API#
Vulnerability-Lookup exposes a REST API under the /api path of every
instance. The same instance also serves an interactive Swagger UI at
/api/, where you can browse the endpoints and try them out live.
PyVulnerabilityLookup
is the official Python client for the API.
Note
Building a mirror, scanner, or other automated consumer? Read
Access patterns for automated consumers first — it
covers the canonical sync path (since= + the pub/sub stream),
identification expectations, and the rate-limit posture. The same
guidance is exposed in machine-readable form at
/.well-known/api-policy.json.
Quick start#
The examples below use the public CIRCL instance
(https://vulnerability.circl.lu); replace the host with your own. Responses
are JSON.
Look up a vulnerability by ID:
$ curl 'https://vulnerability.circl.lu/api/vulnerability/CVE-2024-38063'
Filter comments by metadata — for example those flagged as a Proof of Concept.
The meta parameter is a JSON value matched against the comment’s meta field
(JSONB containment). Use -G/--data-urlencode so curl URL-encodes the JSON
for you instead of escaping it by hand:
$ curl -G 'https://vulnerability.circl.lu/api/comment/' \
--data-urlencode 'meta=[{"tags":["vulnerability:information=PoC"]}]'
Tags are matched exactly, so use the full machine-tag value (for example
vulnerability:information=PoC, not just PoC).
Paginate any list endpoint with page and per_page (see
Response format for the envelope):
$ curl 'https://vulnerability.circl.lu/api/sighting/?vuln_id=CVE-2024-38063&per_page=50'
For the full list of endpoints, parameters, and response models, see the OpenAPI specification below.
Response format#
All list endpoints return a paginated response with the following structure:
{
"metadata": {
"count": 42,
"page": 1,
"per_page": 10
},
"data": []
}
OpenAPI specification#
The complete reference below is generated from the API’s OpenAPI (Swagger)
specification — the same spec that powers the interactive Swagger UI at
/api/.
- GET /browse/#
Get the known vendors
Deprecated: use GET /api/browse/vendors instead. Get the known vendors. Deprecated in favor of /api/browse/vendors.
- Status Codes:
200 OK – Success
- GET /browse/vendors#
Get the known vendors with their last vulnerability change date
Get the known vendors with the date of their most recent vulnerability change, most recently changed first. Vendors without a known last change date are listed last with a null last_change.
- Query Parameters:
q (string) – Case-insensitive substring filter on the name.
since (string) – Only return entries whose last change is at or after this date (ISO 8601 datetime or Unix timestamp). Entries without a known last change date are excluded.
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return (capped at 1000).
- Status Codes:
200 OK – Success
- GET /browse/vendors/{vendor}/products#
Get the products of a vendor with their last vulnerability change date
Get the known products of a vendor with the date of their most recent vulnerability change, most recently changed first. Products without a known last change date are listed last with a null last_change.
- Parameters:
vendor (string)
- Query Parameters:
q (string) – Case-insensitive substring filter on the name.
since (string) – Only return entries whose last change is at or after this date (ISO 8601 datetime or Unix timestamp). Entries without a known last change date are excluded.
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return (capped at 1000).
- Status Codes:
200 OK – Success
- GET /browse/{vendor}#
Get the known products for a vendor
Deprecated: use GET /api/browse/vendors/<vendor>/products instead. Get the known products for a vendor. Deprecated in favor of /api/browse/vendors/<vendor>/products.
- Parameters:
vendor (string)
- Status Codes:
200 OK – Success
- GET /bundle/#
List all bundles
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
uuid (string) – UUID of the bundle.
author (string) – Author (login) of the bundle.
vuln_id (string) – Id of a vulnerability referenced by the bundle.
meta (string) – Query for the meta JSON field. Example: meta=[{‘tags’: [‘tcp’]}]
date_from (string) – The date of the bundles must be bigger or equal than this value. Format: YYYY-MM-DD
date_to (string) – The date of the bundles must be smaller or equal than this value. Format: YYYY-MM-DD
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].author (any) – (read only)
[].data[].creation_timestamp (string) – Creation time of the bundle. (read only)
[].data[].description (string) – Description.
[].data[].meta (object) – Zero or more meta-fields.
[].data[].name (string) – Bundle name.
[].data[].related_vulnerabilities[] (string)
[].data[].timestamp (string) – Updated time of the bundle. (read only)
[].data[].uuid (string) – Bundle id.
[].data[].vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
[].metadata (any) – Metadata related to the result.
- POST /bundle/#
Create a bundle.
- Request JSON Object:
author (any) – (read only)
creation_timestamp (string) – Creation time of the bundle. (read only)
description (string) – Description.
meta (object) – Zero or more meta-fields.
name (string) – Bundle name.
related_vulnerabilities[] (string)
timestamp (string) – Updated time of the bundle. (read only)
uuid (string) – Bundle id.
vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
- Status Codes:
201 Created – Success.
400 Bad Request – JSON validation failed or incorrect payload to instantiate a bundle.
403 Forbidden – Administrator permission required.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].author (any) – (read only)
[].data[].creation_timestamp (string) – Creation time of the bundle. (read only)
[].data[].description (string) – Description.
[].data[].meta (object) – Zero or more meta-fields.
[].data[].name (string) – Bundle name.
[].data[].related_vulnerabilities[] (string)
[].data[].timestamp (string) – Updated time of the bundle. (read only)
[].data[].uuid (string) – Bundle id.
[].data[].vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
[].metadata (any) – Metadata related to the result.
- DELETE /bundle/#
Delete bundles by vulnerability_lookup_origin
Delete bundles by vulnerability_lookup_origin (admin only).
- Query Parameters:
vulnerability_lookup_origin (string) – Delete bundles from this origin instance UUID.
- Status Codes:
200 OK – Deleted bundles successfully.
400 Bad Request – Invalid UUID format.
403 Forbidden – Admin permission required.
404 Not Found – No bundles matched the filter.
- GET /bundle/{bundle_uuid}#
Get a bundle with its UUID.
- Parameters:
bundle_uuid (string)
- Status Codes:
200 OK – Success.
404 Not Found – Bundle not found.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
author (any) – (read only)
creation_timestamp (string) – Creation time of the bundle. (read only)
description (string) – Description.
meta (object) – Zero or more meta-fields.
name (string) – Bundle name.
related_vulnerabilities[] (string)
timestamp (string) – Updated time of the bundle. (read only)
uuid (string) – Bundle id.
vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
- DELETE /bundle/{bundle_uuid}#
Endpoint for deleting a bundle
Delete a bundle. Only an admin can delete a bundle.
- Parameters:
bundle_uuid (string)
- Status Codes:
204 No Content – Success.
403 Forbidden – Administrator permission required or not the author of the bundle.
404 Not Found – Bundle not found.
- GET /capec/#
List all CAPECs
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].@Description (string) – Description. (read only)
[].data[].@ID (string) – Identifiant. (read only)
[].data[].@Name (string) – Name. (read only)
[].metadata (any) – Metadata related to the result.
- GET /capec/{capec_id}#
Get detailed information about a CAPEC
Get detailed information about a CAPEC.
- Parameters:
capec_id (string)
- Status Codes:
200 OK – Success
- GET /cisa_kev/#
List all CISA KEV
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].CVE (string) – CVE identifier (required)
[].data[].EUVD (string) – EUVD identifier
[].data[].cwes (string) – CWE identifiers
[].data[].dateReported (string) – Date when reported
[].data[].exploitationType (string) – Type of exploitation observed
[].data[].notes (string) – Additional notes or links
[].data[].originSource (string) – Source reporting the vulnerability
[].data[].product (string) – Product affected by the vulnerability
[].data[].shortDescription (string) – Short description of the vulnerability
[].data[].threatActorsExploiting (string) – Threat actors exploiting the vulnerability
[].data[].vendorProject (string) – Vendor or project name
[].data[].vulnerabilityName (string) – Vulnerability name
[].metadata (any) – Metadata related to the result.
