provides APIs which can be used to integrate our data into other systems, set up automations and much more. The following data can be consumed via APIs:

  • CVEs by vendor, product, version, CPE
  • CVE details
  • CVE information in NVD JSON format (e.g., if you already have existing code which supports NVD JSON format)
  • CVSS scores for CVEs, including scores both from NVD and other sources
  • EPSS history for CVEs
  • Emerging CVEs
  • Data mentioning CVEs
  • Full-text search in CVE data
  • Open source vulnerabilities
  • Open source packages
  • Open source vulnerability details in OSSF format
  • Generic data listing and details: All data types in our database (e.g., CVEs, OSV, web pages, advisories, etc.) in a common internal format
  • Tags for any data entry
  • IP address search
  • Domain facets: Attack surface summary for your domain
  • Domain IP list: IP addresses attributed to your domain
  • IP CPE list: CPEs, products, discovered on a given list of IP addresses
  • Vendor, product, version search
  • Product information

New endpoints and support for new operations are added in new releases. Please see the "API Documentation" link under the user menu for the latest API details.
Please note that API access requires an active subscription which includes API access. Typically, Business or Enterprise plans include API access.

API authentication

All API calls require Bearer access tokens. A username and/or password is not required when using bearer tokens.

Example API call using curl:
curl \
	--url "" \
	--header 'Authorization: Bearer REPLACE_THIS_WITH_YOUR_ACCESS_TOKEN' \
	--header 'accept: */*'

Access tokens

Users can manage (create, delete) their access tokens using this form, which expects only a descriptive token name (used for display purposes) and a valid-until date.

Please note that access tokens will be displayed only once, when they are created. Do not forget to save your access token. It is not possible to recover a lost access token. You can always create a new one.

Rate limiting

All API calls are rate limited by default (unless you are on a custom subscription with no rate limiting), and the number of calls allowed varies per subscription plan. Rate limiting is applied per minute only; there are no total call limits per day, per month, etc.

API endpoints will respond with an HTTP 429 status when the rate limit is reached. When you receive an HTTP 429 response, you can wait for a minute and retry; the rate limit will be automatically reset.

Rate limiting is applied at the organization level. For example, assume that your organization has 5 users, each user has created 2 access tokens, and you are sending requests in parallel using 10 different access tokens from 10 different applications.
The rate limit will be applied to the total number of requests coming from any user and/or access token under your subscription.
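
Because the limit is shared by every user and token in the organization, clients can pace themselves against one common budget and wait out the minute after a 429. The sketch below is an added example, not code from this service: `OrgRateLimiter`, `call_api`, the `send` callable and the calls-per-minute value are assumptions to adapt to your plan and HTTP client.

```python
import threading
import time
from collections import deque

WINDOW = 60.0  # seconds; the page states limits are applied per minute


class OrgRateLimiter:
    """One shared limiter for every token and worker in the organization."""

    def __init__(self, calls_per_minute, clock=time.monotonic, sleep=time.sleep):
        self.limit = calls_per_minute      # assumed value; depends on your plan
        self.clock, self.sleep = clock, sleep
        self.sent = deque()                # timestamps of calls inside the window
        self.lock = threading.Lock()

    def acquire(self):
        """Block until one more call fits in the current one-minute window."""
        while True:
            with self.lock:
                now = self.clock()
                # Forget calls that have aged out of the window.
                while self.sent and now - self.sent[0] >= WINDOW:
                    self.sent.popleft()
                if len(self.sent) < self.limit:
                    self.sent.append(now)
                    return
                wait = WINDOW - (now - self.sent[0])
            self.sleep(wait)               # sleep outside the lock

    def penalize(self):
        """Server answered 429: treat the whole window as used up as of now."""
        with self.lock:
            self.sent = deque([self.clock()] * self.limit)


def call_api(send, limiter, max_attempts=3):
    """send() is a hypothetical callable doing one request -> (status, body)."""
    for _ in range(max_attempts):
        limiter.acquire()
        status, body = send()
        if status != 429:
            return status, body
        limiter.penalize()                 # next acquire() waits a full minute
    raise RuntimeError("still rate limited after %d attempts" % max_attempts)
```

A single `OrgRateLimiter` instance only covers workers in one process; applications running separately still draw from the same organization-wide limit, so the 429 handling remains necessary.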
