OpenKAT will request information about CVE’s from It is possible to run your own instance in case you don’t want to rely on third party service for this. The kat-cveapi Debian package that can be downloaded from GitHub can be used for this.

The package has a script that will download all the CVE information to the /var/lib/kat-cveapi directory. The package includes a systemd timer that will run the script after the package is installed and hourly to keep the CVE information up-to-date. The /var/lib/kat-cveapi can then be served as static files by your webserver. Example nginx configuration that is used by

server {
    listen   [::]:443;


    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

    access_log /var/log/nginx/cve/access.log;
    error_log /var/log/nginx/cve/error.log;

    root /var/lib/kat-cveapi;

The CVEAPI_URL configuration parameter of the kat_cve_finding_types boefje can then be set to your own instance.