- GET /cna/cve#
Retrieves all CVE Records after applying the query parameters as filters (accessible to Secretariat)
- Query Parameters:
time_modified.lt (string) – Most recent CVE record modified timestamp to retrieve (format: yyyy-MM-ddTHH:mm:ssZZZZ)
time_modified.gt (string) – Earliest CVE record modified timestamp to retrieve (format: yyyy-MM-ddTHH:mm:ssZZZZ)
state (string) – Filter by state
assigner_short_name (string) – Filter by assignerShortName
assigner (string) – Filter by assigner org UUID
page (integer) – The current page in the paginator
adp_short_name (string) – Filter by ADP short name
count_only (boolean) – Get count of records that match query
cna_modified (boolean) – Only get CVE records with cnaContainers modified/created within the time_modified range
- Status Codes:
200 OK – A filtered list of CVE Records, along with pagination fields if results span multiple pages of data
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- GET /cna/cve-id#
Retrieves information about CVE IDs after applying the query parameters as filters (accessible to all registered users)
- Query Parameters:
state (string) – Filter by state
cve_id_year (string) – Filter by the year of the CVE IDs
time_reserved.lt (string) – Most recent reserved timestamp to retrieve
time_reserved.gt (string) – Earliest CVE ID reserved timestamp to retrieve
time_modified.lt (string) – Most recent modified timestamp to retrieve
time_modified.gt (string) – Earliest CVE ID modified timestamp to retrieve
page (integer) – The current page in the paginator
sort_by (string) – Sort field (default: modified)
sort_dir (string) – Sort direction (default: desc)
search (string) – Substring filter on vuln_id (case-insensitive)
- Status Codes:
200 OK – Filtered CVE IDs
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- Response JSON Object:
currentPage (integer) – Current page
cve_ids[].cve_id (string) – ^CVE-[0-9]{4}-[0-9]{4,}$
cve_ids[].cve_year (string) – ^[0-9]{4}$
cve_ids[].owning_cna (string) – The shortname for the organization that owns the CVE ID
cve_ids[].requested_by.cna (string) – The shortname for the organization of the user that requested the ID
cve_ids[].requested_by.user (string) – The username for the account that requested the ID
cve_ids[].reserved (string) – The time the ID was reserved
cve_ids[].state (string)
cve_ids[].time.created (string) – The time the ID was created
cve_ids[].time.modified (string) – The last time the ID was modified
itemsPerPage (integer) – Number of CVE records in a page
nextPage (integer) – Next page
pageCount (integer) – Total number of pages
prevPage (integer) – Previous page
totalCount (integer) – Total CVE records found
- POST /cna/cve-id#
Reserves CVE IDs for the organization provided in the short_name query parameter (accessible to CNAs and Secretariat)
- Query Parameters:
amount (integer) – Quantity of CVE IDs to reserve
batch_type (string) – Required when amount is greater than one
cve_year (integer) – The year the CVE IDs will be reserved for
short_name (string) – The CNA that will own the reserved CVE IDs
- Status Codes:
200 OK – Reseved CVE IDs
206 Partial Content – Partially Reserved CVE IDs
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- Response JSON Object:
cve_ids[] (any)
details.amount_reserved (integer) – The quantity of IDs reserved in the system
error (string)
message (string)
cve_ids[]
meta.remaining_quota (integer)
- POST /cna/cve-id-range/{year}#
Creates a CVE-ID-Range for the specified year (accessible to Secretariat)
- Parameters:
year (integer)
- Status Codes:
200 OK – The CVE-ID-Range was created
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- PUT /cna/cve-id/{id}#
Updates information related to the specified CVE ID (accessible to CNAs and Secretariat)
- Parameters:
id (string)
- Query Parameters:
org (string) – The shortname of the new owning_cna for the CVE ID
state (string) – The id of the CVE ID to update
- Status Codes:
200 OK – The requested CVE ID information is returned
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- Response JSON Object:
message (string)
updated.cve_id (string) – ^CVE-[0-9]{4}-[0-9]{4,}$
updated.cve_year (string) – ^[0-9]{4}$
updated.owning_cna (string) – The shortname for the organization that owns the CVE ID
updated.requested_by.cna (string) – The shortname for the organization of the user that requested the ID
updated.requested_by.user (string) – The username for the account that requested the ID
updated.reserved (string) – The time the ID was reserved
updated.state (string)
updated.time.created (string) – The time the ID was created
updated.time.modified (string) – The last time the ID was modified
- GET /cna/cve-id/{id}#
Retrieves information about the specified CVE ID (accessible to all users)
- Parameters:
id (string)
- Status Codes:
200 OK – The requested CVE ID information is returned
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
429 Too Many Requests – Too Many Requests
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- Response Headers:
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
- Response JSON Object:
cve_id (string) – ^CVE-[0-9]{4}-[0-9]{4,}$
cve_year (string) – ^[0-9]{4}$
message (string)
owning_cna (string) – The shortname for the organization that owns the CVE ID
requested_by.cna (string) – The shortname for the organization of the user that requested the ID
requested_by.user (string) – The username for the account that requested the ID
reserved (string) – The time the ID was reserved
state (string)
time.created (string) – The time the ID was created
time.modified (string) – The last time the ID was modified
- PUT /cna/cve/{id}#
Updates a CVE Record from full CVE Record JSON for the specified ID (accessible to Secretariat
)
- Parameters:
id (string)
- Status Codes:
200 OK – The CVE Record created
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Response JSON Object:
message (string)
updated.containers.cna.affected.product (string)
updated.containers.cna.affected.vendor (string)
updated.containers.cna.affected.versions[].status (string)
updated.containers.cna.affected.versions[].version (string)
updated.containers.cna.dataType (string)
updated.containers.cna.dataVersion (string)
updated.containers.cna.descriptions[].lang (string)
updated.containers.cna.descriptions[].value (string)
updated.containers.cna.problemTypes[].descriptions[].description (string)
updated.containers.cna.problemTypes[].descriptions[].lang (string)
updated.containers.cna.problemTypes[].descriptions[].type (string)
updated.containers.cna.providerMetadata.orgId (string)
updated.containers.cna.references[].name (string)
updated.containers.cna.references[].url (string)
updated.cveMetadata.assignerOrgId (string)
updated.cveMetadata.assignerShortName (string)
updated.cveMetadata.cveId (string)
updated.cveMetadata.datePublished (string)
updated.cveMetadata.dateReserved (string)
updated.cveMetadata.requesterUserId (string)
updated.cveMetadata.state (string)
updated.dataType (string)
updated.dataVersion (string)
- GET /cna/cve/{id}#
Returns a CVE Record by CVE ID (accessible to all users)
- Parameters:
id (string)
- Status Codes:
200 OK – The requested CVE Record
400 Bad Request – Bad Request
403 Forbidden – Forbidden
404 Not Found – Not Found
429 Too Many Requests – Too Many Requests
500 Internal Server Error – Internal Server Error
- Response Headers:
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
RateLimit-Limit – Indicates the service limit associated with the client in the current time window.
RateLimit-Policy – Indicates a service policy currently associated with the client.
RateLimit-Remaining – Indicates the remaining quota units associated with the expiring-limit.
RateLimit-Reset – Indicates the number of seconds until the quota resets.
- POST /cna/cve/{id}#
Creates a CVE Record from full CVE Record JSON for the specified ID (accessible to Secretariat
)
- Parameters:
id (string)
- Status Codes:
200 OK – The CVE Record created
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- Response JSON Object:
created.containers.cna.affected.product (string)
created.containers.cna.affected.vendor (string)
created.containers.cna.affected.versions[].status (string)
created.containers.cna.affected.versions[].version (string)
created.containers.cna.descriptions[].lang (string)
created.containers.cna.descriptions[].value (string)
created.containers.cna.problemTypes[].descriptions[].description (string)
created.containers.cna.problemTypes[].descriptions[].lang (string)
created.containers.cna.problemTypes[].descriptions[].type (string)
created.containers.cna.providerMetadata.dateUpdated (string)
created.containers.cna.providerMetadata.orgId (string)
created.containers.cna.providerMetadata.shortName (string)
created.containers.cna.references[].name (string)
created.containers.cna.references[].tags[] (string)
created.containers.cna.references[].url (string)
created.cveMetadata.assignerOrgId (string)
created.cveMetadata.assignerShortName (string)
created.cveMetadata.cveId (string)
created.cveMetadata.datePublished (string)
created.cveMetadata.dateReserved (string)
created.cveMetadata.requesterUserId (string)
created.cveMetadata.state (string)
created.dataType (string)
created.dataVersion (string)
message (string)
- DELETE /cna/cve/{id}#
- Parameters:
id (string)
- Status Codes:
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- PUT /cna/cve/{id}/adp#
Inserts or replaces the ADP container for the caller org on an existing CVE Record
- Parameters:
id (string)
- Request JSON Object:
adpContainer.affected[].collectionURL (string)
adpContainer.affected[].cpes[] (string)
adpContainer.affected[].defaultStatus (string)
adpContainer.affected[].modules[] (string)
adpContainer.affected[].packageName (string)
adpContainer.affected[].platforms[] (string)
adpContainer.affected[].product (string)
adpContainer.affected[].programFiles[] (string)
adpContainer.affected[].programRoutines[].name (string) – (required)
adpContainer.affected[].repo (string)
adpContainer.affected[].vendor (string)
adpContainer.affected[].versions[].changes[].at (string) – (required)
adpContainer.affected[].versions[].changes[].status (string) – (required)
adpContainer.affected[].versions[].lessThan (string)
adpContainer.affected[].versions[].lessThanOrEqual (string)
adpContainer.affected[].versions[].status (string)
adpContainer.affected[].versions[].version (string)
adpContainer.affected[].versions[].versionType (string)
adpContainer.configurations[].lang (string) – (required)
adpContainer.configurations[].supportingMedia[].base64 (boolean)
adpContainer.configurations[].supportingMedia[].type (string) – (required)
adpContainer.configurations[].supportingMedia[].value (string) – (required)
adpContainer.configurations[].value (string) – (required)
adpContainer.credits[].lang (string) – (required)
adpContainer.credits[].type (string)
adpContainer.credits[].user (string)
adpContainer.credits[].value (string) – (required)
adpContainer.datePublic (string)
adpContainer.descriptions[].lang (string) – (required)
adpContainer.descriptions[].supportingMedia[].base64 (boolean)
adpContainer.descriptions[].supportingMedia[].type (string) – (required)
adpContainer.descriptions[].supportingMedia[].value (string) – (required)
adpContainer.descriptions[].value (string) – (required)
