Vulnerabilities
The Vulnerabilities page is the fleet-wide roll-up of every CVE HostAtlas has found across your servers, using the installed OS package inventory and the public CVE feeds. It is your “what should I patch first” view.
You’ll find it in the sidebar under Security → Vulnerabilities.
What you see
Four KPI cards across the top:
- Critical — count of active findings with severity CRITICAL or any finding tagged as KEV (CISA’s Known Exploited Vulnerabilities catalogue), regardless of severity.
- High — active High-severity findings not already counted as KEV.
- KEV — total active findings on the CISA KEV list. These are CVEs known to be exploited in the wild and should be treated as top priority.
- Total — total active findings across the fleet.
Coverage line — how many of your servers have been scanned at least once versus how many have never been scanned.
Top 10 CVEs by host count — the “fix these first” list. Each row shows the CVE ID (deep-linked to the primary advisory), severity, KEV flag, a title, how many distinct hosts are affected and when it was last seen. KEV entries and higher severities float to the top.
Worst-affected hosts — the ten servers with the most active findings, with a critical/KEV count next to each. Click a host to jump to its own vulnerabilities view.
Recent scan runs — the last 20 scans across the fleet with server, timestamp and outcome.
What you can do
- Turn scanning on or off for the whole tenant via the mode selector: Inherit (use your plan’s default), On (force on regardless of plan default) or Off (force off).
- Click a CVE to open the upstream advisory.
- Click a server to see its per-host findings and a Fix action that generates a package-update recipe for the affected packages on that host.
- Filter the finding list on a per-server view by severity, KEV status or package name.
- Deep-link to any finding — every row has its own URL so you can share it in an incident chat.
How it works
Each server’s HostAtlas agent uploads its installed-package inventory (name, version, source). On the server side, HostAtlas matches those packages against the OSV and CISA KEV feeds and writes one finding per (server, CVE, package). Findings persist — resolved ones stay in the database as audit / SOC 2 evidence — and the dashboard only counts active ones.
A finding is considered resolved the next time the server reports the package at a fixed version. There is nothing to click.
When a new critical or KEV finding first appears on a server, an alert is raised through the standard alert channels (email, Slack, webhook, SIEM), so you don’t have to poll this page.
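The following is an added illustration, not HostAtlas code, of how the KPI cards and the "fix these first" list described under "What you see" can be derived from a findings table keyed by (server, CVE, package), and how a finding resolves itself when the agent's next inventory shows the package at a fixed version. The `fixed_version` field, the `version_key` comparison and the tie-break order (host count, then KEV, then severity) are assumptions made for the example.

```python
from dataclasses import dataclass
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

@dataclass
class Finding:                 # one row per (server, CVE, package)
    server: str
    cve: str
    package: str
    severity: str              # CRITICAL / HIGH / MEDIUM / LOW
    kev: bool                  # listed in the CISA KEV catalogue
    fixed_version: str         # assumed field: first package version carrying the fix
    active: bool = True        # resolved rows are kept for audit / SOC 2 evidence

def version_key(v):
    # Simplification: dotted numeric versions only; real distro versions need distro rules.
    return tuple(int(p) for p in v.split("."))

def apply_inventory(findings, server, inventory):
    """Resolve findings whose package the agent now reports at or above its fixed version."""
    for f in findings:
        if f.active and f.server == server and f.package in inventory:
            if version_key(inventory[f.package]) >= version_key(f.fixed_version):
                f.active = False   # nothing to click: resolution is inferred

def kpi_cards(findings):
    active = [f for f in findings if f.active]
    return {
        "critical": sum(1 for f in active if f.severity == "CRITICAL" or f.kev),  # KEV always counts
        "high": sum(1 for f in active if f.severity == "HIGH" and not f.kev),
        "kev": sum(1 for f in active if f.kev),
        "total": len(active),
    }

def top_cves(findings, n=10):
    """Active CVEs ranked by distinct affected hosts; KEV, then severity, break ties."""
    hosts, meta = {}, {}
    for f in findings:
        if f.active:
            hosts.setdefault(f.cve, set()).add(f.server)
            meta[f.cve] = f
    order = lambda c: (len(hosts[c]), meta[c].kev, SEVERITY_RANK[meta[c].severity])
    return [(c, len(hosts[c])) for c in sorted(hosts, key=order, reverse=True)[:n]]

def sample_findings():
    # Constructed sample data with placeholder CVE IDs, not real scan output.
    return [
        Finding("web-1", "CVE-0000-0001", "openssl", "HIGH", True, "3.0.2"),
        Finding("web-2", "CVE-0000-0001", "openssl", "HIGH", True, "3.0.2"),
        Finding("web-1", "CVE-0000-0002", "curl", "CRITICAL", False, "8.5.0"),
    ]
```

Note that the two KEV rows are only HIGH by CVSS but still land in the Critical card, which is the page's intended behaviour.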
Configuration
- Tenant scan mode — Inherit / On / Off (the toggle on this page).
- Plan gating — whether scanning is on by default depends on your plan. Business and Enterprise have it on by default; the tenant-level override wins either way.
- Per-server exclusion — if a specific host shouldn’t be scanned (bare probes, ephemeral CI runners), you can turn scanning off on that server’s page.
Scans run on a schedule after every fresh package inventory upload — there is no “run now” button because the source data is refreshed by the agent, not by a scan job.
Related
- Security Scanner Insights — the cross-fleet insights tab that pairs CVE counts with audit findings.
- Policy Engine — enforce rules like “no critical CVEs older than 14 days”.
- Compliance Hub — the umbrella dashboard that includes vulnerabilities alongside audit findings and policy adherence.