Empirical.Models.Global
The Empirical.Models.Global API provides comprehensive, real-time security insights across a vast range of global vulnerabilities and threats. Designed for enterprise security teams, this API enables users to access critical data on known vulnerabilities and exploits, as well as exploitation probabilities, so organizations can make faster, data-driven decisions to protect their assets.
With predictive scoring powered by machine learning, the API offers an accurate view of exploit likelihood through the Exploit Prediction Scoring System (EPSS). Users have access to historical and near-real-time data about CVE details, CPE information, exploits, and historical exploitation data, giving a granular understanding of vulnerability risk and the data provenance needed to have confidence in the decisions the API enables.
Data Dictionary
Scoring
global
Empirical scores are generated from our Global Model and updated hourly.
empirical_score
float (ex. 0.9713943314711305)
empirical_percentile
float (ex. 0.9713943314711305)
computed_at
datetime (ex. 2025-03-16 18:46:04 UTC)
epss_v4
Empirical Security generates the EPSS scores that are served from first.org. In our enterprise API, we update the scores hourly rather than daily.
epss_score
float (ex. 0.9713943314711305)
epss_percentile
float (ex. 0.9713943314711305)
computed_at
datetime (ex. 2025-03-16 18:46:04 UTC)
epss_v3
Empirical Security generates the EPSS scores that are served from first.org. In our enterprise API, we update the scores hourly rather than daily.
epss_score
float (ex. 0.9713943314711305)
epss_percentile
float (ex. 0.9713943314711305)
computed_at
datetime (ex. 2025-03-16 18:46:04 UTC)
CVE Data
description
Text summary describing the CVE ID referenced by the identifier.
string (ex. "An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1")
vendor
The name of the software vendor responsible for the affected software. Spaces in vendor names should be replaced with underscores.
string (ex. "google")
product
The name of the affected software product. Spaces in product names should be replaced with underscores.
string (ex. "chrome_os")
tags
Metadata generated by Empirical Security that is relevant to the CVE ID.
actor
string
actor_action
string
attack_vector
string (ex. "Network")
component
string (ex. ["mail server credentials", "license key"])
keywords
string (ex. ["information disclosure", "web"])
outcome
string (ex. ["credential disclosure", "web"])
prerequisite
string (ex. ["URL is accessed"])
stride
string (ex. ["tampering", "denial of service"])
weakness
string (ex. ["reveals the configuration details of the PHP environment"])
Exploitation Activity and Exploits Data
has_exploitation_activity
Secondary-source reporting of exploitation (DHS CISA, threat intel blogs, etc.) is a useful but incomplete picture of exploitation activity. Our Exploitation Activity data answers the deeper questions about exploitation by measuring actual events and reporting primary-source information. This data comes from aggregated sources and includes malware and network detections. These observations are repeatable, systematic, and represent a much better guide for action.
boolean (ex. true)
exploitation_activity
Time buckets are mutually exclusive so that data points are not double-counted or misallocated: a single exploitation activity should not make multiple categories light up and create an inaccurate perception of activity volume.
0_to_7_days
boolean Days with exploitation activity in the last 7 days
8_to_30_days
boolean Any exploitation activity in the last month excluding the last 7 days
31_to_90_days
boolean Any exploitation activity in the last 90 days excluding the last 30
91_to_365
boolean Any exploitation activity in last year (365 days) excluding the last 90
alltime
boolean Any exploitation activity beyond 1 year (365 days)
exploits
Exploit code is discovered using our proprietary machine learning model, a binary classifier that crawls GitHub and determines whether a repository is an exploit or just a mention of a CVE. The model discovers new exploit code daily, and when a repository crosses our model threshold, we include it here. Additional exploit code is included if we find it in the plethora of other sources we purchase or scrape.
metasploit
See below for examples
exploitdb
See below for examples
github
See below for examples
metasploit
Exploits data includes:
name
string (ex. "ownCloud Phpinfo Reader")
fullname
string (ex. "auxiliary/gather/owncloud_phpinfo_reader")
description
string
disclosure_date
datetime (ex. "2023-11-21")
mod_date
datetime (ex. "2023-12-04T20:09:56.000Z")
github
Exploits data includes:
repo
string (ex. "d0rb/CVE-2023-49103")
prediction
float (ex. 0.8660581707954407)
predicted_at
datetime (ex. 2025-03-10T16:40:29.000Z)
repo_created_at
datetime (ex. 2025-03-10T20:11:29.004Z)
exploitdb
Exploits data includes:
url
url
published_on
datetime (ex. "2018-08-03")
author
string (ex. "Mark Corrigan")
platform
string (ex. "xml")
exploit_type
string (ex. "webapps")
CVSS and CWE Data
CVSS
Common Vulnerability Scoring System data
version
integer (ex. 3.1)
score
integer (ex. 10.0)
vector
string (ex. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
metrics
See below for examples
sources
See below for examples
metrics
CVSS data includes:
attack_vector
string (ex. "Network")
attack_complexity
string (ex. "Low")
privileges_required
string (ex. "None")
user_interaction
string (ex. "None")
scope
string (ex. "Changed")
confidentiality
string (ex. "High")
integrity
string (ex. "High")
availability
string (ex. "High")
cwes
Common Weakness Enumeration data
identifier
string (ex. "CWE-200")
name
string (ex. "Exposure of Sensitive Information to an Unauthorized Actor")
description
string (ex. "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.")
category_name
string (ex. "SFP Secondary Cluster: Exposed Data")
category_id
string (ex. "CWE-963")
API Response Example
{
  "identifier": "CVE-2023-49103",
  "description": "An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo).",
  "cvss": [
    {
      "version": "3.1",
      "score": 10.0,
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "metrics": {
        "attack_vector": "Network",
        "attack_complexity": "Low",
        "privileges_required": "None",
        "user_interaction": "None",
        "scope": "Changed",
        "confidentiality": "High",
        "integrity": "High",
        "availability": "High"
      },
      "sources": [
        "cve@mitre.org",
        "mitre"
      ]
    },
    {
      "version": "3.1",
      "score": 7.5,
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "metrics": {
        "attack_vector": "Network",
        "attack_complexity": "Low",
        "privileges_required": "None",
        "user_interaction": "None",
        "scope": "Unchanged",
        "confidentiality": "High",
        "integrity": "None",
        "availability": "None"
      },
      "sources": [
        "nvd@nist.gov"
      ]
    }
  ],
  "references": [
    "https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/",
    "https://owncloud.org/security"
  ],
  "has_exploitation_activity": true,
  "exploitation_activity": {
    "0_to_7_days": true,
    "8_to_30_days": true,
    "31_to_90_days": true,
    "91_to_365_days": true,
    "alltime": true
  },
  "tags": {
    "actor": [],
    "actor_action": [],
    "attack_vector": [],
    "component": [
      "mail server credentials",
      "license key",
      "ownCloud admin password"
    ],
    "keywords": [
      "information disclosure",
      "web",
      "configuration"
    ],
    "outcome": [
      "credential disclosure",
      "gather information"
    ],
    "prerequisite": [
      "URL is accessed"
    ],
    "stride": [
      "tampering",
      "information disclosure",
      "denial of service"
    ],
    "weakness": [
      "reveals the configuration details of the PHP environment",
      "exposes various other potentially sensitive configuration details"
    ]
  },
  "cwes": [
    {
      "identifier": "CWE-200",
      "name": "Exposure of Sensitive Information to an Unauthorized Actor",
      "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
      "category_name": "SFP Secondary Cluster: Exposed Data",
      "category_id": "CWE-963"
    }
  ],
  "reserved_at": "2023-11-21T00:00:00.000Z",
  "published_at": "2023-11-21T00:00:00.000Z",
  "last_updated_at": "2025-01-27T22:24:27.772Z",
  "cisa_kev_added_at": "2023-11-30T00:00:00.000Z",
  "shodan_vulnerability_count": null,
  "google_project_zero": {
    "present": false,
    "patched_at": null
  },
  "exploits": {
    "metasploit": [
      {
        "name": "ownCloud Phpinfo Reader",
        "fullname": "auxiliary/gather/owncloud_phpinfo_reader",
        "description": "Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app `graph` installed\n contain a test file which prints `phpinfo()` to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter.\n Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.",
        "disclosure_date": "2023-11-21",
        "mod_time": "2023-12-04T20:09:56.000Z"
      }
    ],
    "exploitdb": [],
    "github": [
      {
        "repo": "d0rb/CVE-2023-49103",
        "prediction": 0.8660581707954407,
        "predicted_at": "2025-03-10T16:40:29.000Z",
        "repo_created_at": "2025-03-10T20:11:29.004Z"
      }
    ]
  },
  "hackerone_reports_submitted": 4,
  "scores": {
    "epss_v4": {
      "score": 0.9091291982186883,
      "percentile": 0.996181146025878,
      "computed_at": "2025-03-16 18:46:04 UTC"
    },
    "epss_v3": {
      "score": 0.92099,
      "percentile": 0.99238,
      "computed_at": "2025-03-16 15:46:16 UTC"
    },
    "global": {
      "score": 0.9713943314711305,
      "percentile": 0.9998484036161284,
      "computed_at": "2025-03-16 07:27:24 UTC"
    }
  }
}
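A triage sketch over the response above, added here as an example and not taken from Empirical's documentation or client code. It collapses one record into the fields a remediation queue sorts on, using the key names as they appear in the response example; the function names and the 0.5 GitHub prediction cut-off are assumptions, and the embedded sample is a trimmed copy of the response.

```python
import json

# Trimmed copy of the response example above (unused fields omitted).
SAMPLE = json.loads("""
{
  "identifier": "CVE-2023-49103",
  "cvss": [
    {"version": "3.1", "score": 10.0, "sources": ["cve@mitre.org", "mitre"]},
    {"version": "3.1", "score": 7.5, "sources": ["nvd@nist.gov"]}
  ],
  "exploitation_activity": {"0_to_7_days": true, "8_to_30_days": true,
    "31_to_90_days": true, "91_to_365_days": true, "alltime": true},
  "cisa_kev_added_at": "2023-11-30T00:00:00.000Z",
  "exploits": {"metasploit": [{"fullname": "auxiliary/gather/owncloud_phpinfo_reader"}],
    "exploitdb": [],
    "github": [{"repo": "d0rb/CVE-2023-49103", "prediction": 0.8660581707954407}]},
  "scores": {"epss_v4": {"score": 0.9091291982186883}, "global": {"score": 0.9713943314711305}}
}
""")

# Bucket keys as spelled in the response example, most recent first.
BUCKETS = ["0_to_7_days", "8_to_30_days", "31_to_90_days", "91_to_365_days", "alltime"]

def most_recent_activity(record):
    """Return the most recent bucket with observed activity, or None."""
    activity = record.get("exploitation_activity") or {}
    return next((b for b in BUCKETS if activity.get(b) is True), None)

def cvss_range(record):
    """Return (lowest, highest) CVSS score across sources, or None if absent."""
    scores = [c["score"] for c in record.get("cvss") or [] if c.get("score") is not None]
    return (min(scores), max(scores)) if scores else None

def triage(record, github_threshold=0.5):  # 0.5 is an assumed cut-off
    """Collapse one record into the fields a remediation queue sorts on."""
    exploits = record.get("exploits") or {}
    github = [g["repo"] for g in exploits.get("github") or []
              if (g.get("prediction") or 0.0) >= github_threshold]
    scores = record.get("scores") or {}
    return {
        "cve": record.get("identifier"),
        "global_score": (scores.get("global") or {}).get("score"),
        "epss_v4": (scores.get("epss_v4") or {}).get("score"),
        "last_activity": most_recent_activity(record),
        "in_kev": record.get("cisa_kev_added_at") is not None,
        "cvss_range": cvss_range(record),  # sources can disagree, as here
        "public_exploit": bool(exploits.get("metasploit") or exploits.get("exploitdb") or github),
        "github_repos": github,
    }
```

For this record the CVSS range spans 7.5 (nvd@nist.gov) to 10.0 (mitre), which is why the sketch keeps both ends rather than picking one source.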