adpContainer.exploits[].lang (string) – (required)
adpContainer.exploits[].supportingMedia[].base64 (boolean)
adpContainer.exploits[].supportingMedia[].type (string) – (required)
adpContainer.exploits[].supportingMedia[].value (string) – (required)
adpContainer.exploits[].value (string) – (required)
adpContainer.impacts[].capecId (string)
adpContainer.impacts[].descriptions[].lang (string) – (required)
adpContainer.impacts[].descriptions[].supportingMedia[].base64 (boolean)
adpContainer.impacts[].descriptions[].supportingMedia[].type (string) – (required)
adpContainer.impacts[].descriptions[].supportingMedia[].value (string) – (required)
adpContainer.impacts[].descriptions[].value (string) – (required)
adpContainer.metrics[].cvssV2_0.accessComplexity (string)
adpContainer.metrics[].cvssV2_0.accessVector (string)
adpContainer.metrics[].cvssV2_0.authentication (string)
adpContainer.metrics[].cvssV2_0.availabilityImpact (string)
adpContainer.metrics[].cvssV2_0.availabilityRequirement (string)
adpContainer.metrics[].cvssV2_0.baseScore (number) – (required)
adpContainer.metrics[].cvssV2_0.collateralDamagePotential (string)
adpContainer.metrics[].cvssV2_0.confidentialityImpact (string)
adpContainer.metrics[].cvssV2_0.confidentialityRequirement (string)
adpContainer.metrics[].cvssV2_0.environmentalScore (number)
adpContainer.metrics[].cvssV2_0.exploitability (string)
adpContainer.metrics[].cvssV2_0.integrityImpact (string)
adpContainer.metrics[].cvssV2_0.integrityRequirement (string)
adpContainer.metrics[].cvssV2_0.remediationLevel (string)
adpContainer.metrics[].cvssV2_0.reportConfidence (string)
adpContainer.metrics[].cvssV2_0.targetDistribution (string)
adpContainer.metrics[].cvssV2_0.temporalScore (number)
adpContainer.metrics[].cvssV2_0.vectorString (string) – (required)
adpContainer.metrics[].cvssV2_0.version (string) – (required)
adpContainer.metrics[].cvssV3_0.attackComplexity (string)
adpContainer.metrics[].cvssV3_0.attackVector (string)
adpContainer.metrics[].cvssV3_0.availabilityImpact (string)
adpContainer.metrics[].cvssV3_0.availabilityRequirement (string)
adpContainer.metrics[].cvssV3_0.baseScore (number) – (required)
adpContainer.metrics[].cvssV3_0.baseSeverity (string) – (required)
adpContainer.metrics[].cvssV3_0.confidentialityImpact (string)
adpContainer.metrics[].cvssV3_0.confidentialityRequirement (string)
adpContainer.metrics[].cvssV3_0.environmentalScore (number)
adpContainer.metrics[].cvssV3_0.environmentalSeverity (string)
adpContainer.metrics[].cvssV3_0.exploitCodeMaturity (string)
adpContainer.metrics[].cvssV3_0.integrityImpact (string)
adpContainer.metrics[].cvssV3_0.integrityRequirement (string)
adpContainer.metrics[].cvssV3_0.modifiedAttackComplexity (string)
adpContainer.metrics[].cvssV3_0.modifiedAttackVector (string)
adpContainer.metrics[].cvssV3_0.modifiedAvailabilityImpact (string)
adpContainer.metrics[].cvssV3_0.modifiedConfidentialityImpact (string)
adpContainer.metrics[].cvssV3_0.modifiedIntegrityImpact (string)
adpContainer.metrics[].cvssV3_0.modifiedPrivilegesRequired (string)
adpContainer.metrics[].cvssV3_0.modifiedScope (string)
adpContainer.metrics[].cvssV3_0.modifiedUserInteraction (string)
adpContainer.metrics[].cvssV3_0.privilegesRequired (string)
adpContainer.metrics[].cvssV3_0.remediationLevel (string)
adpContainer.metrics[].cvssV3_0.reportConfidence (string)
adpContainer.metrics[].cvssV3_0.scope (string)
adpContainer.metrics[].cvssV3_0.temporalScore (number)
adpContainer.metrics[].cvssV3_0.temporalSeverity (string)
adpContainer.metrics[].cvssV3_0.userInteraction (string)
adpContainer.metrics[].cvssV3_0.vectorString (string) – (required)
adpContainer.metrics[].cvssV3_0.version (string) – (required)
adpContainer.metrics[].cvssV3_1.attackComplexity (string)
adpContainer.metrics[].cvssV3_1.attackVector (string)
adpContainer.metrics[].cvssV3_1.availabilityImpact (string)
adpContainer.metrics[].cvssV3_1.availabilityRequirement (string)
adpContainer.metrics[].cvssV3_1.baseScore (number) – (required)
adpContainer.metrics[].cvssV3_1.baseSeverity (string) – (required)
adpContainer.metrics[].cvssV3_1.confidentialityImpact (string)
adpContainer.metrics[].cvssV3_1.confidentialityRequirement (string)
adpContainer.metrics[].cvssV3_1.environmentalScore (number)
adpContainer.metrics[].cvssV3_1.environmentalSeverity (string)
adpContainer.metrics[].cvssV3_1.exploitCodeMaturity (string)
adpContainer.metrics[].cvssV3_1.integrityImpact (string)
adpContainer.metrics[].cvssV3_1.integrityRequirement (string)
adpContainer.metrics[].cvssV3_1.modifiedAttackComplexity (string)
adpContainer.metrics[].cvssV3_1.modifiedAttackVector (string)
adpContainer.metrics[].cvssV3_1.modifiedAvailabilityImpact (string)
adpContainer.metrics[].cvssV3_1.modifiedConfidentialityImpact (string)
adpContainer.metrics[].cvssV3_1.modifiedIntegrityImpact (string)
adpContainer.metrics[].cvssV3_1.modifiedPrivilegesRequired (string)
adpContainer.metrics[].cvssV3_1.modifiedScope (string)
adpContainer.metrics[].cvssV3_1.modifiedUserInteraction (string)
adpContainer.metrics[].cvssV3_1.privilegesRequired (string)
adpContainer.metrics[].cvssV3_1.remediationLevel (string)
adpContainer.metrics[].cvssV3_1.reportConfidence (string)
adpContainer.metrics[].cvssV3_1.scope (string)
adpContainer.metrics[].cvssV3_1.temporalScore (number)
adpContainer.metrics[].cvssV3_1.temporalSeverity (string)
adpContainer.metrics[].cvssV3_1.userInteraction (string)
adpContainer.metrics[].cvssV3_1.vectorString (string) – (required)
adpContainer.metrics[].cvssV3_1.version (string) – CVSS Version (required)
adpContainer.metrics[].cvssV4_0.Automatable (string)
adpContainer.metrics[].cvssV4_0.Recovery (string)
adpContainer.metrics[].cvssV4_0.Safety (string)
adpContainer.metrics[].cvssV4_0.attackComplexity (string)
adpContainer.metrics[].cvssV4_0.attackRequirements (string)
adpContainer.metrics[].cvssV4_0.attackVector (string)
adpContainer.metrics[].cvssV4_0.availabilityRequirement (string)
adpContainer.metrics[].cvssV4_0.baseScore (number) – (required)
adpContainer.metrics[].cvssV4_0.baseSeverity (string) – (required)
adpContainer.metrics[].cvssV4_0.confidentialityRequirement (string)
adpContainer.metrics[].cvssV4_0.exploitMaturity (string)
adpContainer.metrics[].cvssV4_0.integrityRequirement (string)
adpContainer.metrics[].cvssV4_0.modifiedAttackComplexity (string)
adpContainer.metrics[].cvssV4_0.modifiedAttackRequirements (string)
adpContainer.metrics[].cvssV4_0.modifiedAttackVector (string)
adpContainer.metrics[].cvssV4_0.modifiedPrivilegesRequired (string)
adpContainer.metrics[].cvssV4_0.modifiedSubAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedSubConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedSubIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedUserInteraction (string)
adpContainer.metrics[].cvssV4_0.modifiedVulnAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedVulnConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedVulnIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.privilegesRequired (string)
adpContainer.metrics[].cvssV4_0.providerUrgency (string)
adpContainer.metrics[].cvssV4_0.subAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.subConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.subIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.userInteraction (string)
adpContainer.metrics[].cvssV4_0.valueDensity (string)
adpContainer.metrics[].cvssV4_0.vectorString (string) – (required)
adpContainer.metrics[].cvssV4_0.version (string) – CVSS Version (required)
adpContainer.metrics[].cvssV4_0.vulnAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.vulnConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.vulnIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.vulnerabilityResponseEffort (string)
adpContainer.metrics[].format (string)
adpContainer.metrics[].other.content (object) – (required)
adpContainer.metrics[].other.type (string) – (required)
adpContainer.metrics[].scenarios[].lang (string) – (required)
adpContainer.metrics[].scenarios[].value (string) – (required)
adpContainer.problemTypes[].descriptions[].cweId (string)
adpContainer.problemTypes[].descriptions[].description (string) – (required)
adpContainer.problemTypes[].descriptions[].lang (string) – (required)
adpContainer.problemTypes[].descriptions[].references[].name (string)
adpContainer.problemTypes[].descriptions[].references[].tags[] (any)
adpContainer.problemTypes[].descriptions[].references[].url (string) – (required)
adpContainer.problemTypes[].descriptions[].type (string)
adpContainer.providerMetadata.dateUpdated (string)
adpContainer.providerMetadata.orgId (string) – (required)
adpContainer.providerMetadata.shortName (string)
adpContainer.references[].name (string)
adpContainer.references[].tags[] (any)
adpContainer.references[].url (string) – (required)
adpContainer.solutions[].lang (string) – (required)
adpContainer.solutions[].supportingMedia[].base64 (boolean)
adpContainer.solutions[].supportingMedia[].type (string) – (required)
adpContainer.solutions[].supportingMedia[].value (string) – (required)
adpContainer.solutions[].value (string) – (required)
adpContainer.source (object)
adpContainer.tags[] (any)
adpContainer.taxonomyMappings[].taxonomyName (string) – (required)
adpContainer.taxonomyMappings[].taxonomyRelations[].relationshipName (string) – (required)
adpContainer.taxonomyMappings[].taxonomyRelations[].relationshipValue (string) – (required)
adpContainer.taxonomyMappings[].taxonomyRelations[].taxonomyId (string) – (required)
adpContainer.taxonomyMappings[].taxonomyVersion (string)
adpContainer.timeline[].lang (string) – (required)
adpContainer.timeline[].time (string) – (required)
adpContainer.timeline[].value (string) – (required)
adpContainer.title (string)
adpContainer.workarounds[].lang (string) – (required)
adpContainer.workarounds[].supportingMedia[].base64 (boolean)
adpContainer.workarounds[].supportingMedia[].type (string) – (required)
adpContainer.workarounds[].supportingMedia[].value (string) – (required)
adpContainer.workarounds[].value (string) – (required)
- Status Codes:
200 OK – The CVE Record created
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- Response JSON Object:
message (string)
updated.containers.cna.affected.product (string)
updated.containers.cna.affected.vendor (string)
updated.containers.cna.affected.versions[].status (string)
updated.containers.cna.affected.versions[].version (string)
updated.containers.cna.dataType (string)
updated.containers.cna.dataVersion (string)
updated.containers.cna.descriptions[].lang (string)
updated.containers.cna.descriptions[].value (string)
updated.containers.cna.problemTypes[].descriptions[].description (string)
updated.containers.cna.problemTypes[].descriptions[].lang (string)
updated.containers.cna.problemTypes[].descriptions[].type (string)
updated.containers.cna.providerMetadata.orgId (string)
updated.containers.cna.references[].name (string)
updated.containers.cna.references[].url (string)
updated.cveMetadata.assignerOrgId (string)
updated.cveMetadata.assignerShortName (string)
updated.cveMetadata.cveId (string)
updated.cveMetadata.datePublished (string)
updated.cveMetadata.dateReserved (string)
updated.cveMetadata.requesterUserId (string)
updated.cveMetadata.state (string)
updated.dataType (string)
