringField(kevuln, \"Note\"); note != \"\" {\n+\t\t\tkev.CISA.Note = note\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func kevulnStringField(kevuln kevulnmodels.KEVuln, name string) string {\n+\tv := reflect.ValueOf(kevuln)\n+\tif v.Kind() == reflect.Ptr {\n+\t\tv = v.Elem()\n+\t}\n+\tif v.Kind() != reflect.Struct {\n+\t\treturn \"\"\n+\t}\n+\tf := v.FieldByName(name)\n+\tif !f.IsValid() || f.Kind() != reflect.String {\n+\t\treturn \"\"\n+\t}\n+\treturn f.String()\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/samples/scan-result-kev.json b/docs/samples/scan-result-kev.json\nnew file mode 100644\nindex 0000000..cea3296\n--- /dev/null\n+++ b/docs/samples/scan-result-kev.json\n@@ -0,0 +1,78 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"ipv4Addrs\": [\n+    \"192.0.2.10\"\n+  ],\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"vuls-example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example-user\",\n+  \"scannedVia\": \"ssh\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry demonstrating the scan result shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry demonstrating VulnCheck-specific data.\",\n+          \"requiredAction\": \"Review exposure and apply mitigations.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.com:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/cve-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.2.2\",\n+      \"newVersion\": \"1.2.3\"\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..d45dcf1 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..db006c8\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,78 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\ttests := []struct {\n+\t\tname     string\n+\t\tin       ScanResult\n+\t\texpected string\n+\t}{\n+\t\t{\n+\t\t\tname:     \"no KEVs\",\n+\t\t\tin:       ScanResult{ScannedCves: VulnInfos{\"CVE-0000-0000\": {}}},\n+\t\t\texpected: \"0 kevs\",\n+\t\t},\n+\t\t{\n+\t\t\tname: \"counts CVEs with KEVs\",\n+\t\t\tin: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0000\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\t\"CVE-0000-0002\": {},\n+\t\t\t}},\n+\t\t\texpected: \"2 kevs\",\n+\t\t},\n+\t}\n+\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tif actual := tt.in.FormatKEVCveSummary(); actual != tt.expected {\n+\t\t\t\tt.Errorf(\"expected %q, actual %q\", tt.expected, actual)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0000\": {\n+\t\t\tKEVs: []KEV{\n+\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t},\n+\t\t},\n+\t}}\n+\n+\tr.SortForJSONOutput()\n+\n+\tactual := r.ScannedCves[\"CVE-0000-0000\"].KEVs\n+\texpected := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t}\n+\tif len(actual) != len(expected) {\n+\t\tt.Fatalf(\"expected %d KEVs, actual %d\", len(expected), len(actual))\n+\t}\n+\tfor i := range expected {\n+\t\tif actual[i] != expected[i] {\n+\t\t\tt.Errorf(\"[%d] expected %+v, actual %+v\", i, expected[i], actual[i])\n+\t\t}\n+\t}\n+}\n+\n+func TestAlertDictIgnoresCISAForGenericAlerts(t *testing.T) {\n+\ta := AlertDict{CISA: []Alert{{Title: \"legacy cisa\"}}}\n+\tif !a.IsEmpty() {\n+\t\tt.Error(\"expected CISA-only AlertDict to be empty\")\n+\t}\n+\tif actual := a.FormatSource(); actual != \"\" {\n+\t\tt.Errorf(\"expected empty source, actual %q\", actual)\n+\t}\n+\n+\tr := ScanResult{ScannedCves: VulnInfos{\"CVE-0000-0000\": {AlertDict: a}}}\n+\tif actual := r.FormatAlertSummary(); actual != \"uscert: 0, jpcert: 0 alerts\" {\n+\t\tt.Errorf(\"expected CISA to be omitted from alert summary, actual %q\", actual)\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..c4b1837 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -277,6 +278,57 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType is the KEV data source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA Known Exploited Vulnerabilities Catalog source.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is the VulnCheck KEV source.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..9028e88 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,12 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tsource := \"KEV\"\n+\t\t\tif kev.Type != \"\" {\n+\t\t\t\tsource = fmt.Sprintf(\"%s KEV\", strings.ToUpper(string(kev.Type)))\n+\t\t\t}\n+\t\t\tdata = append(data, []string{source, kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..5d3cfb3 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,17 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV\",\n+\t\t\t\t\"===\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tif kev.Type == \"\" {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s\", kev.VulnerabilityName))\n+\t\t\t\t\tcontinue\n+\t\t\t\t}\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", strings.ToUpper(string(kev.Type)), kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T13:58:58.973230Z"}, {"uuid": "d0937713-e77e-4a11-89ab-cc0f9545b3f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/dd541a57c8f684b638968555b7378547", "content": "diff --git a/README.md b/README.md\nindex 57102d1..d370b9c 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities (KEV)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -163,6 +164,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - An example configuration is available at [`config.toml.example`](config.toml.example)\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..f5234a0\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,100 @@\n+# config.toml.example \u2014 Vuls example configuration\n+#\n+# Copy this file to config.toml and edit as needed:\n+#   cp config.toml.example config.toml\n+#\n+# All credential values below are placeholders \u2014 replace them with real values.\n+# NEVER commit config.toml with real secrets to version control.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# ============================================================================\n+# Vulnerability Dictionary Databases\n+# ============================================================================\n+# Each supports type = \"sqlite3\" | \"mysql\" | \"postgres\" | \"redis\" | \"http\"\n+\n+[cveDict]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# Known Exploited Vulnerabilities (KEV) \u2014 CISA &amp; VulnCheck support\n+[kevuln]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# ============================================================================\n+# Notifications (all optional \u2014 uncomment to enable)\n+# ============================================================================\n+\n+#[slack]\n+#hookURL     = \"https://hooks.slack.com/services/xxx/yyy/zzz\"\n+#channel     = \"#vuls-alerts\"\n+#iconEmoji   = \":ghost:\"\n+#authUser    = \"vuls-bot\"\n+\n+#[email]\n+#smtpAddr    = \"smtp.example.com\"\n+#smtpPort    = \"587\"\n+#tlsMode     = \"STARTTLS\"\n+#user        = \"vuls-notifier@example.com\"\n+#password    = \"PLACEHOLDER_SMTP_PASSWORD\"\n+#from        = \"vuls-notifier@example.com\"\n+#to          = [\"security@example.com\"]\n+\n+#[chatwork]\n+#room        = \"123456789\"\n+#apiToken    = \"PLACEHOLDER_CHATWORK_TOKEN\"\n+\n+#[http]\n+#url = \"http://localhost:11234\"\n+\n+#[syslog]\n+#protocol = \"tcp\"\n+#host     = \"localhost\"\n+#port     = \"514\"\n+#tag      = \"vuls\"\n+#facility = \"local0\"\n+#severity = \"alert\"\n+\n+# ============================================================================\n+# Default Settings (inherited by all servers unless overridden)\n+# ============================================================================\n+[default]\n+port        = \"22\"\n+user        = \"vuls-scan-user\"\n+keyPath     = \"/home/vuls-scan-user/.ssh/id_rsa\"\n+scanMode    = [\"fast\"]\n+scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# ============================================================================\n+# Servers\n+# ============================================================================\n+[servers]\n+\n+[servers.web-server-01]\n+host = \"192.168.1.10\"\n+#scanMode    = [\"fast-root\"]\n+#scanModules = [\"ospkg\", \"wordpress\", \"lockfile\", \"port\"]\n+\n+[servers.db-server-01]\n+host = \"192.168.1.20\"\n+user = \"dbadmin\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..0ba9880 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,15 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tfor _, kv := range kevulns {\n+\t\t\t\t\tv.KEVs = append(v.KEVs, convertKEVuln(kv))\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +105,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tfor _, kv := range kevulns {\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVuln(kv))\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -226,6 +216,26 @@ func httpGetKEVuln(url string, req kevulnRequest, resChan chan&lt;- kevulnResponse,\n \t}\n }\n \n+func convertKEVuln(kv kevulnmodels.KEVuln) models.KEV {\n+\tvar dueDate *time.Time\n+\tif !kv.DueDate.IsZero() {\n+\t\td := kv.DueDate\n+\t\tdueDate = &amp;d\n+\t}\n+\treturn models.KEV{\n+\t\tType:                       models.CISAKEVType,\n+\t\tVendorProject:              kv.VendorProject,\n+\t\tProduct:                    kv.Product,\n+\t\tVulnerabilityName:          kv.VulnerabilityName,\n+\t\tShortDescription:           kv.ShortDescription,\n+\t\tRequiredAction:             kv.RequiredAction,\n+\t\tKnownRansomwareCampaignUse: kv.KnownRansomwareCampaignUse,\n+\t\tDateAdded:                  kv.DateAdded,\n+\t\tDueDate:                    dueDate,\n+\t\tCISA:                       &amp;models.CISAKEV{Note: kv.Notes},\n+\t}\n+}\n+\n func newKEVulnDB(cnf config.VulnDictInterface) (kevulndb.DB, error) {\n \tif cnf.IsFetchViaHTTP() {\n \t\treturn nil, nil\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..e378ebd 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of how many scanned CVEs have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kevs.json b/models/testdata/sample_kevs.json\nnew file mode 100644\nindex 0000000..cc3b108\n--- /dev/null\n+++ b/models/testdata/sample_kevs.json\n@@ -0,0 +1,60 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"redhat\",\n+  \"release\": \"9\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/security/advisory-0000-0000\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"a1b2c3d4-0000-0000-0000-000000000000\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/a1b2c3d4-0000-0000-0000-000000000000\",\n+                \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+                \"exploitType\": \"poc\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/CVE-0000-0000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-intel/report-001\",\n+                \"dateAdded\": \"2024-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..7a4dc79 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,73 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of a KEV entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has exploit database cross-reference information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"` // Deprecated: Use VulnInfo.KEVs instead\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..e3aef8f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..3f73943 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities (KEV)\",\n+\t\t\t\t\"======================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T13:58:59.178020Z"}, {"uuid": "ac408b21-9a74-4aca-8186-387b5776dc7d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/7def034150953153f6f155d1e252231e", "content": "diff --git a/README.md b/README.md\nindex 57102d1..8895bb0 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data through go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,16 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Example Configuration\n+\n+A ready-to-use synthetic configuration is available at [examples/config.toml.example](examples/config.toml.example). It includes KEV reporting through the `[kevuln]` database section and uses placeholder hosts and credentials only.\n+\n+Do not publish a live `config.toml`; use the example as a template and replace placeholders in your local, untracked configuration.\n+\n+## Example KEV Output\n+\n+A redacted sample scan result showing the first-class `kevs` field is available at [examples/scanresult-kev.json](examples/scanresult-kev.json).\n+\n ----\n \n ## Authors\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..1b958f2 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"reflect\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -78,19 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulns(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulns(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +113,145 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tv := reflect.ValueOf(kevuln)\n+\t\tkevType := models.KEVType(fieldString(v, \"Type\"))\n+\t\tif kevType == \"\" {\n+\t\t\tkevType = models.CISAKEVType\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType,\n+\t\t\tVendorProject:              fieldString(v, \"VendorProject\"),\n+\t\t\tProduct:                    fieldString(v, \"Product\"),\n+\t\t\tVulnerabilityName:          fieldString(v, \"VulnerabilityName\"),\n+\t\t\tShortDescription:           fieldString(v, \"ShortDescription\"),\n+\t\t\tRequiredAction:             fieldString(v, \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: fieldString(v, \"KnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  fieldTime(v, \"DateAdded\"),\n+\t\t\tDueDate:                    fieldTimePtr(v, \"DueDate\"),\n+\t\t}\n+\t\tif kev.Type == models.VulnCheckKEVType {\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  convertVulnCheckXDBs(field(v, \"XDB\")),\n+\t\t\t\tReportedExploitation: convertVulnCheckReportedExploitations(field(v, \"ReportedExploitation\")),\n+\t\t\t}\n+\t\t} else {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{\n+\t\t\t\tNote: firstNonEmpty(fieldString(v, \"Note\"), fieldString(v, \"Notes\")),\n+\t\t\t}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func convertVulnCheckXDBs(v reflect.Value) (xdbs []models.VulnCheckXDB) {\n+\tfor i := 0; i &lt; sliceLen(v); i++ {\n+\t\txdb := sliceIndex(v, i)\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       fieldString(xdb, \"XDBID\"),\n+\t\t\tXDBURL:      fieldString(xdb, \"XDBURL\"),\n+\t\t\tDateAdded:   fieldTime(xdb, \"DateAdded\"),\n+\t\t\tExploitType: fieldString(xdb, \"ExploitType\"),\n+\t\t\tCloneSSHURL: fieldString(xdb, \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func convertVulnCheckReportedExploitations(v reflect.Value) (reported []models.VulnCheckReportedExploitation) {\n+\tfor i := 0; i &lt; sliceLen(v); i++ {\n+\t\texploitation := sliceIndex(v, i)\n+\t\treported = append(reported, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       fieldString(exploitation, \"URL\"),\n+\t\t\tDateAdded: fieldTime(exploitation, \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn reported\n+}\n+\n+func field(v reflect.Value, name string) reflect.Value {\n+\tv = deref(v)\n+\tif !v.IsValid() || v.Kind() != reflect.Struct {\n+\t\treturn reflect.Value{}\n+\t}\n+\treturn v.FieldByName(name)\n+}\n+\n+func fieldString(v reflect.Value, name string) string {\n+\tf := deref(field(v, name))\n+\tif !f.IsValid() || !f.CanInterface() {\n+\t\treturn \"\"\n+\t}\n+\tif f.Kind() == reflect.String {\n+\t\treturn f.String()\n+\t}\n+\treturn \"\"\n+}\n+\n+func fieldTime(v reflect.Value, name string) time.Time {\n+\tf := deref(field(v, name))\n+\tif !f.IsValid() || !f.CanInterface() {\n+\t\treturn time.Time{}\n+\t}\n+\tif t, ok := f.Interface().(time.Time); ok {\n+\t\treturn t\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func fieldTimePtr(v reflect.Value, name string) *time.Time {\n+\tf := field(v, name)\n+\tif !f.IsValid() || !f.CanInterface() {\n+\t\treturn nil\n+\t}\n+\tif t, ok := f.Interface().(*time.Time); ok {\n+\t\treturn t\n+\t}\n+\tt := fieldTime(v, name)\n+\tif t.IsZero() {\n+\t\treturn nil\n+\t}\n+\treturn &amp;t\n+}\n+\n+func sliceLen(v reflect.Value) int {\n+\tv = deref(v)\n+\tif !v.IsValid() || v.Kind() != reflect.Slice {\n+\t\treturn 0\n+\t}\n+\treturn v.Len()\n+}\n+\n+func sliceIndex(v reflect.Value, i int) reflect.Value {\n+\tv = deref(v)\n+\tif !v.IsValid() || v.Kind() != reflect.Slice || i &gt;= v.Len() {\n+\t\treturn reflect.Value{}\n+\t}\n+\treturn v.Index(i)\n+}\n+\n+func deref(v reflect.Value) reflect.Value {\n+\tfor v.IsValid() &amp;&amp; v.Kind() == reflect.Ptr {\n+\t\tif v.IsNil() {\n+\t\t\treturn reflect.Value{}\n+\t\t}\n+\t\tv = v.Elem()\n+\t}\n+\treturn v\n+}\n+\n+func firstNonEmpty(values ...string) string {\n+\tfor _, value := range values {\n+\t\tif value != \"\" {\n+\t\t\treturn value\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..bc3e6bd\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,49 @@\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+\n+#[slack]\n+#hookURL = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+#channel = \"#vuls-alerts\"\n+#authUser = \"vuls\"\n+\n+#[smtp]\n+#smtpAddr = \"smtp.example.com\"\n+#smtpPort = \"587\"\n+#user = \"vuls@example.com\"\n+#password = \"replace-with-local-secret\"\n+#from = \"vuls@example.com\"\n+#to = [\"security@example.com\"]\ndiff --git a/examples/scanresult-kev.json b/examples/scanresult-kev.json\nnew file mode 100644\nindex 0000000..f4d5227\n--- /dev/null\n+++ b/examples/scanresult-kev.json\n@@ -0,0 +1,62 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing CISA KEV metadata on a vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing VulnCheck KEV metadata on a vulnerability.\",\n+          \"requiredAction\": \"Review exposure and apply mitigations.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"synthetic\",\n+                \"cloneSSHURL\": \"git@example.com:example/synthetic-exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/synthetic-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {},\n+  \"errors\": [],\n+  \"warnings\": []\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..1fd54ec 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -427,6 +435,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\t})\n \n \t\tv.CveContents.Sort()\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..08bf592 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies a Known Exploited Vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType means CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType means VulnCheck Known Exploited Vulnerabilities.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                           KEVType       `json:\"type,omitempty\"`\n+\tVendorProject                  string        `json:\"vendorProject,omitempty\"`\n+\tProduct                        string        `json:\"product,omitempty\"`\n+\tVulnerabilityName              string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription               string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                 string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse     string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                      time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                        *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                           *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                      *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV data.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV data.\n+type VulnCheckKEV struct {\n+\tXDB                      []VulnCheckXDB                      `json:\"xdb,omitempty\"`\n+\tReportedExploitation     []VulnCheckReportedExploitation     `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +963,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T13:58:59.277695Z"}, {"uuid": "5343974e-bb4f-48b1-aaa1-65346693ef04", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/fff6c2cf8c3e60af2fbf92c9b50bab40", "content": "diff --git a/README.md b/README.md\nindex 57102d1..d92dd9f 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV(Known Exploited Vulnerabilities)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -163,6 +164,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - See [config.toml.example](config.toml.example) for a ready-to-use example\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..6a832fd\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,107 @@\n+# Vuls example configuration\n+# https://vuls.io/docs/en/config.toml.html\n+#\n+# This is a SYNTHETIC example with placeholder values only.\n+# Copy this file to config.toml and adjust values for your environment.\n+\n+# ----- Vulnerability Dictionary Databases -----\n+\n+[cveDict]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url         = \"\"\n+\n+[ovalDict]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url         = \"\"\n+\n+[gost]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url         = \"\"\n+\n+[exploit]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url         = \"\"\n+\n+[metasploit]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url         = \"\"\n+\n+# ----- KEV (Known Exploited Vulnerabilities) -----\n+# Enable this section to enrich scan results with CISA/VulnCheck KEV data.\n+# The KEV data is stored in a local go-kev database or fetched via HTTP.\n+[kevuln]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url        = \"\"\n+\n+[cti]\n+#type        = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url         = \"\"\n+\n+# ----- Notification / Output Channels -----\n+\n+#[slack]\n+#hookURL      = \"https://hooks.slack.com/services/xxx/yyy/zzz\"\n+#channel      = \"#vuls-notifications\"\n+#iconEmoji    = \":ghost:\"\n+#authUser     = \"vuls-bot\"\n+#notifyUsers  = [\"@security-team\"]\n+\n+#[email]\n+#smtpAddr              = \"smtp.example.com\"\n+#smtpPort              = \"587\"\n+#tlsMode               = \"STARTTLS\"\n+#tlsInsecureSkipVerify = false\n+#user                  = \"vuls@example.com\"\n+#password              = \"REPLACE_WITH_SMTP_PASSWORD\"\n+#from                  = \"vuls@example.com\"\n+#to                    = [\"security-team@example.com\"]\n+#cc                    = [\"ops@example.com\"]\n+#subjectPrefix         = \"[vuls]\"\n+\n+#[http]\n+#url = \"http://localhost:11234\"\n+\n+#[syslog]\n+#protocol = \"tcp\"\n+#host     = \"localhost\"\n+#port     = \"514\"\n+#tag      = \"vuls\"\n+#facility = \"local0\"\n+#severity = \"alert\"\n+#verbose  = false\n+\n+#[chatwork]\n+#room     = \"REPLACE_WITH_ROOM_ID\"\n+#apiToken = \"REPLACE_WITH_API_TOKEN\"\n+\n+#[telegram]\n+#chatID = \"REPLACE_WITH_CHAT_ID\"\n+#token  = \"REPLACE_WITH_BOT_TOKEN\"\n+\n+# ----- Default Settings -----\n+\n+[default]\n+#port        = \"22\"\n+#user        = \"vuls-scan-user\"\n+#keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+#scanMode    = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# ----- Servers -----\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.168.0.100\"\n+#port = \"22\"\n+#user = \"scan-user\"\n+#keyPath = \"/home/vuls/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ec9b7eb 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kev_scan_result.json b/models/testdata/sample_kev_scan_result.json\nnew file mode 100644\nindex 0000000..2a82115\n--- /dev/null\n+++ b/models/testdata/sample_kev_scan_result.json\n@@ -0,0 +1,75 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/2024-001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0000001\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/XDB-0000001\",\n+                \"dateAdded\": \"2024-01-12T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/CVE-0000-0000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-report/2024-001\",\n+                \"dateAdded\": \"2024-01-11T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.2.3\",\n+      \"release\": \"1\",\n+      \"newVersion\": \"1.2.4\",\n+      \"newRelease\": \"1\"\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..47bb831 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,6 +911,57 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of a KEV entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T13:58:59.324923Z"}, {"uuid": "aec6ebdf-c100-4665-ab7d-bec81694afb2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/d2ab3d88ce082add4d2f647500416db6", "content": "diff --git a/README.md b/README.md\nindex 57102d1..64cb817 100644\n--- a/README.md\n+++ b/README.md\n@@ -179,6 +179,8 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+Please see `config.toml.example` in this repository for a basic configuration template, including KEV reporting support.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..50d8d29\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,30 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+[servers]\n+[servers.example-host]\n+host     = \"192.168.0.1\"\n+port     = \"22\"\n+user     = \"vuls\"\n+keyPath  = \"/home/vuls/.ssh/id_rsa\"\n\\ No newline at end of file\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..fc8354d 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -88,15 +88,15 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\t})\n \t\t\t}\n \n+\t\t\t// Removed old CISA alert logic\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n-\t\tfor cveID, vuln := range r.ScannedCves {\n+\t\tfor cveID := range r.ScannedCves {\n \t\t\tif cveID == \"\" {\n \t\t\t\tcontinue\n \t\t\t}\n@@ -108,18 +108,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t// Removed old CISA alert logic\n+\t\t\tv, ok := r.ScannedCves[cveID]\n+\t\t\tif ok {\n+\t\t\t\tnKEV++\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n-\t\t\tr.ScannedCves[cveID] = vuln\n+\t\t\tr.ScannedCves[cveID] = v\n \t\t}\n \t}\n \ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..d477284 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKevs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevs)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..777f7c0 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +284,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +346,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +405,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..914e95d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +911,69 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the type of KEV source\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV represents Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType        `json:\"type\"`\n+\tVendorProject              string         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev_scan.json b/sample_kev_scan.json\nnew file mode 100644\nindex 0000000..e8f6bf9\n--- /dev/null\n+++ b/sample_kev_scan.json\n@@ -0,0 +1,41 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"An example KEV entry for demonstration.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2023-01-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploit\",\n+                \"dateAdded\": \"2023-01-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T13:58:59.364316Z"}, {"uuid": "11f3e9ca-9b77-471b-8297-e7f210684421", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/8db92cfc100b085460ff792fc928a618", "content": "diff --git a/README.md b/README.md\nindex 57102d1..7f913af 100644\n--- a/README.md\n+++ b/README.md\n@@ -191,6 +191,12 @@ see [vulsdoc](https://vuls.io/docs/en/how-to-contribute.html)\n \n ----\n \n+## Configuration Example\n+\n+An example `config.toml` with KEV reporting enabled is available at [config.toml.example](config.toml.example).\n+\n+----\n+\n ## Sponsors\n \n |  |  |\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..390b8b1\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,49 @@\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-metasploitdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/XXX/YYY/ZZZ\"\n+channel = \"#vuls\"\n+authUser = \"vuls\"\n+\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"username\"\n+password = \"password\"\n+from = \"vuls@example.com\"\n+to = [\"recipient@example.com\"]\n+subject = \"Vuls Report\"\n+\n+[chatwork]\n+apiKey = \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\n+room = \"12345678\"\n+\n+[servers]\n+\n+[servers.localhost]\n+host = \"localhost\"\n+port = \"local\"\n+# user = \"vuls-user\"\n+# keyPath = \"/home/user/.ssh/id_rsa\"\ndiff --git a/kev_sample.json b/kev_sample.json\nnew file mode 100644\nindex 0000000..522988a\n--- /dev/null\n+++ b/kev_sample.json\n@@ -0,0 +1,57 @@\n+{\n+  \"jsonVersion\": 2,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example vulnerability description\",\n+          \"requiredAction\": \"Apply updates per vendor instructions\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example vulnerability description\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-1234\",\n+                \"xdbURL\": \"https://example.com/xdb/1234\",\n+                \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"scannedAt\": \"2024-01-01T00:00:00Z\",\n+  \"reportedAt\": \"2024-01-01T00:00:00Z\"\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..efc951b 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..56b6d08 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,58 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n+}\n+\n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has KEV information\n+type KEV struct {\n+\tType                       KEVType   `json:\"type,omitempty\"`\n+\tVendorProject              string    `json:\"vendorProject,omitempty\"`\n+\tProduct                    string    `json:\"product,omitempty\"`\n+\tVulnerabilityName          string    `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string    `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string    `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string    `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID         string    `json:\"xdbID,omitempty\"`\n+\tXDBURL        string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded     time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType   string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL   string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..72499b0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n", "creation_timestamp": "2026-07-03T13:58:59.413935Z"}, {"uuid": "62c47bbf-39a2-4b0c-8324-7a3d8e84467f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/77b8eb1ad9e5cee7e0dbc57ab67e8813", "content": "diff --git a/README.md b/README.md\nindex 57102d1..15714f0 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities (KEV)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -174,6 +175,13 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Configuration\n+\n+An example configuration file is provided at [`config.toml.example`](config.toml.example).\n+Copy it to `config.toml` and edit to match your environment.\n+\n+A sample scan result demonstrating the KEV (Known Exploited Vulnerabilities) output is available at [`contrib/sample-kev-scan-result.json`](contrib/sample-kev-scan-result.json).\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..8e4fd3e\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,87 @@\n+# Vuls - VULnerability Scanner\n+# Example configuration file\n+#\n+# Copy this file to config.toml and edit to match your environment.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# --- Vulnerability Dictionary Databases ---\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# KEV (Known Exploited Vulnerabilities) database\n+# Supports both CISA and VulnCheck KEV sources.\n+# Data is fetched from go-kev and promoted to first-class KEV fields\n+# on each vulnerability (the \"kevs\" field in scan results).\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+# Alternative: fetch via HTTP from a go-kev server\n+# type = \"http\"\n+# url = \"http://localhost:1327\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# --- Notification Targets (uncomment to enable) ---\n+\n+# [slack]\n+# hookURL = \"https://hooks.slack.com/services/xxx\"\n+# channel = \"#vuls-notification\"\n+# authUser = \"vuls\"\n+# iconEmoji = \":ghost:\"\n+# notifyUsers = [\"@user1\"]\n+\n+# [email]\n+# smtpAddr = \"smtp.example.com\"\n+# smtpPort = \"587\"\n+# tlsMode = \"STARTTLS\"\n+# user = \"vuls@example.com\"\n+# password = \"secret\"\n+# from = \"vuls@example.com\"\n+# to = [\"admin@example.com\"]\n+# subjectPrefix = \"[Vuls]\"\n+\n+# --- Default Server Settings ---\n+\n+[default]\n+port = \"22\"\n+user = \"vuls-user\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\n+\n+# --- Servers ---\n+\n+[servers]\n+\n+[servers.web-server-01]\n+host = \"192.168.1.10\"\n+port = \"22\"\n+user = \"admin\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+\n+[servers.db-server-01]\n+host = \"192.168.1.20\"\n+port = \"22\"\n+user = \"admin\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\ndiff --git a/contrib/sample-kev-scan-result.json b/contrib/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..84b0b3e\n--- /dev/null\n+++ b/contrib/sample-kev-scan-result.json\n@@ -0,0 +1,59 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vendor Example Product Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"Example Product contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/security/advisory-2024-001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vendor Example Product Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"Example Product contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0000001\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/XDB-0000001\",\n+                \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/CVE-0000-0000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/threat-report-2024\",\n+                \"dateAdded\": \"2024-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {\n+        \"cisa\": null,\n+        \"jpcert\": null,\n+        \"uscert\": null\n+      }\n+    }\n+  }\n+}\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..7d2793a 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = convertKEVulns(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertKEVulns(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +113,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\tNote: k.Notes,\n+\t\t\t},\n+\t\t}\n+\t\tif !k.DueDate.IsZero() {\n+\t\t\tdueDate := k.DueDate\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..8dff901 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.SliceStable(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..71b15c9 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,6 +911,57 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of a KEV entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the KEV type for CISA Known Exploited Vulnerabilities\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is the KEV type for VulnCheck Known Exploited Vulnerabilities\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType      `json:\"type\"`\n+\tVendorProject              string       `json:\"vendorProject\"`\n+\tProduct                    string       `json:\"product\"`\n+\tVulnerabilityName          string       `json:\"vulnerabilityName\"`\n+\tShortDescription           string       `json:\"shortDescription\"`\n+\tRequiredAction             string       `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string       `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time    `json:\"dateAdded\"`\n+\tDueDate                    *time.Time   `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV     `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..e3aef8f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..dcd70d3 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T15:14:58.610188Z"}, {"uuid": "3bb1555b-3d15-47f2-8775-cd36fde5c6ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/f1cdb10bf413a796b61ebd49200001b6", "content": "diff --git a/README.md b/README.md\nindex 57102d1..1f2116e 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data through go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,12 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Example Configuration\n+\n+Use `examples/config.toml.example` as a redacted starting point for enabling database-backed reporting, including KEV enrichment via the `[kevuln]` section. The example uses placeholder hosts and paths only; do not publish values from a live `config.toml` because it may contain credentials.\n+\n+A synthetic scan-result sample showing the first-class `kevs` field is available at `examples/kev-scan-result.json`.\n+\n ----\n \n ## Authors\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..80b3d08 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -17,7 +18,6 @@ import (\n \t\"github.com/future-architect/vuls/models\"\n \t\"github.com/future-architect/vuls/util\"\n \tkevulndb \"github.com/vulsio/go-kev/db\"\n-\tkevulnmodels \"github.com/vulsio/go-kev/models\"\n \tkevulnlog \"github.com/vulsio/go-kev/utils\"\n )\n \n@@ -74,23 +74,18 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n+\t\t\tkevulns := []map[string]json.RawMessage{}\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevs) &gt; 0 {\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +118,132 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(src any) ([]models.KEV, error) {\n+\tb, err := json.Marshal(src)\n+\tif err != nil {\n+\t\treturn nil, err\n+\t}\n+\tvar raws []map[string]json.RawMessage\n+\tif err := json.Unmarshal(b, &amp;raws); err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType(raw),\n+\t\t\tVendorProject:              rawString(raw, \"vendorProject\", \"vendor_project\", \"VendorProject\"),\n+\t\t\tProduct:                    rawString(raw, \"product\", \"Product\"),\n+\t\t\tVulnerabilityName:          rawString(raw, \"vulnerabilityName\", \"vulnerability_name\", \"VulnerabilityName\"),\n+\t\t\tShortDescription:           rawString(raw, \"shortDescription\", \"short_description\", \"ShortDescription\"),\n+\t\t\tRequiredAction:             rawString(raw, \"requiredAction\", \"required_action\", \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: rawString(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\", \"KnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  rawTime(raw, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t}\n+\t\tif dueDate := rawTime(raw, \"dueDate\", \"due_date\", \"DueDate\"); !dueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\n+\t\tswitch kev.Type {\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheckXDB(raw),\n+\t\t\t\tReportedExploitation: vulnCheckReportedExploitation(raw),\n+\t\t\t}\n+\t\tdefault:\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: rawString(raw, \"note\", \"notes\", \"Note\", \"Notes\")}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func kevType(raw map[string]json.RawMessage) models.KEVType {\n+\tt := strings.ToLower(rawString(raw, \"type\", \"source\", \"Type\", \"Source\"))\n+\tswitch t {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := raw[\"xdb\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := raw[\"reportedExploitation\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\tif _, ok := raw[\"reported_exploitation\"]; ok {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\treturn models.CISAKEVType\n+}\n+\n+func vulnCheckXDB(raw map[string]json.RawMessage) []models.VulnCheckXDB {\n+\tvar xs []map[string]json.RawMessage\n+\tif !rawValue(raw, &amp;xs, \"xdb\", \"XDB\") {\n+\t\treturn nil\n+\t}\n+\tres := make([]models.VulnCheckXDB, 0, len(xs))\n+\tfor _, x := range xs {\n+\t\tres = append(res, models.VulnCheckXDB{\n+\t\t\tXDBID:       rawString(x, \"xdbID\", \"xdb_id\", \"XDBID\"),\n+\t\t\tXDBURL:      rawString(x, \"xdbURL\", \"xdb_url\", \"XDBURL\"),\n+\t\t\tDateAdded:   rawTime(x, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t\tExploitType: rawString(x, \"exploitType\", \"exploit_type\", \"ExploitType\"),\n+\t\t\tCloneSSHURL: rawString(x, \"cloneSSHURL\", \"clone_ssh_url\", \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn res\n+}\n+\n+func vulnCheckReportedExploitation(raw map[string]json.RawMessage) []models.VulnCheckReportedExploitation {\n+\tvar xs []map[string]json.RawMessage\n+\tif !rawValue(raw, &amp;xs, \"reportedExploitation\", \"reported_exploitation\", \"ReportedExploitation\") {\n+\t\treturn nil\n+\t}\n+\tres := make([]models.VulnCheckReportedExploitation, 0, len(xs))\n+\tfor _, x := range xs {\n+\t\tres = append(res, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       rawString(x, \"url\", \"URL\"),\n+\t\t\tDateAdded: rawTime(x, \"dateAdded\", \"date_added\", \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn res\n+}\n+\n+func rawString(raw map[string]json.RawMessage, keys ...string) string {\n+\tvar s string\n+\tif rawValue(raw, &amp;s, keys...) {\n+\t\treturn s\n+\t}\n+\treturn \"\"\n+}\n+\n+func rawTime(raw map[string]json.RawMessage, keys ...string) time.Time {\n+\ts := rawString(raw, keys...)\n+\tif s == \"\" {\n+\t\treturn time.Time{}\n+\t}\n+\tfor _, layout := range []string{time.RFC3339Nano, time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func rawValue(raw map[string]json.RawMessage, v any, keys ...string) bool {\n+\tfor _, key := range keys {\n+\t\tb, ok := raw[key]\n+\t\tif !ok || len(b) == 0 || string(b) == \"null\" {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif err := json.Unmarshal(b, v); err == nil {\n+\t\t\treturn true\n+\t\t}\n+\t}\n+\treturn false\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..83118f3\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,39 @@\n+# Synthetic example configuration for enabling KEV enrichment.\n+# Do not copy secrets from a live config.toml into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\ndiff --git a/examples/kev-scan-result.json b/examples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..03cf142\n--- /dev/null\n+++ b/examples/kev-scan-result.json\n@@ -0,0 +1,78 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example; not sourced from production results.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/example-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.0.1\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.0.0\",\n+      \"newVersion\": \"1.0.1\"\n+    }\n+  }\n+}\ndiff --git a/models/kev_test.go b/models/kev_test.go\nnew file mode 100644\nindex 0000000..a2e170c\n--- /dev/null\n+++ b/models/kev_test.go\n@@ -0,0 +1,48 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_SortForJSONOutput_KEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0000\": {\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"beta\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0000\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"beta\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t}\n+\tif len(got) != len(want) {\n+\t\tt.Fatalf(\"got %d KEVs, want %d\", len(got), len(want))\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Errorf(\"got KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-0000-0003\": {},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Errorf(\"got %q, want %q\", got, want)\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ac3f157 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..e090f64 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,24 +911,73 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType is a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                          KEVType        `json:\"type,omitempty\"`\n+\tVendorProject                 string         `json:\"vendorProject,omitempty\"`\n+\tProduct                       string         `json:\"product,omitempty\"`\n+\tVulnerabilityName             string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription              string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse    string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                     time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                       *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                          *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                     *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\t// CISA is deprecated. KEV data is reported through VulnInfo.KEVs.\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..4ad6455 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"%s KEV\", strings.ToUpper(string(kev.Type))), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n@@ -616,7 +617,7 @@ No CVE-IDs are found in updatable packages.\n }\n \n func formatCsvList(r models.ScanResult, path string) error {\n-\tdata := [][]string{{\"CVE-ID\", \"CVSS\", \"Attack\", \"PoC\", \"CERT\", \"Fixed\", \"NVD\"}}\n+\tdata := [][]string{{\"CVE-ID\", \"CVSS\", \"Attack\", \"PoC\", \"KEV\", \"CERT\", \"Fixed\", \"NVD\"}}\n \tfor _, vinfo := range r.ScannedCves.ToSortedSlice() {\n \t\tmax := vinfo.MaxCvssScore().Value.Score\n \n@@ -637,6 +638,7 @@ func formatCsvList(r models.ScanResult, path string) error {\n \t\t\tfmt.Sprintf(\"%4.1f\", max),\n \t\t\tvinfo.AttackVector(),\n \t\t\texploits,\n+\t\t\tfmt.Sprintf(\"%t\", len(vinfo.KEVs) &gt; 0),\n \t\t\tvinfo.AlertDict.FormatSource(),\n \t\t\tvinfo.PatchStatus(r.Packages),\n \t\t\tlink,\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..7b4c278 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV\",\n+\t\t\t\t\"===\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", strings.ToUpper(string(kev.Type)), kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T15:14:58.712974Z"}, {"uuid": "9502ac19-1d59-4c6b-8f83-4d9ddeb5aac8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/715187891d31dbc85c22921d3f7b0317", "content": "diff --git a/README.md b/README.md\nindex 57102d1..5262391 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,11 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities\n+\n+&gt; **Note**: To enable CISA and VulnCheck KEV reporting, see the [config.toml.example](config.toml.example) file for a complete sample configuration.\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..adfac66\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,43 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kev]\n+# Enable KEV (Known Exploited Vulnerabilities) reporting\n+cisa = true\n+vulncheck = true\n+\n+[servers]\n+[servers.example-server]\n+host = \"192.168.1.100\" # Placeholder IP\n+port = \"22\"\n+user = \"vuls-user\"\n+sshConfigPath = \"/path/to/.ssh/config\"\n+keyPath = \"/path/to/.ssh/id_rsa\"\n+# SSH passphrase must be redacted/omitted or use a placeholder\n+# keyPassphrase = \"PLACEHOLDER_PASSPHRASE\"\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"smtp-user\"\n+# password = \"PLACEHOLDER_SMTP_PASSWORD\"\n+from = \"vuls@example.com\"\n+to = [\"security-team@example.com\"]\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/PLACEHOLDER/WEBHOOK/URL\"\n+channel = \"#vuls-alerts\"\n+authUser = \"vuls-bot\"\n+\n+[chatwork]\n+apiToken = \"PLACEHOLDER_CHATWORK_TOKEN\"\n+room = \"123456\"\n\\ No newline at end of file\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..c29c8e6 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,17 +197,29 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatUpdatablePkgsSummary returns a summary of updatable packages\n func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \tmode := r.Config.Scan.Servers[r.ServerName].Mode\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..e10605c\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,51 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_Sort_KEV(t *testing.T) {\n+\ttests := []struct {\n+\t\tname     string\n+\t\tfields   ScanResult\n+\t\texpected ScanResult\n+\t}{\n+\t\t{\n+\t\t\tname: \"sort KEVs by Type then VulnerabilityName\",\n+\t\t\tfields: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2023-0001\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"B VulnCheck\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"Z CISA\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"A VulnCheck\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"A CISA\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2023-0001\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"A CISA\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"Z CISA\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"A VulnCheck\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"B VulnCheck\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tr := &amp;tt.fields\n+\t\t\tr.SortForJSONOutput()\n+\t\t\tif !reflect.DeepEqual(r.ScannedCves, tt.expected.ScannedCves) {\n+\t\t\t\tt.Errorf(\"act %+v, want %+v\", r.ScannedCves, tt.expected.ScannedCves)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..4c7b3a1 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -882,6 +883,55 @@ func (p DistroAdvisory) Format() string {\n \treturn strings.Join(buf, \"\\n\")\n }\n \n+// KEVType represents the source of the Known Exploited Vulnerability data\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType        `json:\"type\"`\n+\tVendorProject              string         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck Reported Exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Exploit :\n type Exploit struct {\n \tExploitType  exploitmodels.ExploitType `json:\"exploitType\"`\n@@ -910,24 +960,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa\"` // Retained for compatibility with tests\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..460b5dd 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,8 +566,12 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tif kev.Type == models.CISAKEVType &amp;&amp; kev.CISA != nil {\n+\t\t\t\tdata = append(data, []string{\"CISA KEV\", fmt.Sprintf(\"%s (Action: %s, Due: %s)\", kev.VulnerabilityName, kev.RequiredAction, kev.DueDate.Format(\"2006-01-02\"))})\n+\t\t\t} else if kev.Type == models.VulnCheckKEVType &amp;&amp; kev.VulnCheck != nil {\n+\t\t\t\tdata = append(data, []string{\"VulnCheck KEV\", kev.VulnerabilityName})\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample_kev_scan.json b/sample_kev_scan.json\nnew file mode 100644\nindex 0000000..4e765d0\n--- /dev/null\n+++ b/sample_kev_scan.json\n@@ -0,0 +1,38 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2026-07-03T12:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vulnerabilityName\": \"Example KEV Vulnerability\",\n+          \"shortDescription\": \"A synthetic example of a known exploited vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"dueDate\": \"2026-08-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"This is a placeholder CISA note.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vulnerabilityName\": \"Example KEV Vulnerability\",\n+          \"vulncheck\": {\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2026-07-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n", "creation_timestamp": "2026-07-03T15:14:58.960107Z"}, {"uuid": "71ae7d0b-70f9-4bb6-8ce7-e94ecbd41d31", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/3e72b3c9227027b891536a54bffaac83", "content": "diff --git a/README.md b/README.md\nindex 57102d1..4698ff1 100644\n--- a/README.md\n+++ b/README.md\n@@ -163,6 +163,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - See `config.toml.example` in the repository for a synthetic placeholder configuration with KEVs support.\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..7a67843\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,37 @@\n+[default]\n+# This is a synthetic redacted example configuration for Vuls with KEV reporting enabled\n+# Only placeholder values are used in this configuration.\n+\n+cveDict = { type = \"sqlite3\", SQLite3Path = \"/path/to/cve.sqlite3\" }\n+ovalDict = { type = \"sqlite3\", SQLite3Path = \"/path/to/oval.sqlite3\" }\n+gostDict = { type = \"sqlite3\", SQLite3Path = \"/path/to/gost.sqlite3\" }\n+exploitDict = { type = \"sqlite3\", SQLite3Path = \"/path/to/go-exploitdb.sqlite3\" }\n+msfDict = { type = \"sqlite3\", SQLite3Path = \"/path/to/go-msfdb.sqlite3\" }\n+kevDict = { type = \"sqlite3\", SQLite3Path = \"/path/to/go-kev.sqlite3\" } # Enable KEV data here\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.168.0.1\"\n+port = \"22\"\n+user = \"vuls\"\n+sshConfigPath = \"/home/vuls/.ssh/config\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+# passphrase = \"PLACEHOLDER_PASSPHRASE\" # Redacted\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\" # Redacted\n+channel = \"#vuls\"\n+authUser = \"vuls-bot\"\n+\n+[chatwork]\n+apiToken = \"PLACEHOLDER_CHATWORK_TOKEN\" # Redacted\n+room = \"12345678\"\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"alert@example.com\"\n+# password = \"PLACEHOLDER_SMTP_PASSWORD\" # Redacted\n+from = \"vuls@example.com\"\n+to = [\"admin@example.com\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..c78b3f0 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,26 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !kevulns[0].DueDate.IsZero() {\n+\t\t\t\t\tdueDate = &amp;kevulns[0].DueDate\n+\t\t\t\t}\n+\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              kevulns[0].VendorProject,\n+\t\t\t\t\tProduct:                    kevulns[0].Product,\n+\t\t\t\t\tVulnerabilityName:          kevulns[0].VulnerabilityName,\n+\t\t\t\t\tShortDescription:           kevulns[0].ShortDescription,\n+\t\t\t\t\tRequiredAction:             kevulns[0].RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: kevulns[0].KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  kevulns[0].DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: kevulns[0].Notes,\n+\t\t\t\t\t},\n+\t\t\t\t})\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +116,24 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tvar dueDate *time.Time\n+\t\t\tif !kevulns[0].DueDate.IsZero() {\n+\t\t\t\tdueDate = &amp;kevulns[0].DueDate\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\tVendorProject:              kevulns[0].VendorProject,\n+\t\t\t\tProduct:                    kevulns[0].Product,\n+\t\t\t\tVulnerabilityName:          kevulns[0].VulnerabilityName,\n+\t\t\t\tShortDescription:           kevulns[0].ShortDescription,\n+\t\t\t\tRequiredAction:             kevulns[0].RequiredAction,\n+\t\t\t\tKnownRansomwareCampaignUse: kevulns[0].KnownRansomwareCampaignUse,\n+\t\t\t\tDateAdded:                  kevulns[0].DateAdded,\n+\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\tNote: kevulns[0].Notes,\n+\t\t\t\t},\n+\t\t\t})\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/docs/example-scan-result.json b/docs/example-scan-result.json\nnew file mode 100644\nindex 0000000..920deb4\n--- /dev/null\n+++ b/docs/example-scan-result.json\n@@ -0,0 +1,63 @@\n+{\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"container\": {},\n+  \"platform\": {\n+    \"Name\": \"\"\n+  },\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"ChangelogExactMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"notFixedYet\": false,\n+          \"fixedIn\": \"1.2.3-1\"\n+        }\n+      ],\n+      \"cveContents\": {\n+        \"nvd\": [\n+          {\n+            \"type\": \"nvd\",\n+            \"cveID\": \"CVE-0000-0000\",\n+            \"title\": \"Example Vulnerability\",\n+            \"summary\": \"This is an example vulnerability for demonstration purposes.\",\n+            \"cvss3Score\": 9.8,\n+            \"cvss3Vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n+            \"cvss3Severity\": \"CRITICAL\"\n+          }\n+        ]\n+      },\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is an example CISA KEV entry.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is an example VulnCheck KEV entry.\",\n+          \"dateAdded\": \"2024-01-02T00:00:00Z\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..4d8b76b 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEVs\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tkevCnt := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tkevCnt++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", kevCnt)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..46517f8\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,95 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\ttests := []struct {\n+\t\tname string\n+\t\tr    ScanResult\n+\t\twant string\n+\t}{\n+\t\t{\n+\t\t\tname: \"no kevs\",\n+\t\t\tr: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-1\": VulnInfo{},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\twant: \"0 kevs\",\n+\t\t},\n+\t\t{\n+\t\t\tname: \"some kevs\",\n+\t\t\tr: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-1\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t\t\"CVE-2\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t\t\"CVE-3\": VulnInfo{},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\twant: \"2 kevs\",\n+\t\t},\n+\t}\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tif got := tt.r.FormatKEVCveSummary(); got != tt.want {\n+\t\t\t\tt.Errorf(\"ScanResult.FormatKEVCveSummary() = %v, want %v\", got, tt.want)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n+\n+func TestScanResult_Sort_KEV(t *testing.T) {\n+\ttests := []struct {\n+\t\tname     string\n+\t\tfields   ScanResult\n+\t\texpected ScanResult\n+\t}{\n+\t\t{\n+\t\t\tname: \"sort KEVs by Type and VulnerabilityName\",\n+\t\t\tfields: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"B\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"B\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"A\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"A\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"A\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"B\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"A\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"B\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tr := tt.fields\n+\t\t\tr.SortForJSONOutput()\n+\t\t\tif !reflect.DeepEqual(r.ScannedCves, tt.expected.ScannedCves) {\n+\t\t\t\tt.Errorf(\"act %+v, want %+v\", r.ScannedCves, tt.expected.ScannedCves)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..241cd4c 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,66 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType is the type of KEV\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV represents Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType                        `json:\"type\"`\n+\tVendorProject              string                         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string                         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string                         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string                         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string                         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string                         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time                      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time                     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV                       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV                  `json:\"vulncheck,omitempty\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/test_kev.go b/test_kev.go\nnew file mode 100644\nindex 0000000..415dfba\n--- /dev/null\n+++ b/test_kev.go\n@@ -0,0 +1,15 @@\n+package main\n+\n+import (\n+\t\"fmt\"\n+\t\"reflect\"\n+\n+\tkevulnmodels \"github.com/vulsio/go-kev/models\"\n+)\n+\n+func main() {\n+\tt := reflect.TypeOf(kevulnmodels.KEVuln{})\n+\tfor i := 0; i &lt; t.NumField(); i++ {\n+\t\tfmt.Printf(\"Field: %s (%v)\\n\", t.Field(i).Name, t.Field(i).Type)\n+\t}\n+}\ndiff --git a/test_kev2.go b/test_kev2.go\nnew file mode 100644\nindex 0000000..e78b8d3\n--- /dev/null\n+++ b/test_kev2.go\n@@ -0,0 +1,42 @@\n+package main\n+\n+import (\n+\t\"fmt\"\n+\t\"go/ast\"\n+\t\"go/parser\"\n+\t\"go/token\"\n+\t\"os\"\n+\t\"path/filepath\"\n+)\n+\n+func main() {\n+\tgopath := os.Getenv(\"GOPATH\")\n+\tif gopath == \"\" {\n+\t\tgopath = \"/root/go\"\n+\t}\n+\terr := filepath.Walk(gopath+\"/pkg/mod/github.com/vulsio/go-kev@v0.1.4-0.20240318121733-b3386e67d3fb/models\", func(path string, info os.FileInfo, err error) error {\n+\t\tif err != nil {\n+\t\t\treturn err\n+\t\t}\n+\t\tif !info.IsDir() &amp;&amp; filepath.Ext(path) == \".go\" {\n+\t\t\tfset := token.NewFileSet()\n+\t\t\tf, err := parser.ParseFile(fset, path, nil, 0)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n+\t\t\t}\n+\t\t\tfor _, decl := range f.Decls {\n+\t\t\t\tif gen, ok := decl.