Linux Package Vulnerability Scanner

Find unpatched CVEs in your installed packages. No signup needed.

1. Pick your distribution

Debian family

RHEL family

Other

2. Pick your version

3. Run this command on your server

Read-only. Lists installed packages. No network, no install.

dpkg-query -W -f='${Package}\t${Version}\n'

4. Paste the output here

Your paste is processed in memory and never stored or logged.

Get a shareable link to these results. The link shows your distro, CVE counts, and CVE IDs, never your package list. Note: CVE IDs imply which packages you run.

What this tool does, and what it doesn't

You paste a list of installed packages. We compare each package version against the OSV vulnerability database for your distro and return the CVEs that affect what you have installed, sorted by severity, with the version that fixes each one.

What we don't do: store your paste, log it, share it, or use it for marketing. The scan happens in this request and the data is gone when the response is sent.

What we don't see: your IP packets, your hostnames, your filesystem, or anything else on your server. Only the package names and versions you choose to paste.

What you get: a CVE list with severity, fix version, and a link to the upstream advisory. The whole thing runs in under a second for typical server inventories.

FAQ

How do I check for unpatched CVEs on my Linux server? +

Run the package-list command for your distro (dpkg -l for Debian/Ubuntu, rpm -qa for RHEL family, apk list -I for Alpine, pacman -Q for Arch), paste the output here, and you get a CVE report sorted by severity with fix versions. The scan runs in your browser session and your package list is never stored or logged.

Where does Fivenines get its CVE data? +

We use the OSV (Open Source Vulnerabilities) database, an aggregator maintained by Google that pulls from per-distro security advisories: Debian Security Advisories, Ubuntu Security Notices, Red Hat Errata, Alpine secdb, and others. The same data backs the continuous scanning we offer to paying customers.

Is it safe to paste my package list? +

Yes. The paste is processed in memory and never stored, logged, or shared. We scrub the package list from request logs and exception reports. Nothing about your installed packages is retained on our side after the scan completes.

Why doesn't my Arch Linux package show any vulnerabilities? +

Arch packages are tracked in OSV, but coverage is sparser than Debian/Ubuntu/RHEL because Arch's rolling release model means version-locked CVE matching is harder. If you're concerned about Arch security, the Arch Security Tracker (security.archlinux.org) is the authoritative source.

What's the difference between a CVE and a security advisory? +

A CVE (Common Vulnerabilities and Exposures) is a unique ID for a specific vulnerability, like CVE-2024-12345. A security advisory (like DSA-5500-1 from Debian or RHSA-2024:1234 from Red Hat) is a distro vendor's announcement that one or more CVEs affect specific package versions and which release fixes them. The OSV database links them together.

Can I scan my server automatically without pasting? +

Yes. The Fivenines agent installs in 2 minutes, reads your installed packages directly, and continuously checks them against the same OSV database. You get alerts when new CVEs land for packages you have installed. Plans start at €9/month with a 14-day free trial.

Stop pasting. Start monitoring.

Fivenines installs in 2 minutes and continuously checks every server you run against the same CVE database. 14-day trial, no credit card.

Start free trial

14-day trial. No credit card required.