updated.dataVersion (string)
- PUT /cna/cve/{id}/cna#
- Parameters:
id (string)
- Query Parameters:
erlcheck (boolean) – Enable ERL check
- Request JSON Object:
adpContainer.affected[].collectionURL (string)
adpContainer.affected[].cpes[] (string)
adpContainer.affected[].defaultStatus (string)
adpContainer.affected[].modules[] (string)
adpContainer.affected[].packageName (string)
adpContainer.affected[].platforms[] (string)
adpContainer.affected[].product (string)
adpContainer.affected[].programFiles[] (string)
adpContainer.affected[].programRoutines[].name (string) – (required)
adpContainer.affected[].repo (string)
adpContainer.affected[].vendor (string)
adpContainer.affected[].versions[].changes[].at (string) – (required)
adpContainer.affected[].versions[].changes[].status (string) – (required)
adpContainer.affected[].versions[].lessThan (string)
adpContainer.affected[].versions[].lessThanOrEqual (string)
adpContainer.affected[].versions[].status (string)
adpContainer.affected[].versions[].version (string)
adpContainer.affected[].versions[].versionType (string)
adpContainer.configurations[].lang (string) – (required)
adpContainer.configurations[].supportingMedia[].base64 (boolean)
adpContainer.configurations[].supportingMedia[].type (string) – (required)
adpContainer.configurations[].supportingMedia[].value (string) – (required)
adpContainer.configurations[].value (string) – (required)
adpContainer.credits[].lang (string) – (required)
adpContainer.credits[].type (string)
adpContainer.credits[].user (string)
adpContainer.credits[].value (string) – (required)
adpContainer.datePublic (string)
adpContainer.descriptions[].lang (string) – (required)
adpContainer.descriptions[].supportingMedia[].base64 (boolean)
adpContainer.descriptions[].supportingMedia[].type (string) – (required)
adpContainer.descriptions[].supportingMedia[].value (string) – (required)
adpContainer.descriptions[].value (string) – (required)
adpContainer.exploits[].lang (string) – (required)
adpContainer.exploits[].supportingMedia[].base64 (boolean)
adpContainer.exploits[].supportingMedia[].type (string) – (required)
adpContainer.exploits[].supportingMedia[].value (string) – (required)
adpContainer.exploits[].value (string) – (required)
adpContainer.impacts[].capecId (string)
adpContainer.impacts[].descriptions[].lang (string) – (required)
adpContainer.impacts[].descriptions[].supportingMedia[].base64 (boolean)
adpContainer.impacts[].descriptions[].supportingMedia[].type (string) – (required)
adpContainer.impacts[].descriptions[].supportingMedia[].value (string) – (required)
adpContainer.impacts[].descriptions[].value (string) – (required)
adpContainer.metrics[].cvssV2_0.accessComplexity (string)
adpContainer.metrics[].cvssV2_0.accessVector (string)
adpContainer.metrics[].cvssV2_0.authentication (string)
adpContainer.metrics[].cvssV2_0.availabilityImpact (string)
adpContainer.metrics[].cvssV2_0.availabilityRequirement (string)
adpContainer.metrics[].cvssV2_0.baseScore (number) – (required)
adpContainer.metrics[].cvssV2_0.collateralDamagePotential (string)
adpContainer.metrics[].cvssV2_0.confidentialityImpact (string)
adpContainer.metrics[].cvssV2_0.confidentialityRequirement (string)
adpContainer.metrics[].cvssV2_0.environmentalScore (number)
adpContainer.metrics[].cvssV2_0.exploitability (string)
adpContainer.metrics[].cvssV2_0.integrityImpact (string)
adpContainer.metrics[].cvssV2_0.integrityRequirement (string)
adpContainer.metrics[].cvssV2_0.remediationLevel (string)
adpContainer.metrics[].cvssV2_0.reportConfidence (string)
adpContainer.metrics[].cvssV2_0.targetDistribution (string)
adpContainer.metrics[].cvssV2_0.temporalScore (number)
adpContainer.metrics[].cvssV2_0.vectorString (string) – (required)
adpContainer.metrics[].cvssV2_0.version (string) – (required)
adpContainer.metrics[].cvssV3_0.attackComplexity (string)
adpContainer.metrics[].cvssV3_0.attackVector (string)
adpContainer.metrics[].cvssV3_0.availabilityImpact (string)
adpContainer.metrics[].cvssV3_0.availabilityRequirement (string)
adpContainer.metrics[].cvssV3_0.baseScore (number) – (required)
adpContainer.metrics[].cvssV3_0.baseSeverity (string) – (required)
adpContainer.metrics[].cvssV3_0.confidentialityImpact (string)
adpContainer.metrics[].cvssV3_0.confidentialityRequirement (string)
adpContainer.metrics[].cvssV3_0.environmentalScore (number)
adpContainer.metrics[].cvssV3_0.environmentalSeverity (string)
adpContainer.metrics[].cvssV3_0.exploitCodeMaturity (string)
adpContainer.metrics[].cvssV3_0.integrityImpact (string)
adpContainer.metrics[].cvssV3_0.integrityRequirement (string)
adpContainer.metrics[].cvssV3_0.modifiedAttackComplexity (string)
adpContainer.metrics[].cvssV3_0.modifiedAttackVector (string)
adpContainer.metrics[].cvssV3_0.modifiedAvailabilityImpact (string)
adpContainer.metrics[].cvssV3_0.modifiedConfidentialityImpact (string)
adpContainer.metrics[].cvssV3_0.modifiedIntegrityImpact (string)
adpContainer.metrics[].cvssV3_0.modifiedPrivilegesRequired (string)
adpContainer.metrics[].cvssV3_0.modifiedScope (string)
adpContainer.metrics[].cvssV3_0.modifiedUserInteraction (string)
adpContainer.metrics[].cvssV3_0.privilegesRequired (string)
adpContainer.metrics[].cvssV3_0.remediationLevel (string)
adpContainer.metrics[].cvssV3_0.reportConfidence (string)
adpContainer.metrics[].cvssV3_0.scope (string)
adpContainer.metrics[].cvssV3_0.temporalScore (number)
adpContainer.metrics[].cvssV3_0.temporalSeverity (string)
adpContainer.metrics[].cvssV3_0.userInteraction (string)
adpContainer.metrics[].cvssV3_0.vectorString (string) – (required)
adpContainer.metrics[].cvssV3_0.version (string) – (required)
adpContainer.metrics[].cvssV3_1.attackComplexity (string)
adpContainer.metrics[].cvssV3_1.attackVector (string)
adpContainer.metrics[].cvssV3_1.availabilityImpact (string)
adpContainer.metrics[].cvssV3_1.availabilityRequirement (string)
adpContainer.metrics[].cvssV3_1.baseScore (number) – (required)
adpContainer.metrics[].cvssV3_1.baseSeverity (string) – (required)
adpContainer.metrics[].cvssV3_1.confidentialityImpact (string)
adpContainer.metrics[].cvssV3_1.confidentialityRequirement (string)
adpContainer.metrics[].cvssV3_1.environmentalScore (number)
adpContainer.metrics[].cvssV3_1.environmentalSeverity (string)
adpContainer.metrics[].cvssV3_1.exploitCodeMaturity (string)
adpContainer.metrics[].cvssV3_1.integrityImpact (string)
adpContainer.metrics[].cvssV3_1.integrityRequirement (string)
adpContainer.metrics[].cvssV3_1.modifiedAttackComplexity (string)
adpContainer.metrics[].cvssV3_1.modifiedAttackVector (string)
adpContainer.metrics[].cvssV3_1.modifiedAvailabilityImpact (string)
adpContainer.metrics[].cvssV3_1.modifiedConfidentialityImpact (string)
adpContainer.metrics[].cvssV3_1.modifiedIntegrityImpact (string)
adpContainer.metrics[].cvssV3_1.modifiedPrivilegesRequired (string)
adpContainer.metrics[].cvssV3_1.modifiedScope (string)
adpContainer.metrics[].cvssV3_1.modifiedUserInteraction (string)
adpContainer.metrics[].cvssV3_1.privilegesRequired (string)
adpContainer.metrics[].cvssV3_1.remediationLevel (string)
adpContainer.metrics[].cvssV3_1.reportConfidence (string)
adpContainer.metrics[].cvssV3_1.scope (string)
adpContainer.metrics[].cvssV3_1.temporalScore (number)
adpContainer.metrics[].cvssV3_1.temporalSeverity (string)
adpContainer.metrics[].cvssV3_1.userInteraction (string)
adpContainer.metrics[].cvssV3_1.vectorString (string) – (required)
adpContainer.metrics[].cvssV3_1.version (string) – CVSS Version (required)
adpContainer.metrics[].cvssV4_0.Automatable (string)
adpContainer.metrics[].cvssV4_0.Recovery (string)
adpContainer.metrics[].cvssV4_0.Safety (string)
adpContainer.metrics[].cvssV4_0.attackComplexity (string)
adpContainer.metrics[].cvssV4_0.attackRequirements (string)
adpContainer.metrics[].cvssV4_0.attackVector (string)
adpContainer.metrics[].cvssV4_0.availabilityRequirement (string)
adpContainer.metrics[].cvssV4_0.baseScore (number) – (required)
adpContainer.metrics[].cvssV4_0.baseSeverity (string) – (required)
adpContainer.metrics[].cvssV4_0.confidentialityRequirement (string)
adpContainer.metrics[].cvssV4_0.exploitMaturity (string)
adpContainer.metrics[].cvssV4_0.integrityRequirement (string)
adpContainer.metrics[].cvssV4_0.modifiedAttackComplexity (string)
adpContainer.metrics[].cvssV4_0.modifiedAttackRequirements (string)
adpContainer.metrics[].cvssV4_0.modifiedAttackVector (string)
adpContainer.metrics[].cvssV4_0.modifiedPrivilegesRequired (string)
adpContainer.metrics[].cvssV4_0.modifiedSubAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedSubConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedSubIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedUserInteraction (string)
adpContainer.metrics[].cvssV4_0.modifiedVulnAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedVulnConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedVulnIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.privilegesRequired (string)
adpContainer.metrics[].cvssV4_0.providerUrgency (string)
adpContainer.metrics[].cvssV4_0.subAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.subConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.subIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.userInteraction (string)
adpContainer.metrics[].cvssV4_0.valueDensity (string)
adpContainer.metrics[].cvssV4_0.vectorString (string) – (required)
adpContainer.metrics[].cvssV4_0.version (string) – CVSS Version (required)
adpContainer.metrics[].cvssV4_0.vulnAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.vulnConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.vulnIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.vulnerabilityResponseEffort (string)
adpContainer.metrics[].format (string)
adpContainer.metrics[].other.content (object) – (required)
adpContainer.metrics[].other.type (string) – (required)
adpContainer.metrics[].scenarios[].lang (string) – (required)
adpContainer.metrics[].scenarios[].value (string) – (required)
adpContainer.problemTypes[].descriptions[].cweId (string)
adpContainer.problemTypes[].descriptions[].description (string) – (required)
adpContainer.problemTypes[].descriptions[].lang (string) – (required)
adpContainer.problemTypes[].descriptions[].references[].name (string)
adpContainer.problemTypes[].descriptions[].references[].tags[] (any)
adpContainer.problemTypes[].descriptions[].references[].url (string) – (required)
adpContainer.problemTypes[].descriptions[].type (string)
adpContainer.providerMetadata.dateUpdated (string)
adpContainer.providerMetadata.orgId (string) – (required)
adpContainer.providerMetadata.shortName (string)
adpContainer.references[].name (string)
adpContainer.references[].tags[] (any)
adpContainer.references[].url (string) – (required)
adpContainer.solutions[].lang (string) – (required)
adpContainer.solutions[].supportingMedia[].base64 (boolean)
adpContainer.solutions[].supportingMedia[].type (string) – (required)
adpContainer.solutions[].supportingMedia[].value (string) – (required)
adpContainer.solutions[].value (string) – (required)
adpContainer.source (object)
adpContainer.tags[] (any)
adpContainer.taxonomyMappings[].taxonomyName (string) – (required)
adpContainer.taxonomyMappings[].taxonomyRelations[].relationshipName (string) – (required)