(*ast.GenDecl); ok &amp;&amp; gen.Tok == token.TYPE {\n+\t\t\t\t\tfor _, spec := range gen.Specs {\n+\t\t\t\t\t\tif typeSpec, ok := spec.(*ast.TypeSpec); ok {\n+\t\t\t\t\t\t\tfmt.Printf(\"Found Type: %s\\n\", typeSpec.Name.Name)\n+\t\t\t\t\t\t}\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t}\n+\t\t}\n+\t\treturn nil\n+\t})\n+\tif err != nil {\n+\t\tfmt.Println(\"Error:\", err)\n+\t}\n+}\n", "creation_timestamp": "2026-07-03T15:14:59.115947Z"}, {"uuid": "23cb816c-8870-4ee1-be40-1cde5242a744", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/58deef2a32dde82375b4ad31f234dea0", "content": "diff --git a/README.md b/README.md\nindex 57102d1..71b5fe3 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,12 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Example Configuration\n+\n+Use `config.toml.example` as a synthetic starting point for enabling KEV reporting via `go-kev`. It includes a `[kevuln]` SQLite configuration and placeholder scan target values only; replace paths, users, and hosts before use.\n+\n+`sample-scan-result-kev.json` shows the new `scannedCves.*.kevs` output shape for CISA and VulnCheck KEV entries with redacted sample data.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..5e9d067\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,42 @@\n+# Synthetic Vuls configuration with KEV reporting enabled.\n+# Copy to config.toml and replace all placeholder paths and hosts before use.\n+\n+resultsDir = \"/var/lib/vuls/results\"\n+lang = \"en\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cve-dictionary.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/goval-dictionary.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..c84d57d 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -78,22 +78,16 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulnsToModel(kevulns)...)\n \t\t\t\tnKEV++\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulnsToModel(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,59 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulnsToModel(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tbs, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tvar raw struct {\n+\t\t\tType                       models.KEVType       `json:\"type,omitempty\"`\n+\t\t\tVendorProject              string               `json:\"vendorProject,omitempty\"`\n+\t\t\tProduct                    string               `json:\"product,omitempty\"`\n+\t\t\tVulnerabilityName          string               `json:\"vulnerabilityName,omitempty\"`\n+\t\t\tShortDescription           string               `json:\"shortDescription,omitempty\"`\n+\t\t\tRequiredAction             string               `json:\"requiredAction,omitempty\"`\n+\t\t\tKnownRansomwareCampaignUse string               `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\t\t\tDateAdded                  time.Time            `json:\"dateAdded,omitempty\"`\n+\t\t\tDueDate                    *time.Time           `json:\"dueDate,omitempty\"`\n+\t\t\tNotes                      string               `json:\"notes,omitempty\"`\n+\t\t\tNote                       string               `json:\"note,omitempty\"`\n+\t\t\tCISA                       *models.CISAKEV      `json:\"cisa,omitempty\"`\n+\t\t\tVulnCheck                  *models.VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+\t\t}\n+\t\tif err := json.Unmarshal(bs, &amp;raw); err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       raw.Type,\n+\t\t\tVendorProject:              raw.VendorProject,\n+\t\t\tProduct:                    raw.Product,\n+\t\t\tVulnerabilityName:          raw.VulnerabilityName,\n+\t\t\tShortDescription:           raw.ShortDescription,\n+\t\t\tRequiredAction:             raw.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: raw.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  raw.DateAdded,\n+\t\t\tDueDate:                    raw.DueDate,\n+\t\t\tCISA:                       raw.CISA,\n+\t\t\tVulnCheck:                  raw.VulnCheck,\n+\t\t}\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tif kev.CISA == nil &amp;&amp; kev.Type == models.CISAKEVType {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: raw.Note}\n+\t\t\tif kev.CISA.Note == \"\" {\n+\t\t\t\tkev.CISA.Note = raw.Notes\n+\t\t\t}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..80359c6 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..8aa7c35\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,73 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {CveID: \"CVE-0000-0001\", KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {CveID: \"CVE-0000-0002\", KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-0000-0003\": {CveID: \"CVE-0000-0003\"},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Fatalf(\"FormatKEVCveSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tCveID: \"CVE-0000-0001\",\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t}\n+\tif len(got) != len(want) {\n+\t\tt.Fatalf(\"len(KEVs) = %d, want %d\", len(got), len(want))\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Fatalf(\"KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\n+\n+func TestScanResult_FormatAlertSummaryIgnoresLegacyCISA(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tAlertDict: AlertDict{\n+\t\t\t\t\tCISA:   []Alert{{Title: \"legacy cisa\"}},\n+\t\t\t\t\tUSCERT: []Alert{{Title: \"uscert\"}},\n+\t\t\t\t\tJPCERT: []Alert{{Title: \"jpcert\"}},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatAlertSummary(), \"uscert: 1, jpcert: 1 alerts\"; got != want {\n+\t\tt.Fatalf(\"FormatAlertSummary() = %q, want %q\", got, want)\n+\t}\n+\tif got, want := r.ScannedCves[\"CVE-0000-0001\"].AlertDict.FormatSource(), \"CERT\"; got != want {\n+\t\tt.Fatalf(\"FormatSource() = %q, want %q\", got, want)\n+\t}\n+\tif r.ScannedCves[\"CVE-0000-0001\"].AlertDict.IsEmpty() {\n+\t\tt.Fatal(\"IsEmpty() = true, want false\")\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..b4986cf 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -277,6 +278,58 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType is a Known Exploited Vulnerabilities source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV catalog source.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation evidence.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,24 +963,22 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\t// CISA is kept only for reading legacy JSON. KEV data is reported via VulnInfo.KEVs.\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..703e9c8 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-scan-result-kev.json b/sample-scan-result-kev.json\nnew file mode 100644\nindex 0000000..02b7457\n--- /dev/null\n+++ b/sample-scan-result-kev.json\n@@ -0,0 +1,76 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"ipv4Addrs\": [\"192.0.2.10\"],\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry showing the CISA shape in scan output.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry showing the VulnCheck shape in scan output.\",\n+          \"requiredAction\": \"Review exploitation evidence and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.0.1\"\n+        }\n+      ],\n+      \"alertDict\": {}\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T15:14:59.202666Z"}, {"uuid": "51ba6a6e-3e74-4c41-858a-0d7ee0af1c26", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/77743de9a95f031f0aa2257e8135c535", "content": "diff --git a/README.md b/README.md\nindex 57102d1..a624799 100644\n--- a/README.md\n+++ b/README.md\n@@ -181,6 +181,10 @@ For more information such as Installation, Tutorial, Usage, visit [vuls.io](http\n \n ----\n \n+## Configuration Example\n+\n+An example configuration file with KEV reporting enabled and dummy values has been added to the repository as `config.toml.example`. You can copy it to `config.toml` and adjust to your environment.\n+\n ## Authors\n \n kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..b6c3acc\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,30 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+[servers.example-host]\n+host     = \"192.0.2.1\"\n+port     = \"22\"\n+user     = \"user\"\n+keyPath  = \"/path/to/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9d831b0 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -90,7 +90,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -117,7 +116,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..8fa653a 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,9 +205,21 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatUpdatablePkgsSummary returns a summary of updatable packages\n func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \tmode := r.Config.Scan.Servers[r.ServerName].Mode\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..388beb5 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,11 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"c\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +289,11 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"c\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +356,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +415,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..a30818a 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,63 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..5b69cb3\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,52 @@\n+{\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic example of a Known Exploited Vulnerability.\",\n+          \"requiredAction\": \"Update to the latest version.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Apply updates per vendor instructions.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic example of a Known Exploited Vulnerability from VulnCheck.\",\n+          \"requiredAction\": \"Update to the latest version.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0000\",\n+                \"xdbURL\": \"https://example.com/xdb/0000\",\n+                \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+                \"exploitType\": \"Remote Code Execution\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/0000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2023-01-01T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..e3fa34c 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,20 +812,10 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n-\t\t\t\t\"=============\",\n+\t\t\t\t\"===========\",\n \t\t\t)\n \t\t\tfor _, alert := range vinfo.AlertDict.USCERT {\n \t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n", "creation_timestamp": "2026-07-03T16:13:56.245737Z"}, {"uuid": "2b633224-011d-4d39-8b3b-2b81ea036ec7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/504f5f6a1b1af59e2d91cbfde103380b", "content": "diff --git a/README.md b/README.md\nindex 57102d1..8a59f80 100644\n--- a/README.md\n+++ b/README.md\n@@ -92,6 +92,7 @@ Vuls is a tool created to solve the problems listed above. It has the following\n \n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - CISA and VulnCheck KEV findings are emitted in scan results as first-class `kevs` entries. See `config.toml.example` for a synthetic KEV-enabled configuration and `sample-kev-scan-result.json` for redacted JSON output.\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..cbc8d4c\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,43 @@\n+# Synthetic example configuration for KEV reporting.\n+# Replace paths and hosts with values for your environment before use.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+scanMode = [\"fast-root\"]\n+user = \"example-user\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"example-user\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..84b8af3 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,8 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"reflect\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,19 +81,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulns(kevulns)...)\n+\t\t\t\tif len(kevulns) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulns(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +113,104 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tkevs = append(kevs, convertKEVuln(kevuln))\n+\t}\n+\treturn kevs\n+}\n+\n+func convertKEVuln(kevuln kevulnmodels.KEVuln) models.KEV {\n+\tv := reflect.ValueOf(kevuln)\n+\tkev := models.KEV{\n+\t\tType:                       kevType(v),\n+\t\tVendorProject:              stringField(v, \"VendorProject\"),\n+\t\tProduct:                    stringField(v, \"Product\"),\n+\t\tVulnerabilityName:          stringField(v, \"VulnerabilityName\"),\n+\t\tShortDescription:           stringField(v, \"ShortDescription\"),\n+\t\tRequiredAction:             stringField(v, \"RequiredAction\"),\n+\t\tKnownRansomwareCampaignUse: stringField(v, \"KnownRansomwareCampaignUse\"),\n+\t\tDateAdded:                  timeField(v, \"DateAdded\"),\n+\t\tDueDate:                    timePtrField(v, \"DueDate\"),\n+\t}\n+\tswitch kev.Type {\n+\tcase models.VulnCheckKEVType:\n+\t\tkev.VulnCheck = vulnCheckKEV(v)\n+\tdefault:\n+\t\tkev.CISA = &amp;models.CISAKEV{Note: stringField(v, \"Notes\", \"Note\")}\n+\t}\n+\treturn kev\n+}\n+\n+func kevType(v reflect.Value) models.KEVType {\n+\tif s := stringField(v, \"Type\", \"Source\"); strings.EqualFold(s, string(models.VulnCheckKEVType)) {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\treturn models.CISAKEVType\n+}\n+\n+func stringField(v reflect.Value, names ...string) string {\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif f.IsValid() &amp;&amp; f.Kind() == reflect.String {\n+\t\t\treturn f.String()\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func vulnCheckKEV(v reflect.Value) *models.VulnCheckKEV {\n+\tvulnCheck := &amp;models.VulnCheckKEV{}\n+\tsetJSONField(v, &amp;vulnCheck.XDB, \"XDB\", \"Xdb\")\n+\tsetJSONField(v, &amp;vulnCheck.ReportedExploitation, \"ReportedExploitation\")\n+\treturn vulnCheck\n+}\n+\n+func setJSONField(v reflect.Value, dst interface{}, names ...string) {\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif !f.IsValid() || f.IsZero() {\n+\t\t\tcontinue\n+\t\t}\n+\t\tb, err := json.Marshal(f.Interface())\n+\t\tif err != nil {\n+\t\t\treturn\n+\t\t}\n+\t\t_ = json.Unmarshal(b, dst)\n+\t\treturn\n+\t}\n+}\n+\n+func timeField(v reflect.Value, name string) time.Time {\n+\tf := v.FieldByName(name)\n+\tif f.IsValid() &amp;&amp; f.Type() == reflect.TypeOf(time.Time{}) {\n+\t\treturn f.Interface().(time.Time)\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func timePtrField(v reflect.Value, name string) *time.Time {\n+\tf := v.FieldByName(name)\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif f.Type() == reflect.TypeOf(time.Time{}) {\n+\t\tt := f.Interface().(time.Time)\n+\t\tif t.IsZero() {\n+\t\t\treturn nil\n+\t\t}\n+\t\treturn &amp;t\n+\t}\n+\tif f.Type() == reflect.TypeOf((*time.Time)(nil)) &amp;&amp; !f.IsNil() {\n+\t\tt := f.Interface().(*time.Time)\n+\t\tif t.IsZero() {\n+\t\t\treturn nil\n+\t\t}\n+\t\treturn t\n+\t}\n+\treturn nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..b2fd6aa 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..17f9807 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -266,6 +266,7 @@ type VulnInfo struct {\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n@@ -277,6 +278,58 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType represents a known-exploited-vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                         KEVType       `json:\"type\"`\n+\tVendorProject                string        `json:\"vendorProject,omitempty\"`\n+\tProduct                      string        `json:\"product,omitempty\"`\n+\tVulnerabilityName            string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time     `json:\"dateAdded\"`\n+\tDueDate                      *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database details.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck exploitation reports.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,24 +963,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"` // Deprecated: KEV data is emitted through VulnInfo.KEVs.\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..703e9c8 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev-scan-result.json b/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..7196c8f\n--- /dev/null\n+++ b/sample-kev-scan-result.json\n@@ -0,0 +1,64 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3-1\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Improper Input Validation Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry showing the JSON output shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only; not a real CISA KEV record.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Improper Input Validation Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry showing source-specific details.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/repository.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T16:13:56.280049Z"}, {"uuid": "d99666ba-c595-442c-8b43-d7c5ef0f662a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/240a938921e979843d92a47b28d7cc51", "content": "diff --git a/README.md b/README.md\nindex 57102d1..33c9883 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV (Known Exploited Vulnerabilities)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -174,6 +175,13 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Configuration\n+\n+An example configuration file is available at [examples/config.toml.example](examples/config.toml.example).\n+Copy it to `config.toml` and edit for your environment.\n+\n+A sample scan result showing the KEV (Known Exploited Vulnerabilities) field structure is available at [examples/sample-scan-result-with-kevs.json](examples/sample-scan-result-with-kevs.json).\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..bc0f2c8\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,50 @@\n+# Vuls example configuration\n+# Copy this file to config.toml and edit it for your environment.\n+\n+# Version must be \"v2\"\n+version = \"v2\"\n+\n+# [cveDict]\n+# type = \"sqlite3\"\n+# sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+# [ovalDict]\n+# type = \"sqlite3\"\n+# sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+# [gost]\n+# type = \"sqlite3\"\n+# sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+# [exploit]\n+# type = \"sqlite3\"\n+# sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+# [metasploit]\n+# type = \"sqlite3\"\n+# sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# KEV (Known Exploited Vulnerabilities) configuration\n+# Supports CISA and VulnCheck KEV sources.\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+# [cti]\n+# type = \"sqlite3\"\n+# sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# Default settings applied to all servers unless overridden\n+[default]\n+# port = \"22\"\n+# user = \"vuls\"\n+# keyPath = \"/home/vuls/.ssh/id_rsa\"\n+\n+# Define scan targets\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.168.0.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\ndiff --git a/examples/sample-scan-result-with-kevs.json b/examples/sample-scan-result-with-kevs.json\nnew file mode 100644\nindex 0000000..af00ae3\n--- /dev/null\n+++ b/examples/sample-scan-result-with-kevs.json\n@@ -0,0 +1,88 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ],\n+      \"cveContents\": {\n+        \"nvd\": [\n+          {\n+            \"cvss3Score\": 9.8,\n+            \"cvss3Severity\": \"CRITICAL\",\n+            \"summary\": \"This is a synthetic example vulnerability for documentation purposes.\"\n+          }\n+        ]\n+      },\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleProduct contains a remote code execution vulnerability that allows an attacker to execute arbitrary code.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://www.example.com/security/advisory-0000\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleProduct contains a remote code execution vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0000001\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/XDB-0000001\",\n+                \"dateAdded\": \"2026-01-11T00:00:00Z\",\n+                \"exploitType\": \"poc\",\n+                \"cloneSSHURL\": \"git@github.com:example/poc-CVE-0000-0000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://www.example.com/threat-intel/exploitation-report\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {}\n+    }\n+  },\n+  \"packages\": {\n+    \"example-pkg\": {\n+      \"name\": \"example-pkg\",\n+      \"version\": \"1.2.3\",\n+      \"release\": \"1\",\n+      \"newVersion\": \"1.2.4\",\n+      \"newRelease\": \"1\"\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..a825df3 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..5867efd 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,6 +911,58 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of a Known Exploited Vulnerability entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T16:13:56.329203Z"}, {"uuid": "9065ddc8-1ac8-4e84-89a9-0c9a1a8109ae", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/ded65725c2033d8f9b196376c2a0f647", "content": "diff --git a/README.md b/README.md\nindex 57102d1..8e1c800 100644\n--- a/README.md\n+++ b/README.md\n@@ -181,6 +181,20 @@ For more information such as Installation, Tutorial, Usage, visit [vuls.io](http\n \n ----\n \n+## Configuration Example (KEV)\n+\n+Vuls supports Known Exploited Vulnerabilities (KEV) reporting via CISA and VulnCheck.\n+\n+See [config.toml.example](config.toml.example) for a ready-to-use configuration:\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+```\n+\n+----\n+\n ## Authors\n \n kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..24d8f96\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,72 @@\n+# Vuls configuration example with KEV reporting enabled\n+# Copy to config.toml and edit values for your environment\n+# DO NOT commit real credentials\n+\n+[default]\n+# Example server (replace with your actual servers)\n+# [servers.example-host]\n+# host = \"example-host.example.com\"\n+# port = \"22\"\n+# user = \"scanuser\"\n+# keyPath = \"/path/to/private_key\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+# Enable Known Exploited Vulnerabilities (KEV) reporting\n+# Supports CISA KEV and VulnCheck KEV sources\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+# Alternatively, fetch via HTTP:\n+# type = \"http\"\n+# url = \"http://localhost:1325\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/REDACTED/REDACTED/REDACTED\"\n+channel = \"#vuls\"\n+authUser = \"vuls\"\n+notifyUsers = []\n+\n+[mail]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"vuls@example.com\"\n+password = \"REDACTED\"\n+from = \"vuls@example.com\"\n+to = [\"admin@example.com\"]\n+subjectPrefix = \"[vuls]\"\n+\n+[chatwork]\n+apiKey = \"REDACTED\"\n+room = \"123456\"\n+notifyUsers = []\n+\n+[syslog]\n+protocol = \"udp\"\n+host = \"localhost\"\n+port = \"514\"\n+tag = \"vuls\"\n+facility = \"local0\"\n+severity = \"notice\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..12bc5a7 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\t// TODO: map kevulnmodels.KEVuln fields to models.KEV\n+\t\t\t\tv.KEVs = []models.KEV{{\n+\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\tVulnerabilityName: res.request.cveID,\n+\t\t\t\t}}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,11 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\t// TODO: map kevulnmodels.KEVuln fields to models.KEV\n+\t\t\tvuln.KEVs = []models.KEV{{\n+\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\tVulnerabilityName: cveID,\n+\t\t\t}}\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..97b8a21 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..c8bfbc3 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -256,6 +256,57 @@ type PackageFixStatus struct {\n \tFixedIn     string `json:\"fixedIn,omitempty\"`\n }\n \n+// KEVType is the type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType   `json:\"type,omitempty\"`\n+\tVendorProject              string    `json:\"vendorProject,omitempty\"`\n+\tProduct                    string    `json:\"product,omitempty\"`\n+\tVulnerabilityName          string    `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string    `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string    `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string    `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID         string    `json:\"xdbID,omitempty\"`\n+\tXDBURL        string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded     time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType   string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL   string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck Reported Exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // VulnInfo has a vulnerability information and unsecure packages\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n@@ -275,6 +326,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -912,22 +964,19 @@ type Mitigation struct {\n \n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n-\tJPCERT []Alert `json:\"jpcert\"`\n-\tUSCERT []Alert `json:\"uscert\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n+\tJPCERT []Alert `json:\"jpcert,omitempty\"`\n+\tUSCERT []Alert `json:\"uscert,omitempty\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev_scan.json b/sample_kev_scan.json\nnew file mode 100644\nindex 0000000..c307089\n--- /dev/null\n+++ b/sample_kev_scan.json\n@@ -0,0 +1,60 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description for KEV entry.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example CISA note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability (VulnCheck)\",\n+          \"shortDescription\": \"Example VulnCheck KEV entry.\",\n+          \"requiredAction\": \"Apply mitigations.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"12345\",\n+                \"xdbURL\": \"https://example.com/xdb/12345\",\n+                \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploit-report\",\n+                \"dateAdded\": \"2024-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"cveContents\": {}\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T16:13:56.370952Z"}, {"uuid": "42851af6-ad46-490c-8995-ccbaf27ece12", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/7c92d7b7db6d06f43c128170047b4ccc", "content": "diff --git a/README.md b/README.md\nindex 57102d1..7b5a448 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n+- CISA(Cybersecurity &amp; Infrastructure Security Agency) &amp; VulnCheck\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - Vuls now reports KEV status as a first-class field. For a sample configuration on how to enable this (and redact credentials), see [config.toml.example](config.toml.example).\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..a359d10\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,49 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/go-msfdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/go-kev.sqlite3\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+channel = \"#vuls-alerts\"\n+authUser = \"vuls\"\n+\n+[chatwork]\n+apiToken = \"dummy_chatwork_token\"\n+room = \"123456789\"\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"vuls-scanner@example.com\"\n+password = \"dummy_smtp_password\"\n+from = \"vuls-scanner@example.com\"\n+to = [\"security-team@example.com\"]\n+\n+[servers]\n+\n+[servers.example-prod-web]\n+host = \"10.0.0.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+passphrase = \"dummy_ssh_passphrase\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..7dd91de 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,20 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\t// Convert kevulns to KEVs\n+\t\t\t\tfor _, kev := range kevulns {\n+\t\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\t\tVulnerabilityName: kev.VulnerabilityName,\n+\t\t\t\t\t\tVendorProject:     kev.VendorProject,\n+\t\t\t\t\t\tProduct:           kev.Product,\n+\t\t\t\t\t\tShortDescription:  kev.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:    kev.RequiredAction,\n+\t\t\t\t\t\tDateAdded:         kev.DateAdded,\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +110,19 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\t// Convert kevulns to KEVs\n+\t\t\tfor _, kev := range kevulns {\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\tVulnerabilityName: kev.VulnerabilityName,\n+\t\t\t\t\tVendorProject:     kev.VendorProject,\n+\t\t\t\t\tProduct:           kev.Product,\n+\t\t\t\t\tShortDescription:  kev.ShortDescription,\n+\t\t\t\t\tRequiredAction:    kev.RequiredAction,\n+\t\t\t\t\tDateAdded:         kev.DateAdded,\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..3a94737 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVs)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..4d65fa0 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,11 +354,20 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\t\tJPCERT: []Alert{\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n \t\t\t},\n@@ -417,10 +426,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..6af8496 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -256,6 +256,57 @@ type PackageFixStatus struct {\n \tFixedIn     string `json:\"fixedIn,omitempty\"`\n }\n \n+// KEVType is the type of KEV source\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is for VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV is Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific fields\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB fields\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid\"`\n+\tXDBURL      string    `json:\"xdburl\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation fields\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // VulnInfo has a vulnerability information and unsecure packages\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n@@ -267,6 +318,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,24 +962,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev-scan.json b/sample-kev-scan.json\nnew file mode 100644\nindex 0000000..f305661\n--- /dev/null\n+++ b/sample-kev-scan.json\n@@ -0,0 +1,81 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"example-uuid\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"container\": {\n+    \"containerID\": \"\",\n+    \"name\": \"\",\n+    \"image\": \"\",\n+    \"type\": \"\",\n+    \"uuid\": \"\"\n+  },\n+  \"platform\": {\n+    \"name\": \"\",\n+    \"instanceID\": \"\"\n+  },\n+  \"scannedAt\": \"2023-10-25T10:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"v0.22.0\",\n+  \"scannedRevision\": \"1234567\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"local\",\n+  \"reportedAt\": \"2023-10-25T10:05:00Z\",\n+  \"reportedVersion\": \"v0.22.0\",\n+  \"reportedRevision\": \"1234567\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"UbuntuAPIMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"notFixedYet\": false,\n+          \"fixState\": \"fixed\",\n+          \"fixedIn\": \"1.0.1-1ubuntu1\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic KEV example.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-10-01T00:00:00Z\"\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0-150-generic\",\n+    \"version\": \"#167-Ubuntu SMP\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {\n+    \"example-pkg\": {\n+      \"name\": \"example-pkg\",\n+      \"version\": \"1.0.0-1ubuntu1\",\n+      \"release\": \"\",\n+      \"newVersion\": \"1.0.1-1ubuntu1\",\n+      \"newRelease\": \"\",\n+      \"repository\": \"example-repo\"\n+    }\n+  },\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tracking-issue-example.md b/tracking-issue-example.md\nnew file mode 100644\nindex 0000000..36e6f65\n--- /dev/null\n+++ b/tracking-issue-example.md\n@@ -0,0 +1,30 @@\n+# Example Scan Result for Tracking Issue\n+\n+To demonstrate the new `kevs` field, here is a synthetic/redacted sample output. \n+Note: Real scan output containing internal infrastructure inventory and credentials has been intentionally avoided to prevent leaking sensitive data.\n+\n+```json\n+{\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-10-25T10:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic KEV example.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-10-01T00:00:00Z\"\n+        }\n+      ]\n+    }\n+  }\n+}\n+```\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T16:13:56.467451Z"}, {"uuid": "82886f6d-58c1-417e-abb6-c9c62148584b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/8d21adfc1a51e3a6fcff46f87fd9a7a6", "content": "diff --git a/README.md b/README.md\nindex 57102d1..cb9223d 100644\n--- a/README.md\n+++ b/README.md\n@@ -181,6 +181,20 @@ For more information such as Installation, Tutorial, Usage, visit [vuls.io](http\n \n ----\n \n+## KEV Configuration Example\n+\n+To enable Known Exploited Vulnerabilities (CISA / VulnCheck) reporting, add a `[kevuln]` section to your `config.toml`:\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"go-kev.sqlite3\"\n+```\n+\n+See [config.toml.example](./config.toml.example) for a complete example configuration.\n+\n+----\n+\n ## Authors\n \n kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..3a1c8fa\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,53 @@\n+[cvedb]\n+type = \"sqlite3\"\n+sqlite3Path = \"cve.sqlite3\"\n+\n+[ovaldb]\n+type = \"sqlite3\"\n+sqlite3Path = \"oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"go-cti.sqlite3\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/XXXXXXXXX/XXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+channel = \"#vuls\"\n+authUser = \"vuls\"\n+\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"username\"\n+password = \"password\"\n+from = \"vuls@example.com\"\n+to = [\"to@example.com\"]\n+\n+[default]\n+#port = \"22\"\n+#user = \"scanuser\"\n+#keyPath = \"/home/scanuser/.ssh/id_rsa\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"example-host\"\n+port = \"22\"\n+user = \"scanuser\"\n+keyPath = \"/home/scanuser/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..2291981 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,27 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tkevs := make([]models.KEV, 0, len(kevulns))\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tdueDate := k.DueDate\n+\t\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;dueDate,\n+\t\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t\t},\n+\t\t\t\t\t})\n+\t\t\t\t}\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +117,25 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := make([]models.KEV, 0, len(kevulns))\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tdueDate := k.DueDate\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/kev_sample.json b/kev_sample.json\nnew file mode 100644\nindex 0000000..9edb2ae\n--- /dev/null\n+++ b/kev_sample.json\n@@ -0,0 +1,54 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"notes\": \"Example notes\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"XXXXX\",\n+                \"xdbUrl\": \"https://example.com/xdb/XXXXX\",\n+                \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSshUrl\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..947a0f3 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..407aebe 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,73 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is a KEV type for CISA\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is a KEV type for VulnCheck\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType   `json:\"type,omitempty\"`\n+\tVendorProject              string    `json:\"vendorProject,omitempty\"`\n+\tProduct                    string    `json:\"product,omitempty\"`\n+\tVulnerabilityName          string    `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string    `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string    `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string    `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"notes,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck Reported Exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data\n+// CISA field is kept for backward compatibility with old scan results, but KEV information is now stored in VulnInfo.KEVs.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T16:13:56.564851Z"}, {"uuid": "3e26ce22-5967-40c7-9789-3f9e84561288", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/9ff8c711a2f4c24c5652683284a7312b", "content": "diff --git a/README.md b/README.md\nindex 57102d1..2a63602 100644\n--- a/README.md\n+++ b/README.md\n@@ -172,6 +172,10 @@ Vuls has some options to detect the vulnerabilities\n \n - Vuls doesn't update the vulnerable packages.\n \n+## Example Configuration\n+\n+A ready-to-use synthetic example configuration is available in [config.toml.example](config.toml.example) showing how to set up KEV reporting and other Vuls settings.\n+\n ----\n \n ## Document\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..c837c47\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,29 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers.example-host]\n+host = \"192.168.0.1\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/path/to/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9d831b0 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -90,7 +90,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -117,7 +116,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..4e82317 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVs)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..f2e7595 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..b34ff9e 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -912,22 +913,18 @@ type Mitigation struct {\n \n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n@@ -1089,3 +1086,55 @@ var (\n \t// FortinetVendorProductMatch is a ranking how confident the CVE-ID was detected correctly\n \tFortinetVendorProductMatch = Confidence{10, FortinetVendorProductMatchStr, 9}\n )\n+\n+// KEVType is a type of KEV source\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the type for CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the type for VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV contains Known Exploited Vulnerabilities info\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV holds CISA-specific KEV info\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV holds VulnCheck-specific KEV info\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB holds VulnCheck XDB details\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation holds reported exploitation details\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev.json b/sample_kev.json\nnew file mode 100644\nindex 0000000..b709ba6\n--- /dev/null\n+++ b/sample_kev.json\n@@ -0,0 +1,52 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"example-vendor\",\n+          \"product\": \"example-product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic example KEV entry for demonstration.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"example-vendor\",\n+          \"product\": \"example-product\",\n+          \"vulnerabilityName\": \"Example Vulnerability (VulnCheck)\",\n+          \"dateAdded\": \"2023-01-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0000\",\n+                \"xdbURL\": \"https://example.com/xdb/0000\",\n+                \"dateAdded\": \"2023-01-02T00:00:00Z\",\n+                \"exploitType\": \"local\",\n+                \"cloneSSHURL\": \"git@github.com:example/xdb.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2023-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T16:13:56.615026Z"}, {"uuid": "6d7e2c0d-fcf0-41e1-8701-009d3376bd37", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/5116c24aa6ce2802bcd6f240a04d70a7", "content": "diff --git a/README.md b/README.md\nindex 57102d1..2f19ec3 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,11 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n+- Known Exploited Vulnerabilities\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck Known Exploited Vulnerabilities](https://vulncheck.com/kev)\n+  - Enable KEV enrichment with the synthetic example in [examples/config-kev.toml.example](examples/config-kev.toml.example)\n+  - See [examples/scan-result-kev.json](examples/scan-result-kev.json) for the `kevs` JSON field shape\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..ae0ce6a 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -60,6 +61,18 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t}()\n \n \tnKEV := 0\n+\tsetKEVs := func(vuln models.VulnInfo, kevulns []kevulnmodels.KEVuln) (models.VulnInfo, bool, error) {\n+\t\tkevs, err := convertKEVulns(kevulns)\n+\t\tif err != nil {\n+\t\t\treturn vuln, false, err\n+\t\t}\n+\t\tif len(kevs) == 0 {\n+\t\t\treturn vuln, false, nil\n+\t\t}\n+\t\tvuln.KEVs = kevs\n+\t\treturn vuln, true, nil\n+\t}\n+\n \tif client.driver == nil {\n \t\tvar cveIDs []string\n \t\tfor cveID := range r.ScannedCves {\n@@ -79,19 +92,15 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv, detected, err := setKEVs(v, kevulns)\n+\t\t\t\tif err != nil {\n+\t\t\t\t\treturn err\n+\t\t\t\t}\n+\t\t\t\tif detected {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,17 +117,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tvuln, detected, err := setKEVs(vuln, kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n+\t\t\t}\n+\t\t\tif detected {\n+\t\t\t\tnKEV++\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\n@@ -127,6 +132,128 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\n+\t\tvar raw map[string]interface{}\n+\t\tif err := json.Unmarshal(b, &amp;raw); err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\n+\t\tkevType := models.KEVType(strings.ToLower(firstString(raw, \"type\", \"kevType\", \"source\")))\n+\t\tif kevType == \"\" {\n+\t\t\tif _, ok := raw[\"vulncheck\"]; ok {\n+\t\t\t\tkevType = models.VulnCheckKEVType\n+\t\t\t} else if _, ok := raw[\"xdb\"]; ok {\n+\t\t\t\tkevType = models.VulnCheckKEVType\n+\t\t\t} else {\n+\t\t\t\tkevType = models.CISAKEVType\n+\t\t\t}\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType,\n+\t\t\tVendorProject:              firstString(raw, \"vendorProject\", \"vendor_project\", \"vendor\"),\n+\t\t\tProduct:                    firstString(raw, \"product\"),\n+\t\t\tVulnerabilityName:          firstString(raw, \"vulnerabilityName\", \"vulnerability_name\", \"name\"),\n+\t\t\tShortDescription:           firstString(raw, \"shortDescription\", \"short_description\", \"description\"),\n+\t\t\tRequiredAction:             firstString(raw, \"requiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse: firstString(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                  firstTime(raw, \"dateAdded\", \"date_added\"),\n+\t\t}\n+\n+\t\tif dueDate := firstTime(raw, \"dueDate\", \"due_date\"); !dueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\n+\t\tswitch kev.Type {\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheckXDBs(raw),\n+\t\t\t\tReportedExploitation: vulnCheckReportedExploitations(raw),\n+\t\t\t}\n+\t\tdefault:\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: firstString(raw, \"note\", \"notes\")}\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func firstString(m map[string]interface{}, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif s, ok := v.(string); ok {\n+\t\t\t\treturn s\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func firstTime(m map[string]interface{}, keys ...string) time.Time {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif s, ok := v.(string); ok &amp;&amp; s != \"\" {\n+\t\t\t\tif t, err := time.Parse(time.RFC3339, s); err == nil {\n+\t\t\t\t\treturn t\n+\t\t\t\t}\n+\t\t\t\tif t, err := time.Parse(\"2006-01-02\", s); err == nil {\n+\t\t\t\t\treturn t\n+\t\t\t\t}\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func objects(raw map[string]interface{}, keys ...string) []map[string]interface{} {\n+\tfor _, key := range keys {\n+\t\tif vs, ok := raw[key].([]interface{}); ok {\n+\t\t\tobjs := make([]map[string]interface{}, 0, len(vs))\n+\t\t\tfor _, v := range vs {\n+\t\t\t\tif obj, ok := v.(map[string]interface{}); ok {\n+\t\t\t\t\tobjs = append(objs, obj)\n+\t\t\t\t}\n+\t\t\t}\n+\t\t\treturn objs\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func vulnCheckXDBs(raw map[string]interface{}) []models.VulnCheckXDB {\n+\txdbs := []models.VulnCheckXDB{}\n+\tfor _, obj := range objects(raw, \"xdb\", \"xDB\", \"XDB\") {\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       firstString(obj, \"xdbID\", \"xdb_id\", \"id\"),\n+\t\t\tXDBURL:      firstString(obj, \"xdbURL\", \"xdb_url\", \"url\"),\n+\t\t\tDateAdded:   firstTime(obj, \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: firstString(obj, \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: firstString(obj, \"cloneSSHURL\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitations(raw map[string]interface{}) []models.VulnCheckReportedExploitation {\n+\treported := []models.VulnCheckReportedExploitation{}\n+\tfor _, obj := range objects(raw, \"reportedExploitation\", \"reported_exploitation\") {\n+\t\treported = append(reported, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       firstString(obj, \"url\"),\n+\t\t\tDateAdded: firstTime(obj, \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn reported\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config-kev.toml.example b/examples/config-kev.toml.example\nnew file mode 100644\nindex 0000000..1ec02d3\n--- /dev/null\n+++ b/examples/config-kev.toml.example\n@@ -0,0 +1,35 @@\n+# Synthetic example configuration for enabling KEV enrichment.\n+# Replace all placeholder hosts, users, and paths before use.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cve-dictionary.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/goval-dictionary.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[default]\n+scanMode = [\"fast-root\"]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\ndiff --git a/examples/scan-result-kev.json b/examples/scan-result-kev.json\nnew file mode 100644\nindex 0000000..f7ec040\n--- /dev/null\n+++ b/examples/scan-result-kev.json\n@@ -0,0 +1,68 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scannedVersion\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"example\",\n+                \"cloneSSHURL\": \"ssh://example.invalid/repo.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/advisory/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..dd33cbf 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..ed570d2 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies the source of Known Exploited Vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV data.\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV data.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database references.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation references.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +963,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"` // Deprecated: CISA KEV data is exposed through VulnInfo.KEVs.\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T16:13:56.757087Z"}, {"uuid": "2f4e113a-48f8-4015-83fe-eba2404aecd3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/1e0a754850c82ee68e54156b9adf3464", "content": "diff --git a/README.md b/README.md\nindex 57102d1..951c807 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- KEV(Known Exploited Vulnerabilities)\n+  - Configure `[kevuln]` in `config.toml` to include KEV data in scan results as first-class `kevs` entries. See [`config.toml.example`](config.toml.example) for a redacted, ready-to-use example and [`examples/sample-kev-scan-result.json`](examples/sample-kev-scan-result.json) for sample output.\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..5c3e92b\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,34 @@\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..2f39024 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -78,19 +78,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulns(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulns(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,25 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tdueDate := kevuln.DueDate\n+\t\tkevs = append(kevs, models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              kevuln.VendorProject,\n+\t\t\tProduct:                    kevuln.Product,\n+\t\t\tVulnerabilityName:          kevuln.VulnerabilityName,\n+\t\t\tShortDescription:           kevuln.ShortDescription,\n+\t\t\tRequiredAction:             kevuln.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: kevuln.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  kevuln.DateAdded,\n+\t\t\tDueDate:                    &amp;dueDate,\n+\t\t\tCISA:                       &amp;models.CISAKEV{Note: kevuln.Notes},\n+\t\t})\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/sample-kev-scan-result.json b/examples/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..bc4474c\n--- /dev/null\n+++ b/examples/sample-kev-scan-result.json\n@@ -0,0 +1,67 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"v0.0.0-example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"v0.0.0-example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic example of a CISA KEV entry in scan output.\",\n+          \"requiredAction\": \"Apply vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic documentation sample. Do not treat this as a real vulnerability record.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic example of a VulnCheck KEV entry in scan output.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"infoleak\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/cve-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..f17b095 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..517865b 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a Known Exploited Vulnerability source type.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV catalog source type.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is the VulnCheck KEV source type.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database fields.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation fields.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +962,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T17:33:43.378082Z"}, {"uuid": "d642ad66-47eb-4784-b55a-8987e5a88acd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/c94020aa27eaa93d3f5b7e89d19f5ba9", "content": "diff --git a/README.md b/README.md\nindex 57102d1..09df112 100644\n--- a/README.md\n+++ b/README.md\n@@ -174,6 +174,25 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Config Example\n+\n+A ready-to-use example with KEV reporting enabled is available at [config.toml.example](config.toml.example):\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+user = \"scanuser\"\n+keyPath = \"/home/scanuser/.ssh/id_rsa\"\n+```\n+\n+See [vuls.io](https://vuls.io/) for full configuration documentation.\n+\n+----\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..d9705d1\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,57 @@\n+# Vuls configuration example with KEV reporting enabled\n+# Copy to config.toml and edit for your environment\n+\n+[default]\n+#port = \"22\"\n+#user = \"vuls\"\n+#keyPath = \"/home/youruser/.ssh/id_rsa\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+# Enable KEV (Known Exploited Vulnerabilities) reporting\n+# Supports CISA KEV and VulnCheck KEV\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scanuser\"\n+keyPath = \"/home/scanuser/.ssh/id_rsa\"\n+# keyPassword = \"your-passphrase-here\"  # if encrypted, use --ask-key-password or VULS_SSH_KEY_PASSWORD\n+\n+# Optional: CPE names for scanning non-OS packages\n+# cpeNames = [\n+#   \"cpe:/a:apache:http_server:2.4.0\",\n+# ]\n+\n+# Optional: Ignore specific CVEs\n+# ignoreCves = [\"CVE-0000-0000\"]\n+\n+# Optional: Ignore packages by regex\n+# ignorePkgsRegexp = [\"^kernel-.*\"]\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..61e835d 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -428,6 +436,13 @@ func (r *ScanResult) SortForJSONOutput() {\n \n \t\tv.CveContents.Sort()\n \n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n \t\t})\ndiff --git a/models/testdata/kev_sample.json b/models/testdata/kev_sample.json\nnew file mode 100644\nindex 0000000..7de50bc\n--- /dev/null\n+++ b/models/testdata/kev_sample.json\n@@ -0,0 +1,61 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2025-01-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description for KEV entry.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example CISA note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example VulnCheck Entry\",\n+          \"shortDescription\": \"Example VulnCheck KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-02-01T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"XDB-EXAMPLE\",\n+                \"xdbUrl\": \"https://example.com/xdb/EXAMPLE\",\n+                \"dateAdded\": \"2024-02-01T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSshUrl\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-02-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"runningKernel\": {\n+    \"release\": \"\",\n+    \"version\": \"\",\n+    \"rebootRequired\": false\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..21b0101 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -257,6 +257,57 @@ type PackageFixStatus struct {\n }\n \n // VulnInfo has a vulnerability information and unsecure packages\n+// KEVType is the type of KEV source\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType   `json:\"type,omitempty\"`\n+\tVendorProject              string    `json:\"vendorProject,omitempty\"`\n+\tProduct                    string    `json:\"product,omitempty\"`\n+\tVulnerabilityName          string    `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string    `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string    `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string    `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV specific information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV specific information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation  []VulnCheckReportedExploitation  `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck Reported Exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n \tConfidences          Confidences          `json:\"confidences,omitempty\"`\n@@ -275,6 +326,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n-\tJPCERT []Alert `json:\"jpcert\"`\n-\tUSCERT []Alert `json:\"uscert\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n+\tJPCERT []Alert `json:\"jpcert,omitempty\"`\n+\tUSCERT []Alert `json:\"uscert,omitempty\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n", "creation_timestamp": "2026-07-03T17:33:44.001900Z"}, {"uuid": "7e6f9194-4582-412e-8118-78bb47dc09fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/3e873813bbc4615be1b5984942c4fdf1", "content": "diff --git a/README.md b/README.md\nindex 57102d1..5d3254d 100644\n--- a/README.md\n+++ b/README.md\n@@ -38,6 +38,7 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - Informs users of the servers that are affected.\n - Vulnerability detection is done automatically to prevent any oversight.\n - A report is generated on a regular basis using CRON or other methods. to manage vulnerability.\n+- Supports CISA and VulnCheck KEV (Known Exploited Vulnerabilities) reporting. See `config.toml.example` and `sample_kev.json` for details.\n \n ![Vuls-Motivation](img/vuls-motivation.png)\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..0699949\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,25 @@\n+[cisa]\n+url = \"https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json\"\n+\n+[vulncheck]\n+url = \"https://api.vulncheck.com/v3/index/kev\"\n+api_key = \"YOUR_VULNCHECK_API_KEY_HERE\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+\n+[chatwork]\n+apiToken = \"YOUR_CHATWORK_TOKEN_HERE\"\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"user@example.com\"\n+password = \"YOUR_SMTP_PASSWORD_HERE\"\n+\n+[servers]\n+[servers.example-host]\n+host = \"192.168.1.100\"\n+port = \"22\"\n+user = \"vuls\"\n+sshKeyPath = \"/home/vuls/.ssh/id_rsa\"\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ca07743 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,14 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type == v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t})\n+\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..28b0df6\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,51 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_Sort_KEV(t *testing.T) {\n+\ttests := []struct {\n+\t\tname     string\n+\t\tfields   ScanResult\n+\t\texpected ScanResult\n+\t}{\n+\t\t{\n+\t\t\tname: \"sort KEVs by Type then VulnerabilityName\",\n+\t\t\tfields: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2023-1234\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"B-Vuln\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"D-Vuln\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"C-Vuln\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"A-Vuln\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2023-1234\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"C-Vuln\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"D-Vuln\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"A-Vuln\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"B-Vuln\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tr := &amp;tt.fields\n+\t\t\tr.SortForJSONOutput()\n+\t\t\tif !reflect.DeepEqual(*r, tt.expected) {\n+\t\t\t\tt.Errorf(\"SortForJSONOutput() KEVs got = %v, want %v\", r.ScannedCves[\"CVE-2023-1234\"].KEVs, tt.expected.ScannedCves[\"CVE-2023-1234\"].KEVs)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n\\ No newline at end of file\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..cc5c33c 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,30 +911,77 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n \treturn strings.Join(s, \"/\")\n }\n \n+// KEVType represents the source of the KEV data\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV represents Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType    `json:\"type\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\n+\tCISA      *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV contains CISA specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV contains VulnCheck specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB represents VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation represents reported exploitation data\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Confidences is a list of Confidence\n type Confidences []Confidence\n \ndiff --git a/sample_kev.json b/sample_kev.json\nnew file mode 100644\nindex 0000000..2731b47\n--- /dev/null\n+++ b/sample_kev.json\n@@ -0,0 +1,34 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a redacted synthetic example KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vulnerabilityName\": \"Example Vulnerability 2\",\n+          \"vulncheck\": {\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploit\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n", "creation_timestamp": "2026-07-03T17:33:43.917584Z"}, {"uuid": "4f2803a8-bb5f-452e-b12d-a16d480c1ad4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/d74141e60ebe789520c0d3ab1529089e", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..05ee71a 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data through the KEV database configuration\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -163,6 +166,10 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+- Ready-to-use example configuration\n+  - See [config.toml.example](config.toml.example) for a redacted setup that enables KEV reporting with the `[kevuln]` database section.