Free CVE scanner for Linux servers
One command. No signup. Real CVE matches.
Run this on any Linux server (Ubuntu / Debian / Alpine / AlmaLinux / Rocky Linux):
curl https://mindsparkstack.com/scan.sh | bash
The script reads /etc/os-release, uname -r, and the top 200 installed packages from your distro's package manager (dpkg-query, apk info, or rpm -qa), POSTs the inventory to a public matcher API, and prints any matching CVEs in under 1 second. Source is rendered as text/plain at /scan.sh — read it before piping.
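To see what that inventory looks like on a given host before anything leaves it, the collection described above can be reproduced locally. This is an added example, not the project's scan.sh: the function names, the output layout, and taking the first 200 packages in package-manager order are assumptions, and nothing is transmitted.

```shell
#!/bin/sh
# Added example: local, read-only preview of the inventory the page describes
# (os-release fields, kernel release, up to 200 packages). Sends nothing.
# Function names and output layout are assumptions, not taken from scan.sh.

# os_release_field FILE KEY -> value of KEY in an os-release style file,
# with one layer of surrounding quotes removed.
os_release_field() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# list_packages [LIMIT] -> package/version lines from whichever of the three
# package managers named on the page is present. "First LIMIT lines in the
# package manager's own order" is an assumption about what "top 200" means.
list_packages() {
    limit=${1:-200}
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n'
    elif command -v apk >/dev/null 2>&1; then
        apk info -v
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
    fi 2>/dev/null | head -n "$limit"
}

# preview_inventory [OS_RELEASE_FILE] -> summary header followed by the
# package lines, so the data can be reviewed before it is shared.
preview_inventory() {
    osr=${1:-/etc/os-release}
    echo "distro:   $(os_release_field "$osr" ID)"
    echo "codename: $(os_release_field "$osr" VERSION_CODENAME)"
    echo "kernel:   $(uname -r)"
    pkgs=$(list_packages 200)
    echo "packages: $(printf '%s\n' "$pkgs" | grep -c . || true)"
    printf '%s\n' "$pkgs"
}
```

Source the file and run `preview_inventory` to review the result; package names and versions can reveal internal tooling, so check the list against what you are willing to send to a third party.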
Why is it free?
Because the matcher infrastructure is already running. We index 41,000+ CVEs across 5 distros every hour to power our paid product (continuous monitoring with email/webhook alerts + audit URL). The free scan uses the same matcher for one-shot anonymous queries. Zero marginal cost to us; useful demo for you. Win-win.
We don't persist the inventory you POST. 5-minute server cache, then dropped. No cookies. No third-party trackers. The only persisted data is an anonymous funnel event (event name + path + daily-rotating IP hash, see /patch/security).
What does the output look like?
Real example on an Ubuntu 24.04 (noble) box with an unpatched openssh:
=== StackPatch quickscan ===
distro: ubuntu
codename: noble
kernel: 6.8.0-100-generic
packages: 187
⚠️ 2 active CVE matches on your stack right now (worst: high).
Run the recommended commands above. To monitor every server hourly...
[HIGH] CVE-2026-31431 Linux kernel "Copy Fail" — local-priv-esc
match: Running kernel: 6.8.0-100-generic
recommend: echo -e 'blacklist algif_aead\ninstall algif_aead /bin/false'...
[HIGH] USN-8222-1 OpenSSH 9.6p1 vulnerabilities
match: openssh-client: installed 1:9.6p1-3ubuntu13.10 < fixed 1:9.6p1-3ubuntu13.16
recommend: sudo apt-get update && sudo apt-get install --only-upgrade -y openssh-client
--
Buy founder seat ($99 lifetime, 50 only): https://buy.stripe.com/3cIcN73Rx9r25QG1VGcV20g
Live audit URL of our own VPS: /patch/audit/mss-vps
vs other free Linux CVE scanners
All four free OSS alternatives are great tools — different trade-offs. We've written honest comparison pages for each:
vs vuls.io
Self-hosted, half-day setup, broad distro support. Better if you have a security engineer.
vs Trivy
Container + IaC + Kubernetes focused. Better if your problem is build-time scans.
vs Grype
SBOM-first scanner from Anchore. Better if you generate SBOMs in CI.
vs Snyk
Enterprise commercial dev-time platform. Per-developer pricing.
Form-based version (if you can't pipe-to-bash)
If your environment doesn't allow curl | bash, paste your distro / codename / kernel / package versions into the form at /patch/scan. Same matcher, same output, same trust panel.
When you outgrow the free scanner
The free scan is one-shot. Continuous monitoring requires:
- Hourly inventory + matcher per server
- Email + Discord/Slack webhook alerts on new findings
- Public audit URL per server (sales-trust artifact)
- JSON/CSV export per server
- Persistence across reboots
That's the paid tier — $99 lifetime founder seat, 50 only, 30-day refund. See StackPatch.
Stop reading. Start scanning.
curl https://mindsparkstack.com/scan.sh | bash