adpContainer.taxonomyMappings[].taxonomyRelations[].relationshipValue (string) – (required)
adpContainer.taxonomyMappings[].taxonomyRelations[].taxonomyId (string) – (required)
adpContainer.taxonomyMappings[].taxonomyVersion (string)
adpContainer.timeline[].lang (string) – (required)
adpContainer.timeline[].time (string) – (required)
adpContainer.timeline[].value (string) – (required)
adpContainer.title (string)
adpContainer.workarounds[].lang (string) – (required)
adpContainer.workarounds[].supportingMedia[].base64 (boolean)
adpContainer.workarounds[].supportingMedia[].type (string) – (required)
adpContainer.workarounds[].supportingMedia[].value (string) – (required)
adpContainer.workarounds[].value (string) – (required)
- Status Codes:
200 OK – The CVE Record created
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- Response JSON Object:
message (string)
updated.containers.cna.affected.product (string)
updated.containers.cna.affected.vendor (string)
updated.containers.cna.affected.versions[].status (string)
updated.containers.cna.affected.versions[].version (string)
updated.containers.cna.dataType (string)
updated.containers.cna.dataVersion (string)
updated.containers.cna.descriptions[].lang (string)
updated.containers.cna.descriptions[].value (string)
updated.containers.cna.problemTypes[].descriptions[].description (string)
updated.containers.cna.problemTypes[].descriptions[].lang (string)
updated.containers.cna.problemTypes[].descriptions[].type (string)
updated.containers.cna.providerMetadata.orgId (string)
updated.containers.cna.references[].name (string)
updated.containers.cna.references[].url (string)
updated.cveMetadata.assignerOrgId (string)
updated.cveMetadata.assignerShortName (string)
updated.cveMetadata.cveId (string)
updated.cveMetadata.datePublished (string)
updated.cveMetadata.dateReserved (string)
updated.cveMetadata.requesterUserId (string)
updated.cveMetadata.state (string)
updated.dataType (string)
updated.dataVersion (string)
- POST /cna/cve/{id}/cna#
Creates a CVE Record from CNA Container JSON for the specified ID (accessible to CNAs and Secretariat)
- Parameters:
id (string)
- Query Parameters:
erlcheck (boolean) – Enable ERL check
- Request JSON Object:
adpContainer.affected[].collectionURL (string)
adpContainer.affected[].cpes[] (string)
adpContainer.affected[].defaultStatus (string)
adpContainer.affected[].modules[] (string)
adpContainer.affected[].packageName (string)
adpContainer.affected[].platforms[] (string)
adpContainer.affected[].product (string)
adpContainer.affected[].programFiles[] (string)
adpContainer.affected[].programRoutines[].name (string) – (required)
adpContainer.affected[].repo (string)
adpContainer.affected[].vendor (string)
adpContainer.affected[].versions[].changes[].at (string) – (required)
adpContainer.affected[].versions[].changes[].status (string) – (required)
adpContainer.affected[].versions[].lessThan (string)
adpContainer.affected[].versions[].lessThanOrEqual (string)
adpContainer.affected[].versions[].status (string)
adpContainer.affected[].versions[].version (string)
adpContainer.affected[].versions[].versionType (string)
adpContainer.configurations[].lang (string) – (required)
adpContainer.configurations[].supportingMedia[].base64 (boolean)
adpContainer.configurations[].supportingMedia[].type (string) – (required)
adpContainer.configurations[].supportingMedia[].value (string) – (required)
adpContainer.configurations[].value (string) – (required)
adpContainer.credits[].lang (string) – (required)
adpContainer.credits[].type (string)
adpContainer.credits[].user (string)
adpContainer.credits[].value (string) – (required)
adpContainer.datePublic (string)
adpContainer.descriptions[].lang (string) – (required)
adpContainer.descriptions[].supportingMedia[].base64 (boolean)
adpContainer.descriptions[].supportingMedia[].type (string) – (required)
adpContainer.descriptions[].supportingMedia[].value (string) – (required)
adpContainer.descriptions[].value (string) – (required)
adpContainer.exploits[].lang (string) – (required)
adpContainer.exploits[].supportingMedia[].base64 (boolean)
adpContainer.exploits[].supportingMedia[].type (string) – (required)
adpContainer.exploits[].supportingMedia[].value (string) – (required)
adpContainer.exploits[].value (string) – (required)
adpContainer.impacts[].capecId (string)
adpContainer.impacts[].descriptions[].lang (string) – (required)
adpContainer.impacts[].descriptions[].supportingMedia[].base64 (boolean)
adpContainer.impacts[].descriptions[].supportingMedia[].type (string) – (required)
adpContainer.impacts[].descriptions[].supportingMedia[].value (string) – (required)
adpContainer.impacts[].descriptions[].value (string) – (required)
adpContainer.metrics[].cvssV2_0.accessComplexity (string)
adpContainer.metrics[].cvssV2_0.accessVector (string)
adpContainer.metrics[].cvssV2_0.authentication (string)
adpContainer.metrics[].cvssV2_0.availabilityImpact (string)
adpContainer.metrics[].cvssV2_0.availabilityRequirement (string)
adpContainer.metrics[].cvssV2_0.baseScore (number) – (required)
adpContainer.metrics[].cvssV2_0.collateralDamagePotential (string)
adpContainer.metrics[].cvssV2_0.confidentialityImpact (string)
adpContainer.metrics[].cvssV2_0.confidentialityRequirement (string)
adpContainer.metrics[].cvssV2_0.environmentalScore (number)
adpContainer.metrics[].cvssV2_0.exploitability (string)
adpContainer.metrics[].cvssV2_0.integrityImpact (string)
adpContainer.metrics[].cvssV2_0.integrityRequirement (string)
adpContainer.metrics[].cvssV2_0.remediationLevel (string)
adpContainer.metrics[].cvssV2_0.reportConfidence (string)
adpContainer.metrics[].cvssV2_0.targetDistribution (string)
adpContainer.metrics[].cvssV2_0.temporalScore (number)
adpContainer.metrics[].cvssV2_0.vectorString (string) – (required)
adpContainer.metrics[].cvssV2_0.version (string) – (required)
adpContainer.metrics[].cvssV3_0.attackComplexity (string)
adpContainer.metrics[].cvssV3_0.attackVector (string)
adpContainer.metrics[].cvssV3_0.availabilityImpact (string)
adpContainer.metrics[].cvssV3_0.availabilityRequirement (string)
adpContainer.metrics[].cvssV3_0.baseScore (number) – (required)
adpContainer.metrics[].cvssV3_0.baseSeverity (string) – (required)
adpContainer.metrics[].cvssV3_0.confidentialityImpact (string)
adpContainer.metrics[].cvssV3_0.confidentialityRequirement (string)
adpContainer.metrics[].cvssV3_0.environmentalScore (number)
adpContainer.metrics[].cvssV3_0.environmentalSeverity (string)
adpContainer.metrics[].cvssV3_0.exploitCodeMaturity (string)
adpContainer.metrics[].cvssV3_0.integrityImpact (string)
adpContainer.metrics[].cvssV3_0.integrityRequirement (string)
adpContainer.metrics[].cvssV3_0.modifiedAttackComplexity (string)
adpContainer.metrics[].cvssV3_0.modifiedAttackVector (string)
adpContainer.metrics[].cvssV3_0.modifiedAvailabilityImpact (string)
adpContainer.metrics[].cvssV3_0.modifiedConfidentialityImpact (string)
adpContainer.metrics[].cvssV3_0.modifiedIntegrityImpact (string)
adpContainer.metrics[].cvssV3_0.modifiedPrivilegesRequired (string)
adpContainer.metrics[].cvssV3_0.modifiedScope (string)
adpContainer.metrics[].cvssV3_0.modifiedUserInteraction (string)
adpContainer.metrics[].cvssV3_0.privilegesRequired (string)
adpContainer.metrics[].cvssV3_0.remediationLevel (string)
adpContainer.metrics[].cvssV3_0.reportConfidence (string)
adpContainer.metrics[].cvssV3_0.scope (string)
adpContainer.metrics[].cvssV3_0.temporalScore (number)
adpContainer.metrics[].cvssV3_0.temporalSeverity (string)
adpContainer.metrics[].cvssV3_0.userInteraction (string)
adpContainer.metrics[].cvssV3_0.vectorString (string) – (required)
adpContainer.metrics[].cvssV3_0.version (string) – (required)
adpContainer.metrics[].cvssV3_1.attackComplexity (string)
adpContainer.metrics[].cvssV3_1.attackVector (string)
adpContainer.metrics[].cvssV3_1.availabilityImpact (string)
adpContainer.metrics[].cvssV3_1.availabilityRequirement (string)
adpContainer.metrics[].cvssV3_1.baseScore (number) – (required)
adpContainer.metrics[].cvssV3_1.baseSeverity (string) – (required)
adpContainer.metrics[].cvssV3_1.confidentialityImpact (string)
adpContainer.metrics[].cvssV3_1.confidentialityRequirement (string)
adpContainer.metrics[].cvssV3_1.environmentalScore (number)
adpContainer.metrics[].cvssV3_1.environmentalSeverity (string)
adpContainer.metrics[].cvssV3_1.exploitCodeMaturity (string)
adpContainer.metrics[].cvssV3_1.integrityImpact (string)
adpContainer.metrics[].cvssV3_1.integrityRequirement (string)
adpContainer.metrics[].cvssV3_1.modifiedAttackComplexity (string)
adpContainer.metrics[].cvssV3_1.modifiedAttackVector (string)
adpContainer.metrics[].cvssV3_1.modifiedAvailabilityImpact (string)
adpContainer.metrics[].cvssV3_1.modifiedConfidentialityImpact (string)
adpContainer.metrics[].cvssV3_1.modifiedIntegrityImpact (string)
adpContainer.metrics[].cvssV3_1.modifiedPrivilegesRequired (string)
adpContainer.metrics[].cvssV3_1.modifiedScope (string)
adpContainer.metrics[].cvssV3_1.modifiedUserInteraction (string)
adpContainer.metrics[].cvssV3_1.privilegesRequired (string)
adpContainer.metrics[].cvssV3_1.remediationLevel (string)
adpContainer.metrics[].cvssV3_1.reportConfidence (string)
adpContainer.metrics[].cvssV3_1.scope (string)
adpContainer.metrics[].cvssV3_1.temporalScore (number)
adpContainer.metrics[].cvssV3_1.temporalSeverity (string)
adpContainer.metrics[].cvssV3_1.userInteraction (string)
adpContainer.metrics[].cvssV3_1.vectorString (string) – (required)
adpContainer.metrics[].cvssV3_1.version (string) – CVSS Version (required)
adpContainer.metrics[].cvssV4_0.Automatable (string)
adpContainer.metrics[].cvssV4_0.Recovery (string)
adpContainer.metrics[].cvssV4_0.Safety (string)
adpContainer.metrics[].cvssV4_0.attackComplexity (string)
adpContainer.metrics[].cvssV4_0.attackRequirements (string)
adpContainer.metrics[].cvssV4_0.attackVector (string)
adpContainer.metrics[].cvssV4_0.availabilityRequirement (string)
adpContainer.metrics[].cvssV4_0.baseScore (number) – (required)
adpContainer.metrics[].cvssV4_0.baseSeverity (string) – (required)
adpContainer.metrics[].cvssV4_0.confidentialityRequirement (string)
adpContainer.metrics[].cvssV4_0.exploitMaturity (string)
adpContainer.metrics[].cvssV4_0.integrityRequirement (string)
adpContainer.metrics[].cvssV4_0.modifiedAttackComplexity (string)
adpContainer.metrics[].cvssV4_0.modifiedAttackRequirements (string)
adpContainer.metrics[].cvssV4_0.modifiedAttackVector (string)
adpContainer.metrics[].cvssV4_0.modifiedPrivilegesRequired (string)
adpContainer.metrics[].cvssV4_0.modifiedSubAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedSubConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedSubIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedUserInteraction (string)
adpContainer.metrics[].cvssV4_0.modifiedVulnAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedVulnConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.modifiedVulnIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.privilegesRequired (string)
adpContainer.metrics[].cvssV4_0.providerUrgency (string)
adpContainer.metrics[].cvssV4_0.subAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.subConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.subIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.userInteraction (string)