\n+- KEV scan result sample\n+  - See [docs/sample-kev-scan-result.json](docs/sample-kev-scan-result.json) for a synthetic scan result showing the first-class `kevs` field.\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..147c600\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,38 @@\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+scanMode = [\"fast\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..c91d439 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +80,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulns(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +100,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulns(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +110,127 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tbs, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil\n+\t}\n+\n+\tvar raws []map[string]interface{}\n+\tif err := json.Unmarshal(bs, &amp;raws); err != nil {\n+\t\treturn nil\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType(raw),\n+\t\t\tVendorProject:              stringValue(raw, \"vendorProject\", \"vendor_project\", \"vendor\"),\n+\t\t\tProduct:                    stringValue(raw, \"product\"),\n+\t\t\tVulnerabilityName:          stringValue(raw, \"vulnerabilityName\", \"vulnerability_name\"),\n+\t\t\tShortDescription:           stringValue(raw, \"shortDescription\", \"short_description\"),\n+\t\t\tRequiredAction:             stringValue(raw, \"requiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse: stringValue(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                  timeValue(raw, \"dateAdded\", \"date_added\"),\n+\t\t}\n+\n+\t\tif dueDate := timeValue(raw, \"dueDate\", \"due_date\"); !dueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\n+\t\tswitch kev.Type {\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheckXDBs(raw),\n+\t\t\t\tReportedExploitation: vulnCheckReportedExploitation(raw),\n+\t\t\t}\n+\t\tdefault:\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: stringValue(raw, \"note\", \"notes\")}\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\n+\treturn kevs\n+}\n+\n+func kevType(raw map[string]interface{}) models.KEVType {\n+\ttypeName := strings.ToLower(stringValue(raw, \"type\", \"source\"))\n+\tif strings.Contains(typeName, \"vulncheck\") {\n+\t\treturn models.VulnCheckKEVType\n+\t}\n+\treturn models.CISAKEVType\n+}\n+\n+func stringValue(raw map[string]interface{}, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif v, ok := raw[key]; ok {\n+\t\t\tif s, ok := v.(string); ok {\n+\t\t\t\treturn s\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func timeValue(raw map[string]interface{}, keys ...string) time.Time {\n+\ts := stringValue(raw, keys...)\n+\tif s == \"\" {\n+\t\treturn time.Time{}\n+\t}\n+\tfor _, layout := range []string{time.RFC3339Nano, time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func vulnCheckXDBs(raw map[string]interface{}) []models.VulnCheckXDB {\n+\tentries, ok := raw[\"xdb\"].([]interface{})\n+\tif !ok {\n+\t\treturn nil\n+\t}\n+\txdbs := make([]models.VulnCheckXDB, 0, len(entries))\n+\tfor _, entry := range entries {\n+\t\txdb, ok := entry.(map[string]interface{})\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       stringValue(xdb, \"xdbID\", \"xdb_id\"),\n+\t\t\tXDBURL:      stringValue(xdb, \"xdbURL\", \"xdb_url\"),\n+\t\t\tDateAdded:   timeValue(xdb, \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: stringValue(xdb, \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: stringValue(xdb, \"cloneSSHURL\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitation(raw map[string]interface{}) []models.VulnCheckReportedExploitation {\n+\tentries, ok := raw[\"reportedExploitation\"].([]interface{})\n+\tif !ok {\n+\t\tentries, ok = raw[\"reported_exploitation\"].([]interface{})\n+\t}\n+\tif !ok {\n+\t\treturn nil\n+\t}\n+\treports := make([]models.VulnCheckReportedExploitation, 0, len(entries))\n+\tfor _, entry := range entries {\n+\t\treport, ok := entry.(map[string]interface{})\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\treports = append(reports, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       stringValue(report, \"url\"),\n+\t\t\tDateAdded: timeValue(report, \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn reports\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/sample-kev-scan-result.json b/docs/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..39b2ad4\n--- /dev/null\n+++ b/docs/sample-kev-scan-result.json\n@@ -0,0 +1,75 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3-1\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing the CISA KEV JSON shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic documentation sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing the VulnCheck KEV JSON shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"example\",\n+                \"cloneSSHURL\": \"git@example.com:example/repository.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/research/example-report\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.2.2\",\n+      \"release\": \"1\"\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..2765dec 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..69f547c 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is the source of a Known Exploited Vulnerability entry.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck KEV data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                         KEVType        `json:\"type\"`\n+\tVendorProject                string         `json:\"vendorProject,omitempty\"`\n+\tProduct                      string         `json:\"product,omitempty\"`\n+\tVulnerabilityName            string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time      `json:\"dateAdded\"`\n+\tDueDate                      *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV  `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit details.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation details.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +963,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa\"` // Deprecated: KEV data is reported through VulnInfo.KEVs.\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T18:57:42.762779Z"}, {"uuid": "011da890-8917-4e65-8caf-c14c0545f737", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/3a5f8614d50f92694800139aa56ad1f4", "content": "diff --git a/README.md b/README.md\nindex 57102d1..96eb820 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,10 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities (KEV)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n+  - KEV data is promoted to a first-class field (`kevs`) on each vulnerability\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -156,6 +158,13 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+### Example Configuration\n+\n+An example configuration file is provided at [`config.toml.example`](config.toml.example).\n+Copy it to `config.toml` and edit to match your environment.\n+\n+A sample scan result demonstrating the KEV output format is available at [`examples/sample_scan_result.json`](examples/sample_scan_result.json).\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..8e3caa5\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,60 @@\n+# Vuls - Example Configuration\n+#\n+# Copy this file to config.toml and edit to match your environment.\n+# All credentials and host information below are placeholders.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# [default]\n+# port = \"22\"\n+# user = \"scan-user\"\n+# keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+\n+# --- Vulnerability Databases ---\n+\n+# CVE dictionary (go-cve-dictionary)\n+# [cveDict]\n+# type = \"sqlite3\"\n+# SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+# OVAL dictionary (goval-dictionary)\n+# [ovalDict]\n+# type = \"sqlite3\"\n+# SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+# Security tracker (gost)\n+# [gost]\n+# type = \"sqlite3\"\n+# SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+# Exploit database (go-exploitdb)\n+# [exploit]\n+# type = \"sqlite3\"\n+# SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+# Metasploit database (go-msfdb)\n+# [metasploit]\n+# type = \"sqlite3\"\n+# SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# Known Exploited Vulnerabilities (go-kev)\n+# Enables detection of CISA KEV catalog entries for scanned CVEs.\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+# Cyber Threat Intelligence (go-cti)\n+# [cti]\n+# type = \"sqlite3\"\n+# SQLite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# --- Scan Targets ---\n+\n+# Example server definition\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/home/scan-user/.ssh/id_rsa\"\n+scanMode = [\"fast\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f5cc2f7 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = convertToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +113,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\tNote: k.Notes,\n+\t\t\t},\n+\t\t}\n+\t\tif !k.DueDate.IsZero() {\n+\t\t\tdueDate := k.DueDate\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/sample_scan_result.json b/examples/sample_scan_result.json\nnew file mode 100644\nindex 0000000..6244295\n--- /dev/null\n+++ b/examples/sample_scan_result.json\n@@ -0,0 +1,79 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"Example Product contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"Example Product contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply mitigations per vendor instructions or discontinue use of the product.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0000-0000\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/example\",\n+                \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploitation-report\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {}\n+    }\n+  },\n+  \"packages\": {\n+    \"example-pkg\": {\n+      \"name\": \"example-pkg\",\n+      \"version\": \"1.2.3\",\n+      \"release\": \"1\",\n+      \"newVersion\": \"1.2.4\",\n+      \"newRelease\": \"1\"\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..38bd72f 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of how many scanned CVEs have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -428,14 +436,20 @@ func (r *ScanResult) SortForJSONOutput() {\n \n \t\tv.CveContents.Sort()\n \n+\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n+\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\t})\n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n \t\t})\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..65cc858 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,6 +911,58 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA Known Exploited Vulnerabilities source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck Known Exploited Vulnerabilities source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV data\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV data\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database entry data\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation data\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T18:57:43.011080Z"}, {"uuid": "3d7ef1a2-02df-4219-b826-4995c52fbdc7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/874861435fb07dffe5d8f4c6a466f8b2", "content": "diff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..453ee19\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,27 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host     = \"192.168.0.1\"\n+port     = \"22\"\n+user     = \"scan-user\"\n+keyPath  = \"/path/to/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..ce3d6df 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,23 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tfor _, kev := range kevulns {\n+\t\t\t\t\tdueDate := kev.DueDate\n+\t\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              kev.VendorProject,\n+\t\t\t\t\t\tProduct:                    kev.Product,\n+\t\t\t\t\t\tVulnerabilityName:          kev.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           kev.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             kev.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: kev.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  kev.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;dueDate,\n+\t\t\t\t\t\tCISA:                       &amp;models.CISAKEV{Note: kev.Notes},\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +113,21 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tfor _, kev := range kevulns {\n+\t\t\t\tdueDate := kev.DueDate\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              kev.VendorProject,\n+\t\t\t\t\tProduct:                    kev.Product,\n+\t\t\t\t\tVulnerabilityName:          kev.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           kev.ShortDescription,\n+\t\t\t\t\tRequiredAction:             kev.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: kev.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  kev.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;dueDate,\n+\t\t\t\t\tCISA:                       &amp;models.CISAKEV{Note: kev.Notes},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ab98f72 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKevCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -428,6 +436,13 @@ func (r *ScanResult) SortForJSONOutput() {\n \n \t\tv.CveContents.Sort()\n \n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n \t\t})\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..92d6ac2 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,24 +911,65 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+type KEV struct {\n+\tType                       KEVType    `json:\"type,omitempty\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\n+\tCISA      *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev_result.json b/sample_kev_result.json\nnew file mode 100644\nindex 0000000..4958d55\n--- /dev/null\n+++ b/sample_kev_result.json\n@@ -0,0 +1,25 @@\n+{\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic description for this example KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic CISA note\"\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T18:57:43.058264Z"}, {"uuid": "ee3c48c3-5b15-4246-832a-dd5f6354d6f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/6e8cef1c78ef74c3726a2b22ca3a9535", "content": "diff --git a/README.md b/README.md\nindex 57102d1..fbe206f 100644\n--- a/README.md\n+++ b/README.md\n@@ -181,6 +181,27 @@ For more information such as Installation, Tutorial, Usage, visit [vuls.io](http\n \n ----\n \n+## Example Configuration\n+\n+Vuls requires a `config.toml` file to specify scanning targets and reporting options. To enable KEV (Known Exploited Vulnerabilities) reporting, add a `[kevuln]` section to your config.\n+\n+Here is a synthetic example `config.toml.example` demonstrating a basic configuration with KEV enabled:\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kevuln.sqlite3\"\n+\n+[servers]\n+[servers.example-host]\n+host = \"192.168.0.100\"\n+port = \"22\"\n+user = \"dummyuser\"\n+keyPath = \"/path/to/dummy_rsa\"\n+```\n+\n+----\n+\n ## Authors\n \n kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..eb464e4\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,10 @@\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kevuln.sqlite3\"\n+\n+[servers]\n+[servers.example-host]\n+host = \"192.168.0.100\"\n+port = \"22\"\n+user = \"dummyuser\"\n+keyPath = \"/path/to/dummy_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f0230da 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,8 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +98,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..0599295 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEV := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEV++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEV)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..82a1b24 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType represents the source of the KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is for VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType        `json:\"type,omitempty\"`\n+\tVendorProject              string         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT, USCERT\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa\"` // deprecated: use KEV for CISA alerts\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-scan-result.json b/sample-scan-result.json\nnew file mode 100644\nindex 0000000..1424a97\n--- /dev/null\n+++ b/sample-scan-result.json\n@@ -0,0 +1,88 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"container\": {\n+    \"containerID\": \"\",\n+    \"name\": \"\",\n+    \"image\": \"\",\n+    \"type\": \"\",\n+    \"uuid\": \"\"\n+  },\n+  \"platform\": {\n+    \"name\": \"\",\n+    \"instanceID\": \"\"\n+  },\n+  \"scannedAt\": \"2026-07-03T12:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"0.20.0\",\n+  \"scannedRevision\": \"abcdef1\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"local\",\n+  \"reportedAt\": \"2026-07-03T12:00:00Z\",\n+  \"reportedVersion\": \"0.20.0\",\n+  \"reportedRevision\": \"abcdef1\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a placeholder vulnerability.\",\n+          \"requiredAction\": \"Update to the latest version.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note for CISA KEV\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability 2\",\n+          \"shortDescription\": \"This is another placeholder vulnerability.\",\n+          \"requiredAction\": \"Update to the latest version.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"XDB-001\",\n+                \"xdburl\": \"https://example.com/xdb/001\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+                \"exploitType\": \"Remote Code Execution\",\n+                \"cloneSshUrl\": \"git@example.com:exploits/001.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0-100-generic\",\n+    \"version\": \"1\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..89fce60 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,21 +812,12 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"USCERT Alert\",\n-\t\t\t\t\"=============\",\n-\t\t\t)\n+\t\t\tcontent.Data = append(content.Data,\n+\t\t\t\t[]string{\n+\t\t\t\t\t\"USCERT Alert\",\n+\t\t\t\t\t\"\",\n+\t\t\t\t})\n \t\t\tfor _, alert := range vinfo.AlertDict.USCERT {\n \t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n \t\t\t}\n", "creation_timestamp": "2026-07-03T18:57:42.463662Z"}, {"uuid": "b1160821-9c87-46d6-8bf3-da6ce21ebda7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/1263fa8ea1c9d2bdbbb4410ed0273673", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..c8a5ae7 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data through go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -166,6 +169,18 @@ Vuls has some options to detect the vulnerabilities\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \n+## KEV Reporting Example\n+\n+Use `config.toml.example` as a redacted starting point for enabling KEV reporting with go-kev. The KEV database is configured with the `[kevuln]` section:\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+```\n+\n+The report JSON exposes KEV information on each vulnerability under `scannedCves..kevs`. See `sample-kev-result.json` for a synthetic redacted scan result containing both CISA and VulnCheck KEV entries.\n+\n ----\n \n ## What Vuls Doesn't Do\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..ed5b6b5\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,36 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..45568db 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -5,7 +5,10 @@ package detector\n \n import (\n \t\"encoding/json\"\n+\t\"fmt\"\n \t\"net/http\"\n+\t\"reflect\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +82,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulns(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulns(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,181 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tv := reflect.ValueOf(kevuln)\n+\t\tkevs = append(kevs, models.KEV{\n+\t\t\tType:                       toKEVType(stringField(v, \"Type\", \"Source\")),\n+\t\t\tVendorProject:              stringField(v, \"VendorProject\", \"Vendor\", \"Project\"),\n+\t\t\tProduct:                    stringField(v, \"Product\"),\n+\t\t\tVulnerabilityName:          stringField(v, \"VulnerabilityName\", \"Name\"),\n+\t\t\tShortDescription:           stringField(v, \"ShortDescription\", \"Description\"),\n+\t\t\tRequiredAction:             stringField(v, \"RequiredAction\"),\n+\t\t\tKnownRansomwareCampaignUse: stringField(v, \"KnownRansomwareCampaignUse\"),\n+\t\t\tDateAdded:                  timeField(v, \"DateAdded\"),\n+\t\t\tDueDate:                    timePtrField(v, \"DueDate\"),\n+\t\t\tCISA:                       cisaKEVField(v),\n+\t\t\tVulnCheck:                  vulnCheckKEVField(v),\n+\t\t})\n+\t}\n+\treturn kevs\n+}\n+\n+func toKEVType(source string) models.KEVType {\n+\tswitch strings.ToLower(source) {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\tdefault:\n+\t\treturn models.CISAKEVType\n+\t}\n+}\n+\n+func stringField(v reflect.Value, names ...string) string {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif f.IsValid() {\n+\t\t\tswitch f.Kind() {\n+\t\t\tcase reflect.String:\n+\t\t\t\treturn f.String()\n+\t\t\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:\n+\t\t\t\treturn fmt.Sprint(f.Int())\n+\t\t\tcase reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:\n+\t\t\t\treturn fmt.Sprint(f.Uint())\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func timeField(v reflect.Value, names ...string) time.Time {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif f.IsValid() &amp;&amp; f.Type() == reflect.TypeOf(time.Time{}) {\n+\t\t\treturn f.Interface().(time.Time)\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func timePtrField(v reflect.Value, names ...string) *time.Time {\n+\tfor _, name := range names {\n+\t\tf := fieldByName(v, name)\n+\t\tif !f.IsValid() {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif f.Type() == reflect.TypeOf(time.Time{}) {\n+\t\t\tt := f.Interface().(time.Time)\n+\t\t\treturn &amp;t\n+\t\t}\n+\t\tif f.Type() == reflect.TypeOf((*time.Time)(nil)) &amp;&amp; !f.IsNil() {\n+\t\t\tt := f.Interface().(*time.Time)\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func cisaKEVField(v reflect.Value) *models.CISAKEV {\n+\tf := fieldByName(v, \"CISA\", \"Cisa\")\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif f.Kind() == reflect.Pointer {\n+\t\tif f.IsNil() {\n+\t\t\treturn nil\n+\t\t}\n+\t\tf = f.Elem()\n+\t}\n+\treturn &amp;models.CISAKEV{Note: stringField(f, \"Note\")}\n+}\n+\n+func vulnCheckKEVField(v reflect.Value) *models.VulnCheckKEV {\n+\tf := fieldByName(v, \"VulnCheck\", \"Vulncheck\")\n+\tif !f.IsValid() {\n+\t\treturn nil\n+\t}\n+\tif f.Kind() == reflect.Pointer {\n+\t\tif f.IsNil() {\n+\t\t\treturn nil\n+\t\t}\n+\t\tf = f.Elem()\n+\t}\n+\treturn &amp;models.VulnCheckKEV{\n+\t\tXDB:                  vulnCheckXDBField(f),\n+\t\tReportedExploitation: vulnCheckReportedExploitationField(f),\n+\t}\n+}\n+\n+func vulnCheckXDBField(v reflect.Value) []models.VulnCheckXDB {\n+\tf := fieldByName(v, \"XDB\", \"Xdb\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\txdbs := make([]models.VulnCheckXDB, 0, f.Len())\n+\tfor i := 0; i &lt; f.Len(); i++ {\n+\t\titem := f.Index(i)\n+\t\tif item.Kind() == reflect.Pointer {\n+\t\t\tif item.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\titem = item.Elem()\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       stringField(item, \"XDBID\", \"XdbID\", \"ID\"),\n+\t\t\tXDBURL:      stringField(item, \"XDBURL\", \"XdbURL\", \"URL\"),\n+\t\t\tDateAdded:   timeField(item, \"DateAdded\"),\n+\t\t\tExploitType: stringField(item, \"ExploitType\"),\n+\t\t\tCloneSSHURL: stringField(item, \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitationField(v reflect.Value) []models.VulnCheckReportedExploitation {\n+\tf := fieldByName(v, \"ReportedExploitation\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\texploitations := make([]models.VulnCheckReportedExploitation, 0, f.Len())\n+\tfor i := 0; i &lt; f.Len(); i++ {\n+\t\titem := f.Index(i)\n+\t\tif item.Kind() == reflect.Pointer {\n+\t\t\tif item.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\titem = item.Elem()\n+\t\t}\n+\t\texploitations = append(exploitations, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       stringField(item, \"URL\"),\n+\t\t\tDateAdded: timeField(item, \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn exploitations\n+}\n+\n+func fieldByName(v reflect.Value, names ...string) reflect.Value {\n+\tif !v.IsValid() {\n+\t\treturn reflect.Value{}\n+\t}\n+\tif v.Kind() == reflect.Pointer {\n+\t\tif v.IsNil() {\n+\t\t\treturn reflect.Value{}\n+\t\t}\n+\t\tv = v.Elem()\n+\t}\n+\tif v.Kind() != reflect.Struct {\n+\t\treturn reflect.Value{}\n+\t}\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif f.IsValid() &amp;&amp; f.CanInterface() {\n+\t\t\treturn f\n+\t\t}\n+\t}\n+\treturn reflect.Value{}\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/kev_test.go b/models/kev_test.go\nnew file mode 100644\nindex 0000000..651dcc1\n--- /dev/null\n+++ b/models/kev_test.go\n@@ -0,0 +1,92 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\ttests := []struct {\n+\t\tname string\n+\t\tr    ScanResult\n+\t\twant string\n+\t}{\n+\t\t{\n+\t\t\tname: \"counts cves with kev entries\",\n+\t\t\tr: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\t\"CVE-0000-0002\": {},\n+\t\t\t\t\"CVE-0000-0003\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t}},\n+\t\t\twant: \"2 kevs\",\n+\t\t},\n+\t\t{\n+\t\t\tname: \"empty\",\n+\t\t\tr:    ScanResult{ScannedCves: VulnInfos{}},\n+\t\t\twant: \"0 kevs\",\n+\t\t},\n+\t}\n+\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tif got := tt.r.FormatKEVCveSummary(); got != tt.want {\n+\t\t\t\tt.Errorf(\"FormatKEVCveSummary() = %q, want %q\", got, tt.want)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n+\n+func TestScanResult_FormatAlertSummaryExcludesCISA(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {AlertDict: AlertDict{\n+\t\t\tCISA:   []Alert{{Title: \"old kev alert\"}},\n+\t\t\tUSCERT: []Alert{{Title: \"uscert-1\"}},\n+\t\t\tJPCERT: []Alert{{Title: \"jpcert-1\"}, {Title: \"jpcert-2\"}},\n+\t\t}},\n+\t}}\n+\n+\tif got, want := r.FormatAlertSummary(), \"uscert: 1, jpcert: 2 alerts\"; got != want {\n+\t\tt.Errorf(\"FormatAlertSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestAlertDict_CISAIgnoredForGenericAlertState(t *testing.T) {\n+\ta := AlertDict{CISA: []Alert{{Title: \"old kev alert\"}}}\n+\n+\tif !a.IsEmpty() {\n+\t\tt.Errorf(\"IsEmpty() = false, want true for CISA-only alert dict\")\n+\t}\n+\tif got := a.FormatSource(); got != \"\" {\n+\t\tt.Errorf(\"FormatSource() = %q, want empty source for CISA-only alert dict\", got)\n+\t}\n+\n+\ta.USCERT = []Alert{{Title: \"uscert\"}}\n+\tif a.IsEmpty() {\n+\t\tt.Errorf(\"IsEmpty() = true, want false for CERT alert dict\")\n+\t}\n+\tif got, want := a.FormatSource(), \"CERT\"; got != want {\n+\t\tt.Errorf(\"FormatSource() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputSortsKEVs(t *testing.T) {\n+\tr := ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {KEVs: []KEV{\n+\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t}},\n+\t}}\n+\n+\tr.SortForJSONOutput()\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t}\n+\tfor i := range want {\n+\t\tif got[i] != want[i] {\n+\t\t\tt.Fatalf(\"KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..6cf2b38 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..6a3df97 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents CISA KEV catalog entries.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType represents VulnCheck KEV entries.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +962,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..3aa23ae 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,8 +566,29 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tsource := \"KEV\"\n+\t\t\tswitch kev.Type {\n+\t\t\tcase models.CISAKEVType:\n+\t\t\t\tsource = \"CISA KEV\"\n+\t\t\tcase models.VulnCheckKEVType:\n+\t\t\t\tsource = \"VulnCheck KEV\"\n+\t\t\t}\n+\t\t\tif kev.CISA != nil &amp;&amp; kev.CISA.Note != \"\" {\n+\t\t\t\tdata = append(data, []string{source, kev.CISA.Note})\n+\t\t\t}\n+\t\t\tif kev.VulnCheck != nil {\n+\t\t\t\tfor _, xdb := range kev.VulnCheck.XDB {\n+\t\t\t\t\tif xdb.XDBURL != \"\" {\n+\t\t\t\t\t\tdata = append(data, []string{source, xdb.XDBURL})\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t\tfor _, exploitation := range kev.VulnCheck.ReportedExploitation {\n+\t\t\t\t\tif exploitation.URL != \"\" {\n+\t\t\t\t\t\tdata = append(data, []string{source, exploitation.URL})\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample-kev-result.json b/sample-kev-result.json\nnew file mode 100644\nindex 0000000..005e83b\n--- /dev/null\n+++ b/sample-kev-result.json\n@@ -0,0 +1,58 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scannedVersion\": \"vuls-example\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing the first-class KEV JSON shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing VulnCheck KEV details.\",\n+          \"requiredAction\": \"Review exploitation evidence and remediate.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/vulncheck/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/research.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/advisory/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T18:57:42.582633Z"}, {"uuid": "20ad02a8-1e9c-43b0-a321-7aa8a800d988", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/1d6d41fdd53938b91dafcdc1a56d2f91", "content": "diff --git a/README.md b/README.md\nindex 57102d1..4449ee4 100644\n--- a/README.md\n+++ b/README.md\n@@ -156,6 +156,10 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+## Configuration\n+\n+A ready-to-use example configuration is provided in the repository. See [config.toml.example](config.toml.example) for a starting point, including how to enable CISA/VulnCheck KEV reporting.\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..894027c\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,27 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploitTensor]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[servers]\n+[servers.example-server]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scan-user\"\n+keyPath = \"/path/to/.ssh/id_rsa\"\n+# sshPassphrase = \"\" # intentionally redacted\n+\n+# KEV configuration\n+[kev]\n+enabled = true\n\\ No newline at end of file\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..934ffa7 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,9 +205,21 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKevCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevCve)\n+}\n+\n // FormatUpdatablePkgsSummary returns a summary of updatable packages\n func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \tmode := r.Config.Scan.Servers[r.ServerName].Mode\n@@ -257,9 +269,6 @@ func (r ScanResult) FormatAlertSummary() string {\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +276,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +443,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..19143b9 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,59 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n+}\n+\n+// KEVType represents the type of KEV source\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the type for CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the type for VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV represents Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType      `json:\"type\"`\n+\tVendorProject              string       `json:\"vendorProject,omitempty\"`\n+\tProduct                    string       `json:\"product,omitempty\"`\n+\tVulnerabilityName          string       `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string       `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string       `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string       `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time    `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time   `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV     `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has specific information for CISA KEV\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has specific information for VulnCheck KEV\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck Reported Exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +963,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev.json b/sample_kev.json\nnew file mode 100644\nindex 0000000..f829e91\n--- /dev/null\n+++ b/sample_kev.json\n@@ -0,0 +1,54 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T12:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"example-vendor\",\n+          \"product\": \"example-product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a redacted example of a CISA KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"example-vendor\",\n+          \"product\": \"example-product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a redacted example of a VulnCheck KEV.\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"XDB-0000\",\n+                \"xdbUrl\": \"https://example.com/xdb/0000\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+                \"exploitType\": \"RCE\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/0000\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tracking_issue_sample.md b/tracking_issue_sample.md\nnew file mode 100644\nindex 0000000..61220f0\n--- /dev/null\n+++ b/tracking_issue_sample.md\n@@ -0,0 +1,60 @@\n+# KEV Reporting Implementation\n+\n+Here is a synthetic, redacted sample of the new scan result format showing the `kevs` field populated, as requested for the tracking issue.\n+\n+```json\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T12:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"example-vendor\",\n+          \"product\": \"example-product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a redacted example of a CISA KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"example-vendor\",\n+          \"product\": \"example-product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a redacted example of a VulnCheck KEV.\",\n+          \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"XDB-0000\",\n+                \"xdbUrl\": \"https://example.com/xdb/0000\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\",\n+                \"exploitType\": \"RCE\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/0000\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n+```\n\\ No newline at end of file\n", "creation_timestamp": "2026-07-03T18:57:43.254243Z"}, {"uuid": "3819982c-c7cc-418e-8147-048d2e2ec275", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/a262637f0b6614e6fc25dbfb9f74b4fd", "content": "diff --git a/README.md b/README.md\nindex 57102d1..eb603ab 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/kev)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -179,6 +180,11 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Examples\n+\n+- `examples/config.toml.example` is a synthetic, ready-to-edit configuration that enables KEV reporting with the `[kevuln]` dictionary.\n+- `examples/kev-scan-result.sample.json` shows the new first-class `kevs` scan result field with synthetic CISA and VulnCheck entries.\n+\n ----\n \n ## Authors\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..34a2ca1 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -74,23 +75,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n-\t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n+\t\t\tkevs, err := convertKEVulnJSON([]byte(res.json))\n+\t\t\tif err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevs) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +118,95 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+type kevulnJSON struct {\n+\tType                       models.KEVType `json:\"type\"`\n+\tVendorProject              string         `json:\"vendorProject\"`\n+\tProduct                    string         `json:\"product\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName\"`\n+\tShortDescription           string         `json:\"shortDescription\"`\n+\tRequiredAction             string         `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded\"`\n+\tDueDate                    *time.Time     `json:\"dueDate\"`\n+\tNote                       string         `json:\"note\"`\n+\tNotes                      string         `json:\"notes\"`\n+\tCISA                       *models.CISAKEV `json:\"cisa\"`\n+\tVulnCheck                  *struct {\n+\t\tXDB                  []models.VulnCheckXDB                  `json:\"xdb\"`\n+\t\tReportedExploitation []models.VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+\t} `json:\"vulncheck\"`\n+\tXDB                  []models.VulnCheckXDB                  `json:\"xdb\"`\n+\tReportedExploitation []models.VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+}\n+\n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tbs, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil, err\n+\t}\n+\treturn convertKEVulnJSON(bs)\n+}\n+\n+func convertKEVulnJSON(bs []byte) ([]models.KEV, error) {\n+\tvar kevulns []kevulnJSON\n+\tif err := json.Unmarshal(bs, &amp;kevulns); err != nil {\n+\t\treturn nil, err\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tkevType := kevuln.Type\n+\t\tif kevType == \"\" {\n+\t\t\tkevType = models.CISAKEVType\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType,\n+\t\t\tVendorProject:              kevuln.VendorProject,\n+\t\t\tProduct:                    kevuln.Product,\n+\t\t\tVulnerabilityName:          kevuln.VulnerabilityName,\n+\t\t\tShortDescription:           kevuln.ShortDescription,\n+\t\t\tRequiredAction:             kevuln.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: kevuln.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  kevuln.DateAdded,\n+\t\t\tDueDate:                    kevuln.DueDate,\n+\t\t}\n+\n+\t\tswitch kevType {\n+\t\tcase models.CISAKEVType:\n+\t\t\tif kevuln.CISA != nil {\n+\t\t\t\tkev.CISA = kevuln.CISA\n+\t\t\t} else if note := firstNonEmpty(kevuln.Note, kevuln.Notes); note != \"\" {\n+\t\t\t\tkev.CISA = &amp;models.CISAKEV{Note: note}\n+\t\t\t}\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{}\n+\t\t\tif kevuln.VulnCheck != nil {\n+\t\t\t\tkev.VulnCheck.XDB = kevuln.VulnCheck.XDB\n+\t\t\t\tkev.VulnCheck.ReportedExploitation = kevuln.VulnCheck.ReportedExploitation\n+\t\t\t}\n+\t\t\tif len(kevuln.XDB) &gt; 0 {\n+\t\t\t\tkev.VulnCheck.XDB = kevuln.XDB\n+\t\t\t}\n+\t\t\tif len(kevuln.ReportedExploitation) &gt; 0 {\n+\t\t\t\tkev.VulnCheck.ReportedExploitation = kevuln.ReportedExploitation\n+\t\t\t}\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func firstNonEmpty(values ...string) string {\n+\tfor _, value := range values {\n+\t\tif strings.TrimSpace(value) != \"\" {\n+\t\t\treturn value\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..c4e1c93\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,43 @@\n+# Synthetic Vuls configuration example with KEV reporting enabled.\n+# Replace all placeholder paths, hosts, and credentials before use.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"replace-me\"\n+keyPath = \"/path/to/id_rsa\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\"]\n+\n+[servers]\n+\n+[servers.example-web]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example target\"\ndiff --git a/examples/kev-scan-result.sample.json b/examples/kev-scan-result.sample.json\nnew file mode 100644\nindex 0000000..46414a7\n--- /dev/null\n+++ b/examples/kev-scan-result.sample.json\n@@ -0,0 +1,76 @@\n+{\n+  \"jsonVersion\": 0,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"vuls-example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"vuls-example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"vuls-report\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Command Injection Vulnerability\",\n+          \"shortDescription\": \"This synthetic CVE demonstrates the first-class KEV JSON field.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only. Do not treat as real vulnerability intelligence.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Command Injection Vulnerability\",\n+          \"shortDescription\": \"This synthetic entry demonstrates VulnCheck-specific KEV data.\",\n+          \"requiredAction\": \"Review exploitation evidence and patch affected systems.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.invalid:research/example-xdb.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/example-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {\n+        \"jpcert\": [],\n+        \"uscert\": []\n+      }\n+    }\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..40ab335 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..62e934b\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,62 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\ttests := []struct {\n+\t\tname string\n+\t\tr    ScanResult\n+\t\twant string\n+\t}{\n+\t\t{\n+\t\t\tname: \"no kev\",\n+\t\t\tr: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0001\": {CveID: \"CVE-0000-0001\"},\n+\t\t\t}},\n+\t\t\twant: \"0 kevs\",\n+\t\t},\n+\t\t{\n+\t\t\tname: \"count cves with kev entries\",\n+\t\t\tr: ScanResult{ScannedCves: VulnInfos{\n+\t\t\t\t\"CVE-0000-0001\": {CveID: \"CVE-0000-0001\", KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\t\"CVE-0000-0002\": {CveID: \"CVE-0000-0002\", KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\t\"CVE-0000-0003\": {CveID: \"CVE-0000-0003\"},\n+\t\t\t}},\n+\t\t\twant: \"2 kevs\",\n+\t\t},\n+\t}\n+\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tif got := tt.r.FormatKEVCveSummary(); got != tt.want {\n+\t\t\t\tt.Errorf(\"got %q, want %q\", got, tt.want)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := &amp;ScanResult{ScannedCves: VulnInfos{\n+\t\t\"CVE-0000-0001\": {\n+\t\t\tKEVs: []KEV{\n+\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"Beta\"},\n+\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"Gamma\"},\n+\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"Alpha\"},\n+\t\t\t},\n+\t\t},\n+\t}}\n+\n+\tr.SortForJSONOutput()\n+\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"Alpha\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"Gamma\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"Beta\"},\n+\t}\n+\tif got := r.ScannedCves[\"CVE-0000-0001\"].KEVs; !reflect.DeepEqual(got, want) {\n+\t\tt.Errorf(\"got %+v, want %+v\", got, want)\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..feefdba 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a source of Known Exploited Vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck KEV data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +963,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..25b4125 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,34 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"==============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tname := kev.VulnerabilityName\n+\t\t\t\tif name == \"\" {\n+\t\t\t\t\tname = strings.TrimSpace(strings.Join([]string{kev.VendorProject, kev.Product}, \" \"))\n+\t\t\t\t}\n+\t\t\t\tif name == \"\" {\n+\t\t\t\t\tname = string(kev.Type)\n+\t\t\t\t}\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s (%s)\", name, kev.Type))\n+\t\t\t\tif kev.ShortDescription != \"\" {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * %s\", kev.ShortDescription))\n+\t\t\t\t}\n+\t\t\t\tif kev.CISA != nil &amp;&amp; kev.CISA.Note != \"\" {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * Note: %s\", kev.CISA.Note))\n+\t\t\t\t}\n+\t\t\t\tif kev.VulnCheck != nil {\n+\t\t\t\t\tfor _, xdb := range kev.VulnCheck.XDB {\n+\t\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * XDB: %s\", xdb.XDBURL))\n+\t\t\t\t\t}\n+\t\t\t\t\tfor _, exploitation := range kev.VulnCheck.ReportedExploitation {\n+\t\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"  * Reported exploitation: %s\", exploitation.URL))\n+\t\t\t\t\t}\n+\t\t\t\t}\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T19:06:02.174742Z"}, {"uuid": "02f80f3d-aaa3-47c3-82ca-54521a8ae907", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/32cbe5adf225c9aa5d6f20627f90f8a9", "content": "diff --git a/README.md b/README.md\nindex 57102d1..988f811 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,11 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- Known Exploited Vulnerabilities (KEV)\n+  - Configure `[kevuln]` to populate the first-class `scannedCves[].kevs` field from CISA and VulnCheck KEV data.\n+  - A redacted starter config is available at [`config.toml.example`](config.toml.example).\n+  - A synthetic scan output sample is available at [`sample-kev-scan-result.json`](sample-kev-scan-result.json).\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..379614d\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,16 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Do not copy secrets from a live config.toml into this file.\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+# For a go-kev HTTP server instead, use:\n+# type = \"http\"\n+# url = \"http://127.0.0.1:1326\"\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..e10d410 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +80,15 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tfor _, kevuln := range kevulns {\n+\t\t\t\t\tkev, err := convertKEVuln(kevuln)\n+\t\t\t\t\tif err != nil {\n+\t\t\t\t\t\treturn err\n+\t\t\t\t\t}\n+\t\t\t\t\tv.KEVs = append(v.KEVs, kev)\n+\t\t\t\t}\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +106,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tfor _, kevuln := range kevulns {\n+\t\t\t\tkev, err := convertKEVuln(kevuln)\n+\t\t\t\tif err != nil {\n+\t\t\t\t\treturn err\n+\t\t\t\t}\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, kev)\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +122,171 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+type kevulnJSON struct {\n+\tType                         string                              `json:\"type\"`\n+\tVendorProject                string                              `json:\"vendorProject\"`\n+\tVendorProjectSnake           string                              `json:\"vendor_project\"`\n+\tProduct                      string                              `json:\"product\"`\n+\tVulnerabilityName            string                              `json:\"vulnerabilityName\"`\n+\tVulnerabilityNameSnake       string                              `json:\"vulnerability_name\"`\n+\tShortDescription             string                              `json:\"shortDescription\"`\n+\tShortDescriptionSnake        string                              `json:\"short_description\"`\n+\tRequiredAction               string                              `json:\"requiredAction\"`\n+\tRequiredActionSnake          string                              `json:\"required_action\"`\n+\tKnownRansomwareCampaignUse   string                              `json:\"knownRansomwareCampaignUse\"`\n+\tKnownRansomwareCampaignSnake string                              `json:\"known_ransomware_campaign_use\"`\n+\tDateAdded                    kevulnTime                          `json:\"dateAdded\"`\n+\tDateAddedSnake               kevulnTime                          `json:\"date_added\"`\n+\tDueDate                      *kevulnTime                         `json:\"dueDate\"`\n+\tDueDateSnake                 *kevulnTime                         `json:\"due_date\"`\n+\tNotes                        string                              `json:\"notes\"`\n+\tNotesSingular                string                              `json:\"note\"`\n+\tXDB                          []vulnCheckXDBJSON                  `json:\"xdb\"`\n+\tReportedExploitation         []vulnCheckReportedExploitationJSON `json:\"reportedExploitation\"`\n+\tReportedExploitationSnake    []vulnCheckReportedExploitationJSON `json:\"reported_exploitation\"`\n+}\n+\n+type vulnCheckXDBJSON struct {\n+\tXDBID          string    `json:\"xdb_id\"`\n+\tXDBIDCamel     string    `json:\"xdbID\"`\n+\tXDBURL         string    `json:\"xdb_url\"`\n+\tXDBURLCamel    string    `json:\"xdbURL\"`\n+\tDateAdded      kevulnTime `json:\"date_added\"`\n+\tDateAddedCamel kevulnTime `json:\"dateAdded\"`\n+\tExploitType    string    `json:\"exploit_type\"`\n+\tCloneSSHURL    string    `json:\"clone_ssh_url\"`\n+}\n+\n+type vulnCheckReportedExploitationJSON struct {\n+\tURL            string    `json:\"url\"`\n+\tDateAdded      kevulnTime `json:\"date_added\"`\n+\tDateAddedCamel kevulnTime `json:\"dateAdded\"`\n+}\n+\n+type kevulnTime struct {\n+\ttime.Time\n+}\n+\n+func (t *kevulnTime) UnmarshalJSON(bs []byte) error {\n+\tif string(bs) == \"null\" {\n+\t\treturn nil\n+\t}\n+\n+\tvar s string\n+\tif err := json.Unmarshal(bs, &amp;s); err != nil {\n+\t\treturn err\n+\t}\n+\tif s == \"\" {\n+\t\treturn nil\n+\t}\n+\n+\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\"} {\n+\t\tparsed, err := time.Parse(layout, s)\n+\t\tif err == nil {\n+\t\t\tt.Time = parsed\n+\t\t\treturn nil\n+\t\t}\n+\t}\n+\treturn xerrors.Errorf(\"Failed to parse KEV date: %s\", s)\n+}\n+\n+func convertKEVuln(kevuln kevulnmodels.KEVuln) (models.KEV, error) {\n+\tbs, err := json.Marshal(kevuln)\n+\tif err != nil {\n+\t\treturn models.KEV{}, err\n+\t}\n+\n+\tvar src kevulnJSON\n+\tif err := json.Unmarshal(bs, &amp;src); err != nil {\n+\t\treturn models.KEV{}, err\n+\t}\n+\n+\treportedSrc := src.ReportedExploitation\n+\tif len(reportedSrc) == 0 {\n+\t\treportedSrc = src.ReportedExploitationSnake\n+\t}\n+\n+\tkevType := models.KEVType(src.Type)\n+\tif kevType == \"\" {\n+\t\tif len(src.XDB) &gt; 0 || len(reportedSrc) &gt; 0 {\n+\t\t\tkevType = models.VulnCheckKEVType\n+\t\t} else {\n+\t\t\tkevType = models.CISAKEVType\n+\t\t}\n+\t}\n+\n+\tkev := models.KEV{\n+\t\tType:                       kevType,\n+\t\tVendorProject:              firstNonEmpty(src.VendorProject, src.VendorProjectSnake),\n+\t\tProduct:                    src.Product,\n+\t\tVulnerabilityName:          firstNonEmpty(src.VulnerabilityName, src.VulnerabilityNameSnake),\n+\t\tShortDescription:           firstNonEmpty(src.ShortDescription, src.ShortDescriptionSnake),\n+\t\tRequiredAction:             firstNonEmpty(src.RequiredAction, src.RequiredActionSnake),\n+\t\tKnownRansomwareCampaignUse: firstNonEmpty(src.KnownRansomwareCampaignUse, src.KnownRansomwareCampaignSnake),\n+\t\tDateAdded:                  firstNonZeroKEVTime(src.DateAdded, src.DateAddedSnake),\n+\t\tDueDate:                    firstNonNilKEVTime(src.DueDate, src.DueDateSnake),\n+\t}\n+\n+\tnote := firstNonEmpty(src.Notes, src.NotesSingular)\n+\tif kev.Type == models.CISAKEVType || note != \"\" {\n+\t\tkev.CISA = &amp;models.CISAKEV{Note: note}\n+\t}\n+\n+\txdbs := make([]models.VulnCheckXDB, 0, len(src.XDB))\n+\tfor _, xdb := range src.XDB {\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       firstNonEmpty(xdb.XDBID, xdb.XDBIDCamel),\n+\t\t\tXDBURL:      firstNonEmpty(xdb.XDBURL, xdb.XDBURLCamel),\n+\t\t\tDateAdded:   firstNonZeroKEVTime(xdb.DateAdded, xdb.DateAddedCamel),\n+\t\t\tExploitType: xdb.ExploitType,\n+\t\t\tCloneSSHURL: xdb.CloneSSHURL,\n+\t\t})\n+\t}\n+\n+\treported := make([]models.VulnCheckReportedExploitation, 0, len(reportedSrc))\n+\tfor _, exploitation := range reportedSrc {\n+\t\treported = append(reported, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       exploitation.URL,\n+\t\t\tDateAdded: firstNonZeroKEVTime(exploitation.DateAdded, exploitation.DateAddedCamel),\n+\t\t})\n+\t}\n+\tif kev.Type == models.VulnCheckKEVType || len(xdbs) &gt; 0 || len(reported) &gt; 0 {\n+\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\tXDB:                  xdbs,\n+\t\t\tReportedExploitation: reported,\n+\t\t}\n+\t}\n+\n+\treturn kev, nil\n+}\n+\n+func firstNonEmpty(ss ...string) string {\n+\tfor _, s := range ss {\n+\t\tif s = strings.TrimSpace(s); s != \"\" {\n+\t\t\treturn s\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func firstNonZeroKEVTime(ts ...kevulnTime) time.Time {\n+\tfor _, t := range ts {\n+\t\tif !t.IsZero() {\n+\t\t\treturn t.Time\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func firstNonNilKEVTime(ts ...*kevulnTime) *time.Time {\n+\tfor _, t := range ts {\n+\t\tif t != nil &amp;&amp; !t.IsZero() {\n+\t\t\treturn &amp;t.Time\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..ac20e82 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of cves with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..a0aa6c2 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -277,6 +278,57 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType is the source of a Known Exploited Vulnerability record.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA's Known Exploited Vulnerabilities catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck's Known Exploited Vulnerabilities catalog.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                         KEVType        `json:\"type,omitempty\"`\n+\tVendorProject                string         `json:\"vendorProject,omitempty\"`\n+\tProduct                      string         `json:\"product,omitempty\"`\n+\tVulnerabilityName            string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                      *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific Known Exploited Vulnerability information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific Known Exploited Vulnerability information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck exploitation report information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,7 +962,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..1ad0af2 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV(%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample-kev-scan-result.json b/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..fe6d1b2\n--- /dev/null\n+++ b/sample-kev-scan-result.json\n@@ -0,0 +1,80 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"vuls-example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example-user\",\n+  \"scannedVia\": \"ssh\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"vuls-example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"example-user\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3-1\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic sample showing the first-class KEV JSON shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV sample.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"example\",\n+                \"cloneSSHURL\": \"git@example.com:placeholder/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..1cf62c3 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", kev.Type, kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T19:06:02.583908Z"}, {"uuid": "f157ebf2-c463-4d47-85c5-e06c2b3e5633", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/edb8327123689f5bf0eff030839250a6", "content": "diff --git a/README.md b/README.md\nindex 57102d1..88130bd 100644\n--- a/README.md\n+++ b/README.md\n@@ -156,6 +156,19 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+## Quick Start Configuration\n+\n+An example configuration file is provided at [`config.toml.example`](config.toml.example).\n+Copy it and edit to match your environment:\n+\n+```bash\n+cp config.toml.example config.toml\n+# Edit config.toml with your server details and database paths\n+```\n+\n+The example includes sections for all supported vulnerability databases\n+(including KEV via `[kevuln]`), notification channels, and server targets.\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..a6ca55a\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,127 @@\n+# Vuls configuration file example\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+# Copy this file to config.toml and edit to match your environment.\n+# All values shown here are placeholders \u2014 replace them with your own.\n+\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[cveDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"\"\n+\n+[ovalDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"\"\n+\n+[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"\"\n+\n+[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"\"\n+\n+[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"\"\n+\n+# Known Exploited Vulnerabilities (KEV) database\n+# Supports CISA and VulnCheck KEV sources.\n+[kevuln]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url = \"\"\n+\n+[cti]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url = \"\"\n+\n+# https://vuls.io/docs/en/config.toml.html#slack-section\n+#[slack]\n+#hookURL      = \"https://hooks.slack.com/services/xxx/yyy/zzz\"\n+#channel      = \"#vuls-notifications\"\n+#iconEmoji    = \":ghost:\"\n+#authUser     = \"vuls-user\"\n+#notifyUsers  = [\"@admin\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#email-section\n+#[email]\n+#smtpAddr              = \"smtp.example.com\"\n+#smtpPort              = \"587\"\n+#tlsMode               = \"STARTTLS\"\n+#tlsInsecureSkipVerify = false\n+#user                  = \"vuls-user\"\n+#password              = \"REPLACE_ME\"\n+#from                  = \"vuls@example.com\"\n+#to                    = [\"admin@example.com\"]\n+#cc                    = [\"security-team@example.com\"]\n+#subjectPrefix         = \"[vuls]\"\n+\n+# https://vuls.io/docs/en/config.toml.html#http-section\n+#[http]\n+#url = \"http://localhost:11234\"\n+\n+# https://vuls.io/docs/en/config.toml.html#syslog-section\n+#[syslog]\n+#protocol    = \"tcp\"\n+#host        = \"localhost\"\n+#port        = \"514\"\n+#tag         = \"vuls\"\n+#facility    = \"local0\"\n+#severity    = \"alert\"\n+#verbose     = false\n+\n+# https://vuls.io/docs/en/usage-report.html#example-put-results-in-s3-bucket\n+#[aws]\n+#region     = \"us-east-1\"\n+#profile    = \"default\"\n+#s3Bucket   = \"my-vuls-bucket\"\n+#s3ResultsDir = \"/vuls-results\"\n+\n+# https://vuls.io/docs/en/usage-report.html#example-put-results-in-azure-blob-storage\n+#[azure]\n+#accountName   = \"myaccount\"\n+#accountKey    = \"REPLACE_ME\"\n+#containerName = \"vuls\"\n+\n+# https://vuls.io/docs/en/config.toml.html#chatwork-section\n+#[chatwork]\n+#room     = \"123456789\"\n+#apiToken = \"REPLACE_ME\"\n+\n+# https://vuls.io/docs/en/config.toml.html#googlechat-section\n+#[googlechat]\n+#webHookURL = \"https://chat.googleapis.com/v1/spaces/xxx/messages?key=yyy&amp;token=zzz\"\n+\n+# https://vuls.io/docs/en/config.toml.html#telegram-section\n+#[telegram]\n+#chatID = \"123456789\"\n+#token  = \"REPLACE_ME\"\n+\n+#[wpscan]\n+#token = \"REPLACE_ME\"\n+#detectInactive = false\n+\n+# https://vuls.io/docs/en/config.toml.html#default-section\n+[default]\n+#port       = \"22\"\n+#user       = \"vuls-user\"\n+#keyPath    = \"/home/vuls-user/.ssh/id_rsa\"\n+#scanMode   = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#servers-section\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.168.0.100\"\n+#port = \"22\"\n+#user = \"vuls-user\"\n+#keyPath = \"/home/vuls-user/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..0ad1daf 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of how many scanned CVEs have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -428,6 +436,13 @@ func (r *ScanResult) SortForJSONOutput() {\n \n \t\tv.CveContents.Sort()\n \n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n \t\t})\ndiff --git a/models/testdata/sample_kev_scan_result.json b/models/testdata/sample_kev_scan_result.json\nnew file mode 100644\nindex 0000000..8e69ab5\n--- /dev/null\n+++ b/models/testdata/sample_kev_scan_result.json\n@@ -0,0 +1,58 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/CVE-0000-0000\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"a1b2c3d4\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/a1b2c3d4\",\n+                \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/CVE-0000-0000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/blog/exploitation-report\",\n+                \"dateAdded\": \"2024-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {\n+        \"jpcert\": [],\n+        \"uscert\": []\n+      }\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..31b6cb0 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,6 +911,58 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n+// KEVType represents the source of a KEV entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source type\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source type\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // AlertDict has target cve JPCERT, USCERT and CISA alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T19:06:02.629055Z"}, {"uuid": "4ceb75c1-6c1f-427e-ad6b-e9ec180638e6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/a6241cbe404d730bd5c5b72bf9dea20c", "content": "diff --git a/README.md b/README.md\nindex 57102d1..ed94f63 100644\n--- a/README.md\n+++ b/README.md\n@@ -163,6 +163,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - Check out the example configuration at [config.toml.example](config.toml.example) for a ready-to-use template including the new KEV reporting setup.