API for developers

Pull the community verdict for any CVE — real vs false positive, exploitability, real-world severity, and where it diverges from the CVSS score — as JSON. Free, public, read-only. No API key, CORS-open, edge-cached.

Verdict endpoint

Returns the community ground truth for a single CVE.

GET https://www.truepositive.app/api/cve/{cveId}/verdict

Example

curl https://www.truepositive.app/api/cve/CVE-2021-44228/verdict

Response

{
  "cveId": "CVE-2021-44228",
  "url": "https://www.truepositive.app/cve/CVE-2021-44228",
  "badge": "https://www.truepositive.app/cve/CVE-2021-44228/badge.svg",
  "cvss": 10,
  "cvssSeverity": "critical",
  "kev": true,
  "epss": 0.99999,
  "publishedAt": "2021-12-10T10:15:09.143Z",
  "community": {
    "sampleSize": 4,
    "topVerdict": "real_exploitable",
    "topVerdictLabel": "Real & exploitable",
    "tally": { "real_exploitable": 3, "real_conditional": 1 },
    "practicalSeverity": { "top": "critical", "distribution": { "critical": 3, "high": 1 } }
  },
  "divergesFromCvss": false,
  "generatedAt": "2026-06-22T12:00:00.000Z"
}

Fields

cveId: The CVE identifier.
cvss / cvssSeverity: NVD CVSS base score and its severity band.
kev: Listed in the CISA Known Exploited Vulnerabilities catalog.
epss: FIRST EPSS exploitation-probability (0–1).
community.sampleSize: Number of practitioner verdicts (0 if none yet — honest, never fabricated).
community.topVerdict: Most common verdict: real_exploitable | real_conditional | real_theoretical | false_positive | cannot_reproduce.
community.tally: Count of each verdict value.
community.practicalSeverity: Real-world severity distribution from the field.
divergesFromCvss: True when CVSS is high (≥7) but the field considers it not actually exploitable — the signal NVD can't give you.
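
Added example, not part of the TruePositive documentation or code: one way a triage script could consume the fields above, including the sampleSize 0 case and divergesFromCvss. The triage policy, its thresholds, the action names and the two constructed records are assumptions; only the endpoint and the first sample come from this page.

```python
import json
import re
import urllib.request

API = "https://www.truepositive.app/api/cve/{}/verdict"  # endpoint from the page
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def fetch_verdict(cve_id, timeout=10):
    """GET the verdict JSON; the ID is validated before it reaches the URL."""
    if not CVE_RE.fullmatch(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    with urllib.request.urlopen(API.format(cve_id), timeout=timeout) as resp:
        return json.load(resp)

def triage(v, min_sample=3):
    """Hypothetical policy returning (action, reason); thresholds are assumptions."""
    community = v.get("community") or {}
    n = community.get("sampleSize") or 0
    top = community.get("topVerdict")
    if v.get("kev"):
        # Known exploitation outranks any community opinion.
        return "patch-now", "listed in CISA KEV"
    if n < min_sample:
        # Too few verdicts to outweigh the scanner: fall back to CVSS/EPSS.
        high = (v.get("cvss") or 0) >= 7 or (v.get("epss") or 0) >= 0.5
        return ("patch-soon" if high else "backlog"), f"only {n} verdict(s)"
    if v.get("divergesFromCvss"):
        # Candidate for deprioritisation, but a human confirms it first.
        return "review-downgrade", f"CVSS {v.get('cvss')} but field says {top}"
    if top == "real_exploitable":
        votes = (community.get("tally") or {}).get(top, 0)
        return "patch-now", f"{votes}/{n} say exploitable"
    if top == "real_conditional":
        return "check-preconditions", "exploitable only under conditions"
    return "backlog", f"top verdict: {top}"

# Response body copied from the page, trimmed to the fields used here.
PAGE_SAMPLE = json.loads("""{"cveId": "CVE-2021-44228", "cvss": 10, "kev": true,
  "epss": 0.99999, "divergesFromCvss": false,
  "community": {"sampleSize": 4, "topVerdict": "real_exploitable",
                "tally": {"real_exploitable": 3, "real_conditional": 1}}}""")
# Constructed records with placeholder IDs (not real API output).
NO_DATA = {"cveId": "CVE-0000-00001", "cvss": 9.8, "kev": False, "epss": 0.02,
           "community": {"sampleSize": 0, "topVerdict": None, "tally": {}},
           "divergesFromCvss": False}
DIVERGES = {"cveId": "CVE-0000-00002", "cvss": 8.1, "kev": False, "epss": 0.01,
            "community": {"sampleSize": 5, "topVerdict": "false_positive",
                          "tally": {"false_positive": 4, "real_theoretical": 1}},
            "divergesFromCvss": True}
```

Calling triage(fetch_verdict("CVE-2021-44228")) runs the same policy against the live endpoint.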

Embeddable badge

A live SVG verdict badge for READMEs, advisories, dashboards:

[![TruePositive](https://www.truepositive.app/cve/CVE-2021-44228/badge.svg)](https://www.truepositive.app/cve/CVE-2021-44228)