adpContainer.metrics[].cvssV4_0.valueDensity (string)
adpContainer.metrics[].cvssV4_0.vectorString (string) – (required)
adpContainer.metrics[].cvssV4_0.version (string) – CVSS Version (required)
adpContainer.metrics[].cvssV4_0.vulnAvailabilityImpact (string)
adpContainer.metrics[].cvssV4_0.vulnConfidentialityImpact (string)
adpContainer.metrics[].cvssV4_0.vulnIntegrityImpact (string)
adpContainer.metrics[].cvssV4_0.vulnerabilityResponseEffort (string)
adpContainer.metrics[].format (string)
adpContainer.metrics[].other.content (object) – (required)
adpContainer.metrics[].other.type (string) – (required)
adpContainer.metrics[].scenarios[].lang (string) – (required)
adpContainer.metrics[].scenarios[].value (string) – (required)
adpContainer.problemTypes[].descriptions[].cweId (string)
adpContainer.problemTypes[].descriptions[].description (string) – (required)
adpContainer.problemTypes[].descriptions[].lang (string) – (required)
adpContainer.problemTypes[].descriptions[].references[].name (string)
adpContainer.problemTypes[].descriptions[].references[].tags[] (any)
adpContainer.problemTypes[].descriptions[].references[].url (string) – (required)
adpContainer.problemTypes[].descriptions[].type (string)
adpContainer.providerMetadata.dateUpdated (string)
adpContainer.providerMetadata.orgId (string) – (required)
adpContainer.providerMetadata.shortName (string)
adpContainer.references[].name (string)
adpContainer.references[].tags[] (any)
adpContainer.references[].url (string) – (required)
adpContainer.solutions[].lang (string) – (required)
adpContainer.solutions[].supportingMedia[].base64 (boolean)
adpContainer.solutions[].supportingMedia[].type (string) – (required)
adpContainer.solutions[].supportingMedia[].value (string) – (required)
adpContainer.solutions[].value (string) – (required)
adpContainer.source (object)
adpContainer.tags[] (any)
adpContainer.taxonomyMappings[].taxonomyName (string) – (required)
adpContainer.taxonomyMappings[].taxonomyRelations[].relationshipName (string) – (required)
adpContainer.taxonomyMappings[].taxonomyRelations[].relationshipValue (string) – (required)
adpContainer.taxonomyMappings[].taxonomyRelations[].taxonomyId (string) – (required)
adpContainer.taxonomyMappings[].taxonomyVersion (string)
adpContainer.timeline[].lang (string) – (required)
adpContainer.timeline[].time (string) – (required)
adpContainer.timeline[].value (string) – (required)
adpContainer.title (string)
adpContainer.workarounds[].lang (string) – (required)
adpContainer.workarounds[].supportingMedia[].base64 (boolean)
adpContainer.workarounds[].supportingMedia[].type (string) – (required)
adpContainer.workarounds[].supportingMedia[].value (string) – (required)
adpContainer.workarounds[].value (string) – (required)
- Status Codes:
200 OK – The CVE Record created
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- Response JSON Object:
message (string)
updated.containers.cna.affected.product (string)
updated.containers.cna.affected.vendor (string)
updated.containers.cna.affected.versions[].status (string)
updated.containers.cna.affected.versions[].version (string)
updated.containers.cna.dataType (string)
updated.containers.cna.dataVersion (string)
updated.containers.cna.descriptions[].lang (string)
updated.containers.cna.descriptions[].value (string)
updated.containers.cna.problemTypes[].descriptions[].description (string)
updated.containers.cna.problemTypes[].descriptions[].lang (string)
updated.containers.cna.problemTypes[].descriptions[].type (string)
updated.containers.cna.providerMetadata.orgId (string)
updated.containers.cna.references[].name (string)
updated.containers.cna.references[].url (string)
updated.cveMetadata.assignerOrgId (string)
updated.cveMetadata.assignerShortName (string)
updated.cveMetadata.cveId (string)
updated.cveMetadata.datePublished (string)
updated.cveMetadata.dateReserved (string)
updated.cveMetadata.requesterUserId (string)
updated.cveMetadata.state (string)
updated.dataType (string)
updated.dataVersion (string)
- PUT /cna/cve/{id}/reject#
- Parameters:
id (string)
- Status Codes:
200 OK – The CVE Record created
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Response JSON Object:
message (string)
updated.containers.cna.affected.product (string)
updated.containers.cna.affected.vendor (string)
updated.containers.cna.affected.versions[].status (string)
updated.containers.cna.affected.versions[].version (string)
updated.containers.cna.dataType (string)
updated.containers.cna.dataVersion (string)
updated.containers.cna.descriptions[].lang (string)
updated.containers.cna.descriptions[].value (string)
updated.containers.cna.problemTypes[].descriptions[].description (string)
updated.containers.cna.problemTypes[].descriptions[].lang (string)
updated.containers.cna.problemTypes[].descriptions[].type (string)
updated.containers.cna.providerMetadata.orgId (string)
updated.containers.cna.references[].name (string)
updated.containers.cna.references[].url (string)
updated.cveMetadata.assignerOrgId (string)
updated.cveMetadata.assignerShortName (string)
updated.cveMetadata.cveId (string)
updated.cveMetadata.datePublished (string)
updated.cveMetadata.dateReserved (string)
updated.cveMetadata.requesterUserId (string)
updated.cveMetadata.state (string)
updated.dataType (string)
updated.dataVersion (string)
- POST /cna/cve/{id}/reject#
Creates a rejected CVE Record for the specified ID if no record yet exists (accessible to CNAs and Secretariat)
- Parameters:
id (string)
- Status Codes:
200 OK – The CVE Record created
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Response JSON Object:
message (string)
updated.containers.cna.affected.product (string)
updated.containers.cna.affected.vendor (string)
updated.containers.cna.affected.versions[].status (string)
updated.containers.cna.affected.versions[].version (string)
updated.containers.cna.dataType (string)
updated.containers.cna.dataVersion (string)
updated.containers.cna.descriptions[].lang (string)
updated.containers.cna.descriptions[].value (string)
updated.containers.cna.problemTypes[].descriptions[].description (string)
updated.containers.cna.problemTypes[].descriptions[].lang (string)
updated.containers.cna.problemTypes[].descriptions[].type (string)
updated.containers.cna.providerMetadata.orgId (string)
updated.containers.cna.references[].name (string)
updated.containers.cna.references[].url (string)
updated.cveMetadata.assignerOrgId (string)
updated.cveMetadata.assignerShortName (string)
updated.cveMetadata.cveId (string)
updated.cveMetadata.datePublished (string)
updated.cveMetadata.dateReserved (string)
updated.cveMetadata.requesterUserId (string)
updated.cveMetadata.state (string)
updated.dataType (string)
updated.dataVersion (string)
- GET /cna/cve_count#
Retrieves the count of all the CVE Records after applying the query parameters as filters (accessible to all users)
- Query Parameters:
state (string) – Filter by state
- Status Codes:
200 OK – A count of the total number of filtered CVE records
400 Bad Request – Bad Request
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Response JSON Object:
totalCount (integer)
- GET /cna/cve_cursor#
Retrieves all CVE Records after applying the query parameters as filters (accessible to Secretariat)
- Query Parameters:
time_modified.lt (string) – Most recent CVE record modified timestamp to retrieve
time_modified.gt (string) – Earliest CVE record modified timestamp to retrieve
state (string) – Filter by state
count_only (boolean) – Get count of records that match query
assigner_short_name (string) – Filter by assignerShortName
assigner (string) – Filter by assigner org UUID
cna_modified (boolean) – Only get CVE records with cnaContainers that have been modified/created within the set time_modified range
adp_short_name (string) – Only get CVE records that have an adpContainer owned by this org
next_page (string) – Key returned by a GET /cve_cursor call that must be used to get the next page of results in a subsequent call
previous_page (string) – Key returned by a GET /cve_cursor call that must be used to get the previous page of results in a subsequent call
limit (integer) – Maximum number of records to return
- Status Codes:
200 OK – A filtered list of CVE Records, along with pagination fields if results span multiple pages of data
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- GET /cna/health-check#
Check that the system is running
Checks that the system is running (accessible to all users)
- Status Codes:
200 OK – Returns a 200 respose code
- GET /cna/org#
- Query Parameters:
page (integer) – The current page in the paginator
- Status Codes:
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- GET /cna/org/{identifier}#
- Parameters:
identifier (string)
- Status Codes:
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- GET /cna/users#
- Query Parameters:
page (integer) – The current page in the paginator
- Status Codes:
400 Bad Request – Bad Request
401 Unauthorized – Not Authenticated
403 Forbidden – Forbidden
404 Not Found – Not Found
500 Internal Server Error – Internal Server Error
- Request Headers:
CVE-API-ORG – Organization shortname is required
CVE-API-USER – Username is required
CVE-API-KEY – API key is required
- GET /cnw_kev/#
List all CNW KEV
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].CVE (string) – CVE identifier (required)
[].data[].EUVD (string) – EUVD identifier
[].data[].cwes (string) – CWE identifiers
[].data[].dateReported (string) – Date when reported
[].data[].exploitationType (string) – Type of exploitation observed
[].data[].notes (string) – Additional notes or links
[].data[].originSource (string) – Source reporting the vulnerability
[].data[].product (string) – Product affected by the vulnerability
[].data[].shortDescription (string) – Short description of the vulnerability
[].data[].threatActorsExploiting (string) – Threat actors exploiting the vulnerability
[].data[].vendorProject (string) – Vendor or project name
[].data[].vulnerabilityName (string) – Vulnerability name
[].metadata (any) – Metadata related to the result.
- GET /comment/#
List all comments
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
uuid (string) – UUID of the comment.
vuln_id (string) – Vulnerability related to the comment.
author (string) – Author of the comment.
meta (string) – Query for the meta JSON field. Example: meta=[{‘tags’: [‘PoC’]}]
date_from (string) – The date of the comments must be bigger or equal than this value. Format: YYYY-MM-DD
date_to (string) – The date of the comments must be smaller or equal than this value. Format: YYYY-MM-DD
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].author (any) – (read only)
[].data[].creation_timestamp (string) – Creation time of the comment. (read only)
[].data[].description (string) – Description.
[].data[].description_format (string) – Description format (markdown or text).
[].data[].meta (object) – Zero or more meta-fields.
[].data[].related_vulnerabilities[] (string)
[].data[].timestamp (string) – Updated time of the comment. (read only)
[].data[].title (string) – Comment title.
[].data[].uuid (string) – Comment uuid.
[].data[].vulnerability (string) – Vulnerability id.
[].data[].vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
[].metadata (any) – Metadata related to the result.
