Detect Vulnerable Technologies on Any Website Using CPE Identifiers
Every web technology—from jQuery to Nginx to WordPress—has a standardized identifier called a CPE (Common Platform Enumeration). These identifiers are the key that connects a website's tech stack to the National Vulnerability Database (NVD), the authoritative source of known security vulnerabilities.
This means that once you know what technologies a website is running, you can automatically check each one for known CVEs (Common Vulnerabilities and Exposures). That's a powerful capability for security teams, penetration testers, and anyone managing web infrastructure.
What Is a CPE?
A CPE is a structured naming scheme for IT products. It follows the format:
cpe:2.3:a:vendor:product:version:*:*:*:*:*:*:*
For example:
- cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* — jQuery (any version)
- cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:* — Nginx
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* — WordPress
The NVD uses CPE identifiers to link vulnerabilities to affected products. If you have the CPE, you can query the NVD API to find every known vulnerability for that technology.
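An added example (not DetectZeStack or NVD code): a parser for the CPE 2.3 formatted string that splits only on unescaped colons, checks for the 13 components, and reports whether a CPE covers every version of a product (version `*`, as in the examples above) or one pinned version. The function names and the `example_vendor` samples are assumptions made for illustration.

```python
# CPE 2.3 formatted-string attributes, in order, after the "cpe:2.3" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def split_unescaped(text, sep=":"):
    """Split on sep, treating a backslash as escaping the next character."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
        elif text[i] == sep:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(text[i])
            i += 1
    parts.append("".join(current))
    return parts

def parse_cpe23(cpe):
    """Return the 11 named attributes of a CPE 2.3 string, or raise ValueError."""
    parts = split_unescaped(cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a 13-component CPE 2.3 string: {cpe!r}")
    attrs = dict(zip(FIELDS, parts[2:]))
    if attrs["part"] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"unknown part {attrs['part']!r} in {cpe!r}")
    if "" in attrs.values():
        raise ValueError(f"empty component in {cpe!r}")
    return attrs

def lookup_scope(cpe):
    """'product-wide' when the version is the ANY wildcard, else 'version-specific'."""
    return "product-wide" if parse_cpe23(cpe)["version"] == "*" else "version-specific"

if __name__ == "__main__":
    # First sample is from the article; the other two are constructed.
    for sample in ("cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*",
                   "cpe:2.3:a:example_vendor:example_lib:1.2.3:*:*:*:*:*:*:*",
                   r"cpe:2.3:a:example_vendor:my\:app:1.0:*:*:*:*:*:*:*"):
        print(sample, "->", lookup_scope(sample))
```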
Getting CPEs from Tech Stack Detection
The DetectZeStack API returns CPE identifiers for detected technologies when available. A single API call gives you both the technology name and its corresponding CPE:
curl "https://detectzestack.com/analyze?url=example.com" \
  -H "X-Api-Key: YOUR_KEY"
Each technology in the response includes a cpe field when available:
{
  "domain": "example.com",
  "technologies": [
    {
      "name": "Nginx",
      "categories": ["Web servers"],
      "confidence": 100,
      "cpe": "cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*"
    },
    {
      "name": "jQuery",
      "categories": ["JavaScript libraries"],
      "confidence": 100,
      "cpe": "cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*"
    }
  ]
}
Querying the NVD for Vulnerabilities
Once you have CPEs, you can query the NVD's public API to find known vulnerabilities:
curl "https://services.nvd.nist.gov/rest/json/cves/2.0?\
cpeName=cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*&\
resultsPerPage=5"
The NVD returns matching CVEs with severity scores (CVSS), descriptions, and references. This lets you prioritize remediation based on actual risk.
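An added example, not part of the original article: a CPE with a `*` version matches CVEs for any release of the product, so this code narrows NVD results to a known deployed version using the version-range fields NVD attaches to each `cpeMatch` entry. It assumes the deployed version is known and purely numeric, ignores AND/negate logic in configuration nodes, and runs on constructed placeholder records rather than live NVD data.

```python
def vtuple(version):
    """'3.5.0' -> (3, 5); trailing zeros dropped. Numeric dotted versions only."""
    nums = [int(p) for p in version.split(".")]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def match_affects(match, vendor, product, version):
    """True if one NVD cpeMatch entry marks vendor:product at version vulnerable."""
    fields = match["criteria"].split(":")  # sample names hold no escaped colons
    if not match.get("vulnerable") or fields[3:5] != [vendor, product]:
        return False
    v = vtuple(version)
    if fields[5] not in ("*", "-"):  # criteria pins one exact version
        return vtuple(fields[5]) == v
    checks = (("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b))
    return all(ok(vtuple(match[key])) for key, ok in checks if key in match)

def affected_cves(vulnerabilities, vendor, product, version):
    """IDs of CVEs whose applicability statements cover the given version."""
    hits = []
    for item in vulnerabilities:
        cve = item["cve"]
        matches = [m for cfg in cve.get("configurations", [])
                   for node in cfg.get("nodes", [])
                   for m in node.get("cpeMatch", [])]
        if any(match_affects(m, vendor, product, version) for m in matches):
            hits.append(cve["id"])
    return hits

# Constructed records shaped like the NVD 2.0 "vulnerabilities" array.
# IDs, names and ranges are placeholders, not real CVE data.
def _cve(cve_id, **match):
    match.setdefault("vulnerable", True)
    return {"cve": {"id": cve_id, "configurations": [{"nodes": [{"cpeMatch": [match]}]}]}}

WILD = "cpe:2.3:a:example_vendor:example_lib:*:*:*:*:*:*:*:*"
SAMPLE = [
    _cve("CVE-EXAMPLE-0001", criteria=WILD, versionEndExcluding="3.5.0"),
    _cve("CVE-EXAMPLE-0002", criteria=WILD, versionStartIncluding="1.2",
         versionEndExcluding="3.0.0"),
    _cve("CVE-EXAMPLE-0003", criteria=WILD.replace(":*", ":2.0.1", 1)),
]

if __name__ == "__main__":
    print(affected_cves(SAMPLE, "example_vendor", "example_lib", "3.4.1"))
```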
Building an Automated Scanner
Combining tech stack detection with NVD lookups, you can build a scanner that takes a URL and returns a vulnerability report. Here's the workflow:
- Detect technologies — Call the /analyze endpoint with the target URL
- Extract CPEs — Filter technologies that have CPE identifiers
- Query NVD — For each CPE, check the NVD API for known CVEs
- Report — Aggregate findings with severity scores
Here's a Python script that implements this:
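import time

import requests

API_KEY = "your-detectzestack-key"
TARGET = "example.com"
NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Step 1: Detect tech stack
resp = requests.get(
    "https://detectzestack.com/analyze",
    params={"url": TARGET},
    headers={"X-Api-Key": API_KEY},
    timeout=30,
)
resp.raise_for_status()
techs = resp.json()["technologies"]

# Step 2-3: Check each CPE against NVD
for tech in techs:
    cpe = tech.get("cpe")
    if not cpe:
        continue  # no CPE for this technology, nothing to look up

    nvd = requests.get(
        NVD_URL,
        params={"cpeName": cpe, "resultsPerPage": 3},
        timeout=30,
    )
    nvd.raise_for_status()
    data = nvd.json()
    vulns = data.get("vulnerabilities", [])

    if vulns:
        # Step 4: Report. totalResults is the full match count;
        # only the first page (resultsPerPage) is printed.
        total = data.get("totalResults", len(vulns))
        print(f"\n{tech['name']} ({total} CVEs found, showing {len(vulns)})")
        for v in vulns:
            cve = v["cve"]
            score = "N/A"
            metrics = cve.get("metrics", {})
            # Prefer CVSS v3.1, then fall back to older metric versions
            for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
                if key in metrics:
                    score = metrics[key][0]["cvssData"]["baseScore"]
                    break
            print(f"  {cve['id']} (CVSS: {score})")
            print(f"    {cve['descriptions'][0]['value'][:100]}...")

    # The NVD API rate-limits clients without an API key; space out lookups
    time.sleep(6)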
Use Cases
Security Audits
Before a penetration test, scan the target's tech stack to identify technologies with known vulnerabilities. This gives you a prioritized list of potential attack vectors before any manual testing begins.
Continuous Monitoring
Set up a cron job to periodically scan your own infrastructure, or use webhooks to receive the current tech stack each time a domain is analyzed. When a new CVE is published for a technology you're running, you'll know immediately.
Vendor Risk Assessment
Evaluating a third-party vendor? Scan their public-facing sites to understand their technology choices and check for known vulnerabilities. This provides data-driven input for risk assessments.
Competitive Intelligence
Track what technologies competitors are adopting or dropping. Changes in their stack can signal strategic shifts—and vulnerabilities in their current setup can inform your own security posture.
Start Scanning for Vulnerabilities
Get CPE identifiers for 7,200+ technologies with a single API call. Free tier includes 100 requests/month.
Beyond Detection: What Else CPEs Enable
CPE identifiers are not just useful for vulnerability scanning. They also enable:
- Asset inventory — Maintain a machine-readable catalog of technologies across all your web properties
- Compliance reporting — Automatically document your technology stack for compliance frameworks like SOC 2 or ISO 27001
- SBOM generation — Contribute to Software Bill of Materials for your web applications
The combination of automated tech stack detection and standardized CPE identifiers turns what was once a manual, error-prone process into something that can be fully automated and continuously monitored.