\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..46346bb\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,50 @@\n+[servers]\n+\n+[servers.example-host]\n+host     = \"192.168.0.100\"\n+port     = \"22\"\n+user     = \"scanuser\"\n+keyPath  = \"/home/scanuser/.ssh/id_rsa\"\n+# SSH key passphrase (REDACTED)\n+# passPhrase = \"PLACEHOLDER\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/opt/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/opt/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/opt/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/opt/vuls/go-exploitdb.sqlite3\"\n+\n+[kev]\n+# Enable KEV reporting\n+cisa = true\n+vulncheck = true\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"user@example.com\"\n+# SMTP Password (REDACTED)\n+# password = \"PLACEHOLDER\"\n+from = \"vuls@example.com\"\n+to = [\"security@example.com\"]\n+\n+[slack]\n+# Slack Webhook URL (REDACTED)\n+hookURL = \"https://hooks.slack.com/services/PLACEHOLDER/PLACEHOLDER/PLACEHOLDER\"\n+channel = \"#security-alerts\"\n+authUser = \"Vuls Reporter\"\n+\n+[chatwork]\n+# ChatWork API Token (REDACTED)\n+apiToken = \"PLACEHOLDER\"\n+room = \"12345678\"\n\\ No newline at end of file\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9d83a1c 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n+\t\t\t// removed CISA alert population\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +99,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\t// removed CISA alert population\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..1322df2 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary counts how many scanned CVEs have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tkevCnt := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tkevCnt++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", kevCnt)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..8e44906 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..9a1080d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,63 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..3ef1e93 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,10 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tif kev.Type == models.CISAKEVType &amp;&amp; kev.CISA != nil &amp;&amp; kev.RequiredAction != \"\" {\n+\t\t\t\tdata = append(data, []string{\"CISA KEV Action\", kev.RequiredAction})\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample-kev.json b/sample-kev.json\nnew file mode 100644\nindex 0000000..84ee5a3\n--- /dev/null\n+++ b/sample-kev.json\n@@ -0,0 +1,55 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2026-07-03T12:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic example of a CISA KEV entry.\",\n+          \"requiredAction\": \"Update to version 2.0\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic example of a VulnCheck KEV entry.\",\n+          \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"XDB-1234\",\n+                \"xdbUrl\": \"https://example.com/xdb-1234\",\n+                \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+                \"exploitType\": \"RCE\",\n+                \"cloneSshUrl\": \"git@github.com:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2026-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..0022a02 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,17 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV\",\n+\t\t\t\t\"===\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tif kev.Type == models.CISAKEVType &amp;&amp; kev.RequiredAction != \"\" {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* CISA: %s (%s)\", kev.VulnerabilityName, kev.RequiredAction))\n+\t\t\t\t} else {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", kev.Type, kev.VulnerabilityName))\n+\t\t\t\t}\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T19:06:02.711698Z"}, {"uuid": "2a0ed065-baa8-4da8-98f2-3395563a775d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/e1377505bf5141a914f66b48333b45d4", "content": "diff --git a/README.md b/README.md\nindex 57102d1..c7ec129 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data from go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -166,6 +169,12 @@ Vuls has some options to detect the vulnerabilities\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \n+### Example Configuration\n+\n+Use `config.toml.example` as a redacted starting point for enabling KEV reporting through the `go-kev` database. The example intentionally uses documentation-only placeholders; replace hosts, credentials, notification settings, and `kevuln.sqlite3Path` with values from your own environment.\n+\n+`sample-kev-scan-result.json` shows the new synthetic `scannedCves[].kevs` output shape for CISA and VulnCheck KEV entries.\n+\n ----\n \n ## What Vuls Doesn't Do\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..72d18b1\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,27 @@\n+# Synthetic Vuls configuration example. Replace every placeholder before use.\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/REPLACE/ME/PLACEHOLDER\"\n+channel = \"#vuls-alerts\"\n+authUser = \"vuls\"\n+\n+[email]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"vuls@example.com\"\n+password = \"REPLACE_ME\"\n+from = \"vuls@example.com\"\n+to = [\"security@example.com\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..dad458b 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,19 +80,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv.KEVs = kevulnsToKEVs(kevulns)\n+\t\t\t\tif len(v.KEVs) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevulnsToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,163 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func kevulnsToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tvar raw map[string]interface{}\n+\t\tif err := json.Unmarshal(b, &amp;raw); err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType(raw),\n+\t\t\tVendorProject:              stringValue(raw, \"vendorProject\", \"vendor_project\", \"vendor\", \"project\"),\n+\t\t\tProduct:                    stringValue(raw, \"product\"),\n+\t\t\tVulnerabilityName:          stringValue(raw, \"vulnerabilityName\", \"vulnerability_name\"),\n+\t\t\tShortDescription:           stringValue(raw, \"shortDescription\", \"short_description\"),\n+\t\t\tRequiredAction:             stringValue(raw, \"requiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse: stringValue(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                  timeValue(raw, \"dateAdded\", \"date_added\"),\n+\t\t}\n+\t\tif dueDate := timeValue(raw, \"dueDate\", \"due_date\"); !dueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\n+\t\tswitch kev.Type {\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = vulnCheckKEV(raw)\n+\t\tdefault:\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: stringValue(raw, \"note\", \"notes\")}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func kevType(raw map[string]interface{}) models.KEVType {\n+\tsource := strings.ToLower(stringValue(raw, \"type\", \"source\"))\n+\tswitch source {\n+\tcase string(models.VulnCheckKEVType), \"vuln_check\", \"vuln-check\":\n+\t\treturn models.VulnCheckKEVType\n+\tdefault:\n+\t\tif _, ok := normalizedValue(raw, \"xdb\"); ok {\n+\t\t\treturn models.VulnCheckKEVType\n+\t\t}\n+\t\tif _, ok := normalizedValue(raw, \"reportedExploitation\"); ok {\n+\t\t\treturn models.VulnCheckKEVType\n+\t\t}\n+\t\treturn models.CISAKEVType\n+\t}\n+}\n+\n+func vulnCheckKEV(raw map[string]interface{}) *models.VulnCheckKEV {\n+\treturn &amp;models.VulnCheckKEV{\n+\t\tXDB:                  vulnCheckXDBs(raw),\n+\t\tReportedExploitation: vulnCheckReportedExploitations(raw),\n+\t}\n+}\n+\n+func vulnCheckXDBs(raw map[string]interface{}) []models.VulnCheckXDB {\n+\titems, ok := normalizedSlice(raw, \"xdb\")\n+\tif !ok {\n+\t\treturn nil\n+\t}\n+\n+\txdbs := make([]models.VulnCheckXDB, 0, len(items))\n+\tfor _, item := range items {\n+\t\tm, ok := item.(map[string]interface{})\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       stringValue(m, \"xdbID\", \"xdb_id\"),\n+\t\t\tXDBURL:      stringValue(m, \"xdbURL\", \"xdb_url\"),\n+\t\t\tDateAdded:   timeValue(m, \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: stringValue(m, \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: stringValue(m, \"cloneSSHURL\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitations(raw map[string]interface{}) []models.VulnCheckReportedExploitation {\n+\titems, ok := normalizedSlice(raw, \"reportedExploitation\", \"reported_exploitation\")\n+\tif !ok {\n+\t\treturn nil\n+\t}\n+\n+\treported := make([]models.VulnCheckReportedExploitation, 0, len(items))\n+\tfor _, item := range items {\n+\t\tm, ok := item.(map[string]interface{})\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\treported = append(reported, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       stringValue(m, \"url\"),\n+\t\t\tDateAdded: timeValue(m, \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn reported\n+}\n+\n+func stringValue(raw map[string]interface{}, keys ...string) string {\n+\tv, ok := normalizedValue(raw, keys...)\n+\tif !ok || v == nil {\n+\t\treturn \"\"\n+\t}\n+\tif s, ok := v.(string); ok {\n+\t\treturn s\n+\t}\n+\treturn \"\"\n+}\n+\n+func timeValue(raw map[string]interface{}, keys ...string) time.Time {\n+\tv, ok := normalizedValue(raw, keys...)\n+\tif !ok || v == nil {\n+\t\treturn time.Time{}\n+\t}\n+\ts, ok := v.(string)\n+\tif !ok || s == \"\" {\n+\t\treturn time.Time{}\n+\t}\n+\tfor _, layout := range []string{time.RFC3339Nano, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func normalizedSlice(raw map[string]interface{}, keys ...string) ([]interface{}, bool) {\n+\tv, ok := normalizedValue(raw, keys...)\n+\tif !ok {\n+\t\treturn nil, false\n+\t}\n+\titems, ok := v.([]interface{})\n+\treturn items, ok\n+}\n+\n+func normalizedValue(raw map[string]interface{}, keys ...string) (interface{}, bool) {\n+\tfor _, key := range keys {\n+\t\tnormalizedKey := normalizeKey(key)\n+\t\tfor rawKey, value := range raw {\n+\t\t\tif normalizeKey(rawKey) == normalizedKey {\n+\t\t\t\treturn value, true\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil, false\n+}\n+\n+func normalizeKey(key string) string {\n+\treturn strings.NewReplacer(\"_\", \"\", \"-\", \"\").Replace(strings.ToLower(key))\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..26ade4e 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -427,6 +435,15 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\t})\n \n \t\tv.CveContents.Sort()\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\tif v.KEVs[i].VulnerabilityName != v.KEVs[j].VulnerabilityName {\n+\t\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].DateAdded.Before(v.KEVs[j].DateAdded)\n+\t\t})\n \n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n@@ -434,9 +451,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..18a911c 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -266,6 +266,7 @@ type VulnInfo struct {\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n@@ -277,6 +278,58 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType is the source of Known Exploited Vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType represents VulnCheck KEV data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                         KEVType        `json:\"type\"`\n+\tVendorProject                string         `json:\"vendorProject\"`\n+\tProduct                      string         `json:\"product\"`\n+\tVulnerabilityName            string         `json:\"vulnerabilityName\"`\n+\tShortDescription             string         `json:\"shortDescription\"`\n+\tRequiredAction               string         `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse   string         `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                    time.Time      `json:\"dateAdded\"`\n+\tDueDate                      *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV  `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit details.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck exploitation report details.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,7 +963,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev-scan-result.json b/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..dbc1ad4\n--- /dev/null\n+++ b/sample-kev-scan-result.json\n@@ -0,0 +1,74 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"vuls-example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"ssh\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"vuls-example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry used only to demonstrate the JSON output shape.\",\n+          \"requiredAction\": \"Apply vendor updates or mitigations.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample; not real CISA KEV data.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry used only to demonstrate the JSON output shape.\",\n+          \"requiredAction\": \"Apply vendor updates or mitigations.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"placeholder\",\n+                \"cloneSSHURL\": \"git@example.com:placeholder/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/placeholder-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T19:59:58.265762Z"}, {"uuid": "7b3f29c3-e86f-4bdb-8bb8-8a65531bcbf1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/76d748192ce39ec6cc96891680151c0b", "content": "diff --git a/README.md b/README.md\nindex 57102d1..8958f90 100644\n--- a/README.md\n+++ b/README.md\n@@ -156,6 +156,60 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+## Example Configuration\n+\n+To enable KEV (Known Exploited Vulnerabilities) reporting and other features, here is a ready-to-use example configuration (with placeholder secrets) that reflects a valid setup. You can also find this in `config.toml.example`.\n+\n+```toml\n+[servers]\n+[servers.example-host]\n+host        = \"192.168.1.10\"\n+port        = \"22\"\n+user        = \"scans\"\n+keyPath     = \"/home/scans/.ssh/id_rsa\"\n+# Redacted: passphrase for SSH key\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/go-msfdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/go-kev.sqlite3\"\n+\n+[slack]\n+hookURL     = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+channel     = \"#vuls-alerts\"\n+authUser    = \"vuls\"\n+# Redacted: webhook token\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"vuls-report\"\n+# Redacted: smtp account password\n+\n+[chatwork]\n+apiToken = \"dummy-chatwork-token\"\n+room = \"123456\"\n+```\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..44e4a82\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,47 @@\n+[servers]\n+[servers.example-host]\n+host         = \"192.168.1.10\"\n+port        = \"22\"\n+user        = \"scans\"\n+keyPath     = \"/home/scans/.ssh/id_rsa\"\n+# Redacted: passphrase for SSH key\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/go-msfdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/usr/share/vuls-data/go-kev.sqlite3\"\n+\n+[slack]\n+hookURL      = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+channel      = \"#vuls-alerts\"\n+authUser     = \"vuls\"\n+# Redacted: webhook token\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"vuls-report\"\n+# Redacted: smtp account password\n+\n+[chatwork]\n+apiToken = \"dummy-chatwork-token\"\n+room = \"123456\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f75ae7a 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,19 +79,30 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tif len(kevulns) &gt; 0 {\n+\t\t\t\t\tfor _, kev := range kevulns {\n+\t\t\t\t\t\tvar dueDate *time.Time\n+\t\t\t\t\t\tif !kev.DueDate.IsZero() {\n+\t\t\t\t\t\t\tt := kev.DueDate\n+\t\t\t\t\t\t\tdueDate = &amp;t\n+\t\t\t\t\t\t}\n+\t\t\t\t\t\tv.KEVs = append(v.KEVs, models.KEV{\n+\t\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\t\tVendorProject:              kev.VendorProject,\n+\t\t\t\t\t\t\tProduct:                    kev.Product,\n+\t\t\t\t\t\t\tVulnerabilityName:          kev.VulnerabilityName,\n+\t\t\t\t\t\t\tShortDescription:           kev.ShortDescription,\n+\t\t\t\t\t\t\tRequiredAction:             kev.RequiredAction,\n+\t\t\t\t\t\t\tKnownRansomwareCampaignUse: kev.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\t\tDateAdded:                  kev.DateAdded,\n+\t\t\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\t\t\tCISA:                       &amp;models.CISAKEV{Note: kev.Notes},\n+\t\t\t\t\t\t})\n+\t\t\t\t\t}\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,17 +119,29 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tfor _, kev := range kevulns {\n+\t\t\t\t\tvar dueDate *time.Time\n+\t\t\t\t\tif !kev.DueDate.IsZero() {\n+\t\t\t\t\t\tt := kev.DueDate\n+\t\t\t\t\t\tdueDate = &amp;t\n+\t\t\t\t\t}\n+\t\t\t\t\tvuln.KEVs = append(vuln.KEVs, models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              kev.VendorProject,\n+\t\t\t\t\t\tProduct:                    kev.Product,\n+\t\t\t\t\t\tVulnerabilityName:          kev.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           kev.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             kev.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: kev.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  kev.DateAdded,\n+\t\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\t\tCISA:                       &amp;models.CISAKEV{Note: kev.Notes},\n+\t\t\t\t\t})\n+\t\t\t\t}\n+\t\t\t\tnKEV++\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\ndiff --git a/example_kev.json b/example_kev.json\nnew file mode 100644\nindex 0000000..d460254\n--- /dev/null\n+++ b/example_kev.json\n@@ -0,0 +1,124 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"dummy-uuid\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"redhat\",\n+  \"release\": \"8\",\n+  \"container\": {\n+    \"containerID\": \"\",\n+    \"name\": \"\",\n+    \"image\": \"\",\n+    \"type\": \"\",\n+    \"uuid\": \"\"\n+  },\n+  \"platform\": {\n+    \"name\": \"\",\n+    \"instanceID\": \"\"\n+  },\n+  \"scannedAt\": \"2023-10-27T10:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"v0.24.0\",\n+  \"scannedRevision\": \"abcdef123456\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"ssh\",\n+  \"reportedAt\": \"2023-10-27T10:05:00Z\",\n+  \"reportedVersion\": \"v0.24.0\",\n+  \"reportedRevision\": \"abcdef123456\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"notFixedYet\": false,\n+          \"fixState\": \"fixed\",\n+          \"fixedIn\": \"1.0.1\"\n+        }\n+      ],\n+      \"cveContents\": {\n+        \"nvd\": [\n+          {\n+            \"type\": \"nvd\",\n+            \"cveID\": \"CVE-0000-0000\",\n+            \"title\": \"Example Vulnerability\",\n+            \"summary\": \"This is a synthetic vulnerability for demonstration purposes.\",\n+            \"cvss3Score\": 9.8,\n+            \"cvss3Severity\": \"CRITICAL\"\n+          }\n+        ]\n+      },\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Project\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability Name\",\n+          \"shortDescription\": \"This is a short description of the KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2023-10-27T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"CISA specific note here.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Project\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability Name\",\n+          \"shortDescription\": \"This is a short description of the KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2023-10-27T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0001\",\n+                \"xdbURL\": \"https://example.com/xdb/1\",\n+                \"dateAdded\": \"2023-10-27T00:00:00Z\",\n+                \"exploitType\": \"Remote Code Execution\",\n+                \"cloneSSHURL\": \"git@example.com:xdb/1.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2023-10-27T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"4.18.0-348.el8.x86_64\",\n+    \"version\": \"#1 SMP\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.0.0\",\n+      \"release\": \"1.el8\",\n+      \"newVersion\": \"1.0.1\",\n+      \"newRelease\": \"1.el8\",\n+      \"arch\": \"x86_64\",\n+      \"repository\": \"baseos\"\n+    }\n+  },\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..d18827f 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -240,6 +241,17 @@ func (r ScanResult) FormatExploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d poc\", nExploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatMetasploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatMetasploitCveSummary() string {\n \tnMetasploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..05eba56 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +284,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +346,12 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +411,12 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..2e2f73d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,59 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n+}\n+\n+// KEVType represents the source of the KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is for VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType        `json:\"type,omitempty\"`\n+\tVendorProject              string         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +963,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..62931a4 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"%s KEV\", strings.ToUpper(string(kev.Type))), kev.ShortDescription})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..eb82eb3 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s: %s\", strings.ToUpper(string(kev.Type)), kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T19:59:57.720381Z"}, {"uuid": "3004a053-486b-4e18-9264-06c1b4a6b620", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/7441af25e3886838841ba9b7fc838d84", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..c15dc62 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data via go-kev\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,22 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Example Configuration\n+\n+A synthetic, ready-to-use example is available at [config.toml.example](config.toml.example). It includes a `[kevuln]` section so KEV data can be loaded from go-kev:\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+```\n+\n+The example uses placeholder hosts and paths only. Do not publish or derive examples from a live `config.toml` that contains credentials.\n+\n+## KEV Output Sample\n+\n+Sample JSON showing the first-class `kevs` vulnerability field is available at [examples/kev-scan-result.sample.json](examples/kev-scan-result.sample.json). The sample is synthetic and contains no production hosts, IPs, package inventory, account names, or UUIDs.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..fb6a87e\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,42 @@\n+# Synthetic example configuration. Do not copy production secrets into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example host\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..ef4fdd1 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -17,7 +18,6 @@ import (\n \t\"github.com/future-architect/vuls/models\"\n \t\"github.com/future-architect/vuls/util\"\n \tkevulndb \"github.com/vulsio/go-kev/db\"\n-\tkevulnmodels \"github.com/vulsio/go-kev/models\"\n \tkevulnlog \"github.com/vulsio/go-kev/utils\"\n )\n \n@@ -74,23 +74,14 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n+\t\t\tvar kevulns []map[string]interface{}\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, buildKEVs(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +99,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, buildKEVs(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +109,155 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func buildKEVs(kevulns interface{}) []models.KEV {\n+\tbs, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil\n+\t}\n+\n+\tvar raws []map[string]interface{}\n+\tif err := json.Unmarshal(bs, &amp;raws); err != nil {\n+\t\treturn nil\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkevType := models.KEVType(strValue(raw, \"type\", \"source\"))\n+\t\tif kevType == \"\" {\n+\t\t\tkevType = models.CISAKEVType\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType,\n+\t\t\tVendorProject:              strValue(raw, \"vendorProject\", \"vendor_project\"),\n+\t\t\tProduct:                    strValue(raw, \"product\"),\n+\t\t\tVulnerabilityName:          strValue(raw, \"vulnerabilityName\", \"vulnerability_name\"),\n+\t\t\tShortDescription:           strValue(raw, \"shortDescription\", \"short_description\"),\n+\t\t\tRequiredAction:             strValue(raw, \"requiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse: strValue(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                  timeValue(raw, \"dateAdded\", \"date_added\"),\n+\t\t\tDueDate:                    timePtrValue(raw, \"dueDate\", \"due_date\"),\n+\t\t}\n+\n+\t\tswitch kev.Type {\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  vulnCheckXDBs(raw),\n+\t\t\t\tReportedExploitation: vulnCheckReportedExploitations(raw),\n+\t\t\t}\n+\t\tdefault:\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: strValue(raw, \"note\", \"notes\")}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func vulnCheckXDBs(raw map[string]interface{}) []models.VulnCheckXDB {\n+\tvar xdbs []models.VulnCheckXDB\n+\tfor _, rawXDB := range mapSliceValue(raw, \"xdb\") {\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       strValue(rawXDB, \"xdbID\", \"xdb_id\"),\n+\t\t\tXDBURL:      strValue(rawXDB, \"xdbURL\", \"xdb_url\"),\n+\t\t\tDateAdded:   timeValue(rawXDB, \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: strValue(rawXDB, \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: strValue(rawXDB, \"cloneSSHURL\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitations(raw map[string]interface{}) []models.VulnCheckReportedExploitation {\n+\tvar reported []models.VulnCheckReportedExploitation\n+\tfor _, rawReported := range mapSliceValue(raw, \"reportedExploitation\", \"reported_exploitation\") {\n+\t\treported = append(reported, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       strValue(rawReported, \"url\"),\n+\t\t\tDateAdded: timeValue(rawReported, \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn reported\n+}\n+\n+func mapSliceValue(raw map[string]interface{}, keys ...string) []map[string]interface{} {\n+\tvalue, ok := valueForKeys(raw, keys...)\n+\tif !ok {\n+\t\treturn nil\n+\t}\n+\n+\titems, ok := value.([]interface{})\n+\tif !ok {\n+\t\treturn nil\n+\t}\n+\n+\tmaps := make([]map[string]interface{}, 0, len(items))\n+\tfor _, item := range items {\n+\t\tm, ok := item.(map[string]interface{})\n+\t\tif ok {\n+\t\t\tmaps = append(maps, m)\n+\t\t}\n+\t}\n+\treturn maps\n+}\n+\n+func strValue(raw map[string]interface{}, keys ...string) string {\n+\tvalue, ok := valueForKeys(raw, keys...)\n+\tif !ok || value == nil {\n+\t\treturn \"\"\n+\t}\n+\tif s, ok := value.(string); ok {\n+\t\treturn s\n+\t}\n+\treturn \"\"\n+}\n+\n+func timePtrValue(raw map[string]interface{}, keys ...string) *time.Time {\n+\tt := timeValue(raw, keys...)\n+\tif t.IsZero() {\n+\t\treturn nil\n+\t}\n+\treturn &amp;t\n+}\n+\n+func timeValue(raw map[string]interface{}, keys ...string) time.Time {\n+\tvalue, ok := valueForKeys(raw, keys...)\n+\tif !ok {\n+\t\treturn time.Time{}\n+\t}\n+\ts, ok := value.(string)\n+\tif !ok || s == \"\" {\n+\t\treturn time.Time{}\n+\t}\n+\n+\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn t\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func valueForKeys(raw map[string]interface{}, keys ...string) (interface{}, bool) {\n+\tfor _, key := range keys {\n+\t\tif value, ok := raw[key]; ok {\n+\t\t\treturn value, true\n+\t\t}\n+\t}\n+\n+\tfor rawKey, value := range raw {\n+\t\tfor _, key := range keys {\n+\t\t\tif normalizeJSONKey(rawKey) == normalizeJSONKey(key) {\n+\t\t\t\treturn value, true\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil, false\n+}\n+\n+func normalizeJSONKey(key string) string {\n+\treturn strings.NewReplacer(\"_\", \"\", \"-\", \"\").Replace(strings.ToLower(key))\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/kev-scan-result.sample.json b/examples/kev-scan-result.sample.json\nnew file mode 100644\nindex 0000000..ed175e9\n--- /dev/null\n+++ b/examples/kev-scan-result.sample.json\n@@ -0,0 +1,57 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry used to demonstrate the JSON shape.\",\n+          \"requiredAction\": \"Apply vendor instructions or discontinue use of the product if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry used to demonstrate the JSON shape.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.com:example/example-poc.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"errors\": [],\n+  \"warnings\": []\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..8b014d6 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of known exploited vulnerability cves.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..4c0c3d3 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -277,6 +278,58 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType identifies the source of Known Exploited Vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,8 +963,9 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n+\t// CISA is kept for compatibility with older result JSON. New KEV data is stored in VulnInfo.KEVs.\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n@@ -919,15 +973,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T19:59:57.880860Z"}, {"uuid": "34265ab4-cba9-4c05-891b-3d3507435626", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/b7e36c67e202fbe3b259063dea159faa", "content": "diff --git a/README.md b/README.md\nindex 57102d1..9cd2b99 100644\n--- a/README.md\n+++ b/README.md\n@@ -181,6 +181,24 @@ For more information such as Installation, Tutorial, Usage, visit [vuls.io](http\n \n ----\n \n+## Example Configuration\n+\n+A ready-to-use example configuration is provided in `config.toml.example`. This includes settings for KEV (Known Exploited Vulnerabilities) reporting:\n+\n+```toml\n+[servers]\n+\n+[servers.localhost]\n+host = \"localhost\"\n+port = \"local\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+```\n+\n+----\n+\n ## Authors\n \n kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..7060ef9\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,9 @@\n+[servers]\n+\n+[servers.localhost]\n+host = \"localhost\"\n+port = \"local\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n\\ No newline at end of file\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f17927c 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -59,7 +59,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t}\n \t}()\n \n-\tnKEV := 0\n+\tvar nKEV int\n \tif client.driver == nil {\n \t\tvar cveIDs []string\n \t\tfor cveID := range r.ScannedCves {\n@@ -79,21 +79,37 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tvar kevs []models.KEV\n+\t\t\t\tfor _, kev := range kevulns {\n+\t\t\t\t\tdueDate := kev.DueDate\n+\t\t\t\t\tvar dueDatePtr *time.Time\n+\t\t\t\t\tif !dueDate.IsZero() {\n+\t\t\t\t\t\tdueDatePtr = &amp;dueDate\n+\t\t\t\t\t}\n+\t\t\t\t\tk := models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              kev.VendorProject,\n+\t\t\t\t\t\tProduct:                    kev.Product,\n+\t\t\t\t\t\tVulnerabilityName:          kev.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           kev.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             kev.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: kev.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  kev.DateAdded,\n+\t\t\t\t\t\tDueDate:                    dueDatePtr,\n+\t\t\t\t\t\tCISA:                       &amp;models.CISAKEV{Note: kev.Notes},\n+\t\t\t\t\t}\n+\t\t\t\t\tkevs = append(kevs, k)\n+\t\t\t\t}\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -108,16 +124,28 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tvar kevs []models.KEV\n+\t\t\tfor _, kev := range kevulns {\n+\t\t\t\tdueDate := kev.DueDate\n+\t\t\t\tvar dueDatePtr *time.Time\n+\t\t\t\tif !dueDate.IsZero() {\n+\t\t\t\t\tdueDatePtr = &amp;dueDate\n+\t\t\t\t}\n+\t\t\t\tk := models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              kev.VendorProject,\n+\t\t\t\t\tProduct:                    kev.Product,\n+\t\t\t\t\tVulnerabilityName:          kev.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           kev.ShortDescription,\n+\t\t\t\t\tRequiredAction:             kev.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: kev.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  kev.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDatePtr,\n+\t\t\t\t\tCISA:                       &amp;models.CISAKEV{Note: kev.Notes},\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, k)\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..eafbdd0 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEVs\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVs)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..d0823b4\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,66 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_Sort_KEV(t *testing.T) {\n+\ttests := []struct {\n+\t\tname string\n+\t\tin   ScanResult\n+\t\twant ScanResult\n+\t}{\n+\t\t{\n+\t\t\tname: \"sort KEVs\",\n+\t\t\tin: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2021-1234\": {\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              VulnCheckKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"B\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"C\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"A\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\twant: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2021-1234\": {\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"A\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"C\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              VulnCheckKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"B\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\ttt.in.SortForJSONOutput()\n+\t\t\tif !reflect.DeepEqual(tt.in, tt.want) {\n+\t\t\t\tt.Errorf(\"ScanResult.SortForJSONOutput() = %v, want %v\", tt.in, tt.want)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\n\\ No newline at end of file\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..294120d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,7 +911,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +920,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n@@ -1089,3 +1087,56 @@ var (\n \t// FortinetVendorProductMatch is a ranking how confident the CVE-ID was detected correctly\n \tFortinetVendorProductMatch = Confidence{10, FortinetVendorProductMatchStr, 9}\n )\n+\n+// KEVType is the type of Known Exploited Vulnerability catalog\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType    `json:\"type\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\n+\tCISA      *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck Reported Exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev_result.json b/sample_kev_result.json\nnew file mode 100644\nindex 0000000..4e20ce2\n--- /dev/null\n+++ b/sample_kev_result.json\n@@ -0,0 +1,88 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"dummy-uuid-1234\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"container\": {\n+    \"containerID\": \"\",\n+    \"name\": \"\",\n+    \"image\": \"\",\n+    \"type\": \"\",\n+    \"uuid\": \"\"\n+  },\n+  \"platform\": {\n+    \"name\": \"\",\n+    \"instanceID\": \"\"\n+  },\n+  \"scannedAt\": \"2026-07-03T12:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"v0.0.0\",\n+  \"scannedRevision\": \"xxxxxxx\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"local\",\n+  \"reportedAt\": \"2026-07-03T12:00:00Z\",\n+  \"reportedVersion\": \"v0.0.0\",\n+  \"reportedRevision\": \"xxxxxxx\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a dummy CISA KEV entry.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-01T00:00:00Z\",\n+          \"dueDate\": \"2026-02-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a dummy VulnCheck KEV entry.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"123\",\n+                \"xdbURL\": \"https://example.com/xdb/123\",\n+                \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+                \"exploitType\": \"RCE\",\n+                \"cloneSSHURL\": \"git@example.com:foo/bar.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2026-01-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0\",\n+    \"version\": \"#1 SMP\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T19:59:58.194112Z"}, {"uuid": "24d9095f-026f-4998-9c6e-84c887091310", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/16aba41dff863585e350598e5834544b", "content": "diff --git a/README.md b/README.md\nindex 57102d1..ea70768 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,11 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - VulnCheck KEV data in JSON output\n+  - Example KEV-enabled config: [config.toml.example](config.toml.example)\n+  - Example KEV scan output: [docs/sample-kev-scan-result.json](docs/sample-kev-scan-result.json)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..0424fe9\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,40 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Do not paste production credentials here; replace placeholder values locally.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers.example-host]\n+host = \"example-host\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+\n+[servers.example-host.optional]\n+environment = \"example\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..de279a7 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, toKEVs(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +99,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, toKEVs(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +109,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func toKEVs(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tvar dueDate *time.Time\n+\t\tif !kevuln.DueDate.IsZero() {\n+\t\t\td := kevuln.DueDate\n+\t\t\tdueDate = &amp;d\n+\t\t}\n+\t\tkevs = append(kevs, models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              kevuln.VendorProject,\n+\t\t\tProduct:                    kevuln.Product,\n+\t\t\tVulnerabilityName:          kevuln.VulnerabilityName,\n+\t\t\tShortDescription:           kevuln.ShortDescription,\n+\t\t\tRequiredAction:             kevuln.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: kevuln.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  kevuln.DateAdded,\n+\t\t\tDueDate:                    dueDate,\n+\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\tNote: kevuln.Notes,\n+\t\t\t},\n+\t\t})\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/kev-tracking-issue-example.md b/docs/kev-tracking-issue-example.md\nnew file mode 100644\nindex 0000000..2d38665\n--- /dev/null\n+++ b/docs/kev-tracking-issue-example.md\n@@ -0,0 +1,56 @@\n+# KEV JSON Example\n+\n+This is a synthetic, redacted example for the tracking issue. It demonstrates the new `scannedCves[].kevs` field without exposing production scan data.\n+\n+```json\n+{\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry used to demonstrate JSON output.\",\n+          \"requiredAction\": \"Apply the vendor-provided update or mitigation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry used to demonstrate JSON output.\",\n+          \"requiredAction\": \"Review exploitation evidence and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/example-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n+```\ndiff --git a/docs/sample-kev-scan-result.json b/docs/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..44a741d\n--- /dev/null\n+++ b/docs/sample-kev-scan-result.json\n@@ -0,0 +1,76 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"remote\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3-4\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry used to demonstrate JSON output.\",\n+          \"requiredAction\": \"Apply the vendor-provided update or mitigation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry used to demonstrate JSON output.\",\n+          \"requiredAction\": \"Review exploitation evidence and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.invalid:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/example-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..19f0080 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..2d522ef\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,51 @@\n+package models\n+\n+import \"testing\"\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {},\n+\t\t\t\"CVE-0000-0003\": {KEVs: []KEV{{Type: VulnCheckKEVType}, {Type: CISAKEVType}}},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Errorf(\"FormatKEVCveSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutput_KEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"B VulnCheck\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"B CISA\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"A CISA\"},\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"A VulnCheck\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"A CISA\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"B CISA\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"A VulnCheck\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"B VulnCheck\"},\n+\t}\n+\n+\tif len(got) != len(want) {\n+\t\tt.Fatalf(\"len(KEVs) = %d, want %d\", len(got), len(want))\n+\t}\n+\tfor i := range want {\n+\t\tif got[i].Type != want[i].Type || got[i].VulnerabilityName != want[i].VulnerabilityName {\n+\t\t\tt.Errorf(\"KEVs[%d] = %+v, want %+v\", i, got[i], want[i])\n+\t\t}\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..4c36aef 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -266,6 +266,7 @@ type VulnInfo struct {\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a Known Exploited Vulnerabilities source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType identifies CISA KEV catalog entries.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType identifies VulnCheck KEV entries.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported-exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,8 +962,9 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n+\t// Deprecated: KEV data is stored in VulnInfo.KEVs.\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..049998e 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"%s KEV\", strings.ToUpper(string(kev.Type))), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..56e127b 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", strings.ToUpper(string(kev.Type)), kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T21:02:38.701406Z"}, {"uuid": "a2dc4e54-a8d8-4568-ab92-2ddfddce1f43", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/ef0e195314daa1371520d4c4f6f6370a", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..99b39ac 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - [Known Exploited Vulnerabilities](https://vulncheck.com/kev)\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,20 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Example Configuration\n+\n+A synthetic, redacted KEV-enabled configuration is available at [config.toml.example](config.toml.example). It uses placeholder hosts and paths only; do not publish or copy production `config.toml` values into examples or documentation.\n+\n+The KEV data source is configured with the `kevuln` section, for example:\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+```\n+\n+A synthetic scan result showing the new `kevs` JSON field is available at [examples/scan-result-kev.json](examples/scan-result-kev.json).\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..6261b94\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,40 @@\n+# Synthetic example only. Do not paste production hostnames, IPs, tokens, or secrets here.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-cve-dictionary.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/goval-dictionary.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+[default]\n+scanMode = [\"fast-root\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"example-host.local\"\n+user = \"vuls-user\"\n+port = \"22\"\n+keyPath = \"/home/vuls-user/.ssh/id_ed25519\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..46dd7fc 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -74,24 +75,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n+\t\t\tkevulns := []kevulnJSON{}\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv.KEVs = append(v.KEVs, convertKEVulnJSONToModel(kevulns)...)\n+\t\t\t\tif len(v.KEVs) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, convertKEVulnsToModel(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,77 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulnsToModel(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\traws := make([]kevulnJSON, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tvar raw kevulnJSON\n+\t\tif err := json.Unmarshal(b, &amp;raw); err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\t\traws = append(raws, raw)\n+\t}\n+\treturn convertKEVulnJSONToModel(raws)\n+}\n+\n+func convertKEVulnJSONToModel(kevulns []kevulnJSON) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, raw := range kevulns {\n+\t\tkevType := models.KEVType(strings.ToLower(raw.Type))\n+\t\tif kevType == \"\" {\n+\t\t\tkevType = models.CISAKEVType\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                       kevType,\n+\t\t\tVendorProject:              raw.VendorProject,\n+\t\t\tProduct:                    raw.Product,\n+\t\t\tVulnerabilityName:          raw.VulnerabilityName,\n+\t\t\tShortDescription:           raw.ShortDescription,\n+\t\t\tRequiredAction:             raw.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: raw.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  raw.DateAdded,\n+\t\t\tDueDate:                    raw.DueDate,\n+\t\t}\n+\n+\t\tswitch kevType {\n+\t\tcase models.CISAKEVType:\n+\t\t\tif raw.Note == \"\" {\n+\t\t\t\traw.Note = raw.Notes\n+\t\t\t}\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: raw.Note}\n+\t\tcase models.VulnCheckKEVType:\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\t\tXDB:                  raw.XDB,\n+\t\t\t\tReportedExploitation: raw.ReportedExploitation,\n+\t\t\t}\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+type kevulnJSON struct {\n+\tType                          string                                    `json:\"type\"`\n+\tVendorProject                 string                                    `json:\"vendorProject\"`\n+\tProduct                       string                                    `json:\"product\"`\n+\tVulnerabilityName             string                                    `json:\"vulnerabilityName\"`\n+\tShortDescription              string                                    `json:\"shortDescription\"`\n+\tRequiredAction                string                                    `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse    string                                    `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                     time.Time                                 `json:\"dateAdded\"`\n+\tDueDate                       *time.Time                                `json:\"dueDate\"`\n+\tNote                          string                                    `json:\"note\"`\n+\tNotes                         string                                    `json:\"notes\"`\n+\tXDB                           []models.VulnCheckXDB                    `json:\"xdb\"`\n+\tReportedExploitation []models.VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/scan-result-kev.json b/examples/scan-result-kev.json\nnew file mode 100644\nindex 0000000..f181f99\n--- /dev/null\n+++ b/examples/scan-result-kev.json\n@@ -0,0 +1,65 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"24.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry for documentation only.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Placeholder note for reviewers.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry for documentation only.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"example\",\n+                \"cloneSSHURL\": \"git@example.com:placeholder/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reported-exploitation\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..79846d9 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.SliceStable(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..14e91bb 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies the known-exploited-vulnerability data source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA Known Exploited Vulnerabilities catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                          KEVType       `json:\"type,omitempty\"`\n+\tVendorProject                 string        `json:\"vendorProject,omitempty\"`\n+\tProduct                       string        `json:\"product,omitempty\"`\n+\tVulnerabilityName             string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription              string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse    string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                     time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                       *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                          *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                     *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation references.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,8 +962,9 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n+\t// Deprecated: KEV data is stored in VulnInfo.KEVs instead.\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T21:02:38.922326Z"}, {"uuid": "f03c2db5-0ebe-454b-9011-fbca49138c9e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/c811df831dbc6c88c391ae9b7f8a9776", "content": "diff --git a/README.md b/README.md\nindex 57102d1..5a3f53e 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,20 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## Example Config\n+\n+Use [`config.toml.example`](config.toml.example) as a ready-to-edit starting point. It includes the `[kevuln]` section needed to enrich scan results with CISA and VulnCheck KEV data through `go-kev`.\n+\n+The example uses placeholder hosts, paths, and credentials only. Do not publish a live `config.toml`; production configs often contain SSH, SMTP, Slack, ChatWork, or other secrets.\n+\n+```toml\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+```\n+\n+A synthetic scan output showing the new `kevs` JSON field is available at [`examples/kev-scan-result.json`](examples/kev-scan-result.json). A compact issue-ready version is available at [`examples/kev-tracking-issue-example.md`](examples/kev-tracking-issue-example.md).\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..bd2c9d4\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,42 @@\n+# Synthetic example configuration. Do not paste production secrets here.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls-scan\"\n+keyPath = \"/home/vuls-scan/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example target\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..d4a950f 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -74,24 +74,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\treturn err\n \t\t}\n \t\tfor _, res := range responses {\n-\t\t\tkevulns := []kevulnmodels.KEVuln{}\n-\t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n+\t\t\tkevs, err := parseKEVsJSON([]byte(res.json))\n+\t\t\tif err != nil {\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv.KEVs = kevs\n+\t\t\t\tif len(kevs) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +101,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +116,149 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+type kevDate struct {\n+\ttime.Time\n+}\n+\n+func (d *kevDate) UnmarshalJSON(b []byte) error {\n+\tif string(b) == \"null\" {\n+\t\treturn nil\n+\t}\n+\tvar s string\n+\tif err := json.Unmarshal(b, &amp;s); err != nil {\n+\t\treturn err\n+\t}\n+\tif s == \"\" {\n+\t\treturn nil\n+\t}\n+\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\td.Time = t\n+\t\t\treturn nil\n+\t\t}\n+\t}\n+\treturn xerrors.Errorf(\"Failed to parse KEV date: %s\", s)\n+}\n+\n+type kevRaw struct {\n+\tType                       models.KEVType `json:\"type\"`\n+\tVendorProject              string         `json:\"vendorProject\"`\n+\tProduct                    string         `json:\"product\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName\"`\n+\tShortDescription           string         `json:\"shortDescription\"`\n+\tRequiredAction             string         `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  kevDate       `json:\"dateAdded\"`\n+\tDueDate                    *kevDate      `json:\"dueDate\"`\n+\tNotes                      string         `json:\"notes\"`\n+\tNote                       string         `json:\"note\"`\n+\tCISA                       *struct {\n+\t\tNote string `json:\"note\"`\n+\t} `json:\"cisa\"`\n+\tVulnCheck *struct {\n+\t\tXDB []struct {\n+\t\t\tXDBID       string  `json:\"xdbID\"`\n+\t\t\tXDBURL      string  `json:\"xdbURL\"`\n+\t\t\tDateAdded   kevDate `json:\"dateAdded\"`\n+\t\t\tExploitType string  `json:\"exploitType\"`\n+\t\t\tCloneSSHURL string  `json:\"cloneSSHURL\"`\n+\t\t} `json:\"xdb\"`\n+\t\tReportedExploitation []struct {\n+\t\t\tURL       string  `json:\"url\"`\n+\t\t\tDateAdded kevDate `json:\"dateAdded\"`\n+\t\t} `json:\"reportedExploitation\"`\n+\t} `json:\"vulncheck\"`\n+}\n+\n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tvar kevs []models.KEV\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\t\tkev, err := parseKEVJSON(b)\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func parseKEVsJSON(b []byte) ([]models.KEV, error) {\n+\tvar raws []json.RawMessage\n+\tif err := json.Unmarshal(b, &amp;raws); err != nil {\n+\t\treturn nil, err\n+\t}\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkev, err := parseKEVJSON(raw)\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func parseKEVJSON(b []byte) (models.KEV, error) {\n+\tvar raw kevRaw\n+\tif err := json.Unmarshal(b, &amp;raw); err != nil {\n+\t\treturn models.KEV{}, err\n+\t}\n+\n+\tdueDate := (*time.Time)(nil)\n+\tif raw.DueDate != nil {\n+\t\td := raw.DueDate.Time\n+\t\tdueDate = &amp;d\n+\t}\n+\tkev := models.KEV{\n+\t\tType:                       raw.Type,\n+\t\tVendorProject:              raw.VendorProject,\n+\t\tProduct:                    raw.Product,\n+\t\tVulnerabilityName:          raw.VulnerabilityName,\n+\t\tShortDescription:           raw.ShortDescription,\n+\t\tRequiredAction:             raw.RequiredAction,\n+\t\tKnownRansomwareCampaignUse: raw.KnownRansomwareCampaignUse,\n+\t\tDateAdded:                  raw.DateAdded.Time,\n+\t\tDueDate:                    dueDate,\n+\t}\n+\tif kev.Type == \"\" {\n+\t\tkev.Type = models.CISAKEVType\n+\t}\n+\tif raw.CISA != nil || raw.Notes != \"\" || raw.Note != \"\" || kev.Type == models.CISAKEVType {\n+\t\tnote := raw.Note\n+\t\tif raw.Notes != \"\" {\n+\t\t\tnote = raw.Notes\n+\t\t}\n+\t\tif raw.CISA != nil &amp;&amp; raw.CISA.Note != \"\" {\n+\t\t\tnote = raw.CISA.Note\n+\t\t}\n+\t\tkev.CISA = &amp;models.CISAKEV{Note: note}\n+\t}\n+\tif raw.VulnCheck != nil {\n+\t\tvulnCheck := &amp;models.VulnCheckKEV{}\n+\t\tfor _, xdb := range raw.VulnCheck.XDB {\n+\t\t\tvulnCheck.XDB = append(vulnCheck.XDB, models.VulnCheckXDB{\n+\t\t\t\tXDBID:       xdb.XDBID,\n+\t\t\t\tXDBURL:      xdb.XDBURL,\n+\t\t\t\tDateAdded:   xdb.DateAdded.Time,\n+\t\t\t\tExploitType: xdb.ExploitType,\n+\t\t\t\tCloneSSHURL: xdb.CloneSSHURL,\n+\t\t\t})\n+\t\t}\n+\t\tfor _, exploitation := range raw.VulnCheck.ReportedExploitation {\n+\t\t\tvulnCheck.ReportedExploitation = append(vulnCheck.ReportedExploitation, models.VulnCheckReportedExploitation{\n+\t\t\t\tURL:       exploitation.URL,\n+\t\t\t\tDateAdded: exploitation.DateAdded.Time,\n+\t\t\t})\n+\t\t}\n+\t\tkev.VulnCheck = vulnCheck\n+\t}\n+\treturn kev, nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/kev-scan-result.json b/examples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..9bf9cf1\n--- /dev/null\n+++ b/examples/kev-scan-result.json\n@@ -0,0 +1,57 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV example for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Placeholder note; not real vulnerability intelligence.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV example for documentation.\",\n+          \"requiredAction\": \"Review exploitability and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-16T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2024-01-16T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.com:example/research.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/example-exploitation\",\n+                \"dateAdded\": \"2024-01-17T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/examples/kev-tracking-issue-example.md b/examples/kev-tracking-issue-example.md\nnew file mode 100644\nindex 0000000..672a63d\n--- /dev/null\n+++ b/examples/kev-tracking-issue-example.md\n@@ -0,0 +1,57 @@\n+# KEV Scan Result Example\n+\n+Synthetic example for the tracking issue. This intentionally contains no real hostnames, IP addresses, package inventory, UUIDs, accounts, or production scan output.\n+\n+```json\n+{\n+  \"serverName\": \"example-host\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV example for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Placeholder note; not real vulnerability intelligence.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV example for documentation.