Last updated July 2, 2026

Vulnerabilities

The Vulnerabilities page is the fleet-wide roll-up of every CVE HostAtlas has found across your servers, using the installed OS package inventory and the public CVE feeds. It is your “what should I patch first” view.

You’ll find it in the sidebar under Security → Vulnerabilities.

Four KPI cards across the top:

  • Critical — count of active findings with severity CRITICAL or any finding tagged as KEV (CISA’s Known Exploited Vulnerabilities catalogue), regardless of severity.
  • High — active High-severity findings not already counted as KEV.
  • KEV — total active findings on the CISA KEV list. These are CVEs known to be exploited in the wild and should be treated as top priority.
  • Total — total active findings across the fleet.

Coverage line — how many of your servers have been scanned at least once versus how many have never been scanned.

Top 10 CVEs by host count — the “fix these first” list. Each row shows the CVE ID (deep-linked to the primary advisory), severity, KEV flag, a title, how many distinct hosts are affected and when it was last seen. KEV entries and higher severities float to the top.

Worst-affected hosts — the ten servers with the most active findings, with a critical/KEV count next to each. Click a host to jump to its own vulnerabilities view.

Recent scan runs — the last 20 scans across the fleet with server, timestamp and outcome.

  • Turn scanning on or off for the whole tenant via the mode selector: Inherit (use your plan’s default), On (force on regardless of plan default) or Off (force off).
  • Click a CVE to open the upstream advisory.
  • Click a server to see its per-host findings and a Fix action that generates a package-update recipe for the affected packages on that host.
  • Filter the finding list on a per-server view by severity, KEV status or package name.
  • Deep-link to any finding — every row has its own URL so you can share it in an incident chat.

Each server’s HostAtlas agent uploads its installed-package inventory (name, version, source). On the server side, HostAtlas matches those packages against the OSV and CISA KEV feeds and writes one finding per (server, CVE, package). Findings persist — resolved ones stay in the database as audit / SOC 2 evidence — and the dashboard only counts active ones.

A finding is considered resolved the next time the server reports the package at a fixed version. There is nothing to click.
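To make the matching, resolution and roll-up rules above concrete, here is an added worked example (not HostAtlas code) that models the finding store described on this page: one finding per (server, CVE, package), findings resolved only when the server next reports the package at or above the fixed version, resolved rows kept for audit, and the four KPI cards, Top CVEs and Worst-affected hosts computed over active findings only. The advisory feed, the KEV set, the server names and the package versions are all constructed stand-ins for OSV and CISA KEV data; version comparison is a numeric-only simplification, and the Top CVEs ordering (KEV first, then severity, then host count) is an assumed reading of "KEV entries and higher severities float to the top".

```python
"""Fleet-wide CVE finding store: constructed example, not HostAtlas code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for the OSV feed: package -> [(cve, severity, introduced, fixed)].
# Real OSV records carry affected version ranges as JSON; this keeps only what matching needs.
ADVISORIES = {
    "openssl": [("CVE-2024-0001", "CRITICAL", "1.0.0", "3.0.7")],
    "curl":    [("CVE-2024-0002", "HIGH",     "7.0.0", "8.5.0")],
    "libxml2": [("CVE-2024-0003", "MEDIUM",   "2.0.0", "2.12.0")],
    "sudo":    [("CVE-2024-0004", "HIGH",     "1.8.0", "1.9.15")],
}
KEV = {"CVE-2024-0004"}  # constructed stand-in for the CISA KEV catalogue
SEV_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def vtuple(v):
    """Numeric-only version compare (assumption: real distro versions need the distro's own comparator)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass
class Finding:
    server: str
    cve: str
    package: str
    severity: str
    kev: bool
    fixed: str
    last_seen: date
    active: bool = True


class FindingStore:
    """One finding per (server, CVE, package); resolved findings are kept, never deleted."""

    def __init__(self):
        self.findings = {}

    def ingest_inventory(self, server, packages, seen):
        """Match one server's package inventory; return new critical/KEV CVEs that warrant an alert."""
        matched, alerts = set(), []
        for name, version in packages.items():
            for cve, sev, introduced, fixed in ADVISORIES.get(name, []):
                if vtuple(introduced) <= vtuple(version) < vtuple(fixed):
                    key = (server, cve, name)
                    matched.add(key)
                    f = self.findings.get(key)
                    if f is None:
                        f = Finding(server, cve, name, sev, cve in KEV, fixed, seen)
                        self.findings[key] = f
                        if f.severity == "CRITICAL" or f.kev:
                            alerts.append(cve)  # first appearance of a critical/KEV finding
                    else:
                        f.last_seen = seen  # existing finding: refresh, stay active
                        f.active = True
        # Resolution: a still-active finding whose package is now reported at or above the fixed version.
        for key, f in self.findings.items():
            if f.server == server and f.active and key not in matched:
                reported = packages.get(f.package)
                if reported is not None and vtuple(reported) >= vtuple(f.fixed):
                    f.active = False
        return sorted(alerts)

    def active(self):
        return [f for f in self.findings.values() if f.active]

    def kpis(self):
        act = self.active()
        return {
            "critical": sum(1 for f in act if f.severity == "CRITICAL" or f.kev),
            "high": sum(1 for f in act if f.severity == "HIGH" and not f.kev),
            "kev": sum(1 for f in act if f.kev),
            "total": len(act),
        }

    def top_cves(self, n=10):
        hosts, meta = defaultdict(set), {}
        for f in self.active():
            hosts[f.cve].add(f.server)
            meta[f.cve] = f
        rows = [{"cve": c, "hosts": len(h), "severity": meta[c].severity, "kev": meta[c].kev}
                for c, h in hosts.items()]
        # Assumed ordering: KEV first, then severity, then distinct host count.
        rows.sort(key=lambda r: (r["kev"], SEV_RANK[r["severity"]], r["hosts"]), reverse=True)
        return rows[:n]

    def worst_hosts(self, n=10):
        per = defaultdict(lambda: [0, 0])  # server -> [active findings, critical/KEV findings]
        for f in self.active():
            per[f.server][0] += 1
            if f.severity == "CRITICAL" or f.kev:
                per[f.server][1] += 1
        rows = [(s, c, k) for s, (c, k) in per.items()]
        rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
        return rows[:n]


def run_demo():
    """Two days of constructed inventory uploads from three servers."""
    store, alerts = FindingStore(), {}
    d1, d2 = date(2026, 7, 1), date(2026, 7, 2)
    alerts["web-1@d1"] = store.ingest_inventory("web-1", {"openssl": "1.0.2", "curl": "7.80.0", "sudo": "1.8.30"}, d1)
    alerts["web-2@d1"] = store.ingest_inventory("web-2", {"openssl": "1.0.2", "libxml2": "2.9.0"}, d1)
    alerts["db-1@d1"] = store.ingest_inventory("db-1", {"sudo": "1.8.30"}, d1)
    # Day 2: web-1 has patched openssl; its CVE-2024-0001 finding resolves with nothing to click.
    alerts["web-1@d2"] = store.ingest_inventory("web-1", {"openssl": "3.0.7", "curl": "7.80.0", "sudo": "1.8.30"}, d2)
    return store, alerts


if __name__ == "__main__":
    s, a = run_demo()
    print(a, s.kpis(), s.top_cves(), s.worst_hosts(), sep="\n")
```

Two points worth noticing when you run it: the resolved openssl finding on web-1 stays in the store (six rows, five active), which is what lets resolved findings serve as audit evidence, and a package that simply disappears from an inventory does not resolve its finding, because the page ties resolution to the package being reported at a fixed version, not to its absence.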

When a new critical or KEV finding first appears on a server, an alert is raised through the standard alert channels (email, Slack, webhook, SIEM), so you don’t have to poll this page.

  • Tenant scan mode — Inherit / On / Off (the toggle on this page).
  • Plan gating — whether scanning is on by default depends on your plan. Business and Enterprise have it on by default; the tenant-level override wins either way.
  • Per-server exclusion — if a specific host shouldn’t be scanned (bare probes, ephemeral CI runners), you can turn scanning off on that server’s page.

Scans run on a schedule after every fresh package inventory upload — there is no “run now” button because the source data is refreshed by the agent, not by a scan job.

  • Security Scanner Insights — the cross-fleet insights tab that pairs CVE counts with audit findings.
  • Policy Engine — enforce rules like “no critical CVEs older than 14 days”.
  • Compliance Hub — the umbrella dashboard that includes vulnerabilities alongside audit findings and policy adherence.