Achilles

idle

CVE sources

Public, unauthenticated. EU-CNA coverage the US-centric feeds miss. Achilles' primary source — on by default.

Public, unauthenticated. Covers Electron, Tauri, React Native, and every bundled npm dependency.

Keyed by CPE. Covers runtimes EUVD/OSV don't: Chromium, Node.js, Qt, Flutter, JDK, WebKit, …

Unauth rate limit (60/h) is too low to be useful. A classic PAT with no scopes suffices.

Filtering

Wide-net CPEs (Safari, Java, Qt, Chromium …) otherwise return decades of irrelevant history. Advisories without a publication date are never filtered.