\",\n+          \"requiredAction\": \"Review exploitability and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-16T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2024-01-16T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.com:example/research.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/example-exploitation\",\n+                \"dateAdded\": \"2024-01-17T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n+```\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..11f6cbd 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..aaca5fc 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is the source catalog for known exploited vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType represents VulnCheck Known Exploited Vulnerabilities data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability data for a vulnerability.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database details.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation details.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +962,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +971,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T21:02:38.961592Z"}, {"uuid": "f18dae97-950a-4b66-b1a7-6b14d225a6b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/3b4f90568c219888ebcd3a0ad354e16e", "content": "diff --git a/README.md b/README.md\nindex 57102d1..3f7372c 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV(Known Exploited Vulnerabilities)\n+  - [CISA](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - VulnCheck\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -152,6 +153,36 @@ Vuls has some options to detect the vulnerabilities\n - [Common Platform Enumeration (CPE) based Scan](https://vuls.io/docs/en/usage-scan-non-os-packages.html#cpe-scan)\n - [OWASP Dependency Check Integration](https://vuls.io/docs/en/usage-scan-non-os-packages.html#usage-integrate-with-owasp-dependency-check-to-automatic-update-when-the-libraries-are-updated-experimental)\n \n+## Example Configuration\n+\n+Here is a synthetic, ready-to-use example configuration (`config.toml.example`) showing how to enable KEV reporting:\n+\n+```toml\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scanner\"\n+keyPath = \"/home/scanner/.ssh/id_rsa\"\n+```\n+\n ## Scan WordPress core, themes, plugins\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..9af1678\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,23 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"scanner\"\n+keyPath = \"/home/scanner/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..da293b9 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,19 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tnKEV++\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\t// KEV data is now handled in models\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,17 +102,11 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tnKEV++\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n+\t\t\t// KEV data is now handled in models\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..587f916 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKevCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..59430e4 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..0ce202d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n@@ -1089,3 +1086,56 @@ var (\n \t// FortinetVendorProductMatch is a ranking how confident the CVE-ID was detected correctly\n \tFortinetVendorProductMatch = Confidence{10, FortinetVendorProductMatchStr, 9}\n )\n+\n+// KEVType is a type of Known Exploited Vulnerability\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType :\n+\tCISAKEVType = KEVType(\"cisa\")\n+\n+\t// VulnCheckKEVType :\n+\tVulnCheckKEVType = KEVType(\"vulncheck\")\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType\n+\tVendorProject              string\n+\tProduct                    string\n+\tVulnerabilityName          string\n+\tShortDescription           string\n+\tRequiredAction             string\n+\tKnownRansomwareCampaignUse string\n+\tDateAdded                  time.Time\n+\tDueDate                    *time.Time\n+\tCISA                       *CISAKEV\n+\tVulnCheck                  *VulnCheckKEV\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB\n+\tReportedExploitation []VulnCheckReportedExploitation\n+}\n+\n+// VulnCheckXDB has XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string\n+\tXDBURL      string\n+\tDateAdded   time.Time\n+\tExploitType string\n+\tCloneSSHURL string\n+}\n+\n+// VulnCheckReportedExploitation has ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string\n+\tDateAdded time.Time\n+}\n+\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev_scan_result.json b/sample_kev_scan_result.json\nnew file mode 100644\nindex 0000000..3f3c1fb\n--- /dev/null\n+++ b/sample_kev_scan_result.json\n@@ -0,0 +1,89 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"container\": {\n+    \"containerID\": \"\",\n+    \"name\": \"\",\n+    \"image\": \"\",\n+    \"type\": \"\",\n+    \"uuid\": \"\"\n+  },\n+  \"platform\": {\n+    \"name\": \"\",\n+    \"instanceID\": \"\"\n+  },\n+  \"scannedAt\": \"2023-01-01T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"1.0\",\n+  \"scannedRevision\": \"12345\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"local\",\n+  \"reportedAt\": \"2023-01-01T00:00:00Z\",\n+  \"reportedVersion\": \"1.0\",\n+  \"reportedRevision\": \"12345\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"Type\": \"cisa\",\n+          \"VendorProject\": \"Example Project\",\n+          \"Product\": \"Example Product\",\n+          \"VulnerabilityName\": \"Example Vulnerability\",\n+          \"ShortDescription\": \"This is a synthetic documentation CVE.\",\n+          \"RequiredAction\": \"Apply updates.\",\n+          \"KnownRansomwareCampaignUse\": \"Unknown\",\n+          \"DateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"DueDate\": \"2023-01-15T00:00:00Z\",\n+          \"CISA\": {\n+            \"Note\": \"This is a dummy note.\"\n+          }\n+        },\n+        {\n+          \"Type\": \"vulncheck\",\n+          \"VendorProject\": \"Example Project\",\n+          \"Product\": \"Example Product\",\n+          \"VulnerabilityName\": \"Example Vulnerability\",\n+          \"ShortDescription\": \"Synthetic VulnCheck entry\",\n+          \"RequiredAction\": \"\",\n+          \"KnownRansomwareCampaignUse\": \"Unknown\",\n+          \"DateAdded\": \"2023-01-02T00:00:00Z\",\n+          \"VulnCheck\": {\n+            \"XDB\": [\n+              {\n+                \"XDBID\": \"xdb-0000\",\n+                \"XDBURL\": \"https://example.com/xdb/0000\",\n+                \"DateAdded\": \"2023-01-02T00:00:00Z\",\n+                \"ExploitType\": \"local\",\n+                \"CloneSSHURL\": \"git@example.com:exploits/0000.git\"\n+              }\n+            ],\n+            \"ReportedExploitation\": [\n+              {\n+                \"URL\": \"https://example.com/report/1\",\n+                \"DateAdded\": \"2023-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0-dummy\",\n+    \"version\": \"dummy-version\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..58a8768 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,18 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n+\t\t\ttree.AddNode(tree.Root,\n+\t\t\t\t\"KEV\",\n+\t\t\t\t0,\n+\t\t\t\tfalse,\n+\t\t\t\tfunc(n *Node) {})\n+\t\t\tfor _, alert := range vinfo.KEVs {\n+\t\t\t\ttree.AddNode(tree.Root.Children[len(tree.Root.Children)-1],\n+\t\t\t\t\talert.VulnerabilityName,\n+\t\t\t\t\t0,\n+\t\t\t\t\tfalse,\n+\t\t\t\t\tfunc(n *Node) {})\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T21:02:38.992547Z"}, {"uuid": "d5662bfe-4d83-4c24-a107-0ad5bfd895d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/73a89f50cdc1033e0ae1bd42aac7e894", "content": "diff --git a/README.md b/README.md\nindex 57102d1..17cd94f 100644\n--- a/README.md\n+++ b/README.md\n@@ -179,6 +179,37 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+### Example Configuration for KEV\n+\n+To enable KEV reporting (CISA and VulnCheck), use an example configuration like `config.toml.example`:\n+\n+```toml\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-server]\n+host         = \"192.168.0.1\"\n+port         = \"22\"\n+user         = \"example-user\"\n+keyPath      = \"/home/user/.ssh/id_rsa\"\n+```\n+\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..bf771c2\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,23 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-server]\n+host         = \"192.168.0.1\"\n+port         = \"22\"\n+user         = \"example-user\"\n+keyPath      = \"/home/user/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..aeb32f1 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -90,7 +90,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +107,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..371ec59 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -251,15 +251,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +274,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -428,15 +435,19 @@ func (r *ScanResult) SortForJSONOutput() {\n \n \t\tv.CveContents.Sort()\n \n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n \t\t})\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..777f7c0 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +284,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +346,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +405,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..851f5d0 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,24 +911,71 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType indicates the source of the KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is for VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType    `json:\"type,omitempty\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV   `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..b314b74\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,38 @@\n+{\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a placeholder for a known exploited vulnerability.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\"\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"12345\",\n+                \"xdburl\": \"https://example.com/xdb/12345\",\n+                \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+                \"exploitType\": \"remote\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..ac738d4 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,15 +812,17 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n+\t\t\tfor _, alert := range vinfo.AlertDict.USCERT {\n+\t\t\t\tfmt.Fprintf(os.Stdout, \"\\t* %-20s : %s\\n\", alert.Team, alert.URL)\n \t\t\t}\n \t\t}\n+\t\tif len(vinfo.AlertDict.JPCERT) &gt; 0 {\n+\t\t\tfor _, alert := range vinfo.AlertDict.JPCERT {\n+\t\t\t\tfmt.Fprintf(os.Stdout, \"\\t* %-20s : %s\\n\", alert.Team, alert.URL)\n+\t\t\t}\n+\t\t}\n+\t\t}\n \n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n", "creation_timestamp": "2026-07-03T21:02:39.035972Z"}, {"uuid": "dc58b39a-fc6b-4c54-a57f-488b03c48ef4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/c6f26cebf31133e36197482567aa0db6", "content": "diff --git a/README.md b/README.md\nindex 57102d1..5702337 100644\n--- a/README.md\n+++ b/README.md\n@@ -156,6 +156,34 @@ Vuls has some options to detect the vulnerabilities\n \n - [Scan WordPress](https://vuls.io/docs/en/usage-scan-wordpress.html)\n \n+## Example Configuration\n+\n+To enable KEV (Known Exploited Vulnerabilities) reporting along with standard vulnerability scanning, use an example configuration like the following `config.toml.example`:\n+\n+```toml\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.localhost]\n+host = \"localhost\"\n+port = \"local\"\n+```\n+\n ## MISC\n \n - Nondestructive testing\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..bda8383\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,21 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.localhost]\n+host = \"localhost\"\n+port = \"local\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..1171e9c 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tvar kevs []models.KEV\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\tdueDate = &amp;k.DueDate\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +121,29 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tvar kevs []models.KEV\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\tdueDate = &amp;k.DueDate\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..bc1dbb4 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..9466f55 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..d6f77fc 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,71 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of the KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType represents VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType                        `json:\"type\"`\n+\tVendorProject              string                         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string                         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string                         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string                         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string                         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string                         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time                      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time                     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV                       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV                  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has XDB details\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has Reported Exploitation details\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..d13ccad 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,12 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tif kev.Type == models.CISAKEVType {\n+\t\t\t\tdata = append(data, []string{\"CISA KEV\", fmt.Sprintf(\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=%s\", vuln.CveID)})\n+\t\t\t} else if kev.Type == models.VulnCheckKEVType {\n+\t\t\t\tdata = append(data, []string{\"VulnCheck KEV\", \"Exploit exists\"})\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..04bf281\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,86 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"container\": {\n+    \"containerID\": \"\",\n+    \"name\": \"\",\n+    \"image\": \"\",\n+    \"type\": \"\",\n+    \"uuid\": \"\"\n+  },\n+  \"platform\": {\n+    \"name\": \"\",\n+    \"instanceID\": \"\"\n+  },\n+  \"scannedAt\": \"2023-10-27T10:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"0.24.0\",\n+  \"scannedRevision\": \"unknown\",\n+  \"scannedBy\": \"vuls\",\n+  \"scannedVia\": \"local\",\n+  \"reportedAt\": \"2023-10-27T10:05:00Z\",\n+  \"reportedVersion\": \"0.24.0\",\n+  \"reportedRevision\": \"unknown\",\n+  \"reportedBy\": \"vuls\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic example KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic CISA note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic example VulnCheck KEV.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"dateAdded\": \"2023-01-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"1234\",\n+                \"xdbURL\": \"https://example.com/xdb/1234\",\n+                \"dateAdded\": \"2023-01-02T00:00:00Z\",\n+                \"exploitType\": \"local\",\n+                \"cloneSSHURL\": \"git@github.com:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/news/1234\",\n+                \"dateAdded\": \"2023-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0-100-generic\",\n+    \"version\": \"1\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..44edc3a 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,17 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tif kev.Type == models.CISAKEVType {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [CISA KEV] %s\", kev.VulnerabilityName))\n+\t\t\t\t} else if kev.Type == models.VulnCheckKEVType {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [VulnCheck KEV] %s\", kev.VulnerabilityName))\n+\t\t\t\t}\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T21:02:39.079766Z"}, {"uuid": "1516c8af-2b73-464d-a54f-7cfec05ea6db", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/70a2f4824c54a580f8df7db2a86276ab", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..274c3cf\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,90 @@\n+# Vuls Configuration Example\n+# Copy this file to config.toml and edit to match your environment.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# ==============================================================================\n+# Default settings applied to all servers unless overridden\n+# ==============================================================================\n+[default]\n+port = \"22\"\n+user = \"your-ssh-user\"\n+keyPath = \"/path/to/your/ssh-key\"\n+scanMode = [\"fast\"]\n+scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# ==============================================================================\n+# Vulnerability dictionary databases\n+# Each dictionary can be configured to use sqlite3, mysql, postgres, redis, or http.\n+# ==============================================================================\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+# Known Exploited Vulnerabilities (KEV) database (CISA / VulnCheck)\n+# KEV data is now reported as a first-class field on vulnerabilities.\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+# ==============================================================================\n+# Servers to scan\n+# ==============================================================================\n+[servers]\n+\n+[servers.example-server]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"your-ssh-user\"\n+keyPath = \"/path/to/your/ssh-key\"\n+scanMode = [\"fast-root\"]\n+\n+[servers.another-server]\n+host = \"198.51.100.1\"\n+port = \"22\"\n+scanMode = [\"deep\"]\n+# Ignore specific CVEs for this server\n+ignoreCves = [\"CVE-0000-0000\"]\n+\n+# ==============================================================================\n+# Notification settings (all optional)\n+# ==============================================================================\n+# [slack]\n+# hookURL = \"https://hooks.slack.com/services/YOUR/WEBHOOK/URL\"\n+# channel = \"#your-channel\"\n+# authUser = \"vuls\"\n+# notifyUsers = [\"@your-user\"]\n+\n+# [email]\n+# smtpAddr = \"smtp.example.com\"\n+# smtpPort = \"587\"\n+# user = \"vuls@example.com\"\n+# password = \"your-smtp-password\"\n+# from = \"vuls@example.com\"\n+# to = [\"admin@example.com\"]\n+\n+# [chatWork]\n+# apiToken = \"your-chatwork-api-token\"\n+# room = \"your-room-id\"\n+\n+# [http]\n+# url = \"http://localhost:11234/vuls\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..1c9f8d2 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,14 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n+\t\t\tkevs := convertToKEVs(kevulns)\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +104,8 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tkevs := convertToKEVs(kevulns)\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +115,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tvar kevs []models.KEV\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t}\n+\t\tif !k.DueDate.IsZero() {\n+\t\t\tdueDate := k.DueDate\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\t\tif k.Notes != \"\" {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: k.Notes}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..cbbe54c 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -428,14 +436,20 @@ func (r *ScanResult) SortForJSONOutput() {\n \n \t\tv.CveContents.Sort()\n \n+\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n+\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\t})\n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n \t\t})\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/testdata/sample_kevs_scan_result.json b/models/testdata/sample_kevs_scan_result.json\nnew file mode 100644\nindex 0000000..f7a0585\n--- /dev/null\n+++ b/models/testdata/sample_kevs_scan_result.json\n@@ -0,0 +1,75 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"centos\",\n+  \"release\": \"8\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0001\": {\n+      \"cveID\": \"CVE-0000-0001\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-15T00:00:00Z\",\n+          \"dueDate\": \"2024-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"https://example.com/advisory/2024-001\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"abc123\",\n+                \"xdbURL\": \"https://vulncheck.example.com/xdb/abc123\",\n+                \"dateAdded\": \"2024-01-12T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/2024-001\",\n+                \"dateAdded\": \"2024-01-11T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {}\n+    },\n+    \"CVE-0000-0002\": {\n+      \"cveID\": \"CVE-0000-0002\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"AnotherVendor\",\n+          \"product\": \"AnotherProduct\",\n+          \"vulnerabilityName\": \"AnotherVendor AnotherProduct Privilege Escalation Vulnerability\",\n+          \"shortDescription\": \"AnotherVendor AnotherProduct contains a privilege escalation vulnerability.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-03-01T00:00:00Z\",\n+          \"dueDate\": \"2024-03-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        }\n+      ],\n+      \"alertDict\": {}\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..7d1eba7 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,24 +911,74 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the KEV type for CISA\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the KEV type for VulnCheck\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n+// CISA field is deprecated; KEV data is now stored in VulnInfo.KEVs.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..e3aef8f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..dcd70d3 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"================================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T21:02:39.195251Z"}, {"uuid": "f71acbdf-1493-48d8-a9a2-4c17cd5356d2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/3aa722cf98ecac7b0e3cdc34b78ae151", "content": "diff --git a/README.md b/README.md\nindex 57102d1..9d75fdf 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - [VulnCheck KEV](https://vulncheck.com/kev)\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -174,6 +177,13 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Examples\n+\n+- `examples/config.toml.example` shows a synthetic, ready-to-edit configuration with KEV reporting enabled through `[kevuln]`.\n+- `examples/kev-scan-result.json` shows the `scannedCves[].kevs` JSON shape for CISA and VulnCheck KEV entries.\n+\n+----\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..5cc914c 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,8 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"reflect\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +81,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = kevulnsToModels(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +101,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevulnsToModels(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +111,151 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func kevulnsToModels(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tkev := kevulnToModel(kevuln)\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func kevulnToModel(kevuln kevulnmodels.KEVuln) models.KEV {\n+\tv := reflect.ValueOf(kevuln)\n+\tif v.Kind() == reflect.Pointer {\n+\t\tif v.IsNil() {\n+\t\t\treturn models.KEV{}\n+\t\t}\n+\t\tv = v.Elem()\n+\t}\n+\tif v.Kind() != reflect.Struct {\n+\t\treturn models.KEV{}\n+\t}\n+\n+\ttyp := models.KEVType(strings.ToLower(fieldString(v, \"Type\", \"Source\")))\n+\tkev := models.KEV{\n+\t\tType:                       typ,\n+\t\tVendorProject:              fieldString(v, \"VendorProject\", \"Vendor\", \"Project\"),\n+\t\tProduct:                    fieldString(v, \"Product\"),\n+\t\tVulnerabilityName:          fieldString(v, \"VulnerabilityName\", \"Name\"),\n+\t\tShortDescription:           fieldString(v, \"ShortDescription\", \"Description\"),\n+\t\tRequiredAction:             fieldString(v, \"RequiredAction\"),\n+\t\tKnownRansomwareCampaignUse: fieldString(v, \"KnownRansomwareCampaignUse\", \"RansomwareCampaignUse\"),\n+\t\tDateAdded:                  fieldTime(v, \"DateAdded\"),\n+\t\tDueDate:                    fieldTimePtr(v, \"DueDate\"),\n+\t}\n+\n+\tif kev.Type == models.VulnCheckKEVType {\n+\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\tXDB:                  vulnCheckXDBs(v),\n+\t\t\tReportedExploitation: vulnCheckReportedExploitations(v),\n+\t\t}\n+\t\treturn kev\n+\t}\n+\n+\tkev.Type = models.CISAKEVType\n+\tkev.CISA = &amp;models.CISAKEV{Note: fieldString(v, \"Notes\", \"Note\")}\n+\treturn kev\n+}\n+\n+func fieldString(v reflect.Value, names ...string) string {\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif f.IsValid() &amp;&amp; f.Kind() == reflect.String {\n+\t\t\treturn f.String()\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func fieldTime(v reflect.Value, names ...string) time.Time {\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif f.IsValid() &amp;&amp; f.CanInterface() {\n+\t\t\tif t, ok := f.Interface().(time.Time); ok {\n+\t\t\t\treturn t\n+\t\t\t}\n+\t\t\tif f.Kind() == reflect.Pointer &amp;&amp; !f.IsNil() {\n+\t\t\t\tif t, ok := f.Interface().(*time.Time); ok {\n+\t\t\t\t\treturn *t\n+\t\t\t\t}\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func fieldTimePtr(v reflect.Value, names ...string) *time.Time {\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif !f.IsValid() || !f.CanInterface() {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif t, ok := f.Interface().(time.Time); ok &amp;&amp; !t.IsZero() {\n+\t\t\treturn &amp;t\n+\t\t}\n+\t\tif f.Kind() == reflect.Pointer &amp;&amp; !f.IsNil() {\n+\t\t\tif t, ok := f.Interface().(*time.Time); ok {\n+\t\t\t\treturn t\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func vulnCheckXDBs(v reflect.Value) (xdbs []models.VulnCheckXDB) {\n+\tf := v.FieldByName(\"XDB\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\tfor i := 0; i &lt; f.Len(); i++ {\n+\t\tx := f.Index(i)\n+\t\tif x.Kind() == reflect.Pointer {\n+\t\t\tif x.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\tx = x.Elem()\n+\t\t}\n+\t\tif x.Kind() != reflect.Struct {\n+\t\t\tcontinue\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       fieldString(x, \"XDBID\", \"ID\"),\n+\t\t\tXDBURL:      fieldString(x, \"XDBURL\", \"URL\"),\n+\t\t\tDateAdded:   fieldTime(x, \"DateAdded\"),\n+\t\t\tExploitType: fieldString(x, \"ExploitType\"),\n+\t\t\tCloneSSHURL: fieldString(x, \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitations(v reflect.Value) (reports []models.VulnCheckReportedExploitation) {\n+\tf := v.FieldByName(\"ReportedExploitation\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\tfor i := 0; i &lt; f.Len(); i++ {\n+\t\tr := f.Index(i)\n+\t\tif r.Kind() == reflect.Pointer {\n+\t\t\tif r.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\tr = r.Elem()\n+\t\t}\n+\t\tif r.Kind() != reflect.Struct {\n+\t\t\tcontinue\n+\t\t}\n+\t\treports = append(reports, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       fieldString(r, \"URL\"),\n+\t\t\tDateAdded: fieldTime(r, \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn reports\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..33dbf5f\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,37 @@\n+# Synthetic example configuration for KEV reporting.\n+# Replace every placeholder with values for your environment before use.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls-scan\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/examples/kev-scan-result.json b/examples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..e140794\n--- /dev/null\n+++ b/examples/kev-scan-result.json\n@@ -0,0 +1,69 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing CISA KEV output shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+          \"dueDate\": \"2026-01-23T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing VulnCheck KEV output shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-03T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-01-03T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.com:placeholder/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/advisories/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-01-04T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.2.2\",\n+      \"newVersion\": \"1.2.3\"\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..f17b095 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..159ebfb\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,57 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": VulnInfo{KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": VulnInfo{KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-0000-0003\": VulnInfo{},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Fatalf(\"FormatKEVCveSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := &amp;ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": VulnInfo{\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"zulu\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"zulu\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t}\n+\tif !reflect.DeepEqual(got, want) {\n+\t\tt.Fatalf(\"sorted KEVs = %+v, want %+v\", got, want)\n+\t}\n+}\n+\n+func TestAlertDictIgnoresDeprecatedCISA(t *testing.T) {\n+\talerts := AlertDict{CISA: []Alert{{Title: \"legacy KEV alert\"}}}\n+\n+\tif !alerts.IsEmpty() {\n+\t\tt.Fatal(\"AlertDict with only deprecated CISA alerts should be empty\")\n+\t}\n+\tif got, want := alerts.FormatSource(), \"\"; got != want {\n+\t\tt.Fatalf(\"FormatSource() = %q, want %q\", got, want)\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..4e13120 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a source of known exploited vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa\"` // Deprecated: KEV data is represented by VulnInfo.KEVs.\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-04T00:01:07.449537Z"}, {"uuid": "a628a825-cbed-4a90-b2e0-04eaaf6f9680", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/6b4734c8a49b909d18f641adea88c00e", "content": "diff --git a/README.md b/README.md\nindex 57102d1..7cdbafc 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,11 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- KEV (Known Exploited Vulnerabilities)\n+  - [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/kev)\n+\n+See [config.toml.example](config.toml.example) for enabling KEV reporting.\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..c611975\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,82 @@\n+[slack]\n+hookURL      = \"https://hooks.slack.com/services/XXXXX/XXXXX/XXXXX\"\n+channel      = \"#vuls\"\n+iconEmoji    = \":vuls:\"\n+authUser     = \"vuls\"\n+notifyUsers  = [\"@example\"]\n+\n+[mail]\n+smtpAddr = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user     = \"username\"\n+password = \"password\"\n+from     = \"vuls@example.com\"\n+to       = [\"to@example.com\"]\n+cc       = [\"cc@example.com\"]\n+subjectPrefix = \"[vuls]\"\n+\n+[chatwork]\n+apiToken = \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\n+room     = \"12345678\"\n+\n+[default]\n+# port        = \"22\"\n+# user        = \"username\"\n+# keyPath     = \"/home/username/.ssh/id_rsa\"\n+# keyPassword = \"password\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host     = \"example-host\"\n+port     = \"22\"\n+user     = \"vuls\"\n+keyPath  = \"/home/vuls/.ssh/id_rsa\"\n+\n+# [servers.example-host.container]\n+# type = \"docker\"\n+# name = \"example-container\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+# Enable KEV (Known Exploited Vulnerabilities) reporting\n+# Supports CISA KEV and VulnCheck KEV\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+# Or use HTTP server\n+# type = \"http\"\n+# url = \"http://kev-server.example.com:1328\"\n+\n+[cti]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-cti.sqlite3\"\n+\n+[google]\n+jsonKeyFilePath = \"/path/to/credential.json\"\n+\n+[wordpress]\n+tokenFilePath = \"/path/to/wordPressToken\"\n+\n+[defaultIgnore]\n+# cpes = [\n+#   \"cpe:/a:example:product:1.0::~~~\"\n+# ]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..85a55d1 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,28 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tkevs := []models.KEV{}\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tdue := k.DueDate\n+\t\t\t\t\tkev := models.KEV{\n+\t\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\t\tDueDate:                    &amp;due,\n+\t\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t\t},\n+\t\t\t\t\t}\n+\t\t\t\t\tkevs = append(kevs, kev)\n+\t\t\t\t}\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +118,26 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tdue := k.DueDate\n+\t\t\t\tkev := models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    &amp;due,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, kev)\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevs\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..cba5227 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..1c80553 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -256,6 +256,57 @@ type PackageFixStatus struct {\n \tFixedIn     string `json:\"fixedIn,omitempty\"`\n }\n \n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is a CISA KEV type\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is a VulnCheck KEV type\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has KEV information\n+type KEV struct {\n+\tType                        KEVType                     `json:\"type,omitempty\"`\n+\tVendorProject               string                      `json:\"vendorProject,omitempty\"`\n+\tProduct                     string                      `json:\"product,omitempty\"`\n+\tVulnerabilityName           string                      `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription            string                      `json:\"shortDescription,omitempty\"`\n+\tRequiredAction              string                      `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse  string                      `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                   time.Time                   `json:\"dateAdded,omitempty\"`\n+\tDueDate                     *time.Time                  `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV                    `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV               `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"notes,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // VulnInfo has a vulnerability information and unsecure packages\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n@@ -275,6 +326,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +962,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/testdata/kev_sample.json b/testdata/kev_sample.json\nnew file mode 100644\nindex 0000000..b5c5447\n--- /dev/null\n+++ b/testdata/kev_sample.json\n@@ -0,0 +1,95 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"notFixedYet\": false,\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ],\n+      \"cveContents\": {\n+        \"nvd\": [\n+          {\n+            \"type\": \"nvd\",\n+            \"cveID\": \"CVE-0000-0000\",\n+            \"title\": \"Example vulnerability\",\n+            \"summary\": \"Example vulnerability summary\",\n+            \"cvss3Score\": 9.8,\n+            \"cvss3Vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n+            \"cvss3Severity\": \"CRITICAL\"\n+          }\n+        ]\n+      },\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example vulnerability is actively exploited.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"notes\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example vulnerability reported exploited.\",\n+          \"requiredAction\": \"Apply mitigations.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"12345\",\n+                \"xdbURL\": \"https://example.com/xdb/12345\",\n+                \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-01-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {\n+        \"uscert\": [],\n+        \"jpcert\": []\n+      }\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.15.0\",\n+    \"version\": \"#1\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {\n+    \"example-pkg\": {\n+      \"name\": \"example-pkg\",\n+      \"version\": \"1.2.3\"\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T22:03:50.600377Z"}, {"uuid": "5b1ac8f8-1a24-494f-9d0a-8686462130d1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/42d58a7a258e696d409baa8f8230be28", "content": "diff --git a/README.md b/README.md\nindex 57102d1..c07af19 100644\n--- a/README.md\n+++ b/README.md\n@@ -163,8 +163,22 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n-- Email and Slack notification is possible (supports Japanese language)\n-- Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n+- email and slack notification is possible (supports Japanese language)\n+- scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n+\n+### Example Configuration\n+\n+To quickly get started, you can use the following example configuration. Save it as `config.toml`:\n+\n+```toml\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+```\n \n ----\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..1e6443b\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,7 @@\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..8880bce 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,17 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\tVulnerabilityName: k.VulnerabilityName,\n \t\t\t\t})\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +107,15 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\tVulnerabilityName: k.VulnerabilityName,\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..a9968a7 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..9466f55 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..9db346f 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,30 +911,75 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n \treturn strings.Join(s, \"/\")\n }\n \n+// KEVType is the type of Known Exploited Vulnerability source\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType        `json:\"type\"`\n+\tVendorProject              string         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Confidences is a list of Confidence\n type Confidences []Confidence\n \ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..1a184e6 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,10 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tif kev.Type == models.CISAKEVType {\n+\t\t\t\tdata = append(data, []string{\"CISA KEV\", kev.VulnerabilityName})\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample_kev_scan_result.json b/sample_kev_scan_result.json\nnew file mode 100644\nindex 0000000..78fcd6f\n--- /dev/null\n+++ b/sample_kev_scan_result.json\n@@ -0,0 +1,29 @@\n+{\n+    \"serverName\": \"example-host\",\n+    \"scannedCves\": {\n+        \"CVE-0000-0000\": {\n+            \"cveID\": \"CVE-0000-0000\",\n+            \"kevs\": [\n+                {\n+                    \"type\": \"cisa\",\n+                    \"vulnerabilityName\": \"Example Vulnerability\"\n+                },\n+                {\n+                    \"type\": \"vulncheck\",\n+                    \"vulnerabilityName\": \"Example Vulnerability\",\n+                    \"vulncheck\": {\n+                        \"xdb\": [\n+                            {\n+                                \"xdbID\": \"1234\",\n+                                \"xdbURL\": \"https://example.com/1234\",\n+                                \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+                                \"exploitType\": \"local\",\n+                                \"cloneSSHURL\": \"git@github.com:example/example.git\"\n+                            }\n+                        ]\n+                    }\n+                }\n+            ]\n+        }\n+    }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..8b3a33d 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,17 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV\",\n+\t\t\t\t\"===\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tif kev.Type == models.CISAKEVType {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [CISA KEV] %s\", kev.VulnerabilityName))\n+\t\t\t\t} else if kev.Type == models.VulnCheckKEVType {\n+\t\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [VulnCheck KEV] %s\", kev.VulnerabilityName))\n+\t\t\t\t}\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T22:03:50.831528Z"}, {"uuid": "5a9f4bc5-fab1-446d-8a5a-264d64098fa4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/b4acb7473aea2aebdcb5a7327c189837", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71f4b24 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\n@@ -11,6 +12,8 @@ issues/\n vendor/\n log/\n results\n+!sample/\n+!sample/**\n !setup/docker/*\n .DS_Store\n dist/\ndiff --git a/README.md b/README.md\nindex 57102d1..a58cfdc 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,11 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- Known Exploited Vulnerabilities\n+  - Configure `[kevuln]` to add CISA and VulnCheck KEV data to each vulnerability's `kevs` field.\n+  - See [`config.toml.example`](config.toml.example) for a redacted ready-to-use KEV configuration.\n+  - See [`sample/kev-scan-result.json`](sample/kev-scan-result.json) for a synthetic scan result with populated `kevs` output.\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..81668ac\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,39 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Do not copy production secrets or internal host inventory into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls-scan\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9d728f5 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +80,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = kevulnsToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +100,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevulnsToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +110,131 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func kevulnsToKEVs(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType: models.CISAKEVType,\n+\t\t\tCISA: &amp;models.CISAKEV{},\n+\t\t}\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tkevs = append(kevs, kev)\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tvar raw map[string]any\n+\t\tif err := json.Unmarshal(b, &amp;raw); err != nil {\n+\t\t\tkevs = append(kevs, kev)\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tif source := getString(raw, \"Type\", \"type\", \"Source\", \"source\", \"KEVType\", \"kevType\"); strings.EqualFold(source, string(models.VulnCheckKEVType)) || hasAny(raw, \"VulnCheck\", \"vulncheck\", \"XDB\", \"xdb\", \"ReportedExploitation\", \"reportedExploitation\") {\n+\t\t\tkev.Type = models.VulnCheckKEVType\n+\t\t\tkev.CISA = nil\n+\t\t\tkev.VulnCheck = vulnCheckKEV(raw)\n+\t\t}\n+\t\tkev.VendorProject = getString(raw, \"VendorProject\", \"vendorProject\", \"vendor_project\", \"Vendor\", \"vendor\")\n+\t\tkev.Product = getString(raw, \"Product\", \"product\")\n+\t\tkev.VulnerabilityName = getString(raw, \"VulnerabilityName\", \"vulnerabilityName\", \"vulnerability_name\", \"Name\", \"name\")\n+\t\tkev.ShortDescription = getString(raw, \"ShortDescription\", \"shortDescription\", \"short_description\", \"Description\", \"description\")\n+\t\tkev.RequiredAction = getString(raw, \"RequiredAction\", \"requiredAction\", \"required_action\")\n+\t\tkev.KnownRansomwareCampaignUse = getString(raw, \"KnownRansomwareCampaignUse\", \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\")\n+\t\tkev.DateAdded = getTime(raw, \"DateAdded\", \"dateAdded\", \"date_added\")\n+\t\tkev.DueDate = getTimePtr(raw, \"DueDate\", \"dueDate\", \"due_date\")\n+\t\tif kev.CISA != nil {\n+\t\t\tkev.CISA.Note = getString(raw, \"Note\", \"note\", \"Notes\", \"notes\")\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func vulnCheckKEV(raw map[string]any) *models.VulnCheckKEV {\n+\tv := &amp;models.VulnCheckKEV{}\n+\tfor _, xdb := range getMaps(raw, \"XDB\", \"xdb\") {\n+\t\tv.XDB = append(v.XDB, models.VulnCheckXDB{\n+\t\t\tXDBID:       getString(xdb, \"XDBID\", \"xdbID\", \"xdb_id\"),\n+\t\t\tXDBURL:      getString(xdb, \"XDBURL\", \"xdbURL\", \"xdb_url\"),\n+\t\t\tDateAdded:   getTime(xdb, \"DateAdded\", \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: getString(xdb, \"ExploitType\", \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: getString(xdb, \"CloneSSHURL\", \"cloneSSHURL\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\tfor _, exploitation := range getMaps(raw, \"ReportedExploitation\", \"reportedExploitation\", \"reported_exploitation\") {\n+\t\tv.ReportedExploitation = append(v.ReportedExploitation, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       getString(exploitation, \"URL\", \"url\"),\n+\t\t\tDateAdded: getTime(exploitation, \"DateAdded\", \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn v\n+}\n+\n+func hasAny(raw map[string]any, keys ...string) bool {\n+\tfor _, key := range keys {\n+\t\tif _, ok := raw[key]; ok {\n+\t\t\treturn true\n+\t\t}\n+\t}\n+\treturn false\n+}\n+\n+func getMaps(raw map[string]any, keys ...string) (maps []map[string]any) {\n+\tfor _, key := range keys {\n+\t\tv, ok := raw[key]\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\titems, ok := v.([]any)\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\tfor _, item := range items {\n+\t\t\tm, ok := item.(map[string]any)\n+\t\t\tif ok {\n+\t\t\t\tmaps = append(maps, m)\n+\t\t\t}\n+\t\t}\n+\t\treturn maps\n+\t}\n+\treturn nil\n+}\n+\n+func getString(raw map[string]any, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif v, ok := raw[key]; ok {\n+\t\t\tif s, ok := v.(string); ok {\n+\t\t\t\treturn s\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func getTime(raw map[string]any, keys ...string) time.Time {\n+\tfor _, key := range keys {\n+\t\tif v, ok := raw[key]; ok {\n+\t\t\ts, ok := v.(string)\n+\t\t\tif !ok || s == \"\" {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\"} {\n+\t\t\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\t\t\treturn t\n+\t\t\t\t}\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func getTimePtr(raw map[string]any, keys ...string) *time.Time {\n+\tt := getTime(raw, keys...)\n+\tif t.IsZero() {\n+\t\treturn nil\n+\t}\n+\treturn &amp;t\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..2c3a9d6 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -427,6 +435,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\t})\n \n \t\tv.CveContents.Sort()\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..8fa55b9 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -277,6 +278,57 @@ type VulnInfo struct {\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n }\n \n+// KEVType identifies the Known Exploited Vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities Catalog.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability data.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Alert has CERT alert information\n type Alert struct {\n \tURL   string `json:\"url,omitempty\"`\n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..be90a05 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -565,8 +566,12 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tsource := strings.ToUpper(string(kev.Type))\n+\t\t\tif source == \"\" {\n+\t\t\t\tsource = \"KEV\"\n+\t\t\t}\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"%s KEV\", source), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample/kev-scan-result.json b/sample/kev-scan-result.json\nnew file mode 100644\nindex 0000000..507f126\n--- /dev/null\n+++ b/sample/kev-scan-result.json\n@@ -0,0 +1,62 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"ipv4Addrs\": [\n+    \"192.0.2.10\"\n+  ],\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic KEV entry used only to demonstrate the JSON shape.\",\n+          \"requiredAction\": \"Apply the vendor-provided update or mitigation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example; not a real vulnerability.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry used only to demonstrate the JSON shape.\",\n+          \"requiredAction\": \"Review exposure and apply the vendor-provided update.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"example\",\n+                \"cloneSSHURL\": \"ssh://example.invalid/repo.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/report\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..9a5fe0c 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV\",\n+\t\t\t\t\"===\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", kev.Type, kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T22:03:51.000530Z"}, {"uuid": "c1eac8a5-6576-4d9b-a808-ff2229af5769", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/202af0415e8cbca29036b19d37d19afd", "content": "diff --git a/.gitignore b/.gitignore\nindex 7f21d1e..71b4c8d 100644\n--- a/.gitignore\n+++ b/.gitignore\n@@ -4,6 +4,7 @@\n *.sqlite3*\n *.db\n *.toml\n+!config.toml.example\n tags\n .gitmodules\n coverage.out\ndiff --git a/README.md b/README.md\nindex 57102d1..a588a86 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,8 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities\n+  - CISA [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) and VulnCheck KEV data are reported in each vulnerability's `kevs` field. See `config.toml.example` for a redacted KEV-enabled configuration and `docs/sample-kev-scan-result.json` for a synthetic output sample.\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..3a6fe58\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,43 @@\n+# Example Vuls configuration with KEV reporting enabled.\n+# Replace all placeholder paths and hosts before use. Do not copy secrets into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls-scan\"\n+keyPath = \"/home/vuls-scan/.ssh/id_rsa\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example target\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..1cbbe0f 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +80,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, toKEVs(kevulns)...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +100,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, toKEVs(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +110,70 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func toKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tvar raw struct {\n+\t\t\tType                       models.KEVType `json:\"type\"`\n+\t\t\tVendorProject              string         `json:\"vendorProject\"`\n+\t\t\tProduct                    string         `json:\"product\"`\n+\t\t\tVulnerabilityName          string         `json:\"vulnerabilityName\"`\n+\t\t\tShortDescription           string         `json:\"shortDescription\"`\n+\t\t\tRequiredAction             string         `json:\"requiredAction\"`\n+\t\t\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse\"`\n+\t\t\tDateAdded                  time.Time      `json:\"dateAdded\"`\n+\t\t\tDueDate                    *time.Time     `json:\"dueDate\"`\n+\t\t\tNotes                      string         `json:\"notes\"`\n+\t\t\tNote                       string         `json:\"note\"`\n+\t\t\tCISA                       *models.CISAKEV `json:\"cisa\"`\n+\t\t\tVulnCheck                  *struct {\n+\t\t\t\tXDB                  []models.VulnCheckXDB                  `json:\"xdb\"`\n+\t\t\t\tReportedExploitation []models.VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+\t\t\t} `json:\"vulncheck\"`\n+\t\t\tXDB                  []models.VulnCheckXDB                  `json:\"xdb\"`\n+\t\t\tReportedExploitation []models.VulnCheckReportedExploitation `json:\"reportedExploitation\"`\n+\t\t}\n+\t\tif err := json.Unmarshal(b, &amp;raw); err != nil {\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tkev := models.KEV{\n+\t\t\tType:                         raw.Type,\n+\t\t\tVendorProject:                raw.VendorProject,\n+\t\t\tProduct:                      raw.Product,\n+\t\t\tVulnerabilityName:            raw.VulnerabilityName,\n+\t\t\tShortDescription:             raw.ShortDescription,\n+\t\t\tRequiredAction:               raw.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse:   raw.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                    raw.DateAdded,\n+\t\t\tDueDate:                      raw.DueDate,\n+\t\t\tCISA:                         raw.CISA,\n+\t\t}\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tif kev.CISA == nil &amp;&amp; (kev.Type == models.CISAKEVType || raw.Notes != \"\" || raw.Note != \"\") {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: strings.TrimSpace(strings.Join([]string{raw.Notes, raw.Note}, \" \"))}\n+\t\t}\n+\t\tif raw.VulnCheck != nil {\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{XDB: raw.VulnCheck.XDB, ReportedExploitation: raw.VulnCheck.ReportedExploitation}\n+\t\t} else if 0 &lt; len(raw.XDB) || 0 &lt; len(raw.ReportedExploitation) {\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{XDB: raw.XDB, ReportedExploitation: raw.ReportedExploitation}\n+\t\t}\n+\t\tif kev.VulnCheck != nil &amp;&amp; kev.Type == models.CISAKEVType {\n+\t\t\tkev.Type = models.VulnCheckKEVType\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/sample-kev-scan-result.json b/docs/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..c792a7b\n--- /dev/null\n+++ b/docs/sample-kev-scan-result.json\n@@ -0,0 +1,81 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedVersion\": \"example\",\n+  \"scannedRevision\": \"example\",\n+  \"scannedBy\": \"example-user\",\n+  \"scannedVia\": \"remote\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedVersion\": \"example\",\n+  \"reportedRevision\": \"example\",\n+  \"reportedBy\": \"example-host\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-15T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry for documentation.\",\n+          \"requiredAction\": \"Review exposure and apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"notFixedYet\": false,\n+          \"fixedIn\": \"1.2.3-1\"\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {},\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\ndiff --git a/models/kev_test.go b/models/kev_test.go\nnew file mode 100644\nindex 0000000..d8ec2f0\n--- /dev/null\n+++ b/models/kev_test.go\n@@ -0,0 +1,47 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {CveID: \"CVE-0000-0001\", KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": {CveID: \"CVE-0000-0002\"},\n+\t\t\t\"CVE-0000-0003\": {CveID: \"CVE-0000-0003\", KEVs: []KEV{{Type: VulnCheckKEVType}}},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Fatalf(\"got %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": {\n+\t\t\t\tCveID: \"CVE-0000-0001\",\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"z\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"z\"},\n+\t}\n+\tif !reflect.DeepEqual(got, want) {\n+\t\tt.Fatalf(\"got %+v, want %+v\", got, want)\n+\t}\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..1ff6ea1 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,23 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\t\tfor i := range v.KEVs {\n+\t\t\tif v.KEVs[i].VulnCheck == nil {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\tsort.Slice(v.KEVs[i].VulnCheck.XDB, func(j, k int) bool {\n+\t\t\t\treturn v.KEVs[i].VulnCheck.XDB[j].XDBID &lt; v.KEVs[i].VulnCheck.XDB[k].XDBID\n+\t\t\t})\n+\t\t\tsort.Slice(v.KEVs[i].VulnCheck.ReportedExploitation, func(j, k int) bool {\n+\t\t\t\treturn v.KEVs[i].VulnCheck.ReportedExploitation[j].URL &lt; v.KEVs[i].VulnCheck.ReportedExploitation[k].URL\n+\t\t\t})\n+\t\t}\n \n \t\tv.CveContents.Sort()\n \ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..c7b1334 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is the source of a Known Exploited Vulnerability record.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV catalog source.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                         KEVType       `json:\"type,omitempty\"`\n+\tVendorProject                string        `json:\"vendorProject,omitempty\"`\n+\tProduct                      string        `json:\"product,omitempty\"`\n+\tVulnerabilityName            string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                      *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck exploitation report information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,7 +963,7 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n \tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n@@ -919,15 +972,12 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T22:03:51.051622Z"}, {"uuid": "5fefe719-d41f-441e-a2ea-e574abc3d13f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/a788b451c8dcaf23f4ef7ca1e12016d4", "content": "diff --git a/README.md b/README.md\nindex 57102d1..f71cef4 100644\n--- a/README.md\n+++ b/README.md\n@@ -163,6 +163,7 @@ Vuls has some options to detect the vulnerabilities\n   - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.\n - Auto-generation of configuration file template\n   - Auto-detection of servers set using CIDR, generate configuration file template\n+  - See [config.toml.example](config.toml.example) for a ready-to-use example configuration (including KEV reporting).\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..487e2a4\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,46 @@\n+[servers]\n+\n+[servers.example-server]\n+host         = \"10.0.0.1\"\n+port        = \"22\"\n+user        = \"vuls\"\n+keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+# ssh passphrase must be provided securely if required\n+# passphrase = \"REDACTED\"\n+\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/REDACTED/REDACTED/REDACTED\"\n+authUser = \"vuls\"\n+channel = \"#vuls\"\n+\n+[chatwork]\n+apiToken = \"REDACTED\"\n+room = \"123456\"\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"vuls@example.com\"\n+password = \"REDACTED\"\n+from = \"vuls@example.com\"\n+to = [\"security@example.com\"]\n\\ No newline at end of file\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..14717c0 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,19 +79,11 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tif len(kevulns) &gt; 0 {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +100,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..f05f047 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVs)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..f2e7595 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..d16be41 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,30 +911,75 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n \treturn strings.Join(s, \"/\")\n }\n \n+// KEVType represents the source of the KEV\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType                       `json:\"type\"`\n+\tVendorProject              string                        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string                        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string                        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string                        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string                        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string                        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time                     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time                    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV                      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV                 `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // Confidences is a list of Confidence\n type Confidences []Confidence\n \ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/testdata/synthetic_scan_result.json b/testdata/synthetic_scan_result.json\nnew file mode 100644\nindex 0000000..52bc955\n--- /dev/null\n+++ b/testdata/synthetic_scan_result.json\n@@ -0,0 +1,39 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic example.