Volerion logoVolerion
Volerion logoVolerion

Affected Product Matching

The problem

Common Platform Enumeration (CPE) data is the cornerstone of vulnerability management automation. It's what allows security teams to match CVEs to their software inventories. However, the NVD's severe enrichment delays make this critical data unavailable when it's needed most.

Meanwhile, some other data sources rush to fill the gap by "hallucinating" CPEs, generating entries that look plausible but don't exist in the official CPE dictionary. These fabricated identifiers are useless for real-world automation, as they won't match anything in your asset inventory or CMDB, rendering the entire vulnerability management pipeline broken.

The solution

Volerion provides dictionary-validated CPE assignments within minutes of CVE publication, not months later. Our AI-driven product extraction analyzes all available references and advisories to identify affected products and versions, then validates every CPE against the official dictionary before publishing.

No hallucinations. No made-up entries. Every CPE we provide is guaranteed to exist in the official dictionary, ensuring complete interoperability with your existing tools, SBOMs, and automation workflows.

We have also trained a model on hundreds of manually created samples to extract affected version ranges and remediation guidance directly from unstructured text (e.g. vendor advisories), providing structured data that can be directly integrated into vulnerability management systems.

Example (CVE-2025-32421)

The NVD took 119 days to add CPE data for this CVE, while Volerion had it available within minutes. Fully automated, with semver-compatible version constraints and structured remediation guidance.

Terminal
$ curl -s 'https://api.volerion.com/v1/cve/intel?id=CVE-2025-32421' | jq '.[0].products'
[
  {
    "part": "a",
    "vendor": "vercel",
    "product": "next.js",
    "target_sw": "node.js",
    "state": "vulnerable",
    "versions": ["> 14.2.24, < 15.1.6"],
    "remedies": [
      {
        "type": "mitigate",
        "instructions": "Strip the \`x-now-route-matches\` header from all incoming requests at your CDN and set \`cache-control: no-store\` for all responses under risk.",
        "effort": "low"
      },
      {
        "type": "upgrade",
        "identifier": "14.2.24",
        "effort": "moderate"
      },
      {
        "type": "upgrade",
        "identifier": "15.1.6",
        "effort": "moderate"
      }
    ]
  }
]

Dictionary-validated CPE Complete version ranges Structured remediation

Contact sales