Summary
LLM Zero Day pulls raw vulnerability records from public feeds (CISA's Known Exploited Vulnerabilities catalog, the NVD CVE API, and GHSA advisories), filters them down to the ones that actually touch AI/LLM products, and republishes the results as the feed lists and charts on this site.
Feed Scraping Overview
A scheduled job queries each source feed — CISA KEV, the NVD CVE API, and GHSA — and keeps the raw JSON responses. Every record is checked against a list of AI/LLM keywords (vendor names, model families, etc) so only entries relevant to language models survive. Matching records are deduplicated by CVE ID, merged into a normalized shape, and written to the static data files the site loads at request time. The diagram below outlines that pipeline.
Threat Research Pull Overview
Beyond the feed records, each normalized entry is classified by severity using its CVSS score (falling back through v3.1, v3.0, and v2 metrics, in that order) and, where available, tagged with CISA's Known Exploited Vulnerabilities status to flag issues seen actively exploited in the wild. Classified records are grouped by publish year and severity for the trend charts, and kept in their raw form for the paginated feed lists.