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic CISA note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-123\",\n+                \"xdbURL\": \"https://example.com/xdb/123\",\n+                \"exploitType\": \"Remote Code Execution\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T22:03:51.203565Z"}, {"uuid": "859b9de5-a168-46fd-b79d-01d34a8537df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/40a238ab0abdb443a194769a3efdd184", "content": "diff --git a/README.md b/README.md\nindex 57102d1..1a65354 100644\n--- a/README.md\n+++ b/README.md\n@@ -22,6 +22,36 @@ Twitter: [@vuls_en](https://twitter.com/vuls_en)\n \n ----\n \n+## Example configuration\n+\n+Here is an example `config.toml` with KEV (Known Exploited Vulnerabilities) reporting enabled:\n+\n+```toml\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.168.0.1\"\n+port         = \"22\"\n+user         = \"example-user\"\n+keyPath      = \"/home/example-user/.ssh/id_rsa\"\n+```\n+\n ## Abstract\n \n For a system administrator, having to perform security vulnerability analysis and software update on a daily basis can be a burden.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..c44f894\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,23 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.168.0.1\"\n+port         = \"22\"\n+user         = \"example-user\"\n+keyPath      = \"/home/example-user/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..06294c6 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\tdueDate = &amp;k.DueDate\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevs) &gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,17 +121,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\tdueDate = &amp;k.DueDate\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n+\t\t\tif len(kevs) &gt; 0 {\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n+\t\t\t\tnKEV++\n+\t\t\t}\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\ndiff --git a/docs/sample_kev_scan.json b/docs/sample_kev_scan.json\nnew file mode 100644\nindex 0000000..9952ac2\n--- /dev/null\n+++ b/docs/sample_kev_scan.json\n@@ -0,0 +1,61 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"dummy-uuid\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-10-01T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"v0.0.0\",\n+  \"scannedRevision\": \"hash\",\n+  \"scannedBy\": \"user\",\n+  \"scannedVia\": \"local\",\n+  \"reportedAt\": \"2023-10-01T00:01:00Z\",\n+  \"reportedVersion\": \"v0.0.0\",\n+  \"reportedRevision\": \"hash\",\n+  \"reportedBy\": \"user\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vulnerabilityName\": \"Test Vulnerability Name\",\n+          \"shortDescription\": \"Test Short Description\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"dateAdded\": \"2021-11-03T00:00:00Z\",\n+          \"dueDate\": \"2021-11-17T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Test CISA Note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vulnerabilityName\": \"Test VulnCheck Name\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"test-xdb-1\",\n+                \"xdbURL\": \"https://example.com/test\",\n+                \"dateAdded\": \"2021-11-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0-generic\",\n+    \"version\": \"1\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..4b059ca 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,9 +442,14 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\t\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n+\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..8e44906 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..b6bd4d2 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,72 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of the KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is for VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has KEV information\n+type KEV struct {\n+\tType                       KEVType    `json:\"type\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\n+\tCISA      *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID         string    `json:\"xdbID,omitempty\"`\n+\tXDBURL        string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded     time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType   string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL   string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/testkev.go b/testkev.go\nnew file mode 100644\nindex 0000000..064c3c9\n--- /dev/null\n+++ b/testkev.go\n@@ -0,0 +1,15 @@\n+package main\n+\n+import (\n+\t\"fmt\"\n+\t\"reflect\"\n+\t\"github.com/vulsio/go-kev/models\"\n+)\n+\n+func main() {\n+\tt := reflect.TypeOf(models.KEVuln{})\n+\tfor i := 0; i &lt; t.NumField(); i++ {\n+\t\tfield := t.Field(i)\n+\t\tfmt.Printf(\"%s %s\\n\", field.Name, field.Type)\n+\t}\n+}\n\\ No newline at end of file\ndiff --git a/tracking_issue_example.md b/tracking_issue_example.md\nnew file mode 100644\nindex 0000000..b09fe6a\n--- /dev/null\n+++ b/tracking_issue_example.md\n@@ -0,0 +1,32 @@\n+# Tracking Issue Example for KEV Promotion\n+\n+Here is a redacted sample JSON payload showing the new `kevs` field replacing the old `AlertDict.CISA` field:\n+\n+```json\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"dummy-uuid\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vulnerabilityName\": \"Test Vulnerability Name\",\n+          \"shortDescription\": \"Test Short Description\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"dateAdded\": \"2021-11-03T00:00:00Z\",\n+          \"dueDate\": \"2021-11-17T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Test CISA Note\"\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n+```\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..30dac8c 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s: %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T23:06:01.780417Z"}, {"uuid": "345218fd-8cca-423f-9059-42d6c3a0dd47", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/cac33ea32f93e96a33598e30cf7f77e7", "content": "diff --git a/README.md b/README.md\nindex 57102d1..40c4de2 100644\n--- a/README.md\n+++ b/README.md\n@@ -165,6 +165,7 @@ Vuls has some options to detect the vulnerabilities\n   - Auto-detection of servers set using CIDR, generate configuration file template\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n+- For configuration, a ready-to-use example configuration is provided in [config.toml.example](config.toml.example).\n \n ----\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..5d83447\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,50 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[cisa]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cisa.sqlite3\"\n+\n+[vulncheck]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/vulncheck.sqlite3\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+channel = \"#example-channel\"\n+authUser = \"username\"\n+notifyUsers = [\"@user1\", \"@user2\"]\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"user@example.com\"\n+password = \"placeholder-smtp-password\"\n+from = \"vuls@example.com\"\n+to = [\"admin@example.com\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.168.0.10\"\n+port = \"22\"\n+user = \"admin\"\n+keyPath = \"/home/user/.ssh/id_rsa\"\n+# passphrase = \"placeholder-ssh-passphrase\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..7624e44 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,33 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n+\t\t\tkevs := []models.KEV{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tvar due *time.Time\n+\t\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\t\tdue = &amp;k.DueDate\n+\t\t\t\t\t}\n+\t\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\t\tType: models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject: k.VendorProject,\n+\t\t\t\t\t\tProduct: k.Product,\n+\t\t\t\t\t\tVulnerabilityName: k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription: k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction: k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded: k.DateAdded,\n+\t\t\t\t\t\tDueDate: due,\n+\t\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t\t},\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +123,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n+\t\t\tkevs := []models.KEV{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tvar due *time.Time\n+\t\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\t\tdue = &amp;k.DueDate\n+\t\t\t\t\t}\n+\t\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\t\tType: models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject: k.VendorProject,\n+\t\t\t\t\t\tProduct: k.Product,\n+\t\t\t\t\t\tVulnerabilityName: k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription: k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction: k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded: k.DateAdded,\n+\t\t\t\t\t\tDueDate: due,\n+\t\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t\t},\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..a5a7299 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEVs\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKevs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevs)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..d286096 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..d2d935d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,65 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType is a type for KEV\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      = KEVType(\"cisa\")\n+\tVulnCheckKEVType = KEVType(\"vulncheck\")\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/synthetic_scan_result_sample.json b/synthetic_scan_result_sample.json\nnew file mode 100644\nindex 0000000..611a1a3\n--- /dev/null\n+++ b/synthetic_scan_result_sample.json\n@@ -0,0 +1,38 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-10-01T10:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2023-10-01T00:00:00Z\",\n+          \"shortDescription\": \"This is a documentation CVE.\"\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2023-10-01T00:00:00Z\",\n+          \"vulncheck\": {\n+             \"xdb\": [\n+                {\n+                   \"xdbID\": \"xdb-example-1\",\n+                   \"xdbURL\": \"https://example.com/exploit\",\n+                   \"dateAdded\": \"2023-10-01T00:00:00Z\",\n+                   \"exploitType\": \"local\",\n+                   \"cloneSSHURL\": \"git@example.com:exploit.git\"\n+                }\n+             ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T23:06:01.833134Z"}, {"uuid": "fae20f71-2e8b-4ef9-bc1b-03d6eb93fb29", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/3aa722cf98ecac7b0e3cdc34b78ae151", "content": "diff --git a/README.md b/README.md\nindex 57102d1..9d75fdf 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - [VulnCheck KEV](https://vulncheck.com/kev)\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -174,6 +177,13 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Examples\n+\n+- `examples/config.toml.example` shows a synthetic, ready-to-edit configuration with KEV reporting enabled through `[kevuln]`.\n+- `examples/kev-scan-result.json` shows the `scannedCves[].kevs` JSON shape for CISA and VulnCheck KEV entries.\n+\n+----\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..5cc914c 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,8 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"reflect\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +81,9 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevulns) &gt; 0 {\n+\t\t\t\tv.KEVs = kevulnsToModels(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +101,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = kevulnsToModels(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +111,151 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func kevulnsToModels(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tkev := kevulnToModel(kevuln)\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func kevulnToModel(kevuln kevulnmodels.KEVuln) models.KEV {\n+\tv := reflect.ValueOf(kevuln)\n+\tif v.Kind() == reflect.Pointer {\n+\t\tif v.IsNil() {\n+\t\t\treturn models.KEV{}\n+\t\t}\n+\t\tv = v.Elem()\n+\t}\n+\tif v.Kind() != reflect.Struct {\n+\t\treturn models.KEV{}\n+\t}\n+\n+\ttyp := models.KEVType(strings.ToLower(fieldString(v, \"Type\", \"Source\")))\n+\tkev := models.KEV{\n+\t\tType:                       typ,\n+\t\tVendorProject:              fieldString(v, \"VendorProject\", \"Vendor\", \"Project\"),\n+\t\tProduct:                    fieldString(v, \"Product\"),\n+\t\tVulnerabilityName:          fieldString(v, \"VulnerabilityName\", \"Name\"),\n+\t\tShortDescription:           fieldString(v, \"ShortDescription\", \"Description\"),\n+\t\tRequiredAction:             fieldString(v, \"RequiredAction\"),\n+\t\tKnownRansomwareCampaignUse: fieldString(v, \"KnownRansomwareCampaignUse\", \"RansomwareCampaignUse\"),\n+\t\tDateAdded:                  fieldTime(v, \"DateAdded\"),\n+\t\tDueDate:                    fieldTimePtr(v, \"DueDate\"),\n+\t}\n+\n+\tif kev.Type == models.VulnCheckKEVType {\n+\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{\n+\t\t\tXDB:                  vulnCheckXDBs(v),\n+\t\t\tReportedExploitation: vulnCheckReportedExploitations(v),\n+\t\t}\n+\t\treturn kev\n+\t}\n+\n+\tkev.Type = models.CISAKEVType\n+\tkev.CISA = &amp;models.CISAKEV{Note: fieldString(v, \"Notes\", \"Note\")}\n+\treturn kev\n+}\n+\n+func fieldString(v reflect.Value, names ...string) string {\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif f.IsValid() &amp;&amp; f.Kind() == reflect.String {\n+\t\t\treturn f.String()\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func fieldTime(v reflect.Value, names ...string) time.Time {\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif f.IsValid() &amp;&amp; f.CanInterface() {\n+\t\t\tif t, ok := f.Interface().(time.Time); ok {\n+\t\t\t\treturn t\n+\t\t\t}\n+\t\t\tif f.Kind() == reflect.Pointer &amp;&amp; !f.IsNil() {\n+\t\t\t\tif t, ok := f.Interface().(*time.Time); ok {\n+\t\t\t\t\treturn *t\n+\t\t\t\t}\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func fieldTimePtr(v reflect.Value, names ...string) *time.Time {\n+\tfor _, name := range names {\n+\t\tf := v.FieldByName(name)\n+\t\tif !f.IsValid() || !f.CanInterface() {\n+\t\t\tcontinue\n+\t\t}\n+\t\tif t, ok := f.Interface().(time.Time); ok &amp;&amp; !t.IsZero() {\n+\t\t\treturn &amp;t\n+\t\t}\n+\t\tif f.Kind() == reflect.Pointer &amp;&amp; !f.IsNil() {\n+\t\t\tif t, ok := f.Interface().(*time.Time); ok {\n+\t\t\t\treturn t\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func vulnCheckXDBs(v reflect.Value) (xdbs []models.VulnCheckXDB) {\n+\tf := v.FieldByName(\"XDB\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\tfor i := 0; i &lt; f.Len(); i++ {\n+\t\tx := f.Index(i)\n+\t\tif x.Kind() == reflect.Pointer {\n+\t\t\tif x.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\tx = x.Elem()\n+\t\t}\n+\t\tif x.Kind() != reflect.Struct {\n+\t\t\tcontinue\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       fieldString(x, \"XDBID\", \"ID\"),\n+\t\t\tXDBURL:      fieldString(x, \"XDBURL\", \"URL\"),\n+\t\t\tDateAdded:   fieldTime(x, \"DateAdded\"),\n+\t\t\tExploitType: fieldString(x, \"ExploitType\"),\n+\t\t\tCloneSSHURL: fieldString(x, \"CloneSSHURL\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func vulnCheckReportedExploitations(v reflect.Value) (reports []models.VulnCheckReportedExploitation) {\n+\tf := v.FieldByName(\"ReportedExploitation\")\n+\tif !f.IsValid() || f.Kind() != reflect.Slice {\n+\t\treturn nil\n+\t}\n+\tfor i := 0; i &lt; f.Len(); i++ {\n+\t\tr := f.Index(i)\n+\t\tif r.Kind() == reflect.Pointer {\n+\t\t\tif r.IsNil() {\n+\t\t\t\tcontinue\n+\t\t\t}\n+\t\t\tr = r.Elem()\n+\t\t}\n+\t\tif r.Kind() != reflect.Struct {\n+\t\t\tcontinue\n+\t\t}\n+\t\treports = append(reports, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       fieldString(r, \"URL\"),\n+\t\t\tDateAdded: fieldTime(r, \"DateAdded\"),\n+\t\t})\n+\t}\n+\treturn reports\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..33dbf5f\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,37 @@\n+# Synthetic example configuration for KEV reporting.\n+# Replace every placeholder with values for your environment before use.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+port = \"22\"\n+user = \"vuls-scan\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+scanMode = [\"fast-root\"]\ndiff --git a/examples/kev-scan-result.json b/examples/kev-scan-result.json\nnew file mode 100644\nindex 0000000..e140794\n--- /dev/null\n+++ b/examples/kev-scan-result.json\n@@ -0,0 +1,69 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing CISA KEV output shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+          \"dueDate\": \"2026-01-23T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic example showing VulnCheck KEV output shape.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-03T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-01-03T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.com:placeholder/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/advisories/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-01-04T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.2.2\",\n+      \"newVersion\": \"1.2.3\"\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..f17b095 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV CVEs.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -425,6 +433,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \n \t\tv.CveContents.Sort()\n \n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..159ebfb\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,57 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": VulnInfo{KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-0000-0002\": VulnInfo{KEVs: []KEV{{Type: CISAKEVType}, {Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-0000-0003\": VulnInfo{},\n+\t\t},\n+\t}\n+\n+\tif got, want := r.FormatKEVCveSummary(), \"2 kevs\"; got != want {\n+\t\tt.Fatalf(\"FormatKEVCveSummary() = %q, want %q\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_SortForJSONOutputKEVs(t *testing.T) {\n+\tr := &amp;ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0001\": VulnInfo{\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"zulu\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\n+\tr.SortForJSONOutput()\n+\n+\tgot := r.ScannedCves[\"CVE-0000-0001\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"alpha\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"zulu\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"beta\"},\n+\t}\n+\tif !reflect.DeepEqual(got, want) {\n+\t\tt.Fatalf(\"sorted KEVs = %+v, want %+v\", got, want)\n+\t}\n+}\n+\n+func TestAlertDictIgnoresDeprecatedCISA(t *testing.T) {\n+\talerts := AlertDict{CISA: []Alert{{Title: \"legacy KEV alert\"}}}\n+\n+\tif !alerts.IsEmpty() {\n+\t\tt.Fatal(\"AlertDict with only deprecated CISA alerts should be empty\")\n+\t}\n+\tif got, want := alerts.FormatSource(), \"\"; got != want {\n+\t\tt.Fatalf(\"FormatSource() = %q, want %q\", got, want)\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..4e13120 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -263,6 +263,7 @@ type VulnInfo struct {\n \tAffectedPackages     PackageFixStatuses   `json:\"affectedPackages,omitempty\"`\n \tDistroAdvisories     DistroAdvisories     `json:\"distroAdvisories,omitempty\"` // for Amazon, RHEL, Fedora, FreeBSD, Microsoft\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a source of known exploited vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB exploit metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa\"` // Deprecated: KEV data is represented by VulnInfo.KEVs.\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T23:06:27.703750Z"}, {"uuid": "15b6f7f2-d728-490c-8e68-c6a42cc1799c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/d7f43279e0916c2dae67dd88be0af0cb", "content": "diff --git a/README.md b/README.md\nindex 57102d1..6b1b437 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,14 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - VulnCheck KEV data via go-kev\n+\n+Example configuration and output:\n+\n+- `config.toml.example` shows a synthetic, ready-to-use KEV-enabled setup using placeholder values.\n+- `docs/sample-kev-scan-result.json` shows the `kevs` field populated with synthetic CISA and VulnCheck entries.\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..9abfc3d\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,42 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Do not paste production credentials into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\", \"port\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example target\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f2f2f6b 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +80,14 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevs) &gt; 0 {\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,17 +105,15 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n+\t\t\tif len(kevs) &gt; 0 {\n+\t\t\t\tvuln.KEVs = kevs\n+\t\t\t\tnKEV++\n+\t\t\t}\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\n@@ -127,6 +122,222 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tkevs := []models.KEV{}\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\treturn nil, xerrors.Errorf(\"Failed to marshal KEVuln. err: %w\", err)\n+\t\t}\n+\n+\t\tvar m map[string]json.RawMessage\n+\t\tif err := json.Unmarshal(b, &amp;m); err != nil {\n+\t\t\treturn nil, xerrors.Errorf(\"Failed to unmarshal KEVuln. err: %w\", err)\n+\t\t}\n+\n+\t\tif cisa, ok, err := parseCISAKEV(rawFor(m, \"cisa\", \"CISA\", \"cisaKEV\", \"CISAKEV\")); err != nil {\n+\t\t\treturn nil, err\n+\t\t} else if ok {\n+\t\t\tkevs = append(kevs, cisa)\n+\t\t}\n+\n+\t\tif vulncheck, ok, err := parseVulnCheckKEV(rawFor(m, \"vulncheck\", \"vulnCheck\", \"VulnCheck\", \"vulnCheckKEV\", \"VulnCheckKEV\")); err != nil {\n+\t\t\treturn nil, err\n+\t\t} else if ok {\n+\t\t\tkevs = append(kevs, vulncheck)\n+\t\t}\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func parseCISAKEV(raw json.RawMessage) (models.KEV, bool, error) {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn models.KEV{}, false, nil\n+\t}\n+\tvar m map[string]json.RawMessage\n+\tif err := json.Unmarshal(raw, &amp;m); err != nil {\n+\t\treturn models.KEV{}, false, xerrors.Errorf(\"Failed to unmarshal CISA KEV. err: %w\", err)\n+\t}\n+\tif isEmptyRawMap(m) {\n+\t\treturn models.KEV{}, false, nil\n+\t}\n+\n+\tdueDate, err := rawTimePtr(rawFor(m, \"dueDate\", \"DueDate\", \"due_date\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\tdateAdded, err := rawTime(rawFor(m, \"dateAdded\", \"DateAdded\", \"date_added\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\n+\treturn models.KEV{\n+\t\tType:                       models.CISAKEVType,\n+\t\tVendorProject:              rawString(rawFor(m, \"vendorProject\", \"VendorProject\", \"vendor_project\")),\n+\t\tProduct:                    rawString(rawFor(m, \"product\", \"Product\")),\n+\t\tVulnerabilityName:          rawString(rawFor(m, \"vulnerabilityName\", \"VulnerabilityName\", \"vulnerability_name\")),\n+\t\tShortDescription:           rawString(rawFor(m, \"shortDescription\", \"ShortDescription\", \"short_description\")),\n+\t\tRequiredAction:             rawString(rawFor(m, \"requiredAction\", \"RequiredAction\", \"required_action\")),\n+\t\tKnownRansomwareCampaignUse: rawString(rawFor(m, \"knownRansomwareCampaignUse\", \"KnownRansomwareCampaignUse\", \"known_ransomware_campaign_use\")),\n+\t\tDateAdded:                  dateAdded,\n+\t\tDueDate:                    dueDate,\n+\t\tCISA: &amp;models.CISAKEV{\n+\t\t\tNote: rawString(rawFor(m, \"note\", \"Note\", \"notes\")),\n+\t\t},\n+\t}, true, nil\n+}\n+\n+func parseVulnCheckKEV(raw json.RawMessage) (models.KEV, bool, error) {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn models.KEV{}, false, nil\n+\t}\n+\tvar m map[string]json.RawMessage\n+\tif err := json.Unmarshal(raw, &amp;m); err != nil {\n+\t\treturn models.KEV{}, false, xerrors.Errorf(\"Failed to unmarshal VulnCheck KEV. err: %w\", err)\n+\t}\n+\tif isEmptyRawMap(m) {\n+\t\treturn models.KEV{}, false, nil\n+\t}\n+\n+\tdueDate, err := rawTimePtr(rawFor(m, \"dueDate\", \"DueDate\", \"due_date\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\tdateAdded, err := rawTime(rawFor(m, \"dateAdded\", \"DateAdded\", \"date_added\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\txdb, err := parseVulnCheckXDB(rawFor(m, \"xdb\", \"XDB\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\treportedExploitation, err := parseVulnCheckReportedExploitation(rawFor(m, \"reportedExploitation\", \"ReportedExploitation\", \"reported_exploitation\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\n+\treturn models.KEV{\n+\t\tType:                       models.VulnCheckKEVType,\n+\t\tVendorProject:              rawString(rawFor(m, \"vendorProject\", \"VendorProject\", \"vendor_project\")),\n+\t\tProduct:                    rawString(rawFor(m, \"product\", \"Product\")),\n+\t\tVulnerabilityName:          rawString(rawFor(m, \"vulnerabilityName\", \"VulnerabilityName\", \"vulnerability_name\")),\n+\t\tShortDescription:           rawString(rawFor(m, \"shortDescription\", \"ShortDescription\", \"short_description\")),\n+\t\tRequiredAction:             rawString(rawFor(m, \"requiredAction\", \"RequiredAction\", \"required_action\")),\n+\t\tKnownRansomwareCampaignUse: rawString(rawFor(m, \"knownRansomwareCampaignUse\", \"KnownRansomwareCampaignUse\", \"known_ransomware_campaign_use\")),\n+\t\tDateAdded:                  dateAdded,\n+\t\tDueDate:                    dueDate,\n+\t\tVulnCheck: &amp;models.VulnCheckKEV{\n+\t\t\tXDB:                  xdb,\n+\t\t\tReportedExploitation: reportedExploitation,\n+\t\t},\n+\t}, true, nil\n+}\n+\n+func parseVulnCheckXDB(raw json.RawMessage) ([]models.VulnCheckXDB, error) {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn nil, nil\n+\t}\n+\tvar xs []map[string]json.RawMessage\n+\tif err := json.Unmarshal(raw, &amp;xs); err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to unmarshal VulnCheck XDB. err: %w\", err)\n+\t}\n+\n+\txdbs := []models.VulnCheckXDB{}\n+\tfor _, x := range xs {\n+\t\tdateAdded, err := rawTime(rawFor(x, \"dateAdded\", \"DateAdded\", \"date_added\"))\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       rawString(rawFor(x, \"xdbID\", \"XDBID\", \"xdb_id\")),\n+\t\t\tXDBURL:      rawString(rawFor(x, \"xdbURL\", \"XDBURL\", \"xdb_url\")),\n+\t\t\tDateAdded:   dateAdded,\n+\t\t\tExploitType: rawString(rawFor(x, \"exploitType\", \"ExploitType\", \"exploit_type\")),\n+\t\t\tCloneSSHURL: rawString(rawFor(x, \"cloneSSHURL\", \"CloneSSHURL\", \"clone_ssh_url\")),\n+\t\t})\n+\t}\n+\treturn xdbs, nil\n+}\n+\n+func parseVulnCheckReportedExploitation(raw json.RawMessage) ([]models.VulnCheckReportedExploitation, error) {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn nil, nil\n+\t}\n+\tvar rs []map[string]json.RawMessage\n+\tif err := json.Unmarshal(raw, &amp;rs); err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to unmarshal VulnCheck reported exploitation. err: %w\", err)\n+\t}\n+\n+\treports := []models.VulnCheckReportedExploitation{}\n+\tfor _, r := range rs {\n+\t\tdateAdded, err := rawTime(rawFor(r, \"dateAdded\", \"DateAdded\", \"date_added\"))\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\t\treports = append(reports, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       rawString(rawFor(r, \"url\", \"URL\")),\n+\t\t\tDateAdded: dateAdded,\n+\t\t})\n+\t}\n+\treturn reports, nil\n+}\n+\n+func rawFor(m map[string]json.RawMessage, keys ...string) json.RawMessage {\n+\tfor _, key := range keys {\n+\t\tif raw, ok := m[key]; ok {\n+\t\t\treturn raw\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func rawString(raw json.RawMessage) string {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn \"\"\n+\t}\n+\tvar s string\n+\tif err := json.Unmarshal(raw, &amp;s); err == nil {\n+\t\treturn s\n+\t}\n+\treturn strings.Trim(string(raw), `\"`)\n+}\n+\n+func rawTime(raw json.RawMessage) (time.Time, error) {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn time.Time{}, nil\n+\t}\n+\ts := rawString(raw)\n+\tif s == \"\" || s == \"0001-01-01T00:00:00Z\" {\n+\t\treturn time.Time{}, nil\n+\t}\n+\tfor _, layout := range []string{time.RFC3339Nano, time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn t, nil\n+\t\t}\n+\t}\n+\treturn time.Time{}, xerrors.Errorf(\"Failed to parse KEV date: %s\", s)\n+}\n+\n+func rawTimePtr(raw json.RawMessage) (*time.Time, error) {\n+\tt, err := rawTime(raw)\n+\tif err != nil || t.IsZero() {\n+\t\treturn nil, err\n+\t}\n+\treturn &amp;t, nil\n+}\n+\n+func isEmptyRawMap(m map[string]json.RawMessage) bool {\n+\tif len(m) == 0 {\n+\t\treturn true\n+\t}\n+\tfor _, raw := range m {\n+\t\tif len(raw) != 0 &amp;&amp; string(raw) != \"null\" &amp;&amp; string(raw) != `\"\"` &amp;&amp; string(raw) != \"[]\" &amp;&amp; string(raw) != \"{}\" {\n+\t\t\treturn false\n+\t\t}\n+\t}\n+\treturn true\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/sample-kev-scan-result.json b/docs/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..83a0c71\n--- /dev/null\n+++ b/docs/sample-kev-scan-result.json\n@@ -0,0 +1,60 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV example for documentation.\",\n+          \"requiredAction\": \"Apply vendor-provided updates or mitigations.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+          \"dueDate\": \"2026-02-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample; not real vulnerability intelligence.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV example for documentation.\",\n+          \"requiredAction\": \"Review exploitation evidence and remediate affected assets.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-03T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-01-03T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-01-04T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..33c32c7 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..8a6e0dc 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies the source of known exploited vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType represents VulnCheck KEV data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T23:06:32.310292Z"}, {"uuid": "c9bec138-3fd2-46c7-b1f2-43a14e453d4c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/cac33ea32f93e96a33598e30cf7f77e7", "content": "diff --git a/README.md b/README.md\nindex 57102d1..40c4de2 100644\n--- a/README.md\n+++ b/README.md\n@@ -165,6 +165,7 @@ Vuls has some options to detect the vulnerabilities\n   - Auto-detection of servers set using CIDR, generate configuration file template\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n+- For configuration, a ready-to-use example configuration is provided in [config.toml.example](config.toml.example).\n \n ----\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..5d83447\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,50 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[cisa]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cisa.sqlite3\"\n+\n+[vulncheck]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/vulncheck.sqlite3\"\n+\n+[slack]\n+hookURL = \"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\"\n+channel = \"#example-channel\"\n+authUser = \"username\"\n+notifyUsers = [\"@user1\", \"@user2\"]\n+\n+[email]\n+smtpServer = \"smtp.example.com\"\n+smtpPort = \"587\"\n+user = \"user@example.com\"\n+password = \"placeholder-smtp-password\"\n+from = \"vuls@example.com\"\n+to = [\"admin@example.com\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.168.0.10\"\n+port = \"22\"\n+user = \"admin\"\n+keyPath = \"/home/user/.ssh/id_rsa\"\n+# passphrase = \"placeholder-ssh-passphrase\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..7624e44 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,33 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n+\t\t\tkevs := []models.KEV{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tvar due *time.Time\n+\t\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\t\tdue = &amp;k.DueDate\n+\t\t\t\t\t}\n+\t\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\t\tType: models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject: k.VendorProject,\n+\t\t\t\t\t\tProduct: k.Product,\n+\t\t\t\t\t\tVulnerabilityName: k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription: k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction: k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded: k.DateAdded,\n+\t\t\t\t\t\tDueDate: due,\n+\t\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t\t},\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +123,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n+\t\t\tkevs := []models.KEV{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tvar due *time.Time\n+\t\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\t\tdue = &amp;k.DueDate\n+\t\t\t\t\t}\n+\t\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\t\tType: models.CISAKEVType,\n+\t\t\t\t\t\tVendorProject: k.VendorProject,\n+\t\t\t\t\t\tProduct: k.Product,\n+\t\t\t\t\t\tVulnerabilityName: k.VulnerabilityName,\n+\t\t\t\t\t\tShortDescription: k.ShortDescription,\n+\t\t\t\t\t\tRequiredAction: k.RequiredAction,\n+\t\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\t\tDateAdded: k.DateAdded,\n+\t\t\t\t\t\tDueDate: due,\n+\t\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t\t},\n+\t\t\t\t\t})\n+\t\t\t\t}\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..a5a7299 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEVs\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKevs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevs)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..d286096 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..d2d935d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,65 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType is a type for KEV\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      = KEVType(\"cisa\")\n+\tVulnCheckKEVType = KEVType(\"vulncheck\")\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a44ae57 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -565,10 +565,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/synthetic_scan_result_sample.json b/synthetic_scan_result_sample.json\nnew file mode 100644\nindex 0000000..611a1a3\n--- /dev/null\n+++ b/synthetic_scan_result_sample.json\n@@ -0,0 +1,38 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-10-01T10:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2023-10-01T00:00:00Z\",\n+          \"shortDescription\": \"This is a documentation CVE.\"\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2023-10-01T00:00:00Z\",\n+          \"vulncheck\": {\n+             \"xdb\": [\n+                {\n+                   \"xdbID\": \"xdb-example-1\",\n+                   \"xdbURL\": \"https://example.com/exploit\",\n+                   \"dateAdded\": \"2023-10-01T00:00:00Z\",\n+                   \"exploitType\": \"local\",\n+                   \"cloneSSHURL\": \"git@example.com:exploit.git\"\n+                }\n+             ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-04T00:01:07.410345Z"}, {"uuid": "b7558e13-618f-4f78-bbb1-42d2a9c9713b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/91e64cf478c23cc6b25eb7344ff845db", "content": "diff --git a/README.md b/README.md\nindex 57102d1..3023ab2 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities (KEV)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -174,6 +175,11 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Setup\n+\n+An example configuration file is available at [`config.toml.example`](config.toml.example).\n+Copy it to `config.toml` and edit it for your environment.\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..339148f\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,121 @@\n+# Vuls configuration file example\n+# See https://vuls.io/docs/en/config.toml.html for details\n+#\n+# Copy this file to config.toml and customize for your environment.\n+# All values below are placeholders \u2014 replace them with your own settings.\n+\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[cveDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"\"\n+\n+[ovalDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"\"\n+\n+[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"\"\n+\n+[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"\"\n+\n+[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"\"\n+\n+# Known Exploited Vulnerabilities (KEV) \u2014 CISA &amp; VulnCheck\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[kevuln]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url = \"\"\n+\n+[cti]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url = \"\"\n+\n+# https://vuls.io/docs/en/config.toml.html#slack-section\n+#[slack]\n+#hookURL      = \"https://hooks.slack.com/services/xxx/yyy/zzz\"\n+#channel      = \"#vuls-notifications\"\n+#iconEmoji    = \":ghost:\"\n+#authUser     = \"vuls-bot\"\n+#notifyUsers  = [\"@admin\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#email-section\n+#[email]\n+#smtpAddr              = \"smtp.example.com\"\n+#smtpPort              = \"587\"\n+#tlsMode               = \"STARTTLS\"\n+#tlsInsecureSkipVerify = false\n+#user                  = \"vuls@example.com\"\n+#password              = \"REPLACE_ME\"\n+#from                  = \"vuls@example.com\"\n+#to                    = [\"admin@example.com\"]\n+#cc                    = [\"security-team@example.com\"]\n+#subjectPrefix         = \"[vuls]\"\n+\n+# https://vuls.io/docs/en/config.toml.html#http-section\n+#[http]\n+#url = \"http://localhost:11234\"\n+\n+# https://vuls.io/docs/en/config.toml.html#syslog-section\n+#[syslog]\n+#protocol    = \"tcp\"\n+#host        = \"localhost\"\n+#port        = \"514\"\n+#tag         = \"vuls\"\n+#facility    = \"local0\"\n+#severity    = \"alert\"\n+#verbose     = false\n+\n+# https://vuls.io/docs/en/usage-report.html#example-put-results-in-s3-bucket\n+#[aws]\n+#region     = \"us-east-1\"\n+#s3Bucket   = \"my-vuls-bucket\"\n+#s3ResultsDir = \"/vuls-results\"\n+\n+# https://vuls.io/docs/en/usage-report.html#example-put-results-in-azure-blob-storage\n+#[azure]\n+#endpoint      = \"https://myaccount.blob.core.windows.net/\"\n+#accountName   = \"myaccount\"\n+#accountKey    = \"REPLACE_ME\"\n+#containerName = \"vuls\"\n+\n+# https://vuls.io/docs/en/config.toml.html#chatwork-section\n+#[chatwork]\n+#room     = \"123456789\"\n+#apiToken = \"REPLACE_ME\"\n+\n+#[wpscan]\n+#token = \"REPLACE_ME\"\n+#detectInactive = false\n+\n+# https://vuls.io/docs/en/config.toml.html#default-section\n+[default]\n+#port        = \"22\"\n+#user        = \"vuls-user\"\n+#keyPath     = \"/home/vuls-user/.ssh/id_rsa\"\n+#scanMode    = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#servers-section\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.0.2.1\"\n+#port        = \"22\"\n+#user        = \"scan-user\"\n+#keyPath     = \"/home/scan-user/.ssh/id_rsa\"\n+#scanMode    = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+#cpeNames    = [\"cpe:/a:example:product:1.0\"]\n+#ignoreCves  = [\"CVE-0000-0000\"]\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..64d59bc 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of how many scanned CVEs have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tkevCnt := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tkevCnt++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", kevCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..cb4f9b7 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -919,21 +920,70 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n \treturn strings.Join(s, \"/\")\n }\n \n+// KEVType represents the source of a Known Exploited Vulnerability entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the KEV type for CISA\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the KEV type for VulnCheck\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // Confidences is a list of Confidence\n type Confidences []Confidence\n \ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..72499b0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..eb4e521\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,76 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"fixedIn\": \"2.0.0\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic example vulnerability used for demonstration.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-01T00:00:00Z\",\n+          \"dueDate\": \"2026-02-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"This is a synthetic example for demonstration purposes.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic example vulnerability used for demonstration.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0000\",\n+                \"xdbURL\": \"https://example.com/xdb/0000\",\n+                \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+                \"exploitType\": \"poc\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/exploitation-0000\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-pkg\": {\n+      \"name\": \"example-pkg\",\n+      \"version\": \"1.0.0\",\n+      \"newVersion\": \"2.0.0\"\n+    }\n+  }\n+}\n", "creation_timestamp": "2026-07-03T23:34:53.104423Z"}, {"uuid": "b5776dd9-09e1-4bb7-bc3b-19c50ee88736", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/fafbe4930480e353571155d02dc0b9f6", "content": "diff --git a/README.md b/README.md\nindex 57102d1..9a02b46 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- CISA/VulnCheck KEV (Known Exploited Vulnerabilities)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - KEV data is a first-class field on the vulnerability model (see `config.toml.example` for setup)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..5843bf9\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,126 @@\n+# Vuls configuration file example\n+# Copy this file to config.toml and customize for your environment.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[cveDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"\"\n+\n+[ovalDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"\"\n+\n+[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"\"\n+\n+[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"\"\n+\n+[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"\"\n+\n+# KEV (Known Exploited Vulnerabilities) reporting via CISA/VulnCheck data.\n+# Uncomment and configure to enable KEV detection in scan results.\n+[kevuln]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url = \"\"\n+\n+[cti]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url = \"\"\n+\n+# https://vuls.io/docs/en/config.toml.html#slack-section\n+#[slack]\n+#hookURL      = \"https://hooks.slack.com/services/xxx/yyy/zzz\"\n+#channel      = \"#channel-name\"\n+#iconEmoji    = \":ghost:\"\n+#authUser     = \"username\"\n+#notifyUsers  = [\"@username\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#email-section\n+#[email]\n+#smtpAddr              = \"smtp.example.com\"\n+#smtpPort              = \"587\"\n+#tlsMode               = \"STARTTLS\"\n+#tlsInsecureSkipVerify = false\n+#user                  = \"username\"\n+#password              = \"password\"\n+#from                  = \"from@example.com\"\n+#to                    = [\"to@example.com\"]\n+#cc                    = [\"cc@example.com\"]\n+#subjectPrefix         = \"[vuls]\"\n+\n+# https://vuls.io/docs/en/config.toml.html#http-section\n+#[http]\n+#url = \"http://localhost:11234\"\n+\n+# https://vuls.io/docs/en/config.toml.html#syslog-section\n+#[syslog]\n+#protocol    = \"tcp\"\n+#host        = \"localhost\"\n+#port        = \"514\"\n+#tag         = \"vuls\"\n+#facility    = \"local0\"\n+#severity    = \"alert\"\n+#verbose     = false\n+\n+# https://vuls.io/docs/en/usage-report.html#example-put-results-in-s3-bucket\n+#[aws]\n+#region     = \"ap-northeast-1\"\n+#profile    = \"default\"\n+#s3Bucket   = \"vuls\"\n+#s3ResultsDir = \"/path/to/result\"\n+\n+# https://vuls.io/docs/en/usage-report.html#example-put-results-in-azure-blob-storage\n+#[azure]\n+#endpoint      = \"https://default.blob.core.windows.net/\"\n+#accountName   = \"default\"\n+#accountKey    = \"xxxxxxxxxxxxxx\"\n+#containerName = \"vuls\"\n+\n+# https://vuls.io/docs/en/config.toml.html#chatwork-section\n+#[chatwork]\n+#room     = \"xxxxxxxxxxx\"\n+#apiToken = \"xxxxxxxxxxxxxxxxxx\"\n+\n+# https://vuls.io/docs/en/config.toml.html#googlechat-section\n+#[googlechat]\n+#webHookURL = \"https://chat.googleapis.com/v1/spaces/xxxxxxxxxx/messages?key=yyyyyyyyyy&amp;token=zzzzzzzzzz\"\n+\n+# https://vuls.io/docs/en/config.toml.html#telegram-section\n+#[telegram]\n+#chatID = \"xxxxxxxxxxx\"\n+#token  = \"xxxxxxxxxxxxxxxxxx\"\n+\n+#[wpscan]\n+#token = \"xxxxxxxxxxx\"\n+#detectInactive = false\n+\n+# https://vuls.io/docs/en/config.toml.html#default-section\n+[default]\n+#port       = \"22\"\n+#user       = \"username\"\n+#keyPath    = \"/home/username/.ssh/id_rsa\"\n+#scanMode   = [\"fast\"]\n+#scanModules = [\"ospkg\", \"wordpress\", \"lockfile\", \"port\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#servers-section\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+#port = \"22\"\n+#user = \"scan-user\"\n+#keyPath = \"/home/username/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..2610d75 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = convertToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -226,6 +212,31 @@ func httpGetKEVuln(url string, req kevulnRequest, resChan chan&lt;- kevulnResponse,\n \t}\n }\n \n+func convertToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\tNote: k.Notes,\n+\t\t\t},\n+\t\t}\n+\t\tif !k.DueDate.IsZero() {\n+\t\t\tdueDate := k.DueDate\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n func newKEVulnDB(cnf config.VulnDictInterface) (kevulndb.DB, error) {\n \tif cnf.IsFetchViaHTTP() {\n \t\treturn nil, nil\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..0fa5eb4 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -428,15 +436,22 @@ func (r *ScanResult) SortForJSONOutput() {\n \n \t\tv.CveContents.Sort()\n \n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\n+\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n+\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\t})\n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n \t\t})\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kev_scanresult.json b/models/testdata/sample_kev_scanresult.json\nnew file mode 100644\nindex 0000000..ecf802e\n--- /dev/null\n+++ b/models/testdata/sample_kev_scanresult.json\n@@ -0,0 +1,64 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"00000000-0000-0000-0000-000000000001\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/example\",\n+                \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+                \"exploitType\": \"poc\",\n+                \"cloneSSHURL\": \"\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploitation-report\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {},\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..e2a3784 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,28 +911,78 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV data\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV data\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database entry\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation data\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n+// The CISA field is retained for backward compatibility but KEV data\n+// now lives on VulnInfo.KEVs. New code should not populate CISA.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n-\tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n-\t\ts = append(s, \"CERT\")\n+\t\treturn \"CERT\"\n \t}\n-\treturn strings.Join(s, \"/\")\n+\treturn \"\"\n }\n \n // Confidences is a list of Confidence\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..e3aef8f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..4097f0c 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,14 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\",\n+\t\t\t\t\tkev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T23:34:53.440698Z"}, {"uuid": "156d8a31-2504-4ce9-b32d-04b05919c1de", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/bb428b700122569f3dd1ebe128ebea73", "content": "diff --git a/README.md b/README.md\nindex 57102d1..ceab982 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data is reported in the first-class `kevs` scan-result field alongside CISA KEV entries.\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,12 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## KEV Reporting Example\n+\n+Use the synthetic `config.toml.example` as a starting point for enabling KEV reporting with the `[kevuln]` database configuration. Replace placeholder paths and host values with environment-appropriate values, and never copy production secrets into tracked configuration files.\n+\n+The synthetic `sample-kev-scan-result.json` shows the JSON shape for CISA and VulnCheck KEV entries under each vulnerability's `kevs` field.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..9db5842\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,40 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Do not paste production secrets or internal host details into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+scanMode = [\"fast-root\"]\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..e675ecb 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,19 +80,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv.KEVs = convertKEVulnsToModel(kevulns)\n+\t\t\t\tif 0 &lt; len(v.KEVs) {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertKEVulnsToModel(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,156 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulnsToModel(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tbs, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil\n+\t}\n+\n+\tvar raws []map[string]interface{}\n+\tif err := json.Unmarshal(bs, &amp;raws); err != nil {\n+\t\treturn nil\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       parseKEVType(firstString(raw, \"type\", \"source\")),\n+\t\t\tVendorProject:              firstString(raw, \"vendorProject\", \"vendor_project\", \"vendor\"),\n+\t\t\tProduct:                    firstString(raw, \"product\"),\n+\t\t\tVulnerabilityName:          firstString(raw, \"vulnerabilityName\", \"vulnerability_name\", \"name\"),\n+\t\t\tShortDescription:           firstString(raw, \"shortDescription\", \"short_description\", \"description\"),\n+\t\t\tRequiredAction:             firstString(raw, \"requiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse: firstString(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                  firstTime(raw, \"dateAdded\", \"date_added\"),\n+\t\t}\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tif dueDate := firstTime(raw, \"dueDate\", \"due_date\"); !dueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\n+\t\tif note := firstString(raw, \"note\", \"notes\"); note != \"\" || kev.Type == models.CISAKEVType {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: note}\n+\t\t}\n+\t\tif vulnCheck := parseVulnCheckKEV(raw); vulnCheck != nil {\n+\t\t\tkev.VulnCheck = vulnCheck\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func parseKEVType(s string) models.KEVType {\n+\tswitch strings.ToLower(s) {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\tcase string(models.CISAKEVType), \"\":\n+\t\treturn models.CISAKEVType\n+\tdefault:\n+\t\treturn models.KEVType(s)\n+\t}\n+}\n+\n+func parseVulnCheckKEV(raw map[string]interface{}) *models.VulnCheckKEV {\n+\tvulnCheckRaw := raw\n+\tif nested, ok := firstMap(raw, \"vulncheck\", \"vulnCheck\", \"vuln_check\"); ok {\n+\t\tvulnCheckRaw = nested\n+\t}\n+\n+\tvulnCheck := &amp;models.VulnCheckKEV{\n+\t\tXDB:                  parseVulnCheckXDBs(vulnCheckRaw),\n+\t\tReportedExploitation: parseVulnCheckReportedExploitations(vulnCheckRaw),\n+\t}\n+\tif len(vulnCheck.XDB) == 0 &amp;&amp; len(vulnCheck.ReportedExploitation) == 0 {\n+\t\treturn nil\n+\t}\n+\treturn vulnCheck\n+}\n+\n+func parseVulnCheckXDBs(raw map[string]interface{}) []models.VulnCheckXDB {\n+\txdbs := []models.VulnCheckXDB{}\n+\tfor _, item := range firstSlice(raw, \"xdb\", \"xDB\", \"XDB\") {\n+\t\tm, ok := item.(map[string]interface{})\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       firstString(m, \"xdbID\", \"xdbId\", \"xdb_id\", \"id\"),\n+\t\t\tXDBURL:      firstString(m, \"xdbURL\", \"xdbUrl\", \"xdb_url\", \"url\"),\n+\t\t\tDateAdded:   firstTime(m, \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: firstString(m, \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: firstString(m, \"cloneSSHURL\", \"cloneSSHUrl\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func parseVulnCheckReportedExploitations(raw map[string]interface{}) []models.VulnCheckReportedExploitation {\n+\treported := []models.VulnCheckReportedExploitation{}\n+\tfor _, item := range firstSlice(raw, \"reportedExploitation\", \"reported_exploitation\", \"reportedExploitations\", \"reported_exploitations\") {\n+\t\tm, ok := item.(map[string]interface{})\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\treported = append(reported, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       firstString(m, \"url\"),\n+\t\t\tDateAdded: firstTime(m, \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn reported\n+}\n+\n+func firstString(m map[string]interface{}, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif s, ok := v.(string); ok {\n+\t\t\t\treturn s\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func firstTime(m map[string]interface{}, keys ...string) time.Time {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif s, ok := v.(string); ok {\n+\t\t\t\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\", \"2006-01-02 15:04:05\"} {\n+\t\t\t\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\t\t\t\treturn t\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func firstMap(m map[string]interface{}, keys ...string) (map[string]interface{}, bool) {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif nested, ok := v.(map[string]interface{}); ok {\n+\t\t\t\treturn nested, true\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil, false\n+}\n+\n+func firstSlice(m map[string]interface{}, keys ...string) []interface{} {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif items, ok := v.([]interface{}); ok {\n+\t\t\t\treturn items\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..4ad0d3f 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with Known Exploited Vulnerability entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..875ce66 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies the source of Known Exploited Vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                         KEVType       `json:\"type,omitempty\"`\n+\tVendorProject                string        `json:\"vendorProject,omitempty\"`\n+\tProduct                      string        `json:\"product,omitempty\"`\n+\tVulnerabilityName            string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                      *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific Known Exploited Vulnerability information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific Known Exploited Vulnerability information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +963,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..6cbe9fe 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -415,6 +416,15 @@ No CVE-IDs are found in updatable packages.\n \t\t\tdata = append(data, []string{\"GitHub\", alert.RepoURLPackageName()})\n \t\t}\n \n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tlabel := fmt.Sprintf(\"KEV[%s]\", kev.Type)\n+\t\t\tvalue := kev.VulnerabilityName\n+\t\t\tif kev.ShortDescription != \"\" {\n+\t\t\t\tvalue = kev.ShortDescription\n+\t\t\t}\n+\t\t\tdata = append(data, []string{label, value})\n+\t\t}\n+\n \t\tfor _, wp := range vuln.WpPackageFixStats {\n \t\t\tif p, ok := r.WordPressPackages.Find(wp.Name); ok {\n \t\t\t\tif p.Type == models.WPCore {\n@@ -565,10 +575,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev-scan-result.json b/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..9cf105c\n--- /dev/null\n+++ b/sample-kev-scan-result.json\n@@ -0,0 +1,58 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry showing the first-class kevs field.\",\n+          \"requiredAction\": \"Apply vendor-provided mitigations or discontinue use if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry showing source-specific details.\",\n+          \"requiredAction\": \"Review exploitability and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"initial-access\",\n+                \"cloneSSHURL\": \"ssh://example.invalid/research/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {}\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..093ab65 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,17 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tdesc := kev.VulnerabilityName\n+\t\t\t\tif kev.ShortDescription != \"\" {\n+\t\t\t\t\tdesc = kev.ShortDescription\n+\t\t\t\t}\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", kev.Type, desc))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T23:34:53.528039Z"}, {"uuid": "d99d4c13-b401-40ac-bda9-7c7071ac6b06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/c8ef69dd980ac66c634a1c1f57d1d8a1", "content": "diff --git a/README.md b/README.md\nindex 57102d1..b705528 100644\n--- a/README.md\n+++ b/README.md\n@@ -181,6 +181,12 @@ For more information such as Installation, Tutorial, Usage, visit [vuls.io](http\n \n ----\n \n+## Example Configuration\n+\n+An example configuration file is provided in [`config.toml.example`](config.toml.example). You can use this as a starting point to configure Vuls for your environment.