Usage
Basic Usage
Look up a CVE:
wtf CVE-2021-44228
Output:
╭──────────────────── CVE-2021-44228 ─────────────────────╮
│ Log4Shell - Apache Log4j Remote Code Execution │
│ CRITICAL (10.0) │
╰─────────────────────────────────────────────────────────╯
What is it?
A critical remote code execution vulnerability in Apache
Log4j 2.x that allows attackers to execute arbitrary code
by sending specially crafted log messages.
Am I affected?
Apache Log4j versions 2.0-beta9 through 2.14.1. If you use
Java applications that use Log4j for logging, check your
dependencies.
How to fix
Upgrade to Log4j 2.17.0 or later.
References
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Options
JSON Output
Get the response as JSON for scripting:
wtf CVE-2021-44228 --json
Or use the short flag:
wtf CVE-2021-44228 -j
Raw Output
Get the complete API response:
wtf CVE-2021-44228 --raw
Commands
Look up a CVE
wtf <CVE-ID>
The CVE ID can be in any of these formats:
- CVE-2021-44228
- cve-2021-44228
- 2021-44228 (CVE- prefix will be added)
Configure API Key
wtf auth
Interactive prompt for your API key.
wtf auth --key YOUR_KEY
Set the API key directly.
Show Version
wtf version
Environment Variables
| Variable | Description |
|---|---|
| WTF_API_KEY | Your API key (overrides config file) |
| WTF_API_URL | API base URL (for self-hosted instances) |
Exit Codes
| Code | Description |
|---|---|
| 0 | Success |
| 1 | Error (invalid key, not found) |
Examples
Scripting
Check if a CVE is critical:
if wtf CVE-2021-44228 --json | jq -e '.data.severity == "CRITICAL"' > /dev/null; then
    echo "CRITICAL vulnerability!"
fi
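The one-liner above cannot tell "not critical" from "lookup failed": if `wtf` exits 1 (invalid key, not found), `jq` gets no input and the `if` branch is simply not taken. The following is an added example, not part of the wtf documentation, of a gate that keeps those cases apart; `normalize_cve`, `cve_gate` and the 0/1/2 return codes are hypothetical names and conventions of this example, and it assumes `jq` is installed and the `.data.severity` field used above.

```bash
# Added example; normalize_cve and cve_gate are hypothetical helper names.
# Assumes jq is installed and the .data.severity field shown on this page.

# Print the canonical form of an ID given as CVE-2021-44228,
# cve-2021-44228 or 2021-44228; return 1 for anything else.
normalize_cve() {
    local id
    id=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$id" in CVE-*) ;; *) id="CVE-$id" ;; esac
    # Reject shell metacharacters, whitespace and newlines outright.
    case "$id" in *[!A-Z0-9-]*) return 1 ;; esac
    printf '%s\n' "$id" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' || return 1
    printf '%s\n' "$id"
}

# Return 0 = looked up and not CRITICAL, 1 = CRITICAL,
# 2 = could not decide (bad ID, wtf exited non-zero, unexpected JSON).
cve_gate() {
    local cve json severity
    cve=$(normalize_cve "$1") || { echo "invalid CVE ID: $1" >&2; return 2; }
    # Capture the output first: without pipefail, a pipeline hides wtf's exit status.
    json=$(wtf "$cve" --json) || { echo "lookup failed: $cve" >&2; return 2; }
    # jq -e exits non-zero when the field is missing or null.
    severity=$(printf '%s' "$json" | jq -er '.data.severity') ||
        { echo "no severity in response for $cve" >&2; return 2; }
    if [ "$severity" = "CRITICAL" ]; then
        echo "CRITICAL vulnerability: $cve" >&2
        return 1
    fi
    return 0
}
```

In CI, treat return code 2 as a failure as well, so an expired API key or an unreachable API cannot turn the gate green.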
Piping
Get just the summary:
wtf CVE-2021-44228 --json | jq -r '.data.summary'
Integration with other tools
Combine with git log to check for vulnerable dependencies:
# Find CVE mentions in commit messages (subject and body),
# one lookup per distinct CVE ID
git log --format=%B --grep="CVE-" |
    grep -oE 'CVE-[0-9]+-[0-9]+' |
    sort -u |
    while read -r cve; do
        echo "=== $cve ==="
        wtf "$cve"
    done