- POST /comment/#
Create a new comment related to a security advisory (vulnerability)
Create a comment related to a security advisory.
- Request JSON Object:
author (any) – (read only)
creation_timestamp (string) – Creation time of the comment. (read only)
description (string) – Description.
description_format (string) – Description format (markdown or text).
meta (object) – Zero or more meta-fields.
related_vulnerabilities[] (string)
timestamp (string) – Updated time of the comment. (read only)
title (string) – Comment title.
uuid (string) – Comment uuid.
vulnerability (string) – Vulnerability id.
vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
- Status Codes:
201 Created – Success.
400 Bad Request – JSON validation failed or incorrect payload to instantiate a comment.
403 Forbidden – Commenter permission required or not the author of the comment.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].author (any) – (read only)
[].data[].creation_timestamp (string) – Creation time of the comment. (read only)
[].data[].description (string) – Description.
[].data[].description_format (string) – Description format (markdown or text).
[].data[].meta (object) – Zero or more meta-fields.
[].data[].related_vulnerabilities[] (string)
[].data[].timestamp (string) – Updated time of the comment. (read only)
[].data[].title (string) – Comment title.
[].data[].uuid (string) – Comment uuid.
[].data[].vulnerability (string) – Vulnerability id.
[].data[].vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
[].metadata (any) – Metadata related to the result.
- DELETE /comment/#
Delete comments by vulnerability_lookup_origin
Delete comments by vulnerability_lookup_origin (admin only).
- Query Parameters:
vulnerability_lookup_origin (string) – Delete comments from this origin instance UUID.
- Status Codes:
200 OK – Deleted comments successfully.
400 Bad Request – Invalid UUID format.
403 Forbidden – Admin permission required.
404 Not Found – No comments matched the filter.
- GET /comment/{comment_uuid}#
Get a comment with its UUID.
- Parameters:
comment_uuid (string)
- Status Codes:
200 OK – Success.
404 Not Found – Comment not found.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
author (any) – (read only)
creation_timestamp (string) – Creation time of the comment. (read only)
description (string) – Description.
description_format (string) – Description format (markdown or text).
meta (object) – Zero or more meta-fields.
related_vulnerabilities[] (string)
timestamp (string) – Updated time of the comment. (read only)
title (string) – Comment title.
uuid (string) – Comment uuid.
vulnerability (string) – Vulnerability id.
vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
- DELETE /comment/{comment_uuid}#
Endpoint for deleting a comment
Delete a comment.
- Parameters:
comment_uuid (string)
- Status Codes:
204 No Content – Success.
403 Forbidden – Commenter permission required or not the author of the comment.
404 Not Found – Comment not found.
- GET /cwe/#
List all CWEs
- Query Parameters:
vuln_id (string) – ID of a vulnerability that references one or more CWE identifiers.
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].@Abstraction (string) – Abstraction of the CWE (required)
[].data[].@ID (string) – CWE ID (required)
[].data[].@Name (string) – Name of the CWE (required)
[].data[].@Status (string) – Status of the CWE (required)
[].data[].@Structure (string) – Structure of the CWE (required)
[].data[].Description (string) – Description of the CWE (required)
[].data[].Potential_Mitigations (any) – Potential mitigations
[].data[].Related_Weaknesses (any) – Related weaknesses
[].metadata (any) – Metadata related to the result.
- GET /cwe/{cwe_id}#
Get detailed information about a CWE
Get detailed information about a CWE.
- Parameters:
cwe_id (string)
- Status Codes:
200 OK – Success
- GET /emb3d/#
List all Adversarial Techniques from MITRE EMB3D
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
vuln_id (string) – Vulnerability identifier.
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].CWE (object) – CWE (read only)
[].data[].Type (string) – Type (read only)
[].data[].description (string) – Description (read only)
[].data[].id (string) – Identifiant (read only)
[].metadata (any) – Metadata related to the result.
- GET /emb3d/{emb3d_id}#
Get detailed information about a MITRE EMB3D Adversarial Technique
Get detailed information about a MITRE EMB3D Adversarial Technique.
- Parameters:
emb3d_id (string)
- Status Codes:
200 OK – Success
- GET /epss/{vulnerability_id}#
Get the EPSS score of a vulnerability
Get the EPSS score of a vulnerability.
- Parameters:
vulnerability_id (string)
- Status Codes:
200 OK – Success.
404 Not Found – EPSS score not found.
502 Bad Gateway – Bad Gateway: Invalid response from EPSS service.
503 Service Unavailable – Service Unavailable: Unable to reach EPSS service or misconfigured.
- GET /gcve/publication#
List the GCVE published by the local Vulnerability-Lookup instance
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
date_sort (string) – Field to sort by (published, updated, reserved).
sort_order (string) – Sort order: asc or desc.
since (string) – Retrieve vulnerabilities published/updated after this date.
- Status Codes:
200 OK – Success
- GET /gcve/registry#
List the GNAs from the local GCVE registry of the Vulnerability-Lookup instance
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
short_name (string) – Short name of the organization.
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].cpe_vendor_name (string) – Official CPE vendor name. (read only)
[].data[].full_name (string) – Full legal name of the organization. (read only)
[].data[].gcve_allocation (string) – URL of the interface used to allocate or register new vulnerabilities. (read only)
[].data[].gcve_api (string) – URL of the API endpoint providing vulnerability data. (read only)
[].data[].gcve_dump (string) – URL to a machine-readable dump (e.g., JSON) of vulnerability information. (read only)
[].data[].gcve_pull_api (string) – URL of the interface compatible to retrieve the local GNA publications. (read only)
[].data[].gcve_url (string) – URL to the public vulnerability disclosure website. (read only)
[].data[].id (string) – Unique identifier for the GCVE Numbering Authority. (read only)
[].data[].short_name (string) – Short name of the organization. (read only)
[].metadata (any) – Metadata related to the result.
- GET /gcve/registry/integrity#
Verify the integrity of the local registry
- Status Codes:
200 OK – Success
- GET /kev#
List KEV entries with pagination and filtering
- Query Parameters:
page (integer) – Page number
per_page (integer) – Items per page (max 1000)
vuln_id (string) – Filter by vulnerability ID
status_reason (string)
exploited (boolean) – Filter by exploited status
vulnerability_lookup_origin (string) – Filter by origin instance UUID
date_from (string) – Filter from date (YYYY-MM-DD)
date_to (string) – Filter to date (YYYY-MM-DD)
author (string) – Filter by author login
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
data[].characteristics (object) – Technical characteristics
data[].evidence[].confidence (object) – Confidence (number 0.0-1.0 or string)
data[].evidence[].details (object) – Implementation-specific details
data[].evidence[].signal (object) – Evidence signal (string or array of strings)
data[].evidence[].source (string) – Evidence source (required) (required)
data[].evidence[].type (string) – Evidence type (optional)
data[].gcve (any) – GCVE origin metadata for the KEV assertion
data[].references (object) – Related references
data[].scope (object) – Geographical/sectoral context
data[].status.exploited (boolean) – Exploitation observed (required)
data[].status.status_reason (string) – Status reason (required)
data[].status.status_updated_at (string) – Status update time (required)
data[].timestamps (object) – Temporal context
data[].uuid (string) – KEV entry UUID (read only)
data[].vulnerability.altId[] (string)
data[].vulnerability.vulnId (string) – Vulnerability ID (required)
metadata.count (integer) – Total number of the items of the data. (read only)
metadata.page (integer) – Number of the page. (read only)
metadata.per_page (integer) – Requested limit data. (read only)
- GET /kev/#
List KEV entries with pagination and filtering
- Query Parameters:
page (integer) – Page number
per_page (integer) – Items per page (max 1000)
vuln_id (string) – Filter by vulnerability ID
status_reason (string)
exploited (boolean) – Filter by exploited status
vulnerability_lookup_origin (string) – Filter by origin instance UUID
date_from (string) – Filter from date (YYYY-MM-DD)
date_to (string) – Filter to date (YYYY-MM-DD)
author (string) – Filter by author login
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
data[].characteristics (object) – Technical characteristics
data[].evidence[].confidence (object) – Confidence (number 0.0-1.0 or string)
data[].evidence[].details (object) – Implementation-specific details
data[].evidence[].signal (object) – Evidence signal (string or array of strings)
data[].evidence[].source (string) – Evidence source (required) (required)
data[].evidence[].type (string) – Evidence type (optional)
data[].gcve (any) – GCVE origin metadata for the KEV assertion
data[].references (object) – Related references
data[].scope (object) – Geographical/sectoral context
data[].status.exploited (boolean) – Exploitation observed (required)
data[].status.status_reason (string) – Status reason (required)
data[].status.status_updated_at (string) – Status update time (required)
data[].timestamps (object) – Temporal context
data[].uuid (string) – KEV entry UUID (read only)
data[].vulnerability.altId[] (string)
data[].vulnerability.vulnId (string) – Vulnerability ID (required)
metadata.count (integer) – Total number of the items of the data. (read only)
metadata.page (integer) – Number of the page. (read only)
metadata.per_page (integer) – Requested limit data. (read only)
- DELETE /kev/catalog/{catalog_uuid}#
Delete all KEV entries from a specific catalog (admin only)
- Parameters:
catalog_uuid (string)
- Status Codes:
200 OK – Success
- PUT /kev/{kev_uuid}#
Update KEV entry (author or admin only)
- Parameters:
kev_uuid (string)
- Status Codes:
200 OK – Success
- GET /kev/{kev_uuid}#
Get single KEV entry
- Parameters:
kev_uuid (string)
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
characteristics (object) – Technical characteristics
evidence[].confidence (object) – Confidence (number 0.0-1.0 or string)
evidence[].details (object) – Implementation-specific details
evidence[].signal (object) – Evidence signal (string or array of strings)
evidence[].source (string) – Evidence source (required) (required)
evidence[].type (string) – Evidence type (optional)
gcve (any) – GCVE origin metadata for the KEV assertion
references (object) – Related references
scope (object) – Geographical/sectoral context
status.exploited (boolean) – Exploitation observed (required)
status.status_reason (string) – Status reason (required)
status.status_updated_at (string) – Status update time (required)
timestamps (object) – Temporal context
uuid (string) – KEV entry UUID (read only)
vulnerability.altId[] (string)
vulnerability.vulnId (string) – Vulnerability ID (required)
- DELETE /kev/{kev_uuid}#
Delete KEV entry (admin only)
- Parameters:
kev_uuid (string)
- Status Codes:
200 OK – Success
- GET /organization/#
List all organizations
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
id (integer) – ID of the organization.
uuid (string) – UUID of the organization.
name (string) – The name of the organization.
gna_id (integer) – The reserved GNA identifier of the organization.
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].creation_timestamp (string) – Creation time of the organization. (read only)
[].data[].description (string) – Description.
[].data[].gna_id (integer) – The reserved GNA identifier of the organization.
[].data[].id (string) – Organization id.
[].data[].name (string) – Organization name.
[].data[].short_name (string) – Organization short name.