\n+\n+----\n+\n ## Authors\n \n kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..daf4523\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,37 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.168.1.100\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+\n+[servers.example-host-2]\n+host = \"192.168.1.101\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..c8907d8 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -90,7 +90,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\t// Removed AlertDict.CISA population\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -117,7 +117,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\t// Removed AlertDict.CISA population\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..0b4f205 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..0a7f0d6\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,71 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_SortKEV(t *testing.T) {\n+\ttests := []struct {\n+\t\tname     string\n+\t\tfields   ScanResult\n+\t\texpected ScanResult\n+\t}{\n+\t\t{\n+\t\t\tname: \"sort KEV\",\n+\t\t\tfields: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              VulnCheckKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"B\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"C\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"A\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"A\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"C\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              VulnCheckKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"B\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tr := &amp;ScanResult{\n+\t\t\t\tPackages:    tt.fields.Packages,\n+\t\t\t\tScannedCves: tt.fields.ScannedCves,\n+\t\t\t}\n+\t\t\tr.SortForJSONOutput()\n+\n+\t\t\tif !reflect.DeepEqual(r.ScannedCves, tt.expected.ScannedCves) {\n+\t\t\t\tt.Errorf(\"act %+v, want %+v\", r.ScannedCves, tt.expected.ScannedCves)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..c679392 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +911,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa\"` // deprecated, kept for test compatibility\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n@@ -1089,3 +1087,56 @@ var (\n \t// FortinetVendorProductMatch is a ranking how confident the CVE-ID was detected correctly\n \tFortinetVendorProductMatch = Confidence{10, FortinetVendorProductMatchStr, 9}\n )\n+\n+// KEVType represents the source of the KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA KEVs\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is for VulnCheck KEVs\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV represents a Known Exploited Vulnerability entry\n+type KEV struct {\n+\tType                       KEVType    `json:\"type\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\n+\tCISA      *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV holds CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV holds VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB holds VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation holds reported exploitation details\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev-result.json b/sample-kev-result.json\nnew file mode 100644\nindex 0000000..2d940a6\n--- /dev/null\n+++ b/sample-kev-result.json\n@@ -0,0 +1,70 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-10-01T12:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"cveContents\": {\n+        \"nvd\": [\n+          {\n+            \"type\": \"nvd\",\n+            \"cveID\": \"CVE-0000-0000\",\n+            \"title\": \"Example Documentation CVE\",\n+            \"summary\": \"This is a dummy CVE used for documentation purposes.\",\n+            \"cvss3Score\": 9.8,\n+            \"cvss3Severity\": \"CRITICAL\"\n+          }\n+        ]\n+      },\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is an example description.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2021-11-03T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2021-11-03T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"XDB-001\",\n+                \"xdburl\": \"https://example.com/xdb/001\",\n+                \"dateAdded\": \"2021-11-04T00:00:00Z\",\n+                \"exploitType\": \"RCE\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/123\",\n+                \"dateAdded\": \"2021-11-05T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n", "creation_timestamp": "2026-07-03T23:34:55.080327Z"}, {"uuid": "9bedd450-4821-4692-b951-9d0daad93d61", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/e393ff53dbe702f5ce9b22fbd21d6ee0", "content": "diff --git a/README.md b/README.md\nindex 57102d1..ae6c54d 100644\n--- a/README.md\n+++ b/README.md\n@@ -179,6 +179,8 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+Example configuration with KEV reporting enabled: see [config.toml.example](config.toml.example)\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..45097d2\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,78 @@\n+# Vuls config.toml example\n+# Copy to config.toml and edit for your environment\n+\n+[slack]\n+hookURL      = \"https://hooks.slack.com/services/XXXX/XXXX/XXXX\"\n+channel      = \"#vuls\"\n+authUser     = \"vuls\"\n+notifyUsers  = [\"@example\"]\n+# https://vuls.io/docs/en/slack.html\n+\n+[email]\n+smtpAddr     = \"smtp.example.com\"\n+smtpPort     = \"587\"\n+user         = \"username\"\n+password     = \"password\"\n+from         = \"vuls@example.com\"\n+to           = [\"to@example.com\"]\n+cc           = [\"cc@example.com\"]\n+subject      = \"[vuls] Vuls Report\"\n+\n+[default]\n+#port        = \"22\"\n+#user        = \"username\"\n+#keyPath     = \"/home/username/.ssh/id_rsa\"\n+#scanMode    = [\"fast\"]\n+#scanModules = [\"wordpress\", \"lockfiles\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.0.2.1\"\n+port         = \"22\"\n+user         = \"vuls\"\n+keyPath      = \"/home/vuls/.ssh/id_rsa\"\n+#scanMode    = [\"deep\"]\n+\n+# Known Exploited Vulnerabilities (KEV) configuration\n+# https://vuls.io/docs/en/kev.html\n+[kevuln]\n+type         = \"sqlite3\"\n+# sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+# url        = \"http://127.0.0.1:1328\"\n+# Set type = \"http\" and url to use go-kev HTTP server\n+\n+# CVE Dictionary\n+# https://vuls.io/docs/en/install-vulsrepo.html\n+#[cvedb]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"http://127.0.0.1:1323\"\n+\n+# OVAL Dictionary\n+# https://vuls.io/docs/en/install-oval.html\n+#[ovaldb]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"http://127.0.0.1:1324\"\n+\n+# GOST (Red Hat / Debian Security Tracker)\n+# https://vuls.io/docs/en/install-gost.html\n+#[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"http://127.0.0.1:1325\"\n+\n+# Exploit DB\n+# https://vuls.io/docs/en/install-exploitdb.html\n+#[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"http://127.0.0.1:1326\"\n+\n+# Metasploit-Framework\n+# https://vuls.io/docs/en/install-metasploit.html\n+#[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"http://127.0.0.1:1327\"\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..efc951b 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..43e4d3a\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,73 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+\t\"time\"\n+)\n+\n+func TestScanResult_Sort_KEV(t *testing.T) {\n+\tr := &amp;ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0000\": VulnInfo{\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\tr.SortForJSONOutput()\n+\tgot := r.ScannedCves[\"CVE-0000-0000\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t}\n+\tif !reflect.DeepEqual(got, want) {\n+\t\tt.Errorf(\"KEV sort failed, got %+v, want %+v\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-1\": VulnInfo{KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-2\": VulnInfo{KEVs: []KEV{{Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-3\": VulnInfo{},\n+\t\t},\n+\t}\n+\tgot := r.FormatKEVCveSummary()\n+\twant := \"2 kevs\"\n+\tif got != want {\n+\t\tt.Errorf(\"got %s, want %s\", got, want)\n+\t}\n+}\n+\n+// Ensure KEV fields marshal with expected JSON names\n+func TestKEV_JSON(t *testing.T) {\n+\tdue := time.Date(2024, 1, 22, 0, 0, 0, 0, time.UTC)\n+\tkev := KEV{\n+\t\tType:                       CISAKEVType,\n+\t\tVendorProject:              \"vp\",\n+\t\tProduct:                    \"prod\",\n+\t\tVulnerabilityName:          \"vn\",\n+\t\tShortDescription:           \"sd\",\n+\t\tRequiredAction:             \"ra\",\n+\t\tKnownRansomwareCampaignUse: \"kr\",\n+\t\tDateAdded:                  time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),\n+\t\tDueDate:                    &amp;due,\n+\t\tCISA:                       &amp;CISAKEV{Note: \"note\"},\n+\t\tVulnCheck: &amp;VulnCheckKEV{\n+\t\t\tXDB: []VulnCheckXDB{{XDBID: \"1\", XDBURL: \"u\", DateAdded: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC), ExploitType: \"remote\", CloneSSHURL: \"ssh\"}},\n+\t\t\tReportedExploitation: []VulnCheckReportedExploitation{{URL: \"http://e\", DateAdded: time.Date(2024, 1, 3, 0, 0, 0, 0, time.UTC)}},\n+\t\t},\n+\t}\n+\t// Simple sanity: fields are set\n+\tif kev.Type != CISAKEVType || kev.CISA == nil || kev.VulnCheck == nil {\n+\t\tt.Errorf(\"KEV struct not populated correctly\")\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..9f9453b 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -257,6 +257,57 @@ type PackageFixStatus struct {\n }\n \n // VulnInfo has a vulnerability information and unsecure packages\n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType     `json:\"type,omitempty\"`\n+\tVendorProject              string      `json:\"vendorProject,omitempty\"`\n+\tProduct                    string      `json:\"product,omitempty\"`\n+\tVulnerabilityName          string      `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string      `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string      `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string      `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time   `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time  `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV    `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"notes,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n \tConfidences          Confidences          `json:\"confidences,omitempty\"`\n@@ -268,6 +319,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n-\tJPCERT []Alert `json:\"jpcert\"`\n-\tUSCERT []Alert `json:\"uscert\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n+\tJPCERT []Alert `json:\"jpcert,omitempty\"`\n+\tUSCERT []Alert `json:\"uscert,omitempty\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev_result.json b/sample_kev_result.json\nnew file mode 100644\nindex 0000000..e3d2704\n--- /dev/null\n+++ b/sample_kev_result.json\n@@ -0,0 +1,74 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2025-01-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates per vendor instructions\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"notes\": \"Example CISA note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability (VulnCheck)\",\n+          \"shortDescription\": \"Example VulnCheck description\",\n+          \"requiredAction\": \"\",\n+          \"knownRansomwareCampaignUse\": \"\",\n+          \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XXXXX\",\n+                \"xdbURL\": \"https://example.com/xdb/XXXXX\",\n+                \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"notFixedYet\": false,\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-pkg\": {\n+      \"name\": \"example-pkg\",\n+      \"version\": \"1.2.2\"\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..00df505 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -809,18 +809,8 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t\t\t\tlines = append(lines, fmt.Sprintf(\" - %s\", u))\n \t\t\t\t\t}\n \t\t\t\t}\n-\t\t\t}\n-\t\t}\n-\n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n \t\t}\n+\t}\n \n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n", "creation_timestamp": "2026-07-03T23:34:55.254019Z"}, {"uuid": "71fdd9be-100d-4b80-8e43-3e792ab7221e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/d8a4988827d34dea1ea880cf5c9c8bb8", "content": "diff --git a/README.md b/README.md\nindex 57102d1..14d512c 100644\n--- a/README.md\n+++ b/README.md\n@@ -92,6 +92,7 @@ Vuls is a tool created to solve the problems listed above. It has the following\n \n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - Configure `[kevuln]` to populate first-class KEV data in scan results. See [`examples/config.toml.example`](examples/config.toml.example) and [`examples/scan-result-kev.json`](examples/scan-result-kev.json).\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..afbd5d6 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -78,22 +78,16 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, toKEVs(kevulns)...)\n \t\t\t\tnKEV++\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, toKEVs(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,33 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func toKEVs(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tlogging.Log.Debugf(\"Failed to marshal KEVuln. err: %+v\", err)\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tvar kev models.KEV\n+\t\tif err := json.Unmarshal(b, &amp;kev); err != nil {\n+\t\t\tlogging.Log.Debugf(\"Failed to unmarshal KEVuln into models.KEV. err: %+v\", err)\n+\t\t\tcontinue\n+\t\t}\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tif kev.Type == models.CISAKEVType &amp;&amp; kev.CISA == nil {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{}\n+\t\t}\n+\t\tif kev.Type == models.VulnCheckKEVType &amp;&amp; kev.VulnCheck == nil {\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..6e8783f\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,49 @@\n+# Synthetic Vuls configuration example.\n+# Replace all placeholder values before use; do not copy secrets from a live config.toml.\n+\n+[default]\n+#port        = \"22\"\n+#user        = \"vuls\"\n+#keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+#scanMode    = [\"fast-root\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host        = \"192.0.2.10\"\n+port        = \"22\"\n+user        = \"vuls\"\n+keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+scanMode    = [\"fast-root\"]\n+\n+[cveDict]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+# Enables CISA and VulnCheck KEV enrichment when the go-kev database contains them.\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+# For an HTTP go-kev service, use:\n+#type       = \"http\"\n+#url        = \"http://127.0.0.1:1326\"\n+\n+[cti]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\ndiff --git a/examples/scan-result-kev.json b/examples/scan-result-kev.json\nnew file mode 100644\nindex 0000000..e4b769b\n--- /dev/null\n+++ b/examples/scan-result-kev.json\n@@ -0,0 +1,61 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry for documentation.\",\n+          \"requiredAction\": \"Review exposure and patch.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.invalid:research/example-poc.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"errors\": [],\n+  \"warnings\": []\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..b07f845 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of cves with known exploited vulnerability entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..6384cd8 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability metadata.\n+type KEV struct {\n+\tType                          KEVType        `json:\"type,omitempty\"`\n+\tVendorProject                 string         `json:\"vendorProject,omitempty\"`\n+\tProduct                       string         `json:\"product,omitempty\"`\n+\tVulnerabilityName             string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription              string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse    string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                     time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                       *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                          *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                     *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV metadata.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV metadata.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,22 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\t// Deprecated: KEV data is represented by VulnInfo.KEVs instead.\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T23:34:55.292190Z"}, {"uuid": "7c84e5f7-3c08-4e3a-a18b-9871a41a9dec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/db3e98ef89fc16b2dcd28b4e7873f4aa", "content": "diff --git a/README.md b/README.md\nindex 57102d1..b92f351 100644\n--- a/README.md\n+++ b/README.md\n@@ -165,6 +165,7 @@ Vuls has some options to detect the vulnerabilities\n   - Auto-detection of servers set using CIDR, generate configuration file template\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n+- Example Configuration: See [config.toml.example](config.toml.example) for a ready-to-use template including KEV reporting setup.\n \n ----\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..8e4ab21\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,11 @@\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.0.2.10\"\n+port         = \"22\"\n+user         = \"example-user\"\n+keyPath      = \"/path/to/example/key\"\n+\n+[kevuln]\n+type         = \"sqlite3\"\n+SQLite3Path  = \"/path/to/go-kev.sqlite3\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f0230da 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,8 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +98,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..8139fb5 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKevs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevs)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,9 +442,14 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n+\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..454eeac 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +284,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +346,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +405,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -535,6 +519,33 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t},\n \t\t\t},\n \t\t},\n+\t\t{\n+\t\t\tname: \"sort KEV\",\n+\t\t\tfields: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"c\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"c\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n \t}\n \tfor _, tt := range tests {\n \t\tt.Run(tt.name, func(t *testing.T) {\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..355ffba 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,56 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n+}\n+\n+// KEVType string type with constants\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV struct\n+type KEV struct {\n+\tType                       KEVType                       `json:\"type,omitempty\"`\n+\tVendorProject              string                        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string                        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string                        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string                        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string                        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string                        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time                     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time                    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV                      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV                 `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV struct\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV struct\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB struct\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation struct\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +960,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..dd4cefc\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,48 @@\n+{\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic example vulnerability.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic CISA note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic example vulnerability.\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"1234\",\n+                \"xdburl\": \"https://example.com/exploit/1234\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"RCE\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-03T23:34:55.339227Z"}, {"uuid": "d1bdca18-9574-48f9-9784-97b70cecf75f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/f28f61dfebac866cd95125fe0ed35450", "content": "diff --git a/README.md b/README.md\nindex 57102d1..9d9a9aa 100644\n--- a/README.md\n+++ b/README.md\n@@ -181,6 +181,13 @@ For more information such as Installation, Tutorial, Usage, visit [vuls.io](http\n \n ----\n \n+## Configuration Example\n+\n+An example configuration file is available at [config.toml.example](config.toml.example).\n+A sample scan result with KEV fields is available at [sample-scan-result.json](sample-scan-result.json).\n+\n+----\n+\n ## Authors\n \n kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..87b510e\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,31 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[msf]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls-user\"\n+keyPath = \"/path/to/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9f612f6 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,21 +79,22 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tvar kevs []models.KEV\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\t\tVulnerabilityName: k.VulnerabilityName,\n+\t\t\t\t\t\tCISA:              &amp;models.CISAKEV{},\n+\t\t\t\t\t})\n+\t\t\t\t}\n+\t\t\t\tv, ok := r.ScannedCves[res.request.cveID]\n+\t\t\t\tif ok {\n+\t\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\n-\t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n-\t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -108,18 +109,19 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tvar kevs []models.KEV\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\t\tVulnerabilityName: k.VulnerabilityName,\n+\t\t\t\t\t\tCISA:              &amp;models.CISAKEV{},\n+\t\t\t\t\t})\n+\t\t\t\t}\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n+\t\t\t\tnKEV++\n+\t\t\t\tr.ScannedCves[cveID] = vuln\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n-\t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\n \ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..5a10e6d 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..47e31ed 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,11 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +289,11 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +356,12 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +421,12 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..628b56d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,59 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n+}\n+\n+// KEVType is the type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV type\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck KEV type\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType        `json:\"type,omitempty\"`\n+\tVendorProject              string         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +963,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..1a184e6 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,10 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tif kev.Type == models.CISAKEVType {\n+\t\t\t\tdata = append(data, []string{\"CISA KEV\", kev.VulnerabilityName})\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample-scan-result.json b/sample-scan-result.json\nnew file mode 100644\nindex 0000000..3deb308\n--- /dev/null\n+++ b/sample-scan-result.json\n@@ -0,0 +1,60 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-01-01T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"v0.0.0\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vulnerabilityName\": \"Test Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic vulnerability.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vulnerabilityName\": \"Test Vulnerability 2\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"1234\",\n+                \"xdbUrl\": \"https://example.com/xdb/1234\",\n+                \"dateAdded\": \"2023-01-02T00:00:00Z\",\n+                \"exploitType\": \"local\",\n+                \"cloneSshUrl\": \"git@github.com:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2023-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0-100-generic\",\n+    \"version\": \"#113-Ubuntu SMP Thu Feb 3 18:43:29 UTC 2022\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.0.0\"\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..dbbf8ac 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV\",\n+\t\t\t\t\"===\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s\", kev.Type, kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-03T23:34:55.420478Z"}, {"uuid": "100e291a-b955-4b1e-a5db-d670e7d75799", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/91e64cf478c23cc6b25eb7344ff845db", "content": "diff --git a/README.md b/README.md\nindex 57102d1..3023ab2 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities (KEV)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - [VulnCheck KEV](https://vulncheck.com/)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n@@ -174,6 +175,11 @@ Vuls has some options to detect the vulnerabilities\n \n ----\n \n+## Setup\n+\n+An example configuration file is available at [`config.toml.example`](config.toml.example).\n+Copy it to `config.toml` and edit it for your environment.\n+\n ## Document\n \n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..339148f\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,121 @@\n+# Vuls configuration file example\n+# See https://vuls.io/docs/en/config.toml.html for details\n+#\n+# Copy this file to config.toml and customize for your environment.\n+# All values below are placeholders \u2014 replace them with your own settings.\n+\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[cveDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"\"\n+\n+[ovalDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"\"\n+\n+[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"\"\n+\n+[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"\"\n+\n+[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"\"\n+\n+# Known Exploited Vulnerabilities (KEV) \u2014 CISA &amp; VulnCheck\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[kevuln]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url = \"\"\n+\n+[cti]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url = \"\"\n+\n+# https://vuls.io/docs/en/config.toml.html#slack-section\n+#[slack]\n+#hookURL      = \"https://hooks.slack.com/services/xxx/yyy/zzz\"\n+#channel      = \"#vuls-notifications\"\n+#iconEmoji    = \":ghost:\"\n+#authUser     = \"vuls-bot\"\n+#notifyUsers  = [\"@admin\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#email-section\n+#[email]\n+#smtpAddr              = \"smtp.example.com\"\n+#smtpPort              = \"587\"\n+#tlsMode               = \"STARTTLS\"\n+#tlsInsecureSkipVerify = false\n+#user                  = \"vuls@example.com\"\n+#password              = \"REPLACE_ME\"\n+#from                  = \"vuls@example.com\"\n+#to                    = [\"admin@example.com\"]\n+#cc                    = [\"security-team@example.com\"]\n+#subjectPrefix         = \"[vuls]\"\n+\n+# https://vuls.io/docs/en/config.toml.html#http-section\n+#[http]\n+#url = \"http://localhost:11234\"\n+\n+# https://vuls.io/docs/en/config.toml.html#syslog-section\n+#[syslog]\n+#protocol    = \"tcp\"\n+#host        = \"localhost\"\n+#port        = \"514\"\n+#tag         = \"vuls\"\n+#facility    = \"local0\"\n+#severity    = \"alert\"\n+#verbose     = false\n+\n+# https://vuls.io/docs/en/usage-report.html#example-put-results-in-s3-bucket\n+#[aws]\n+#region     = \"us-east-1\"\n+#s3Bucket   = \"my-vuls-bucket\"\n+#s3ResultsDir = \"/vuls-results\"\n+\n+# https://vuls.io/docs/en/usage-report.html#example-put-results-in-azure-blob-storage\n+#[azure]\n+#endpoint      = \"https://myaccount.blob.core.windows.net/\"\n+#accountName   = \"myaccount\"\n+#accountKey    = \"REPLACE_ME\"\n+#containerName = \"vuls\"\n+\n+# https://vuls.io/docs/en/config.toml.html#chatwork-section\n+#[chatwork]\n+#room     = \"123456789\"\n+#apiToken = \"REPLACE_ME\"\n+\n+#[wpscan]\n+#token = \"REPLACE_ME\"\n+#detectInactive = false\n+\n+# https://vuls.io/docs/en/config.toml.html#default-section\n+[default]\n+#port        = \"22\"\n+#user        = \"vuls-user\"\n+#keyPath     = \"/home/vuls-user/.ssh/id_rsa\"\n+#scanMode    = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#servers-section\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.0.2.1\"\n+#port        = \"22\"\n+#user        = \"scan-user\"\n+#keyPath     = \"/home/scan-user/.ssh/id_rsa\"\n+#scanMode    = [\"fast\"]\n+#scanModules = [\"ospkg\", \"lockfile\"]\n+#cpeNames    = [\"cpe:/a:example:product:1.0\"]\n+#ignoreCves  = [\"CVE-0000-0000\"]\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..64d59bc 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of how many scanned CVEs have KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tkevCnt := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tkevCnt++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", kevCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..cb4f9b7 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -919,21 +920,70 @@ type AlertDict struct {\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n \treturn strings.Join(s, \"/\")\n }\n \n+// KEVType represents the source of a Known Exploited Vulnerability entry\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the KEV type for CISA\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the KEV type for VulnCheck\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                       KEVType       `json:\"type\"`\n+\tVendorProject              string        `json:\"vendorProject\"`\n+\tProduct                    string        `json:\"product\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName\"`\n+\tShortDescription           string        `json:\"shortDescription\"`\n+\tRequiredAction             string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n // Confidences is a list of Confidence\n type Confidences []Confidence\n \ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..72499b0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..eb4e521\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,76 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"fixedIn\": \"2.0.0\"\n+        }\n+      ],\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic example vulnerability used for demonstration.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-01T00:00:00Z\",\n+          \"dueDate\": \"2026-02-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"This is a synthetic example for demonstration purposes.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic example vulnerability used for demonstration.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-0000\",\n+                \"xdbURL\": \"https://example.com/xdb/0000\",\n+                \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+                \"exploitType\": \"poc\",\n+                \"cloneSSHURL\": \"git@example.com:exploits/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/exploitation-0000\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-pkg\": {\n+      \"name\": \"example-pkg\",\n+      \"version\": \"1.0.0\",\n+      \"newVersion\": \"2.0.0\"\n+    }\n+  }\n+}\n", "creation_timestamp": "2026-07-04T00:01:06.651477Z"}, {"uuid": "521d8514-44a0-4e7f-9818-9722a4d7cb8e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/fafbe4930480e353571155d02dc0b9f6", "content": "diff --git a/README.md b/README.md\nindex 57102d1..9a02b46 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- CISA/VulnCheck KEV (Known Exploited Vulnerabilities)\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - KEV data is a first-class field on the vulnerability model (see `config.toml.example` for setup)\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..5843bf9\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,126 @@\n+# Vuls configuration file example\n+# Copy this file to config.toml and customize for your environment.\n+# See https://vuls.io/docs/en/config.toml.html for full documentation.\n+\n+# https://vuls.io/docs/en/config.toml.html#database-section\n+[cveDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"\"\n+\n+[ovalDict]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"\"\n+\n+[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"\"\n+\n+[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"\"\n+\n+[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"\"\n+\n+# KEV (Known Exploited Vulnerabilities) reporting via CISA/VulnCheck data.\n+# Uncomment and configure to enable KEV detection in scan results.\n+[kevuln]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+#url = \"\"\n+\n+[cti]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-cti.sqlite3\"\n+#url = \"\"\n+\n+# https://vuls.io/docs/en/config.toml.html#slack-section\n+#[slack]\n+#hookURL      = \"https://hooks.slack.com/services/xxx/yyy/zzz\"\n+#channel      = \"#channel-name\"\n+#iconEmoji    = \":ghost:\"\n+#authUser     = \"username\"\n+#notifyUsers  = [\"@username\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#email-section\n+#[email]\n+#smtpAddr              = \"smtp.example.com\"\n+#smtpPort              = \"587\"\n+#tlsMode               = \"STARTTLS\"\n+#tlsInsecureSkipVerify = false\n+#user                  = \"username\"\n+#password              = \"password\"\n+#from                  = \"from@example.com\"\n+#to                    = [\"to@example.com\"]\n+#cc                    = [\"cc@example.com\"]\n+#subjectPrefix         = \"[vuls]\"\n+\n+# https://vuls.io/docs/en/config.toml.html#http-section\n+#[http]\n+#url = \"http://localhost:11234\"\n+\n+# https://vuls.io/docs/en/config.toml.html#syslog-section\n+#[syslog]\n+#protocol    = \"tcp\"\n+#host        = \"localhost\"\n+#port        = \"514\"\n+#tag         = \"vuls\"\n+#facility    = \"local0\"\n+#severity    = \"alert\"\n+#verbose     = false\n+\n+# https://vuls.io/docs/en/usage-report.html#example-put-results-in-s3-bucket\n+#[aws]\n+#region     = \"ap-northeast-1\"\n+#profile    = \"default\"\n+#s3Bucket   = \"vuls\"\n+#s3ResultsDir = \"/path/to/result\"\n+\n+# https://vuls.io/docs/en/usage-report.html#example-put-results-in-azure-blob-storage\n+#[azure]\n+#endpoint      = \"https://default.blob.core.windows.net/\"\n+#accountName   = \"default\"\n+#accountKey    = \"xxxxxxxxxxxxxx\"\n+#containerName = \"vuls\"\n+\n+# https://vuls.io/docs/en/config.toml.html#chatwork-section\n+#[chatwork]\n+#room     = \"xxxxxxxxxxx\"\n+#apiToken = \"xxxxxxxxxxxxxxxxxx\"\n+\n+# https://vuls.io/docs/en/config.toml.html#googlechat-section\n+#[googlechat]\n+#webHookURL = \"https://chat.googleapis.com/v1/spaces/xxxxxxxxxx/messages?key=yyyyyyyyyy&amp;token=zzzzzzzzzz\"\n+\n+# https://vuls.io/docs/en/config.toml.html#telegram-section\n+#[telegram]\n+#chatID = \"xxxxxxxxxxx\"\n+#token  = \"xxxxxxxxxxxxxxxxxx\"\n+\n+#[wpscan]\n+#token = \"xxxxxxxxxxx\"\n+#detectInactive = false\n+\n+# https://vuls.io/docs/en/config.toml.html#default-section\n+[default]\n+#port       = \"22\"\n+#user       = \"username\"\n+#keyPath    = \"/home/username/.ssh/id_rsa\"\n+#scanMode   = [\"fast\"]\n+#scanModules = [\"ospkg\", \"wordpress\", \"lockfile\", \"port\"]\n+\n+# https://vuls.io/docs/en/config.toml.html#servers-section\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+#port = \"22\"\n+#user = \"scan-user\"\n+#keyPath = \"/home/username/.ssh/id_rsa\"\n+#scanMode = [\"fast\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..2610d75 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,13 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = convertToKEVs(kevulns)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +103,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertToKEVs(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -226,6 +212,31 @@ func httpGetKEVuln(url string, req kevulnRequest, resChan chan&lt;- kevulnResponse,\n \t}\n }\n \n+func convertToKEVs(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tkevs := make([]models.KEV, 0, len(kevulns))\n+\tfor _, k := range kevulns {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       models.CISAKEVType,\n+\t\t\tVendorProject:              k.VendorProject,\n+\t\t\tProduct:                    k.Product,\n+\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\tNote: k.Notes,\n+\t\t\t},\n+\t\t}\n+\t\tif !k.DueDate.IsZero() {\n+\t\t\tdueDate := k.DueDate\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n func newKEVulnDB(cnf config.VulnDictInterface) (kevulndb.DB, error) {\n \tif cnf.IsFetchViaHTTP() {\n \t\treturn nil, nil\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..0fa5eb4 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -428,15 +436,22 @@ func (r *ScanResult) SortForJSONOutput() {\n \n \t\tv.CveContents.Sort()\n \n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n+\n+\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n+\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\t})\n \t\tsort.Slice(v.AlertDict.USCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.USCERT[i].Title &lt; v.AlertDict.USCERT[j].Title\n \t\t})\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/testdata/sample_kev_scanresult.json b/models/testdata/sample_kev_scanresult.json\nnew file mode 100644\nindex 0000000..ecf802e\n--- /dev/null\n+++ b/models/testdata/sample_kev_scanresult.json\n@@ -0,0 +1,64 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"debian\",\n+  \"release\": \"12\",\n+  \"scannedAt\": \"2026-07-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-15T00:00:00Z\",\n+          \"dueDate\": \"2026-02-05T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"ExampleVendor ExampleProduct Remote Code Execution Vulnerability\",\n+          \"shortDescription\": \"ExampleVendor ExampleProduct contains a vulnerability that allows remote code execution.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"00000000-0000-0000-0000-000000000001\",\n+                \"xdbURL\": \"https://vulncheck.com/xdb/example\",\n+                \"dateAdded\": \"2026-01-10T00:00:00Z\",\n+                \"exploitType\": \"poc\",\n+                \"cloneSSHURL\": \"\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/exploitation-report\",\n+                \"dateAdded\": \"2026-01-12T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"alertDict\": {},\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.4\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..e2a3784 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -267,6 +267,7 @@ type VulnInfo struct {\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n@@ -910,28 +911,78 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of KEV data\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is the CISA KEV source\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is the VulnCheck KEV source\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information\n+type KEV struct {\n+\tType                        KEVType       `json:\"type\"`\n+\tVendorProject               string        `json:\"vendorProject\"`\n+\tProduct                     string        `json:\"product\"`\n+\tVulnerabilityName           string        `json:\"vulnerabilityName\"`\n+\tShortDescription            string        `json:\"shortDescription\"`\n+\tRequiredAction              string        `json:\"requiredAction\"`\n+\tKnownRansomwareCampaignUse  string        `json:\"knownRansomwareCampaignUse\"`\n+\tDateAdded                   time.Time     `json:\"dateAdded\"`\n+\tDueDate                     *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                        *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                   *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV data\n+type CISAKEV struct {\n+\tNote string `json:\"note\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV data\n+type VulnCheckKEV struct {\n+\tXDB                    []VulnCheckXDB                    `json:\"xdb,omitempty\"`\n+\tReportedExploitation   []VulnCheckReportedExploitation   `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database entry\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID\"`\n+\tXDBURL      string    `json:\"xdbURL\"`\n+\tDateAdded   time.Time `json:\"dateAdded\"`\n+\tExploitType string    `json:\"exploitType\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation data\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url\"`\n+\tDateAdded time.Time `json:\"dateAdded\"`\n+}\n+\n+// AlertDict has target cve JPCERT and USCERT alert data.\n+// The CISA field is retained for backward compatibility but KEV data\n+// now lives on VulnInfo.KEVs. New code should not populate CISA.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n-\tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n-\t\ts = append(s, \"CERT\")\n+\t\treturn \"CERT\"\n \t}\n-\treturn strings.Join(s, \"/\")\n+\treturn \"\"\n }\n \n // Confidences is a list of Confidence\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..e3aef8f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,8 +566,8 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tdata = append(data, []string{fmt.Sprintf(\"KEV (%s)\", kev.Type), kev.VulnerabilityName})\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..4097f0c 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,14 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s - %s\",\n+\t\t\t\t\tkev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-04T00:01:06.701286Z"}, {"uuid": "8e53b0a9-4fd1-45d4-8bad-8d56cd3b631b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/bb428b700122569f3dd1ebe128ebea73", "content": "diff --git a/README.md b/README.md\nindex 57102d1..ceab982 100644\n--- a/README.md\n+++ b/README.md\n@@ -93,6 +93,9 @@ Vuls is a tool created to solve the problems listed above. It has the following\n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n \n+- VulnCheck\n+  - Known Exploited Vulnerabilities data is reported in the first-class `kevs` scan-result field alongside CISA KEV entries.\n+\n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\n \n@@ -179,6 +182,12 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+## KEV Reporting Example\n+\n+Use the synthetic `config.toml.example` as a starting point for enabling KEV reporting with the `[kevuln]` database configuration. Replace placeholder paths and host values with environment-appropriate values, and never copy production secrets into tracked configuration files.\n+\n+The synthetic `sample-kev-scan-result.json` shows the JSON shape for CISA and VulnCheck KEV entries under each vulnerability's `kevs` field.\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..9db5842\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,40 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Do not paste production secrets or internal host details into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+scanMode = [\"fast-root\"]\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_ed25519\"\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+scanMode = [\"fast-root\"]\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..e675ecb 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,19 +80,12 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n+\t\t\t\tv.KEVs = convertKEVulnsToModel(kevulns)\n+\t\t\t\tif 0 &lt; len(v.KEVs) {\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = convertKEVulnsToModel(kevulns)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,156 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulnsToModel(kevulns []kevulnmodels.KEVuln) []models.KEV {\n+\tbs, err := json.Marshal(kevulns)\n+\tif err != nil {\n+\t\treturn nil\n+\t}\n+\n+\tvar raws []map[string]interface{}\n+\tif err := json.Unmarshal(bs, &amp;raws); err != nil {\n+\t\treturn nil\n+\t}\n+\n+\tkevs := make([]models.KEV, 0, len(raws))\n+\tfor _, raw := range raws {\n+\t\tkev := models.KEV{\n+\t\t\tType:                       parseKEVType(firstString(raw, \"type\", \"source\")),\n+\t\t\tVendorProject:              firstString(raw, \"vendorProject\", \"vendor_project\", \"vendor\"),\n+\t\t\tProduct:                    firstString(raw, \"product\"),\n+\t\t\tVulnerabilityName:          firstString(raw, \"vulnerabilityName\", \"vulnerability_name\", \"name\"),\n+\t\t\tShortDescription:           firstString(raw, \"shortDescription\", \"short_description\", \"description\"),\n+\t\t\tRequiredAction:             firstString(raw, \"requiredAction\", \"required_action\"),\n+\t\t\tKnownRansomwareCampaignUse: firstString(raw, \"knownRansomwareCampaignUse\", \"known_ransomware_campaign_use\"),\n+\t\t\tDateAdded:                  firstTime(raw, \"dateAdded\", \"date_added\"),\n+\t\t}\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tif dueDate := firstTime(raw, \"dueDate\", \"due_date\"); !dueDate.IsZero() {\n+\t\t\tkev.DueDate = &amp;dueDate\n+\t\t}\n+\n+\t\tif note := firstString(raw, \"note\", \"notes\"); note != \"\" || kev.Type == models.CISAKEVType {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{Note: note}\n+\t\t}\n+\t\tif vulnCheck := parseVulnCheckKEV(raw); vulnCheck != nil {\n+\t\t\tkev.VulnCheck = vulnCheck\n+\t\t}\n+\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n+func parseKEVType(s string) models.KEVType {\n+\tswitch strings.ToLower(s) {\n+\tcase string(models.VulnCheckKEVType):\n+\t\treturn models.VulnCheckKEVType\n+\tcase string(models.CISAKEVType), \"\":\n+\t\treturn models.CISAKEVType\n+\tdefault:\n+\t\treturn models.KEVType(s)\n+\t}\n+}\n+\n+func parseVulnCheckKEV(raw map[string]interface{}) *models.VulnCheckKEV {\n+\tvulnCheckRaw := raw\n+\tif nested, ok := firstMap(raw, \"vulncheck\", \"vulnCheck\", \"vuln_check\"); ok {\n+\t\tvulnCheckRaw = nested\n+\t}\n+\n+\tvulnCheck := &amp;models.VulnCheckKEV{\n+\t\tXDB:                  parseVulnCheckXDBs(vulnCheckRaw),\n+\t\tReportedExploitation: parseVulnCheckReportedExploitations(vulnCheckRaw),\n+\t}\n+\tif len(vulnCheck.XDB) == 0 &amp;&amp; len(vulnCheck.ReportedExploitation) == 0 {\n+\t\treturn nil\n+\t}\n+\treturn vulnCheck\n+}\n+\n+func parseVulnCheckXDBs(raw map[string]interface{}) []models.VulnCheckXDB {\n+\txdbs := []models.VulnCheckXDB{}\n+\tfor _, item := range firstSlice(raw, \"xdb\", \"xDB\", \"XDB\") {\n+\t\tm, ok := item.(map[string]interface{})\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       firstString(m, \"xdbID\", \"xdbId\", \"xdb_id\", \"id\"),\n+\t\t\tXDBURL:      firstString(m, \"xdbURL\", \"xdbUrl\", \"xdb_url\", \"url\"),\n+\t\t\tDateAdded:   firstTime(m, \"dateAdded\", \"date_added\"),\n+\t\t\tExploitType: firstString(m, \"exploitType\", \"exploit_type\"),\n+\t\t\tCloneSSHURL: firstString(m, \"cloneSSHURL\", \"cloneSSHUrl\", \"clone_ssh_url\"),\n+\t\t})\n+\t}\n+\treturn xdbs\n+}\n+\n+func parseVulnCheckReportedExploitations(raw map[string]interface{}) []models.VulnCheckReportedExploitation {\n+\treported := []models.VulnCheckReportedExploitation{}\n+\tfor _, item := range firstSlice(raw, \"reportedExploitation\", \"reported_exploitation\", \"reportedExploitations\", \"reported_exploitations\") {\n+\t\tm, ok := item.(map[string]interface{})\n+\t\tif !ok {\n+\t\t\tcontinue\n+\t\t}\n+\t\treported = append(reported, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       firstString(m, \"url\"),\n+\t\t\tDateAdded: firstTime(m, \"dateAdded\", \"date_added\"),\n+\t\t})\n+\t}\n+\treturn reported\n+}\n+\n+func firstString(m map[string]interface{}, keys ...string) string {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif s, ok := v.(string); ok {\n+\t\t\t\treturn s\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn \"\"\n+}\n+\n+func firstTime(m map[string]interface{}, keys ...string) time.Time {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif s, ok := v.(string); ok {\n+\t\t\t\tfor _, layout := range []string{time.RFC3339, \"2006-01-02\", \"2006-01-02 15:04:05\"} {\n+\t\t\t\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\t\t\t\treturn t\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn time.Time{}\n+}\n+\n+func firstMap(m map[string]interface{}, keys ...string) (map[string]interface{}, bool) {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif nested, ok := v.(map[string]interface{}); ok {\n+\t\t\t\treturn nested, true\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil, false\n+}\n+\n+func firstSlice(m map[string]interface{}, keys ...string) []interface{} {\n+\tfor _, key := range keys {\n+\t\tif v, ok := m[key]; ok {\n+\t\t\tif items, ok := v.([]interface{}); ok {\n+\t\t\t\treturn items\n+\t\t\t}\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..4ad0d3f 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,11 +197,12 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with Known Exploited Vulnerability entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..875ce66 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -284,6 +285,58 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies the source of Known Exploited Vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck Known Exploited Vulnerabilities data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerability information.\n+type KEV struct {\n+\tType                         KEVType       `json:\"type,omitempty\"`\n+\tVendorProject                string        `json:\"vendorProject,omitempty\"`\n+\tProduct                      string        `json:\"product,omitempty\"`\n+\tVulnerabilityName            string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription             string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction               string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse   string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                    time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                      *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                         *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                    *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific Known Exploited Vulnerability information.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific Known Exploited Vulnerability information.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database information.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +963,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..6cbe9fe 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -202,6 +202,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.ScannedCves.FormatCveSummary(),\n \t\t\t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n@@ -415,6 +416,15 @@ No CVE-IDs are found in updatable packages.\n \t\t\tdata = append(data, []string{\"GitHub\", alert.RepoURLPackageName()})\n \t\t}\n \n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tlabel := fmt.Sprintf(\"KEV[%s]\", kev.Type)\n+\t\t\tvalue := kev.VulnerabilityName\n+\t\t\tif kev.ShortDescription != \"\" {\n+\t\t\t\tvalue = kev.ShortDescription\n+\t\t\t}\n+\t\t\tdata = append(data, []string{label, value})\n+\t\t}\n+\n \t\tfor _, wp := range vuln.WpPackageFixStats {\n \t\t\tif p, ok := r.WordPressPackages.Find(wp.Name); ok {\n \t\t\t\tif p.Type == models.WPCore {\n@@ -565,10 +575,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev-scan-result.json b/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..9cf105c\n--- /dev/null\n+++ b/sample-kev-scan-result.json\n@@ -0,0 +1,58 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"reportedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry showing the first-class kevs field.\",\n+          \"requiredAction\": \"Apply vendor-provided mitigations or discontinue use if mitigations are unavailable.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry showing source-specific details.\",\n+          \"requiredAction\": \"Review exploitability and prioritize remediation.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"initial-access\",\n+                \"cloneSSHURL\": \"ssh://example.invalid/research/example.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {}\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..093ab65 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,17 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tdesc := kev.VulnerabilityName\n+\t\t\t\tif kev.ShortDescription != \"\" {\n+\t\t\t\t\tdesc = kev.ShortDescription\n+\t\t\t\t}\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* %s: %s\", kev.Type, desc))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-04T00:01:06.750630Z"}, {"uuid": "35462476-7e5a-4994-90dd-00ad21806aa6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/c8ef69dd980ac66c634a1c1f57d1d8a1", "content": "diff --git a/README.md b/README.md\nindex 57102d1..b705528 100644\n--- a/README.md\n+++ b/README.md\n@@ -181,6 +181,12 @@ For more information such as Installation, Tutorial, Usage, visit [vuls.io](http\n \n ----\n \n+## Example Configuration\n+\n+An example configuration file is provided in [`config.toml.example`](config.toml.example). You can use this as a starting point to configure Vuls for your environment.\n+\n+----\n+\n ## Authors\n \n kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..daf4523\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,37 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.168.1.100\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\n+\n+[servers.example-host-2]\n+host = \"192.168.1.101\"\n+port = \"22\"\n+user = \"vuls\"\n+keyPath = \"/home/vuls/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..c8907d8 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -90,7 +90,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\t// Removed AlertDict.CISA population\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -117,7 +117,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\t})\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\t// Removed AlertDict.CISA population\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..0b4f205 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV entries\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..0a7f0d6\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,71 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+)\n+\n+func TestScanResult_SortKEV(t *testing.T) {\n+\ttests := []struct {\n+\t\tname     string\n+\t\tfields   ScanResult\n+\t\texpected ScanResult\n+\t}{\n+\t\t{\n+\t\t\tname: \"sort KEV\",\n+\t\t\tfields: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              VulnCheckKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"B\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"C\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"A\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: ScanResult{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"A\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              CISAKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"C\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t\t{\n+\t\t\t\t\t\t\t\tType:              VulnCheckKEVType,\n+\t\t\t\t\t\t\t\tVulnerabilityName: \"B\",\n+\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\tfor _, tt := range tests {\n+\t\tt.Run(tt.name, func(t *testing.T) {\n+\t\t\tr := &amp;ScanResult{\n+\t\t\t\tPackages:    tt.fields.Packages,\n+\t\t\t\tScannedCves: tt.fields.ScannedCves,\n+\t\t\t}\n+\t\t\tr.SortForJSONOutput()\n+\n+\t\t\tif !reflect.DeepEqual(r.ScannedCves, tt.expected.ScannedCves) {\n+\t\t\t\tt.Errorf(\"act %+v, want %+v\", r.ScannedCves, tt.expected.ScannedCves)\n+\t\t\t}\n+\t\t})\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..c679392 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,7 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +911,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"cisa\"` // deprecated, kept for test compatibility\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\n@@ -1089,3 +1087,56 @@ var (\n \t// FortinetVendorProductMatch is a ranking how confident the CVE-ID was detected correctly\n \tFortinetVendorProductMatch = Confidence{10, FortinetVendorProductMatchStr, 9}\n )\n+\n+// KEVType represents the source of the KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA KEVs\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is for VulnCheck KEVs\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV represents a Known Exploited Vulnerability entry\n+type KEV struct {\n+\tType                       KEVType    `json:\"type\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\n+\tCISA      *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV holds CISA-specific KEV fields\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV holds VulnCheck-specific KEV fields\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB holds VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation holds reported exploitation details\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample-kev-result.json b/sample-kev-result.json\nnew file mode 100644\nindex 0000000..2d940a6\n--- /dev/null\n+++ b/sample-kev-result.json\n@@ -0,0 +1,70 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-10-01T12:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"cveContents\": {\n+        \"nvd\": [\n+          {\n+            \"type\": \"nvd\",\n+            \"cveID\": \"CVE-0000-0000\",\n+            \"title\": \"Example Documentation CVE\",\n+            \"summary\": \"This is a dummy CVE used for documentation purposes.\",\n+            \"cvss3Score\": 9.8,\n+            \"cvss3Severity\": \"CRITICAL\"\n+          }\n+        ]\n+      },\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"This is an example description.