README.md

June 13, 2026


flawz is a Terminal User Interface (TUI) for browsing security vulnerabilities (also known as CVEs).

By default it uses the vulnerability database (NVD) from NIST and provides search and listing functionality in the terminal with different theming options.

For example, to view details on the notorious xz vulnerability:

flawz --feeds 2024 --query xz

Installation

Packaging status

Cargo

flawz can be installed from crates.io using cargo if Rust is installed.

cargo install --locked flawz

The minimum supported Rust version (MSRV) is 1.88.0.

Note

You need to have the SQLite 3 development files installed. On Debian and its derivatives you can do so with the following command:

sudo apt install libsqlite3-dev

Arch Linux

flawz can be installed from the official repositories using pacman:

pacman -S flawz

Alpine Linux

flawz is available for Alpine Edge. It can be installed via apk after enabling the testing repository.

apk add flawz

Homebrew

flawz is available for macOS via Homebrew. It can be installed using brew:

brew install flawz

Nixpkgs

flawz is available for Nix via the nixpkgs-unstable channel. To make it available in the environment, simply run:

nix-channel --add https://nixos.org/channels/nixpkgs-unstable
nix-channel --update nixpkgs
nix-env -iA nixpkgs.flawz

On NixOS:

nix-channel --add https://nixos.org/channels/nixos-unstable
nix-channel --update nixos
nix-env -iA nixos.flawz

Alternatively, if you're using the new experimental CLI, you can use the following:

nix run nixpkgs#flawz

NetBSD

flawz is available from the official repositories. To install it, simply run:

pkgin install flawz

Binary releases

See the available binaries for different targets on the releases page.

Build from source

  1. Clone the repository.
git clone https://github.com/orhun/flawz && cd flawz/
  2. Build.
CARGO_TARGET_DIR=target cargo build --release

The binary will be located at target/release/flawz.

Usage

flawz [OPTIONS]

Options:

  -f, --feeds [<FEEDS>...]
          Feeds to sync. Accepts a year (`2026`), a year range (`2002:2026`), `recent` (last 8 days
          of new publications) or `modified` (last 8 days of modifications). Multiple feeds can be
          given

          [env: FEEDS=]
          [default: 2002:2026 recent modified]

  -d, --db <DB>
          Path to the SQLite database used to store the synced CVE data

          [env: DB=]

  -k, --api-key <API_KEY>
          NVD API key. With a key the rate limit is 50 requests / 30s (instead of 5 / 30s), making
          sync roughly 10× faster. Get one at <https://nvd.nist.gov/developers/request-an-api-key>

          [env: NVD_API_KEY=]

  -u, --force-update
          Re-sync feeds that are already present in the cache

  -o, --offline
          Do not fetch feeds; read only what is already cached

  -q, --query <QUERY>
          Start with a search query

          [env: QUERY=]

  -t, --theme <THEME>
          Set the theme

          Possible values:
          - dracula:                    Dracula
          - nord:                       Nord
          - one-dark:                   One Dark
          - solarized-dark:             Solarized Dark
          - gruvbox-light:              Gruvbox Light
          - gruvbox-material-dark-hard: Gruvbox Material Dark Hard
          - catppuccin:                 Catppuccin

          [default: dracula]

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

Key bindings

| Key | Action | Description |
| --- | --- | --- |
| k / Up | Scroll Up | Scroll up the list |
| j / Down | Scroll Down | Scroll down the list |
| Enter | Select | View the selected CVE details |
| / | Search | Search for a CVE |
| Space | Open | Open the first CVE reference in the browser |
| q | Quit | Set computer on fire |

Examples

To start with a specific search query:

flawz --query "buffer overflow"

You can use the --feeds option to sync specific years of feeds:

flawz --feeds 2010:2015 recent

Additionally, you can use the following flags:

  • --force-update: Always fetch feeds, even if they are already up to date.
  • --offline: Run without fetching feeds (useful if you have already synced the data).

For example, you can use the following command to search for a specific vulnerability from 2014:

flawz -q "CVE-2014-0160" -f 2014 --force-update
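
One way to supply the NVD API key without typing it after -k, as an added example that is not part of flawz: command-line arguments are visible to other local users in the process list and end up in shell history, while the NVD_API_KEY variable listed under Options is passed only in the environment of the flawz process. The key file location and the function names are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example, not part of flawz. KEY_FILE is an assumed location.
KEY_FILE="${KEY_FILE:-$HOME/.config/flawz/nvd_api_key}"

# True only for a regular file whose group/other permission bits are all off.
# Symlinks are rejected so the check applies to the file actually named.
key_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print the key with whitespace stripped; fail if the file is missing,
# readable by group/other, or empty.
read_api_key() {
    key_file_is_private "$1" || return 1
    key=$(tr -d '[:space:]' < "$1")
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Run flawz with the key set only in the child's environment. Without a
# usable key file flawz still runs, at the lower rate limit without a key.
flawz_with_key() {
    if key=$(read_api_key "$KEY_FILE"); then
        NVD_API_KEY="$key" flawz "$@"
    else
        echo "flawz_with_key: no private key file at $KEY_FILE, running without a key" >&2
        flawz "$@"
    fi
}
```

After sourcing the file, flawz_with_key --feeds recent modified syncs with the key, and flawz --offline needs no key at all.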

Themes

Start flawz with the --theme option to set a custom theme, e.g. --theme nord.

  • Dracula (default)
  • Nord
  • One Dark
  • Solarized Dark
  • Gruvbox Light
  • Gruvbox Material Dark Hard
  • Catppuccin

Support

If you find flawz and/or other projects on my GitHub useful, consider supporting me on GitHub Sponsors! 💖

Contributing

See our Contribution Guide and please follow the Code of Conduct in all your interactions with the project.

License

Licensed under either of Apache License Version 2.0 or The MIT License at your option.

🦀 ノ( º _ º ノ) - respect crables!

Copyright © 2024-2026, Orhun Parmaksız