Search: exploit
Description
Search exploit and vulnerability intelligence reports using a free-text query and structured filters such as CVE identifier, vendor, product, platform, or keyword.
The request is an HTTP POST with a JSON body matching the search_leak_param_model schema:
{
  "q": "CVE-2024-12345",
  "category": "all",
  "page": 1,
  "safe": false,
  "network": "all",
  "matchtype": "or",
  "daterange": "2025-11-01,2025-12-07",
  "content": "all",
  "entity": "cve",
  "must": false,
  "entity_filter": {
    "m_cve": ["CVE-2024-12345"],
    "m_vendor": ["ExampleCorp"],
    "m_product": ["ExampleServer"]
  }
}
Field semantics:
q — free-text query (CVE id, exploit name, vendor, product, function name, etc.). Empty string searches all.
category — ML-based content/category classifier (e.g., "cve", "exploit", "poc", "advisory"); set to "all" to disable.
page — page number for paginated results (1-based).
safe — safety toggle; when true, UI can mask or downrank potentially dangerous payload details.
network — content network filter: "all", "clearnet", "onion", "i2p", etc.
matchtype — logical operator for combining query and filters: "or" (default) or "and".
daterange — optional date range filter in YYYY-MM-DD,YYYY-MM-DD format (e.g., 2025-11-01,2025-12-07).
content — exploit content-type filter, such as "all", "cve", "exploit", "poc", "advisory".
entity — primary entity/IOC dimension for the query (e.g., "cve", "vendor", "product", "ip", "domain").
must — when true, values under entity_filter must be present in the matched documents (hard filter).
entity_filter — IOC/entity filter map; keys are IOC fields (e.g., m_cve, m_vendor, m_product, m_domain) and values are lists of required values for those fields.
Response
Exploit intelligence search results containing metadata for each matching exploit or vulnerability report.
The response is a JSON object with pagination and a list of exploit documents. Typical fields:
total — total number of exploit documents matching the query and filters
page — current page number
results — list of exploit report summaries, where each entry may include:
  m_title — exploit or vulnerability title (often includes CVE id and short description)
  m_url — primary URL of the exploit or advisory page
  m_base_url — base URL/host of the source site (e.g. https://www.rapid7.com)
  m_content — normalized exploit/advisory description or body text
  m_important_content — key snippet summarizing the exploit or impact
  m_network — network classification ("clearnet", "onion", etc.)
  m_content_type — internal labels such as "cve", "exploit", "poc", "advisory"
  m_cve — list of associated CVE identifiers
  m_vendor — list of affected vendors
  m_product — list of affected products or components
  m_platform — list of affected platforms/OS (e.g. "Windows", "Linux")
  m_publication_date — publication or first-seen date for the exploit/advisory
  m_exploit_type — exploit type or tactic (e.g. "remote_code_execution", "privilege_escalation")
  m_source — normalized name of the source (e.g. "rapid7", "exploitdb")
  m_hash — internal document hash identifier used for correlation
  optional IOC/enrichment fields (IP addresses, domains, URLs, file hashes, etc.) depending on the document
Example response:
{
  "total": 87,
  "page": 1,
  "results": [
    {
      "m_title": "CVE-2024-12345 Remote Code Execution in ExampleServer",
      "m_url": "https://www.rapid7.com/db/modules/exploit/example/cve_2024_12345/",
      "m_base_url": "https://www.rapid7.com",
      "m_content": "This module exploits a remote code execution vulnerability in ExampleServer...",
      "m_important_content": "Unauthenticated RCE in ExampleServer via crafted HTTP request.",
      "m_network": "clearnet",
      "m_content_type": ["cve", "exploit"],
      "m_cve": ["CVE-2024-12345"],
      "m_vendor": ["ExampleCorp"],
      "m_product": ["ExampleServer"],
      "m_platform": ["Windows"],
      "m_publication_date": "2025-11-30T14:33:00Z",
      "m_exploit_type": ["remote_code_execution"],
      "m_source": "rapid7",
      "m_hash": "f9d8e7c6b5a4..."
    }
  ]
}
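The following is an added example, not code from this API's documentation: it builds a request body from the documented fields with the CVE as a hard filter, then summarizes a response per CVE for vulnerability triage. The page gives no endpoint URL or authentication scheme, so no HTTP call is made; the function names, the second sample entry, and the check that the m_url host matches the m_base_url host are assumptions made here, not documented API behaviour.

```python
import re
from urllib.parse import urlsplit

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def build_query(cve, start, end, vendor=None, product=None, page=1):
    """Request body using the documented fields; start/end are datetime.date."""
    if not CVE_RE.fullmatch(cve):
        raise ValueError(f"not a CVE identifier: {cve!r}")
    if start > end:
        raise ValueError("daterange start is after end")
    entity_filter = {"m_cve": [cve]}
    if vendor:
        entity_filter["m_vendor"] = [vendor]
    if product:
        entity_filter["m_product"] = [product]
    # must=True makes entity_filter a hard filter; matchtype "and" combines q and filters.
    return {"q": cve, "category": "all", "page": page, "safe": True,
            "network": "all", "matchtype": "and", "content": "all",
            "daterange": f"{start.isoformat()},{end.isoformat()}",
            "entity": "cve", "must": True, "entity_filter": entity_filter}

def triage(response):
    """Per-CVE summary, plus m_hash of entries whose m_url host != m_base_url host."""
    by_cve, mismatched = {}, []
    for doc in response.get("results", []):
        url_host = urlsplit(doc.get("m_url", "")).hostname
        base_host = urlsplit(doc.get("m_base_url", "")).hostname
        if not url_host or url_host != base_host:
            mismatched.append(doc.get("m_hash"))  # review before anyone follows the link
        labels = set(doc.get("m_content_type", []))
        for cve in doc.get("m_cve", []):
            entry = by_cve.setdefault(
                cve, {"sources": set(), "types": set(), "exploit_or_poc": False})
            entry["sources"].add(doc.get("m_source"))
            entry["types"].update(doc.get("m_exploit_type", []))
            entry["exploit_or_poc"] |= bool(labels & {"exploit", "poc"})
    return by_cve, mismatched

# Constructed sample: first entry trimmed from the example response on this page
# (hash replaced by a placeholder), second entry invented to show a host mismatch.
SAMPLE = {"total": 2, "page": 1, "results": [
    {"m_url": "https://www.rapid7.com/db/modules/exploit/example/cve_2024_12345/",
     "m_base_url": "https://www.rapid7.com", "m_content_type": ["cve", "exploit"],
     "m_cve": ["CVE-2024-12345"], "m_exploit_type": ["remote_code_execution"],
     "m_source": "rapid7", "m_hash": "constructed-hash-1"},
    {"m_url": "https://mirror.example.net/advisory/1", "m_base_url": "https://example.org",
     "m_content_type": ["advisory"], "m_cve": ["CVE-2024-12345"],
     "m_exploit_type": [], "m_source": "example-source", "m_hash": "constructed-hash-2"},
]}
```

A host mismatch is only a prompt for manual review, since a source may legitimately serve content from a different subdomain.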