[].data[].updated_timestamp (string) – Updated time of the organization. (read only)
[].data[].uuid (string) – Organization uuid.
[].metadata (any) – Metadata related to the result.
- GET /product/#
List all products
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
uuid (string) – UUID of the product.
name (string) – The name of the product.
organization_name (string) – The name of the organization related to the product.
organization_id (string) – The id of the organization related to the product.
organization_uuid (string) – The uuid of the organization related to the product.
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].creation_timestamp (string) – Creation time of the product. (read only)
[].data[].description (string) – Description.
[].data[].id (string) – Product id.
[].data[].name (string) – Product name.
[].data[].updated_timestamp (string) – Updated time of the product. (read only)
[].data[].uuid (string) – Product uuid.
[].metadata (any) – Metadata related to the result.
- GET /rulezet/search_rules_by_vulnerabilities/{vulnerability_id}#
Get rules from Rulezet by vulnerability id
Get rules from Rulezet by vulnerability id.
- Parameters:
vulnerability_id (string)
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
- Status Codes:
200 OK – Success.
404 Not Found – Rule not found in Rulezet.
502 Bad Gateway – Bad Gateway: Invalid response from Rulezet.
503 Service Unavailable – Service Unavailable: Unable to reach Rulezet or misconfigured.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].creation_date (string) – Date the ule was created. (required)
[].data[].description (string) – Description of the rule. (required)
[].data[].detail_url (string) – URL of the rule. (required)
[].data[].format (string) – Format of the rule. (required)
[].data[].id (integer) – Rule ID. (required)
[].data[].raw (string) – raw version of the rule. (required)
[].data[].title (string) – Title of the rule. (required)
[].data[].updated_date (string) – Date the rule was updated. (required)
[].data[].uuid (string) – Rule UUID. (required)
[].data[].vulnerability_id (string) – Related vulnerability. (required)
[].metadata (any) – Metadata related to the result.
- GET /sighting#
List all sightings
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
uuid (string) – UUID of the sighting.
type (string) –
- Type of sightings:
Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
vuln_id (string) – Vulnerability related to the sighting.
author (string) – Author of the sighting (login).
date_from (string) – The date of the sightings must be bigger or equal than this value. Format: YYYY-MM-DD
date_to (string) – The date of the sightings must be smaller or equal than this value. Format: YYYY-MM-DD
source (string) – Source of the sighting.
advisory_status (string) – Filter sightings by the status of the related advisory.
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].author (any) – (read only)
[].data[].content (string) – Optional content of the sighting (e.g. the body of a Telegram message, a Bluesky/Mastodon post, a GitHub Gist or a blog article).
[].data[].creation_timestamp (string) – Creation time of the sighting.
[].data[].source (string) – The source of the sighting (Fediverse status URI, link, tool, etc.).
[].data[].type (string) – Type of the sighting.
[].data[].uuid (string) – Sighting UUID. (read only)
[].data[].vulnerability (string) – Vulnerability id.
[].data[].vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
[].metadata (any) – Metadata related to the result.
- POST /sighting#
Create a new sighting
Create a new sighting.
- Request JSON Object:
author (any) – (read only)
content (string) – Optional content of the sighting (e.g. the body of a Telegram message, a Bluesky/Mastodon post, a GitHub Gist or a blog article).
creation_timestamp (string) – Creation time of the sighting.
source (string) – The source of the sighting (Fediverse status URI, link, tool, etc.).
type (string) – Type of the sighting.
uuid (string) – Sighting UUID. (read only)
vulnerability (string) – Vulnerability id.
vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
- Status Codes:
201 Created – Success.
400 Bad Request – Incorrect payload to instantiate a sighting.
409 Conflict – Duplicate sighting.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].author (any) – (read only)
[].data[].content (string) – Optional content of the sighting (e.g. the body of a Telegram message, a Bluesky/Mastodon post, a GitHub Gist or a blog article).
[].data[].creation_timestamp (string) – Creation time of the sighting.
[].data[].source (string) – The source of the sighting (Fediverse status URI, link, tool, etc.).
[].data[].type (string) – Type of the sighting.
[].data[].uuid (string) – Sighting UUID. (read only)
[].data[].vulnerability (string) – Vulnerability id.
[].data[].vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
[].metadata (any) – Metadata related to the result.
- DELETE /sighting#
Delete sightings by filters (author, source, date)
Delete sightings by filters (author, source, date). At least one filter must be specified. At least one filter must be specified.
- Query Parameters:
author (string) – Author of the sightings to delete (login). Only the author themselves or an admin can delete.
source (string) – Source of the sightings (supports partial match using ilike).
date_from (string) – Delete sightings from this date (inclusive). Format: YYYY-MM-DD.
date_to (string) – Delete sightings up to this date (inclusive). Format: YYYY-MM-DD.
vulnerability_lookup_origin (string) – Delete sightings from this origin instance UUID.
- Status Codes:
200 OK – Deleted sightings successfully.
403 Forbidden – Not allowed to delete these sightings.
404 Not Found – No sightings matched the filters.
- GET /sighting/#
List all sightings
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
uuid (string) – UUID of the sighting.
type (string) –
- Type of sightings:
Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
vuln_id (string) – Vulnerability related to the sighting.
author (string) – Author of the sighting (login).
date_from (string) – The date of the sightings must be bigger or equal than this value. Format: YYYY-MM-DD
date_to (string) – The date of the sightings must be smaller or equal than this value. Format: YYYY-MM-DD
source (string) – Source of the sighting.
advisory_status (string) – Filter sightings by the status of the related advisory.
- Status Codes:
200 OK – Success
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].author (any) – (read only)
[].data[].content (string) – Optional content of the sighting (e.g. the body of a Telegram message, a Bluesky/Mastodon post, a GitHub Gist or a blog article).
[].data[].creation_timestamp (string) – Creation time of the sighting.
[].data[].source (string) – The source of the sighting (Fediverse status URI, link, tool, etc.).
[].data[].type (string) – Type of the sighting.
[].data[].uuid (string) – Sighting UUID. (read only)
[].data[].vulnerability (string) – Vulnerability id.
[].data[].vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
[].metadata (any) – Metadata related to the result.
- POST /sighting/#
Create a new sighting
Create a new sighting.
- Request JSON Object:
author (any) – (read only)
content (string) – Optional content of the sighting (e.g. the body of a Telegram message, a Bluesky/Mastodon post, a GitHub Gist or a blog article).
creation_timestamp (string) – Creation time of the sighting.
source (string) – The source of the sighting (Fediverse status URI, link, tool, etc.).
type (string) – Type of the sighting.
uuid (string) – Sighting UUID. (read only)
vulnerability (string) – Vulnerability id.
vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
- Status Codes:
201 Created – Success.
400 Bad Request – Incorrect payload to instantiate a sighting.
409 Conflict – Duplicate sighting.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].author (any) – (read only)
[].data[].content (string) – Optional content of the sighting (e.g. the body of a Telegram message, a Bluesky/Mastodon post, a GitHub Gist or a blog article).
[].data[].creation_timestamp (string) – Creation time of the sighting.
[].data[].source (string) – The source of the sighting (Fediverse status URI, link, tool, etc.).
[].data[].type (string) – Type of the sighting.
[].data[].uuid (string) – Sighting UUID. (read only)
[].data[].vulnerability (string) – Vulnerability id.
[].data[].vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
[].metadata (any) – Metadata related to the result.
- DELETE /sighting/#
Delete sightings by filters (author, source, date)
Delete sightings by filters (author, source, date). At least one filter must be specified. At least one filter must be specified.
- Query Parameters:
author (string) – Author of the sightings to delete (login). Only the author themselves or an admin can delete.
source (string) – Source of the sightings (supports partial match using ilike).
date_from (string) – Delete sightings from this date (inclusive). Format: YYYY-MM-DD.
date_to (string) – Delete sightings up to this date (inclusive). Format: YYYY-MM-DD.
vulnerability_lookup_origin (string) – Delete sightings from this origin instance UUID.
- Status Codes:
200 OK – Deleted sightings successfully.
403 Forbidden – Not allowed to delete these sightings.
404 Not Found – No sightings matched the filters.
- GET /sighting/stats#
Aggregated sighting counts over a date range. Returns pre-grouped (no pagination) rows so the homepage can render the top-N charts and the evolution table without fetching raw sightings.
- Query Parameters:
date_from (string) – Inclusive lower bound of creation date. Format: YYYY-MM-DD.
date_to (string) – Inclusive upper bound of creation date. Format: YYYY-MM-DD.
type (string) – Optional filter on sighting type.
group_by (string) – Grouping dimensions. ‘type,vulnerability’ returns per-type vulnerability counts (charts); ‘vulnerability,date’ returns daily counts per vulnerability (table).
- Status Codes:
200 OK – Success
- GET /sighting/{sighting_uuid}#
Get a sighting with its UUID.
- Parameters:
sighting_uuid (string)
- Status Codes:
200 OK – Success.
404 Not Found – Sighting not found.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
author (any) – (read only)
content (string) – Optional content of the sighting (e.g. the body of a Telegram message, a Bluesky/Mastodon post, a GitHub Gist or a blog article).
creation_timestamp (string) – Creation time of the sighting.
source (string) – The source of the sighting (Fediverse status URI, link, tool, etc.).
type (string) – Type of the sighting.
uuid (string) – Sighting UUID. (read only)
vulnerability (string) – Vulnerability id.
vulnerability_lookup_origin (string) – UUID of the Vulnerability-Lookup origin instance. (read only)
- DELETE /sighting/{sighting_uuid}#
Delete a single sighting by UUID
Delete a single sighting by its UUID.
- Parameters:
sighting_uuid (string)
- Status Codes:
200 OK – Sighting deleted successfully.
403 Forbidden – Not allowed to delete this sighting.
404 Not Found – Sighting not found.
- GET /stats/assigners/ranking#
Returns the assigners ranking.
- Query Parameters:
limit (integer) – The top elements to take into account in the query.
output (string) – The format of the output.
period (string) – The period of the stats. Format: YYYY[-MM]
source (string) – The source of the vulnerability advisories.
- Status Codes:
200 OK – Success
- GET /stats/cwe/most_used#
Returns the most used CWEs based on sightings
- Query Parameters:
limit (integer) – The top elements to take into account in the query.
output (string) – The format of the output.
period (string) – The period of the stats. Format: YYYY[-MM]
- Status Codes:
200 OK – Success
- GET /stats/sighting/exploitation_ratio#
Per CVE year, the share of CVEs that have at least one exploitation sighting (type ‘exploited’ or ‘published-proof-of-concept’) over the total number of published CVEs for that year. Useful to track whether the proportion of exploited vulnerabilities evolves over time, independently of the raw discovery volume. Note: recent years are undercounted, as sightings accumulate over time.
- Query Parameters:
year_from (integer) – Inclusive lower bound of the CVE year range. Format: YYYY.
year_to (integer) – Inclusive upper bound of the CVE year range. Defaults to the current year.
output (string) – The format of the output.
- Status Codes:
200 OK – