larlarua/AutoCVE

An assembly line for CVEs, staffed by LLM agents

AutoCVE orchestrates a team of specialized LLM agents to screen projects, audit source code, verify vulnerabilities, and generate submission-ready CVE reports.

707 stars · Python · Agents · Domain Apps

What it does

AutoCVE runs a multi-agent pipeline that handles the full vulnerability-research lifecycle from project selection to CVE filing. An orchestrator dispatches Recon, Scan, Triage, Finding, and Verification agents to audit source code, filter false positives, verify exploits, and output structured reports. The goal is to shrink the gap between spotting an interesting repository and submitting a finished CVE entry.

The interesting bit

The Finding Agent does the heavy lifting through a ReAct loop with dedicated tool calls, “nudge” correction, and a FinalizeFinding hard stop that forces structured, CVE-worthy output instead of meandering LLM prose. The README claims 30 CVEs across 14 projects in a seven-day test period, including a CVSS 9.9 authorization bypass.

Key highlights

  • Multi-agent workflow with distinct roles: reconnaissance, scanning, triage, deep finding, and verification.
  • Three audit modes ranging from quick tool-scan triage to deep “smart audit” for CVE and 0-day research.
  • Interactive sessions let users interrogate the audit trail and ask agents to fill evidence gaps or explain attack chains.
  • Skills system allows per-agent capability extensions without rearchitecting the pipeline.
  • FastAPI backend and React frontend with PostgreSQL; the UI visualizes agent trees, tool calls, and stage progress.

Caveats

  • The primary README is written in Chinese; English documentation exists but appears secondary.
  • The published CVE table lists 2026 identifiers, which are provisional or reserved rather than fully disclosed entries.

Verdict

Security researchers and bug hunters who want to automate the tedious audit-to-report pipeline should take a look; teams needing battle-tested, enterprise-grade assurance may want to wait for broader community validation.

Frequently asked

What is larlarua/AutoCVE?
AutoCVE orchestrates a team of specialized LLM agents to screen projects, audit source code, verify vulnerabilities, and generate submission-ready CVE reports.
Is AutoCVE open source?
Yes — larlarua/AutoCVE is open source, released under the AGPL-3.0 license.
What language is AutoCVE written in?
larlarua/AutoCVE is primarily written in Python.
How popular is AutoCVE?
larlarua/AutoCVE has 707 stars on GitHub.
Where can I find AutoCVE?
larlarua/AutoCVE is on GitHub at https://github.com/larlarua/AutoCVE.