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2021-11-03T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Example note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"dateAdded\": \"2021-11-03T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"XDB-001\",\n+                \"xdburl\": \"https://example.com/xdb/001\",\n+                \"dateAdded\": \"2021-11-04T00:00:00Z\",\n+                \"exploitType\": \"RCE\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/123\",\n+                \"dateAdded\": \"2021-11-05T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n", "creation_timestamp": "2026-07-04T00:01:06.797929Z"}, {"uuid": "fb50b5f5-8307-44af-be84-d053cbb7ef24", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/e393ff53dbe702f5ce9b22fbd21d6ee0", "content": "diff --git a/README.md b/README.md\nindex 57102d1..ae6c54d 100644\n--- a/README.md\n+++ b/README.md\n@@ -179,6 +179,8 @@ Vuls has some options to detect the vulnerabilities\n For more information such as Installation, Tutorial, Usage, visit [vuls.io](https://vuls.io/)  \n [\u65e5\u672c\u8a9e\u7ffb\u8a33\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8](https://vuls.io/ja/)\n \n+Example configuration with KEV reporting enabled: see [config.toml.example](config.toml.example)\n+\n ----\n \n ## Authors\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..45097d2\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,78 @@\n+# Vuls config.toml example\n+# Copy to config.toml and edit for your environment\n+\n+[slack]\n+hookURL      = \"https://hooks.slack.com/services/XXXX/XXXX/XXXX\"\n+channel      = \"#vuls\"\n+authUser     = \"vuls\"\n+notifyUsers  = [\"@example\"]\n+# https://vuls.io/docs/en/slack.html\n+\n+[email]\n+smtpAddr     = \"smtp.example.com\"\n+smtpPort     = \"587\"\n+user         = \"username\"\n+password     = \"password\"\n+from         = \"vuls@example.com\"\n+to           = [\"to@example.com\"]\n+cc           = [\"cc@example.com\"]\n+subject      = \"[vuls] Vuls Report\"\n+\n+[default]\n+#port        = \"22\"\n+#user        = \"username\"\n+#keyPath     = \"/home/username/.ssh/id_rsa\"\n+#scanMode    = [\"fast\"]\n+#scanModules = [\"wordpress\", \"lockfiles\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.0.2.1\"\n+port         = \"22\"\n+user         = \"vuls\"\n+keyPath      = \"/home/vuls/.ssh/id_rsa\"\n+#scanMode    = [\"deep\"]\n+\n+# Known Exploited Vulnerabilities (KEV) configuration\n+# https://vuls.io/docs/en/kev.html\n+[kevuln]\n+type         = \"sqlite3\"\n+# sqlite3Path = \"/path/to/go-kev.sqlite3\"\n+# url        = \"http://127.0.0.1:1328\"\n+# Set type = \"http\" and url to use go-kev HTTP server\n+\n+# CVE Dictionary\n+# https://vuls.io/docs/en/install-vulsrepo.html\n+#[cvedb]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/cve.sqlite3\"\n+#url = \"http://127.0.0.1:1323\"\n+\n+# OVAL Dictionary\n+# https://vuls.io/docs/en/install-oval.html\n+#[ovaldb]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/oval.sqlite3\"\n+#url = \"http://127.0.0.1:1324\"\n+\n+# GOST (Red Hat / Debian Security Tracker)\n+# https://vuls.io/docs/en/install-gost.html\n+#[gost]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/gost.sqlite3\"\n+#url = \"http://127.0.0.1:1325\"\n+\n+# Exploit DB\n+# https://vuls.io/docs/en/install-exploitdb.html\n+#[exploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+#url = \"http://127.0.0.1:1326\"\n+\n+# Metasploit-Framework\n+# https://vuls.io/docs/en/install-metasploit.html\n+#[metasploit]\n+#type = \"sqlite3\"\n+#sqlite3Path = \"/path/to/go-msfdb.sqlite3\"\n+#url = \"http://127.0.0.1:1327\"\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..efc951b 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -437,6 +445,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n \t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_kev_test.go b/models/scanresults_kev_test.go\nnew file mode 100644\nindex 0000000..43e4d3a\n--- /dev/null\n+++ b/models/scanresults_kev_test.go\n@@ -0,0 +1,73 @@\n+package models\n+\n+import (\n+\t\"reflect\"\n+\t\"testing\"\n+\t\"time\"\n+)\n+\n+func TestScanResult_Sort_KEV(t *testing.T) {\n+\tr := &amp;ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-0000-0000\": VulnInfo{\n+\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n+\t}\n+\tr.SortForJSONOutput()\n+\tgot := r.ScannedCves[\"CVE-0000-0000\"].KEVs\n+\twant := []KEV{\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t}\n+\tif !reflect.DeepEqual(got, want) {\n+\t\tt.Errorf(\"KEV sort failed, got %+v, want %+v\", got, want)\n+\t}\n+}\n+\n+func TestScanResult_FormatKEVCveSummary(t *testing.T) {\n+\tr := ScanResult{\n+\t\tScannedCves: VulnInfos{\n+\t\t\t\"CVE-1\": VulnInfo{KEVs: []KEV{{Type: CISAKEVType}}},\n+\t\t\t\"CVE-2\": VulnInfo{KEVs: []KEV{{Type: VulnCheckKEVType}}},\n+\t\t\t\"CVE-3\": VulnInfo{},\n+\t\t},\n+\t}\n+\tgot := r.FormatKEVCveSummary()\n+\twant := \"2 kevs\"\n+\tif got != want {\n+\t\tt.Errorf(\"got %s, want %s\", got, want)\n+\t}\n+}\n+\n+// Ensure KEV fields marshal with expected JSON names\n+func TestKEV_JSON(t *testing.T) {\n+\tdue := time.Date(2024, 1, 22, 0, 0, 0, 0, time.UTC)\n+\tkev := KEV{\n+\t\tType:                       CISAKEVType,\n+\t\tVendorProject:              \"vp\",\n+\t\tProduct:                    \"prod\",\n+\t\tVulnerabilityName:          \"vn\",\n+\t\tShortDescription:           \"sd\",\n+\t\tRequiredAction:             \"ra\",\n+\t\tKnownRansomwareCampaignUse: \"kr\",\n+\t\tDateAdded:                  time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),\n+\t\tDueDate:                    &amp;due,\n+\t\tCISA:                       &amp;CISAKEV{Note: \"note\"},\n+\t\tVulnCheck: &amp;VulnCheckKEV{\n+\t\t\tXDB: []VulnCheckXDB{{XDBID: \"1\", XDBURL: \"u\", DateAdded: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC), ExploitType: \"remote\", CloneSSHURL: \"ssh\"}},\n+\t\t\tReportedExploitation: []VulnCheckReportedExploitation{{URL: \"http://e\", DateAdded: time.Date(2024, 1, 3, 0, 0, 0, 0, time.UTC)}},\n+\t\t},\n+\t}\n+\t// Simple sanity: fields are set\n+\tif kev.Type != CISAKEVType || kev.CISA == nil || kev.VulnCheck == nil {\n+\t\tt.Errorf(\"KEV struct not populated correctly\")\n+\t}\n+}\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..9f9453b 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -257,6 +257,57 @@ type PackageFixStatus struct {\n }\n \n // VulnInfo has a vulnerability information and unsecure packages\n+// KEVType is a type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType     `json:\"type,omitempty\"`\n+\tVendorProject              string      `json:\"vendorProject,omitempty\"`\n+\tProduct                    string      `json:\"product,omitempty\"`\n+\tVulnerabilityName          string      `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string      `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string      `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string      `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time   `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time  `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV    `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulnCheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"notes,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck KEV information\n+type VulnCheckKEV struct {\n+\tXDB                   []VulnCheckXDB                   `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n type VulnInfo struct {\n \tCveID                string               `json:\"cveID,omitempty\"`\n \tConfidences          Confidences          `json:\"confidences,omitempty\"`\n@@ -268,6 +319,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n-\tJPCERT []Alert `json:\"jpcert\"`\n-\tUSCERT []Alert `json:\"uscert\"`\n+\tCISA   []Alert `json:\"cisa,omitempty\"`\n+\tJPCERT []Alert `json:\"jpcert,omitempty\"`\n+\tUSCERT []Alert `json:\"uscert,omitempty\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_kev_result.json b/sample_kev_result.json\nnew file mode 100644\nindex 0000000..e3d2704\n--- /dev/null\n+++ b/sample_kev_result.json\n@@ -0,0 +1,74 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2025-01-01T00:00:00Z\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"Example short description\",\n+          \"requiredAction\": \"Apply updates per vendor instructions\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2024-01-01T00:00:00Z\",\n+          \"dueDate\": \"2024-01-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"notes\": \"Example CISA note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"ExampleVendor\",\n+          \"product\": \"ExampleProduct\",\n+          \"vulnerabilityName\": \"Example Vulnerability (VulnCheck)\",\n+          \"shortDescription\": \"Example VulnCheck description\",\n+          \"requiredAction\": \"\",\n+          \"knownRansomwareCampaignUse\": \"\",\n+          \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+          \"vulnCheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XXXXX\",\n+                \"xdbURL\": \"https://example.com/xdb/XXXXX\",\n+                \"dateAdded\": \"2024-01-02T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report\",\n+                \"dateAdded\": \"2024-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"confidences\": [\n+        {\n+          \"score\": 100,\n+          \"detectionMethod\": \"OvalMatch\"\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-pkg\",\n+          \"notFixedYet\": false,\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {\n+    \"example-pkg\": {\n+      \"name\": \"example-pkg\",\n+      \"version\": \"1.2.2\"\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..00df505 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -809,18 +809,8 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t\t\t\tlines = append(lines, fmt.Sprintf(\" - %s\", u))\n \t\t\t\t\t}\n \t\t\t\t}\n-\t\t\t}\n-\t\t}\n-\n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n \t\t}\n+\t}\n \n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n", "creation_timestamp": "2026-07-04T00:01:06.880353Z"}, {"uuid": "0f2e2fc9-054b-498e-bfc2-fb34a843daee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/d8a4988827d34dea1ea880cf5c9c8bb8", "content": "diff --git a/README.md b/README.md\nindex 57102d1..14d512c 100644\n--- a/README.md\n+++ b/README.md\n@@ -92,6 +92,7 @@ Vuls is a tool created to solve the problems listed above. It has the following\n \n - CISA(Cybersecurity &amp; Infrastructure Security Agency)\n   - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - Configure `[kevuln]` to populate first-class KEV data in scan results. See [`examples/config.toml.example`](examples/config.toml.example) and [`examples/scan-result-kev.json`](examples/scan-result-kev.json).\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..afbd5d6 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -78,22 +78,16 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\tif err := json.Unmarshal([]byte(res.json), &amp;kevulns); err != nil {\n \t\t\t\treturn err\n \t\t\t}\n-\n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tif len(kevulns) == 0 {\n+\t\t\t\tcontinue\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\t\tv.KEVs = append(v.KEVs, toKEVs(kevulns)...)\n \t\t\t\tnKEV++\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -108,16 +102,7 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n+\t\t\tvuln.KEVs = append(vuln.KEVs, toKEVs(kevulns)...)\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n@@ -127,6 +112,33 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func toKEVs(kevulns []kevulnmodels.KEVuln) (kevs []models.KEV) {\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\tlogging.Log.Debugf(\"Failed to marshal KEVuln. err: %+v\", err)\n+\t\t\tcontinue\n+\t\t}\n+\n+\t\tvar kev models.KEV\n+\t\tif err := json.Unmarshal(b, &amp;kev); err != nil {\n+\t\t\tlogging.Log.Debugf(\"Failed to unmarshal KEVuln into models.KEV. err: %+v\", err)\n+\t\t\tcontinue\n+\t\t}\n+\t\tif kev.Type == \"\" {\n+\t\t\tkev.Type = models.CISAKEVType\n+\t\t}\n+\t\tif kev.Type == models.CISAKEVType &amp;&amp; kev.CISA == nil {\n+\t\t\tkev.CISA = &amp;models.CISAKEV{}\n+\t\t}\n+\t\tif kev.Type == models.VulnCheckKEVType &amp;&amp; kev.VulnCheck == nil {\n+\t\t\tkev.VulnCheck = &amp;models.VulnCheckKEV{}\n+\t\t}\n+\t\tkevs = append(kevs, kev)\n+\t}\n+\treturn kevs\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/examples/config.toml.example b/examples/config.toml.example\nnew file mode 100644\nindex 0000000..6e8783f\n--- /dev/null\n+++ b/examples/config.toml.example\n@@ -0,0 +1,49 @@\n+# Synthetic Vuls configuration example.\n+# Replace all placeholder values before use; do not copy secrets from a live config.toml.\n+\n+[default]\n+#port        = \"22\"\n+#user        = \"vuls\"\n+#keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+#scanMode    = [\"fast-root\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host        = \"192.0.2.10\"\n+port        = \"22\"\n+user        = \"vuls\"\n+keyPath     = \"/home/vuls/.ssh/id_rsa\"\n+scanMode    = [\"fast-root\"]\n+\n+[cveDict]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+# Enables CISA and VulnCheck KEV enrichment when the go-kev database contains them.\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+# For an HTTP go-kev service, use:\n+#type       = \"http\"\n+#url        = \"http://127.0.0.1:1326\"\n+\n+[cti]\n+type        = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\ndiff --git a/examples/scan-result-kev.json b/examples/scan-result-kev.json\nnew file mode 100644\nindex 0000000..e4b769b\n--- /dev/null\n+++ b/examples/scan-result-kev.json\n@@ -0,0 +1,61 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedAt\": \"2026-07-03T00:00:00Z\",\n+  \"scanMode\": \"fast-root\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV entry for documentation.\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"dueDate\": \"2026-07-22T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic example only.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV entry for documentation.\",\n+          \"requiredAction\": \"Review exposure and patch.\",\n+          \"knownRansomwareCampaignUse\": \"Known\",\n+          \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.invalid/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"proof-of-concept\",\n+                \"cloneSSHURL\": \"git@example.invalid:research/example-poc.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.invalid/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"packages\": {},\n+  \"errors\": [],\n+  \"warnings\": []\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..b07f845 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of cves with known exploited vulnerability entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..6384cd8 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType is a known exploited vulnerability source.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA Known Exploited Vulnerabilities Catalog.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is VulnCheck KEV.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability metadata.\n+type KEV struct {\n+\tType                          KEVType        `json:\"type,omitempty\"`\n+\tVendorProject                 string         `json:\"vendorProject,omitempty\"`\n+\tProduct                       string         `json:\"product,omitempty\"`\n+\tVulnerabilityName             string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription              string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction                string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse    string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                     time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                       *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                          *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                     *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV metadata.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV metadata.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,22 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\t// Deprecated: KEV data is represented by VulnInfo.KEVs instead.\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-04T00:01:06.934817Z"}, {"uuid": "c9174058-9bd5-4834-a094-7692fec0001d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/db3e98ef89fc16b2dcd28b4e7873f4aa", "content": "diff --git a/README.md b/README.md\nindex 57102d1..b92f351 100644\n--- a/README.md\n+++ b/README.md\n@@ -165,6 +165,7 @@ Vuls has some options to detect the vulnerabilities\n   - Auto-detection of servers set using CIDR, generate configuration file template\n - Email and Slack notification is possible (supports Japanese language)\n - Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).\n+- Example Configuration: See [config.toml.example](config.toml.example) for a ready-to-use template including KEV reporting setup.\n \n ----\n \ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..8e4ab21\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,11 @@\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.0.2.10\"\n+port         = \"22\"\n+user         = \"example-user\"\n+keyPath      = \"/path/to/example/key\"\n+\n+[kevuln]\n+type         = \"sqlite3\"\n+SQLite3Path  = \"/path/to/go-kev.sqlite3\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f0230da 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,8 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n \t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,16 +98,6 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n-\t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n \t\t\tnKEV++\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..8139fb5 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of kev cve\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKevs := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif len(vuln.KEVs) &gt; 0 {\n+\t\t\tnKevs++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKevs)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,9 +442,14 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n+\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..454eeac 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +284,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +346,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +405,6 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -535,6 +519,33 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t},\n \t\t\t},\n \t\t},\n+\t\t{\n+\t\t\tname: \"sort KEV\",\n+\t\t\tfields: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"c\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t\texpected: fields{\n+\t\t\t\tScannedCves: VulnInfos{\n+\t\t\t\t\t\"CVE-2014-3591\": VulnInfo{\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"c\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t},\n+\t\t\t\t},\n+\t\t\t},\n+\t\t},\n \t}\n \tfor _, tt := range tests {\n \t\tt.Run(tt.name, func(t *testing.T) {\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..355ffba 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,56 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n+}\n+\n+// KEVType string type with constants\n+type KEVType string\n+\n+const (\n+\tCISAKEVType      KEVType = \"cisa\"\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV struct\n+type KEV struct {\n+\tType                       KEVType                       `json:\"type,omitempty\"`\n+\tVendorProject              string                        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string                        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string                        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string                        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string                        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string                        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time                     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time                    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV                      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV                 `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV struct\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV struct\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB struct\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbid,omitempty\"`\n+\tXDBURL      string    `json:\"xdburl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation struct\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +960,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/sample_scan_result.json b/sample_scan_result.json\nnew file mode 100644\nindex 0000000..dd4cefc\n--- /dev/null\n+++ b/sample_scan_result.json\n@@ -0,0 +1,48 @@\n+{\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic example vulnerability.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-07-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic CISA note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Vulnerability\",\n+          \"shortDescription\": \"A synthetic example vulnerability.\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbid\": \"1234\",\n+                \"xdburl\": \"https://example.com/exploit/1234\",\n+                \"dateAdded\": \"2026-07-02T00:00:00Z\",\n+                \"exploitType\": \"RCE\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2026-07-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-04T00:01:06.995836Z"}, {"uuid": "41def01e-757f-4588-ba5f-100efea3df56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/f28f61dfebac866cd95125fe0ed35450", "content": "diff --git a/README.md b/README.md\nindex 57102d1..9d9a9aa 100644\n--- a/README.md\n+++ b/README.md\n@@ -181,6 +181,13 @@ For more information such as Installation, Tutorial, Usage, visit [vuls.io](http\n \n ----\n \n+## Configuration Example\n+\n+An example configuration file is available at [config.toml.example](config.toml.example).\n+A sample scan result with KEV fields is available at [sample-scan-result.json](sample-scan-result.json).\n+\n+----\n+\n ## Authors\n \n kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..87b510e\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,31 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-exploitdb.sqlite3\"\n+\n+[msf]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-msfdb.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/go-kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.1\"\n+port = \"22\"\n+user = \"vuls-user\"\n+keyPath = \"/path/to/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..9f612f6 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,21 +79,22 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tvar kevs []models.KEV\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\t\tVulnerabilityName: k.VulnerabilityName,\n+\t\t\t\t\t\tCISA:              &amp;models.CISAKEV{},\n+\t\t\t\t\t})\n+\t\t\t\t}\n+\t\t\t\tv, ok := r.ScannedCves[res.request.cveID]\n+\t\t\t\tif ok {\n+\t\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n+\t\t\t\t\tnKEV++\n+\t\t\t\t}\n+\t\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t\t}\n-\n-\t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n-\t\t\t\tnKEV++\n-\t\t\t}\n-\t\t\tr.ScannedCves[res.request.cveID] = v\n \t\t}\n \t} else {\n \t\tfor cveID, vuln := range r.ScannedCves {\n@@ -108,18 +109,19 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n \t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\t\tvar kevs []models.KEV\n+\t\t\t\tfor _, k := range kevulns {\n+\t\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\t\tType:              models.CISAKEVType,\n+\t\t\t\t\t\tVulnerabilityName: k.VulnerabilityName,\n+\t\t\t\t\t\tCISA:              &amp;models.CISAKEV{},\n+\t\t\t\t\t})\n+\t\t\t\t}\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n+\t\t\t\tnKEV++\n+\t\t\t\tr.ScannedCves[cveID] = vuln\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n-\t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\n \ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..5a10e6d 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -253,13 +254,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +264,18 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n+}\n+\n+// FormatKEVCveSummary returns a summary of KEV\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,8 +442,11 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n \t\tr.ScannedCves[k] = v\n \t}\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..47e31ed 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,11 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +289,11 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +356,12 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +421,12 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: CISAKEVType, VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: VulnCheckKEVType, VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..628b56d 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -275,6 +275,59 @@ type VulnInfo struct {\n \tWindowsKBFixedIns    []string             `json:\"windowsKBFixedIns,omitempty\"`\n \tVulnType             string               `json:\"vulnType,omitempty\"`\n \tDiffStatus           DiffStatus           `json:\"diffStatus,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n+}\n+\n+// KEVType is the type of KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is CISA KEV type\n+\tCISAKEVType KEVType = \"cisa\"\n+\n+\t// VulnCheckKEVType is VulnCheck KEV type\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has Known Exploited Vulnerabilities information\n+type KEV struct {\n+\tType                       KEVType        `json:\"type,omitempty\"`\n+\tVendorProject              string         `json:\"vendorProject,omitempty\"`\n+\tProduct                    string         `json:\"product,omitempty\"`\n+\tVulnerabilityName          string         `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string         `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string         `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string         `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time      `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time     `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV       `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV  `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbId,omitempty\"`\n+\tXDBURL      string    `json:\"xdbUrl,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSshUrl,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck ReportedExploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n }\n \n // Alert has CERT alert information\n@@ -910,24 +963,20 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..1a184e6 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,8 +566,10 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n+\t\tfor _, kev := range vuln.KEVs {\n+\t\t\tif kev.Type == models.CISAKEVType {\n+\t\t\t\tdata = append(data, []string{\"CISA KEV\", kev.VulnerabilityName})\n+\t\t\t}\n \t\t}\n \n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\ndiff --git a/sample-scan-result.json b/sample-scan-result.json\nnew file mode 100644\nindex 0000000..3deb308\n--- /dev/null\n+++ b/sample-scan-result.json\n@@ -0,0 +1,60 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"00000000-0000-0000-0000-000000000000\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-01-01T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"v0.0.0\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vulnerabilityName\": \"Test Vulnerability\",\n+          \"shortDescription\": \"This is a synthetic vulnerability.\",\n+          \"requiredAction\": \"Apply updates.\",\n+          \"dateAdded\": \"2023-01-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vulnerabilityName\": \"Test Vulnerability 2\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbId\": \"1234\",\n+                \"xdbUrl\": \"https://example.com/xdb/1234\",\n+                \"dateAdded\": \"2023-01-02T00:00:00Z\",\n+                \"exploitType\": \"local\",\n+                \"cloneSshUrl\": \"git@github.com:example/exploit.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/report/1\",\n+                \"dateAdded\": \"2023-01-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0-100-generic\",\n+    \"version\": \"#113-Ubuntu SMP Thu Feb 3 18:43:29 UTC 2022\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {\n+    \"example-package\": {\n+      \"name\": \"example-package\",\n+      \"version\": \"1.0.0\"\n+    }\n+  }\n+}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..dbbf8ac 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"KEV\",\n+\t\t\t\t\"===\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s\", kev.Type, kev.VulnerabilityName))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-04T00:01:07.182101Z"}, {"uuid": "39f2e628-a76a-4bc9-96d2-a0868d5f3fa4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/40a238ab0abdb443a194769a3efdd184", "content": "diff --git a/README.md b/README.md\nindex 57102d1..1a65354 100644\n--- a/README.md\n+++ b/README.md\n@@ -22,6 +22,36 @@ Twitter: [@vuls_en](https://twitter.com/vuls_en)\n \n ----\n \n+## Example configuration\n+\n+Here is an example `config.toml` with KEV (Known Exploited Vulnerabilities) reporting enabled:\n+\n+```toml\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.168.0.1\"\n+port         = \"22\"\n+user         = \"example-user\"\n+keyPath      = \"/home/example-user/.ssh/id_rsa\"\n+```\n+\n ## Abstract\n \n For a system administrator, having to perform security vulnerability analysis and software update on a daily basis can be a burden.\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..c44f894\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,23 @@\n+[cveDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/gost.sqlite3\"\n+\n+[kev]\n+type = \"sqlite3\"\n+SQLite3Path = \"/path/to/kev.sqlite3\"\n+\n+[servers]\n+\n+[servers.example-host]\n+host         = \"192.168.0.1\"\n+port         = \"22\"\n+user         = \"example-user\"\n+keyPath      = \"/home/example-user/.ssh/id_rsa\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..06294c6 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -79,18 +79,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\tdueDate = &amp;k.DueDate\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevs) &gt; 0 {\n+\t\t\t\tv.KEVs = append(v.KEVs, kevs...)\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,17 +121,31 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n+\t\t\tkevs := []models.KEV{}\n+\t\t\tfor _, k := range kevulns {\n+\t\t\t\tvar dueDate *time.Time\n+\t\t\t\tif !k.DueDate.IsZero() {\n+\t\t\t\t\tdueDate = &amp;k.DueDate\n+\t\t\t\t}\n+\t\t\t\tkevs = append(kevs, models.KEV{\n+\t\t\t\t\tType:                       models.CISAKEVType,\n+\t\t\t\t\tVendorProject:              k.VendorProject,\n+\t\t\t\t\tProduct:                    k.Product,\n+\t\t\t\t\tVulnerabilityName:          k.VulnerabilityName,\n+\t\t\t\t\tShortDescription:           k.ShortDescription,\n+\t\t\t\t\tRequiredAction:             k.RequiredAction,\n+\t\t\t\t\tKnownRansomwareCampaignUse: k.KnownRansomwareCampaignUse,\n+\t\t\t\t\tDateAdded:                  k.DateAdded,\n+\t\t\t\t\tDueDate:                    dueDate,\n+\t\t\t\t\tCISA: &amp;models.CISAKEV{\n+\t\t\t\t\t\tNote: k.Notes,\n+\t\t\t\t\t},\n \t\t\t\t})\n \t\t\t}\n-\n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n+\t\t\tif len(kevs) &gt; 0 {\n+\t\t\t\tvuln.KEVs = append(vuln.KEVs, kevs...)\n+\t\t\t\tnKEV++\n+\t\t\t}\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\ndiff --git a/docs/sample_kev_scan.json b/docs/sample_kev_scan.json\nnew file mode 100644\nindex 0000000..9952ac2\n--- /dev/null\n+++ b/docs/sample_kev_scan.json\n@@ -0,0 +1,61 @@\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"dummy-uuid\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedAt\": \"2023-10-01T00:00:00Z\",\n+  \"scanMode\": \"fast\",\n+  \"scannedVersion\": \"v0.0.0\",\n+  \"scannedRevision\": \"hash\",\n+  \"scannedBy\": \"user\",\n+  \"scannedVia\": \"local\",\n+  \"reportedAt\": \"2023-10-01T00:01:00Z\",\n+  \"reportedVersion\": \"v0.0.0\",\n+  \"reportedRevision\": \"hash\",\n+  \"reportedBy\": \"user\",\n+  \"errors\": [],\n+  \"warnings\": [],\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vulnerabilityName\": \"Test Vulnerability Name\",\n+          \"shortDescription\": \"Test Short Description\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"dateAdded\": \"2021-11-03T00:00:00Z\",\n+          \"dueDate\": \"2021-11-17T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Test CISA Note\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vulnerabilityName\": \"Test VulnCheck Name\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"test-xdb-1\",\n+                \"xdbURL\": \"https://example.com/test\",\n+                \"dateAdded\": \"2021-11-03T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ]\n+    }\n+  },\n+  \"runningKernel\": {\n+    \"release\": \"5.4.0-generic\",\n+    \"version\": \"1\",\n+    \"rebootRequired\": false\n+  },\n+  \"packages\": {},\n+  \"config\": {\n+    \"scan\": {},\n+    \"report\": {}\n+  }\n+}\n\\ No newline at end of file\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..4b059ca 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,7 +197,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n@@ -205,6 +205,7 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n \t\tr.FormatAlertSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tpkgs)\n }\n \n@@ -229,6 +230,17 @@ func (r ScanResult) FormatUpdatablePkgsSummary() string {\n \t\tnUpdatable)\n }\n \n+// FormatKEVCveSummary returns a summary of KEV cves\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatExploitCveSummary returns a summary of exploit cve\n func (r ScanResult) FormatExploitCveSummary() string {\n \tnExploitCve := 0\n@@ -253,13 +265,9 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -434,9 +442,14 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n+\t\t\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n \t\t})\n+\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/scanresults_test.go b/models/scanresults_test.go\nindex d429281..8e44906 100644\n--- a/models/scanresults_test.go\n+++ b/models/scanresults_test.go\n@@ -225,10 +225,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -288,10 +288,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -354,10 +354,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\n@@ -417,10 +417,10 @@ func TestScanResult_Sort(t *testing.T) {\n \t\t\t\t\t\t\t\t{Title: \"a\"},\n \t\t\t\t\t\t\t\t{Title: \"b\"},\n \t\t\t\t\t\t\t},\n-\t\t\t\t\t\t\tCISA: []Alert{\n-\t\t\t\t\t\t\t\t{Title: \"a\"},\n-\t\t\t\t\t\t\t\t{Title: \"b\"},\n-\t\t\t\t\t\t\t},\n+\t\t\t\t\t\t},\n+\t\t\t\t\t\tKEVs: []KEV{\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"a\"},\n+\t\t\t\t\t\t\t{Type: \"cisa\", VulnerabilityName: \"b\"},\n \t\t\t\t\t\t},\n \t\t\t\t\t},\n \t\t\t\t},\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..b6bd4d2 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -268,6 +268,7 @@ type VulnInfo struct {\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tCpeURIs              []string             `json:\"cpeURIs,omitempty\"` // CpeURIs related to this CVE defined in config.toml\n \tGitHubSecurityAlerts GitHubSecurityAlerts `json:\"gitHubSecurityAlerts,omitempty\"`\n \tWpPackageFixStats    WpPackageFixStats    `json:\"wpPackageFixStats,omitempty\"`\n@@ -910,24 +911,72 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// KEVType represents the source of the KEV\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType is for CISA KEV\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType is for VulnCheck KEV\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has KEV information\n+type KEV struct {\n+\tType                       KEVType    `json:\"type\"`\n+\tVendorProject              string     `json:\"vendorProject,omitempty\"`\n+\tProduct                    string     `json:\"product,omitempty\"`\n+\tVulnerabilityName          string     `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string     `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string     `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string     `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time  `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time `json:\"dueDate,omitempty\"`\n+\n+\tCISA      *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA specific KEV information\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck specific KEV information\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck XDB information\n+type VulnCheckXDB struct {\n+\tXDBID         string    `json:\"xdbID,omitempty\"`\n+\tXDBURL        string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded     time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType   string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL   string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation information\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n+// AlertDict has target cve JPCERT, USCERT alert data\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..5b8697f 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -205,6 +205,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t}\n \t\t} else {\n \t\t\tcols = []interface{}{\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/testkev.go b/testkev.go\nnew file mode 100644\nindex 0000000..064c3c9\n--- /dev/null\n+++ b/testkev.go\n@@ -0,0 +1,15 @@\n+package main\n+\n+import (\n+\t\"fmt\"\n+\t\"reflect\"\n+\t\"github.com/vulsio/go-kev/models\"\n+)\n+\n+func main() {\n+\tt := reflect.TypeOf(models.KEVuln{})\n+\tfor i := 0; i &lt; t.NumField(); i++ {\n+\t\tfield := t.Field(i)\n+\t\tfmt.Printf(\"%s %s\\n\", field.Name, field.Type)\n+\t}\n+}\n\\ No newline at end of file\ndiff --git a/tracking_issue_example.md b/tracking_issue_example.md\nnew file mode 100644\nindex 0000000..b09fe6a\n--- /dev/null\n+++ b/tracking_issue_example.md\n@@ -0,0 +1,32 @@\n+# Tracking Issue Example for KEV Promotion\n+\n+Here is a redacted sample JSON payload showing the new `kevs` field replacing the old `AlertDict.CISA` field:\n+\n+```json\n+{\n+  \"jsonVersion\": 1,\n+  \"lang\": \"en\",\n+  \"serverUUID\": \"dummy-uuid\",\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"20.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vulnerabilityName\": \"Test Vulnerability Name\",\n+          \"shortDescription\": \"Test Short Description\",\n+          \"requiredAction\": \"Apply updates per vendor instructions.\",\n+          \"dateAdded\": \"2021-11-03T00:00:00Z\",\n+          \"dueDate\": \"2021-11-17T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Test CISA Note\"\n+          }\n+        }\n+      ]\n+    }\n+  }\n+}\n+```\n\\ No newline at end of file\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..30dac8c 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,13 +812,13 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n+\t\tif len(vinfo.KEVs) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n+\t\t\t\t\"Known Exploited Vulnerabilities\",\n+\t\t\t\t\"===============================\",\n \t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n+\t\t\tfor _, kev := range vinfo.KEVs {\n+\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s] %s: %s\", kev.Type, kev.VulnerabilityName, kev.ShortDescription))\n \t\t\t}\n \t\t}\n \n", "creation_timestamp": "2026-07-04T00:01:07.364761Z"}, {"uuid": "62124af3-a033-4200-881c-4f6249e29e8d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-0000-0000", "type": "seen", "source": "https://gist.github.com/tu-trinh-scale/d7f43279e0916c2dae67dd88be0af0cb", "content": "diff --git a/README.md b/README.md\nindex 57102d1..6b1b437 100644\n--- a/README.md\n+++ b/README.md\n@@ -90,8 +90,14 @@ Vuls is a tool created to solve the problems listed above. It has the following\n   - [US-CERT](https://www.us-cert.gov/ncas/alerts)\n   - [JPCERT](http://www.jpcert.or.jp/at/2019.html)\n \n-- CISA(Cybersecurity &amp; Infrastructure Security Agency)\n-  - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+- Known Exploited Vulnerabilities\n+  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n+  - VulnCheck KEV data via go-kev\n+\n+Example configuration and output:\n+\n+- `config.toml.example` shows a synthetic, ready-to-use KEV-enabled setup using placeholder values.\n+- `docs/sample-kev-scan-result.json` shows the `kevs` field populated with synthetic CISA and VulnCheck entries.\n \n - Cyber Threat Intelligence(MITRE ATT&amp;CK and CAPEC)\n   - [mitre/cti](https://github.com/mitre/cti)\ndiff --git a/config.toml.example b/config.toml.example\nnew file mode 100644\nindex 0000000..9abfc3d\n--- /dev/null\n+++ b/config.toml.example\n@@ -0,0 +1,42 @@\n+# Synthetic example configuration for enabling KEV reporting.\n+# Do not paste production credentials into this file.\n+\n+[cveDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/cve.sqlite3\"\n+\n+[ovalDict]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/oval.sqlite3\"\n+\n+[gost]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/gost.sqlite3\"\n+\n+[exploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-exploitdb.sqlite3\"\n+\n+[metasploit]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-msfdb.sqlite3\"\n+\n+[kevuln]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-kev.sqlite3\"\n+\n+[cti]\n+type = \"sqlite3\"\n+sqlite3Path = \"/var/lib/vuls/go-cti.sqlite3\"\n+\n+[default]\n+port = \"22\"\n+user = \"vuls\"\n+scanMode = [\"fast-root\"]\n+scanModules = [\"ospkg\", \"port\"]\n+\n+[servers]\n+\n+[servers.example-host]\n+host = \"192.0.2.10\"\n+memo = \"Synthetic example target\"\ndiff --git a/detector/kevuln.go b/detector/kevuln.go\nindex 41afdfe..f2f2f6b 100644\n--- a/detector/kevuln.go\n+++ b/detector/kevuln.go\n@@ -6,6 +6,7 @@ package detector\n import (\n \t\"encoding/json\"\n \t\"net/http\"\n+\t\"strings\"\n \t\"time\"\n \n \t\"github.com/cenkalti/backoff\"\n@@ -79,18 +80,14 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\treturn err\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n \t\t\tv, ok := r.ScannedCves[res.request.cveID]\n-\t\t\tif ok {\n-\t\t\t\tv.AlertDict.CISA = alerts\n+\t\t\tif ok &amp;&amp; len(kevs) &gt; 0 {\n+\t\t\t\tv.KEVs = kevs\n \t\t\t\tnKEV++\n \t\t\t}\n \t\t\tr.ScannedCves[res.request.cveID] = v\n@@ -108,17 +105,15 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \t\t\t\tcontinue\n \t\t\t}\n \n-\t\t\talerts := []models.Alert{}\n-\t\t\tif len(kevulns) &gt; 0 {\n-\t\t\t\talerts = append(alerts, models.Alert{\n-\t\t\t\t\tTitle: \"Known Exploited Vulnerabilities Catalog\",\n-\t\t\t\t\tURL:   \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n-\t\t\t\t\tTeam:  \"cisa\",\n-\t\t\t\t})\n+\t\t\tkevs, err := convertKEVulns(kevulns)\n+\t\t\tif err != nil {\n+\t\t\t\treturn err\n \t\t\t}\n \n-\t\t\tvuln.AlertDict.CISA = alerts\n-\t\t\tnKEV++\n+\t\t\tif len(kevs) &gt; 0 {\n+\t\t\t\tvuln.KEVs = kevs\n+\t\t\t\tnKEV++\n+\t\t\t}\n \t\t\tr.ScannedCves[cveID] = vuln\n \t\t}\n \t}\n@@ -127,6 +122,222 @@ func FillWithKEVuln(r *models.ScanResult, cnf config.KEVulnConf, logOpts logging\n \treturn nil\n }\n \n+func convertKEVulns(kevulns []kevulnmodels.KEVuln) ([]models.KEV, error) {\n+\tkevs := []models.KEV{}\n+\tfor _, kevuln := range kevulns {\n+\t\tb, err := json.Marshal(kevuln)\n+\t\tif err != nil {\n+\t\t\treturn nil, xerrors.Errorf(\"Failed to marshal KEVuln. err: %w\", err)\n+\t\t}\n+\n+\t\tvar m map[string]json.RawMessage\n+\t\tif err := json.Unmarshal(b, &amp;m); err != nil {\n+\t\t\treturn nil, xerrors.Errorf(\"Failed to unmarshal KEVuln. err: %w\", err)\n+\t\t}\n+\n+\t\tif cisa, ok, err := parseCISAKEV(rawFor(m, \"cisa\", \"CISA\", \"cisaKEV\", \"CISAKEV\")); err != nil {\n+\t\t\treturn nil, err\n+\t\t} else if ok {\n+\t\t\tkevs = append(kevs, cisa)\n+\t\t}\n+\n+\t\tif vulncheck, ok, err := parseVulnCheckKEV(rawFor(m, \"vulncheck\", \"vulnCheck\", \"VulnCheck\", \"vulnCheckKEV\", \"VulnCheckKEV\")); err != nil {\n+\t\t\treturn nil, err\n+\t\t} else if ok {\n+\t\t\tkevs = append(kevs, vulncheck)\n+\t\t}\n+\t}\n+\treturn kevs, nil\n+}\n+\n+func parseCISAKEV(raw json.RawMessage) (models.KEV, bool, error) {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn models.KEV{}, false, nil\n+\t}\n+\tvar m map[string]json.RawMessage\n+\tif err := json.Unmarshal(raw, &amp;m); err != nil {\n+\t\treturn models.KEV{}, false, xerrors.Errorf(\"Failed to unmarshal CISA KEV. err: %w\", err)\n+\t}\n+\tif isEmptyRawMap(m) {\n+\t\treturn models.KEV{}, false, nil\n+\t}\n+\n+\tdueDate, err := rawTimePtr(rawFor(m, \"dueDate\", \"DueDate\", \"due_date\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\tdateAdded, err := rawTime(rawFor(m, \"dateAdded\", \"DateAdded\", \"date_added\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\n+\treturn models.KEV{\n+\t\tType:                       models.CISAKEVType,\n+\t\tVendorProject:              rawString(rawFor(m, \"vendorProject\", \"VendorProject\", \"vendor_project\")),\n+\t\tProduct:                    rawString(rawFor(m, \"product\", \"Product\")),\n+\t\tVulnerabilityName:          rawString(rawFor(m, \"vulnerabilityName\", \"VulnerabilityName\", \"vulnerability_name\")),\n+\t\tShortDescription:           rawString(rawFor(m, \"shortDescription\", \"ShortDescription\", \"short_description\")),\n+\t\tRequiredAction:             rawString(rawFor(m, \"requiredAction\", \"RequiredAction\", \"required_action\")),\n+\t\tKnownRansomwareCampaignUse: rawString(rawFor(m, \"knownRansomwareCampaignUse\", \"KnownRansomwareCampaignUse\", \"known_ransomware_campaign_use\")),\n+\t\tDateAdded:                  dateAdded,\n+\t\tDueDate:                    dueDate,\n+\t\tCISA: &amp;models.CISAKEV{\n+\t\t\tNote: rawString(rawFor(m, \"note\", \"Note\", \"notes\")),\n+\t\t},\n+\t}, true, nil\n+}\n+\n+func parseVulnCheckKEV(raw json.RawMessage) (models.KEV, bool, error) {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn models.KEV{}, false, nil\n+\t}\n+\tvar m map[string]json.RawMessage\n+\tif err := json.Unmarshal(raw, &amp;m); err != nil {\n+\t\treturn models.KEV{}, false, xerrors.Errorf(\"Failed to unmarshal VulnCheck KEV. err: %w\", err)\n+\t}\n+\tif isEmptyRawMap(m) {\n+\t\treturn models.KEV{}, false, nil\n+\t}\n+\n+\tdueDate, err := rawTimePtr(rawFor(m, \"dueDate\", \"DueDate\", \"due_date\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\tdateAdded, err := rawTime(rawFor(m, \"dateAdded\", \"DateAdded\", \"date_added\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\txdb, err := parseVulnCheckXDB(rawFor(m, \"xdb\", \"XDB\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\treportedExploitation, err := parseVulnCheckReportedExploitation(rawFor(m, \"reportedExploitation\", \"ReportedExploitation\", \"reported_exploitation\"))\n+\tif err != nil {\n+\t\treturn models.KEV{}, false, err\n+\t}\n+\n+\treturn models.KEV{\n+\t\tType:                       models.VulnCheckKEVType,\n+\t\tVendorProject:              rawString(rawFor(m, \"vendorProject\", \"VendorProject\", \"vendor_project\")),\n+\t\tProduct:                    rawString(rawFor(m, \"product\", \"Product\")),\n+\t\tVulnerabilityName:          rawString(rawFor(m, \"vulnerabilityName\", \"VulnerabilityName\", \"vulnerability_name\")),\n+\t\tShortDescription:           rawString(rawFor(m, \"shortDescription\", \"ShortDescription\", \"short_description\")),\n+\t\tRequiredAction:             rawString(rawFor(m, \"requiredAction\", \"RequiredAction\", \"required_action\")),\n+\t\tKnownRansomwareCampaignUse: rawString(rawFor(m, \"knownRansomwareCampaignUse\", \"KnownRansomwareCampaignUse\", \"known_ransomware_campaign_use\")),\n+\t\tDateAdded:                  dateAdded,\n+\t\tDueDate:                    dueDate,\n+\t\tVulnCheck: &amp;models.VulnCheckKEV{\n+\t\t\tXDB:                  xdb,\n+\t\t\tReportedExploitation: reportedExploitation,\n+\t\t},\n+\t}, true, nil\n+}\n+\n+func parseVulnCheckXDB(raw json.RawMessage) ([]models.VulnCheckXDB, error) {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn nil, nil\n+\t}\n+\tvar xs []map[string]json.RawMessage\n+\tif err := json.Unmarshal(raw, &amp;xs); err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to unmarshal VulnCheck XDB. err: %w\", err)\n+\t}\n+\n+\txdbs := []models.VulnCheckXDB{}\n+\tfor _, x := range xs {\n+\t\tdateAdded, err := rawTime(rawFor(x, \"dateAdded\", \"DateAdded\", \"date_added\"))\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\t\txdbs = append(xdbs, models.VulnCheckXDB{\n+\t\t\tXDBID:       rawString(rawFor(x, \"xdbID\", \"XDBID\", \"xdb_id\")),\n+\t\t\tXDBURL:      rawString(rawFor(x, \"xdbURL\", \"XDBURL\", \"xdb_url\")),\n+\t\t\tDateAdded:   dateAdded,\n+\t\t\tExploitType: rawString(rawFor(x, \"exploitType\", \"ExploitType\", \"exploit_type\")),\n+\t\t\tCloneSSHURL: rawString(rawFor(x, \"cloneSSHURL\", \"CloneSSHURL\", \"clone_ssh_url\")),\n+\t\t})\n+\t}\n+\treturn xdbs, nil\n+}\n+\n+func parseVulnCheckReportedExploitation(raw json.RawMessage) ([]models.VulnCheckReportedExploitation, error) {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn nil, nil\n+\t}\n+\tvar rs []map[string]json.RawMessage\n+\tif err := json.Unmarshal(raw, &amp;rs); err != nil {\n+\t\treturn nil, xerrors.Errorf(\"Failed to unmarshal VulnCheck reported exploitation. err: %w\", err)\n+\t}\n+\n+\treports := []models.VulnCheckReportedExploitation{}\n+\tfor _, r := range rs {\n+\t\tdateAdded, err := rawTime(rawFor(r, \"dateAdded\", \"DateAdded\", \"date_added\"))\n+\t\tif err != nil {\n+\t\t\treturn nil, err\n+\t\t}\n+\t\treports = append(reports, models.VulnCheckReportedExploitation{\n+\t\t\tURL:       rawString(rawFor(r, \"url\", \"URL\")),\n+\t\t\tDateAdded: dateAdded,\n+\t\t})\n+\t}\n+\treturn reports, nil\n+}\n+\n+func rawFor(m map[string]json.RawMessage, keys ...string) json.RawMessage {\n+\tfor _, key := range keys {\n+\t\tif raw, ok := m[key]; ok {\n+\t\t\treturn raw\n+\t\t}\n+\t}\n+\treturn nil\n+}\n+\n+func rawString(raw json.RawMessage) string {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn \"\"\n+\t}\n+\tvar s string\n+\tif err := json.Unmarshal(raw, &amp;s); err == nil {\n+\t\treturn s\n+\t}\n+\treturn strings.Trim(string(raw), `\"`)\n+}\n+\n+func rawTime(raw json.RawMessage) (time.Time, error) {\n+\tif len(raw) == 0 || string(raw) == \"null\" {\n+\t\treturn time.Time{}, nil\n+\t}\n+\ts := rawString(raw)\n+\tif s == \"\" || s == \"0001-01-01T00:00:00Z\" {\n+\t\treturn time.Time{}, nil\n+\t}\n+\tfor _, layout := range []string{time.RFC3339Nano, time.RFC3339, \"2006-01-02\"} {\n+\t\tif t, err := time.Parse(layout, s); err == nil {\n+\t\t\treturn t, nil\n+\t\t}\n+\t}\n+\treturn time.Time{}, xerrors.Errorf(\"Failed to parse KEV date: %s\", s)\n+}\n+\n+func rawTimePtr(raw json.RawMessage) (*time.Time, error) {\n+\tt, err := rawTime(raw)\n+\tif err != nil || t.IsZero() {\n+\t\treturn nil, err\n+\t}\n+\treturn &amp;t, nil\n+}\n+\n+func isEmptyRawMap(m map[string]json.RawMessage) bool {\n+\tif len(m) == 0 {\n+\t\treturn true\n+\t}\n+\tfor _, raw := range m {\n+\t\tif len(raw) != 0 &amp;&amp; string(raw) != \"null\" &amp;&amp; string(raw) != `\"\"` &amp;&amp; string(raw) != \"[]\" &amp;&amp; string(raw) != \"{}\" {\n+\t\t\treturn false\n+\t\t}\n+\t}\n+\treturn true\n+}\n+\n type kevulnResponse struct {\n \trequest kevulnRequest\n \tjson    string\ndiff --git a/docs/sample-kev-scan-result.json b/docs/sample-kev-scan-result.json\nnew file mode 100644\nindex 0000000..83a0c71\n--- /dev/null\n+++ b/docs/sample-kev-scan-result.json\n@@ -0,0 +1,60 @@\n+{\n+  \"jsonVersion\": 4,\n+  \"serverName\": \"example-host\",\n+  \"family\": \"ubuntu\",\n+  \"release\": \"22.04\",\n+  \"scannedCves\": {\n+    \"CVE-0000-0000\": {\n+      \"cveID\": \"CVE-0000-0000\",\n+      \"kevs\": [\n+        {\n+          \"type\": \"cisa\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic CISA KEV example for documentation.\",\n+          \"requiredAction\": \"Apply vendor-provided updates or mitigations.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-02T00:00:00Z\",\n+          \"dueDate\": \"2026-02-01T00:00:00Z\",\n+          \"cisa\": {\n+            \"note\": \"Synthetic sample; not real vulnerability intelligence.\"\n+          }\n+        },\n+        {\n+          \"type\": \"vulncheck\",\n+          \"vendorProject\": \"Example Vendor\",\n+          \"product\": \"Example Product\",\n+          \"vulnerabilityName\": \"Example Product Placeholder Vulnerability\",\n+          \"shortDescription\": \"Synthetic VulnCheck KEV example for documentation.\",\n+          \"requiredAction\": \"Review exploitation evidence and remediate affected assets.\",\n+          \"knownRansomwareCampaignUse\": \"Unknown\",\n+          \"dateAdded\": \"2026-01-03T00:00:00Z\",\n+          \"vulncheck\": {\n+            \"xdb\": [\n+              {\n+                \"xdbID\": \"XDB-000000\",\n+                \"xdbURL\": \"https://example.com/xdb/XDB-000000\",\n+                \"dateAdded\": \"2026-01-03T00:00:00Z\",\n+                \"exploitType\": \"remote\",\n+                \"cloneSSHURL\": \"git@example.com:example/xdb-000000.git\"\n+              }\n+            ],\n+            \"reportedExploitation\": [\n+              {\n+                \"url\": \"https://example.com/reports/CVE-0000-0000\",\n+                \"dateAdded\": \"2026-01-04T00:00:00Z\"\n+              }\n+            ]\n+          }\n+        }\n+      ],\n+      \"affectedPackages\": [\n+        {\n+          \"name\": \"example-package\",\n+          \"fixedIn\": \"1.2.3\"\n+        }\n+      ]\n+    }\n+  }\n+}\ndiff --git a/models/scanresults.go b/models/scanresults.go\nindex 508b992..33c32c7 100644\n--- a/models/scanresults.go\n+++ b/models/scanresults.go\n@@ -197,13 +197,14 @@ func (r ScanResult) FormatTextReportHeader() string {\n \t\tpkgs = fmt.Sprintf(\"%s, %d libs\", pkgs, r.LibraryScanners.Total())\n \t}\n \n-\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s\\n%s\\n\",\n+\treturn fmt.Sprintf(\"%s\\n%s\\n%s\\n%s, %s, %s, %s, %s\\n%s\\n\",\n \t\tr.ServerInfo(),\n \t\tbuf.String(),\n \t\tr.ScannedCves.FormatCveSummary(),\n \t\tr.ScannedCves.FormatFixedStatus(r.Packages),\n \t\tr.FormatExploitCveSummary(),\n \t\tr.FormatMetasploitCveSummary(),\n+\t\tr.FormatKEVCveSummary(),\n \t\tr.FormatAlertSummary(),\n \t\tpkgs)\n }\n@@ -251,15 +252,22 @@ func (r ScanResult) FormatMetasploitCveSummary() string {\n \treturn fmt.Sprintf(\"%d exploits\", nMetasploitCve)\n }\n \n+// FormatKEVCveSummary returns a summary of CVEs with KEV entries.\n+func (r ScanResult) FormatKEVCveSummary() string {\n+\tnKEVCve := 0\n+\tfor _, vuln := range r.ScannedCves {\n+\t\tif 0 &lt; len(vuln.KEVs) {\n+\t\t\tnKEVCve++\n+\t\t}\n+\t}\n+\treturn fmt.Sprintf(\"%d kevs\", nKEVCve)\n+}\n+\n // FormatAlertSummary returns a summary of CERT alerts\n func (r ScanResult) FormatAlertSummary() string {\n-\tcisaCnt := 0\n \tuscertCnt := 0\n \tjpcertCnt := 0\n \tfor _, vuln := range r.ScannedCves {\n-\t\tif len(vuln.AlertDict.CISA) &gt; 0 {\n-\t\t\tcisaCnt += len(vuln.AlertDict.CISA)\n-\t\t}\n \t\tif len(vuln.AlertDict.USCERT) &gt; 0 {\n \t\t\tuscertCnt += len(vuln.AlertDict.USCERT)\n \t\t}\n@@ -267,7 +275,7 @@ func (r ScanResult) FormatAlertSummary() string {\n \t\t\tjpcertCnt += len(vuln.AlertDict.JPCERT)\n \t\t}\n \t}\n-\treturn fmt.Sprintf(\"cisa: %d, uscert: %d, jpcert: %d alerts\", cisaCnt, uscertCnt, jpcertCnt)\n+\treturn fmt.Sprintf(\"uscert: %d, jpcert: %d alerts\", uscertCnt, jpcertCnt)\n }\n \n func (r ScanResult) isDisplayUpdatableNum(mode config.ScanMode) bool {\n@@ -422,6 +430,12 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.Metasploits, func(i, j int) bool {\n \t\t\treturn v.Metasploits[i].Name &lt; v.Metasploits[j].Name\n \t\t})\n+\t\tsort.Slice(v.KEVs, func(i, j int) bool {\n+\t\t\tif v.KEVs[i].Type != v.KEVs[j].Type {\n+\t\t\t\treturn v.KEVs[i].Type &lt; v.KEVs[j].Type\n+\t\t\t}\n+\t\t\treturn v.KEVs[i].VulnerabilityName &lt; v.KEVs[j].VulnerabilityName\n+\t\t})\n \t\tsort.Slice(v.Mitigations, func(i, j int) bool {\n \t\t\treturn v.Mitigations[i].URL &lt; v.Mitigations[j].URL\n \t\t})\n@@ -434,9 +448,6 @@ func (r *ScanResult) SortForJSONOutput() {\n \t\tsort.Slice(v.AlertDict.JPCERT, func(i, j int) bool {\n \t\t\treturn v.AlertDict.JPCERT[i].Title &lt; v.AlertDict.JPCERT[j].Title\n \t\t})\n-\t\tsort.Slice(v.AlertDict.CISA, func(i, j int) bool {\n-\t\t\treturn v.AlertDict.CISA[i].Title &lt; v.AlertDict.CISA[j].Title\n-\t\t})\n \t\tr.ScannedCves[k] = v\n \t}\n }\ndiff --git a/models/vulninfos.go b/models/vulninfos.go\nindex 3e85e81..8a6e0dc 100644\n--- a/models/vulninfos.go\n+++ b/models/vulninfos.go\n@@ -265,6 +265,7 @@ type VulnInfo struct {\n \tCveContents          CveContents          `json:\"cveContents,omitempty\"`\n \tExploits             []Exploit            `json:\"exploits,omitempty\"`\n \tMetasploits          []Metasploit         `json:\"metasploits,omitempty\"`\n+\tKEVs                 []KEV                `json:\"kevs,omitempty\"`\n \tMitigations          []Mitigation         `json:\"mitigations,omitempty\"`\n \tCtis                 []string             `json:\"ctis,omitempty\"`\n \tAlertDict            AlertDict            `json:\"alertDict,omitempty\"`\n@@ -284,6 +285,57 @@ type Alert struct {\n \tTeam  string `json:\"team,omitempty\"`\n }\n \n+// KEVType identifies the source of known exploited vulnerability data.\n+type KEVType string\n+\n+const (\n+\t// CISAKEVType represents CISA Known Exploited Vulnerabilities Catalog data.\n+\tCISAKEVType KEVType = \"cisa\"\n+\t// VulnCheckKEVType represents VulnCheck KEV data.\n+\tVulnCheckKEVType KEVType = \"vulncheck\"\n+)\n+\n+// KEV has known exploited vulnerability information.\n+type KEV struct {\n+\tType                       KEVType       `json:\"type,omitempty\"`\n+\tVendorProject              string        `json:\"vendorProject,omitempty\"`\n+\tProduct                    string        `json:\"product,omitempty\"`\n+\tVulnerabilityName          string        `json:\"vulnerabilityName,omitempty\"`\n+\tShortDescription           string        `json:\"shortDescription,omitempty\"`\n+\tRequiredAction             string        `json:\"requiredAction,omitempty\"`\n+\tKnownRansomwareCampaignUse string        `json:\"knownRansomwareCampaignUse,omitempty\"`\n+\tDateAdded                  time.Time     `json:\"dateAdded,omitempty\"`\n+\tDueDate                    *time.Time    `json:\"dueDate,omitempty\"`\n+\tCISA                       *CISAKEV      `json:\"cisa,omitempty\"`\n+\tVulnCheck                  *VulnCheckKEV `json:\"vulncheck,omitempty\"`\n+}\n+\n+// CISAKEV has CISA-specific KEV fields.\n+type CISAKEV struct {\n+\tNote string `json:\"note,omitempty\"`\n+}\n+\n+// VulnCheckKEV has VulnCheck-specific KEV fields.\n+type VulnCheckKEV struct {\n+\tXDB                  []VulnCheckXDB                  `json:\"xdb,omitempty\"`\n+\tReportedExploitation []VulnCheckReportedExploitation `json:\"reportedExploitation,omitempty\"`\n+}\n+\n+// VulnCheckXDB has VulnCheck exploit database metadata.\n+type VulnCheckXDB struct {\n+\tXDBID       string    `json:\"xdbID,omitempty\"`\n+\tXDBURL      string    `json:\"xdbURL,omitempty\"`\n+\tDateAdded   time.Time `json:\"dateAdded,omitempty\"`\n+\tExploitType string    `json:\"exploitType,omitempty\"`\n+\tCloneSSHURL string    `json:\"cloneSSHURL,omitempty\"`\n+}\n+\n+// VulnCheckReportedExploitation has VulnCheck reported exploitation metadata.\n+type VulnCheckReportedExploitation struct {\n+\tURL       string    `json:\"url,omitempty\"`\n+\tDateAdded time.Time `json:\"dateAdded,omitempty\"`\n+}\n+\n // GitHubSecurityAlerts is a list of GitHubSecurityAlert\n type GitHubSecurityAlerts []GitHubSecurityAlert\n \n@@ -910,24 +962,21 @@ type Mitigation struct {\n \tURL            string         `json:\"url,omitempty\"`\n }\n \n-// AlertDict has target cve JPCERT, USCERT and CISA alert data\n+// AlertDict has target cve JPCERT and USCERT alert data.\n type AlertDict struct {\n-\tCISA   []Alert `json:\"cisa\"`\n+\tCISA   []Alert `json:\"-\"`\n \tJPCERT []Alert `json:\"jpcert\"`\n \tUSCERT []Alert `json:\"uscert\"`\n }\n \n // IsEmpty checks if the content of AlertDict is empty\n func (a AlertDict) IsEmpty() bool {\n-\treturn len(a.CISA) == 0 &amp;&amp; len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n+\treturn len(a.JPCERT) == 0 &amp;&amp; len(a.USCERT) == 0\n }\n \n // FormatSource returns which source has this alert\n func (a AlertDict) FormatSource() string {\n \tvar s []string\n-\tif len(a.CISA) != 0 {\n-\t\ts = append(s, \"CISA\")\n-\t}\n \tif len(a.USCERT) != 0 || len(a.JPCERT) != 0 {\n \t\ts = append(s, \"CERT\")\n \t}\ndiff --git a/reporter/util.go b/reporter/util.go\nindex d9cfdaa..a2dfbd0 100644\n--- a/reporter/util.go\n+++ b/reporter/util.go\n@@ -204,6 +204,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {\n \t\t\t\tr.FormatUpdatablePkgsSummary(),\n \t\t\t\tr.FormatExploitCveSummary(),\n \t\t\t\tr.FormatMetasploitCveSummary(),\n+\t\t\t\tr.FormatKEVCveSummary(),\n \t\t\t\tr.FormatAlertSummary(),\n \t\t\t}\n \t\t} else {\n@@ -565,10 +566,6 @@ No CVE-IDs are found in updatable packages.\n \t\t})\n \t\tdata = append(data, ds...)\n \n-\t\tfor _, alert := range vuln.AlertDict.CISA {\n-\t\t\tdata = append(data, []string{\"CISA Alert\", alert.URL})\n-\t\t}\n-\n \t\tfor _, alert := range vuln.AlertDict.JPCERT {\n \t\t\tdata = append(data, []string{\"JPCERT Alert\", alert.URL})\n \t\t}\ndiff --git a/tui/tui.go b/tui/tui.go\nindex 4407f56..80afe95 100644\n--- a/tui/tui.go\n+++ b/tui/tui.go\n@@ -812,16 +812,6 @@ func setChangelogLayout(g *gocui.Gui) error {\n \t\t\t}\n \t\t}\n \n-\t\tif len(vinfo.AlertDict.CISA) &gt; 0 {\n-\t\t\tlines = append(lines, \"\\n\",\n-\t\t\t\t\"CISA Alert\",\n-\t\t\t\t\"===========\",\n-\t\t\t)\n-\t\t\tfor _, alert := range vinfo.AlertDict.CISA {\n-\t\t\t\tlines = append(lines, fmt.Sprintf(\"* [%s](%s)\", alert.Title, alert.URL))\n-\t\t\t}\n-\t\t}\n-\n \t\tif len(vinfo.AlertDict.USCERT) &gt; 0 {\n \t\t\tlines = append(lines, \"\\n\",\n \t\t\t\t\"USCERT Alert\",\n", "creation_timestamp": "2026-07-04T00:01:07.916595Z"}]}