APIs
CVEdetails.com provides APIs which can be used to integrate our data into other systems, setup automations and much more. The following data can be consumed via APIs:
- CVEs by vendor, product, version, CPE
- CVE details
- CVE information in NVD json format (e.g if you already have existing code which supports NVD json format)
- CVSS scores for CVEs, including scores both from NVD and other sources
- EPSS history for CVEs
- Emerging CVEs
- Data mentioning CVEs
- Full-text search in CVE data
- Open source vulnerabilities
- Open source packages
- Open source vulnerability details in OSSF format
- Generic data listing and details: All data types in our database (e.g CVEs, OSV, web pages, advisories etc) in a common internal format
- Tags for any data entry
- IP address search
- Domain facets: Attack surface summary for your domain
- Domain IP list: IP addresses attributed to your domain
- IP CPE list: CPEs, products, discovered on a given list of IP addresses
- Vendor, product, version search
- Product information
New endpoints and support for new operations are added in new releases, please see the "API Documentation" link under the user menu for
latest API details.
Please note that API access requires an active subscription which includes API access, typically Business or Enterprise plans include API access.
API authentication
All API calls require Bearer access tokens. A username and/or password is not required when using bearer tokens.
curl \
--url "https://www.cvedetails.com/api/v1/vulnerability/search?isInCISAKEV=1" \
--header 'Authorization: Bearer REPLACE_THIS_WITH_YOUR_ACCESS_TOKEN' \
--header 'accept: */*'
Access tokens
Users can manage (create, delete) their access tokens using this form which just expects a descriptive token name (to be used for display purposes) and valid until date.
Rate limiting
All API calls are rate limited by default (unless you are on a custom subscription with no rate limiting) and number of calls allowed vary per subscription plan. Rate limiting is applied per minute only, there are no total call limits per day, per month etc.
API endpoints will respond with http 429 status when the rate limit is reached. When you receive a http 429 response, you can wait for a minute and retry, the rate limit will be automatically reset.
Rate limiting is applied at the organization level.
For example let's assume that your organization have 5 users, and each user created 2 access tokens, and you are sending requests in parallel using
10 different access tokens, from 10 different applications.
The rate limit will be applied to the total number of requests coming from any user and/or access token under your subscription.