critical
Ray: CSRF / Remote Code Execution / Local File Inclusion
AI-security PoC reference from Protect AI metadata. Private-source flags stay in hub; public page shows only product, class and route.
poc.xml
live vulnerability signal room
Find exploitable signals before they become CVE noise.
b4cve normalizes pre-CVE, non-CVE, PoC-heavy, known-exploited, supply-chain, AI-security and research-first vulnerability signals into a searchable paid hub and tokenized RSS feeds. Public surfaces stay metadata-first: no payload bodies, scanner commands, or target-specific reproduction steps.
2,251normalized records in the current live database snapshot
73records with public PoC/source context marked for careful review
293pre-CVE or non-CVE signals retained outside ordinary CVE-first flow
30mscheduled collection cadence for the private intelligence pipeline
Snapshot: live VPS database checked 2026-06-14. CVE records are enrichment; early PoC, research, malicious-package and private-source routing are the paid signal layer.
Live proof room
2,251 records73 PoC293 pre-CVE/non-CVE
safe metadata preview
public page, private context
public page, private context
100OpenSSF malicious package records
98CIRCL exploited / PoC sightings
67ZDI advisory signals
35GitLab advisory DB records
16smart-contract incident references
high
WordPress Contest Gallery 28.1.4 unauthenticated blind SQL injection
PoC-disclosure signal with pre-CVE/non-CVE flag. Useful for WordPress-heavy scopes after authorization gates.
hub
watch
OpenSSF malicious package cluster across npm and PyPI
Supply-chain burst grouped from package-intelligence sources. Searchable by ecosystem, package, source and tag.
feed
high
Metasploit module commit for CVE-2026-41679
Exploit-framework signal stored as source context. Customers get timing, identifiers, classes and RSS routing, not exploit instructions.
hot.xml
hot.xmlhigh-priority exploitability and known-exploitation signals
pre-cve.xmlresearch-first, negative-day and non-CVE records
poc.xmlPoC/source-context records with safe metadata only
hub searchauthenticated filters, detail pane, source context and record history
Not another CVE mirror.
| Objection | How b4cve answers it | Proof on the page |
|---|---|---|
| Is this just NVD with nicer UI? | CVE data is enrichment. The paid layer is PoC metadata, pre-CVE/non-CVE flags, research RSS, malicious packages, exploit-framework signals, ZDI, AI-security and private-source routing. | 293 pre-CVE/non-CVE |
| Will it drown me in noise? | Records are normalized, deduplicated and routed as candidate, needs-scope, watch, blocked or private-only. Public Telegram is only a teaser, not the full firehose. | routing policy |
| What do I get after access? | Authenticated search, filters, detail view, source context and tokenized RSS feeds for hot, pre-CVE, PoC and known-exploited records. | hub + RSS |
| Is it safe for a professional team? | The product keeps useful PoC/source context but avoids payload bodies, exploit commands, scanner guidance and target-specific reproduction on public surfaces. | metadata-first |
Who uses it.
Bug bounty huntersFind product and class leads earlier, then validate only inside authorized scopes with separate risk gates.
Red teamsTrack exploitability shifts, PoC availability and emerging classes without manually reading every advisory source.
Blue teamsPrioritize detection and patch triage by source quality, PoC presence, known exploitation wording and affected stack.
PentestersSearch by product, class, identifier, source and tag before a scoped engagement, without carrying unsafe public payloads.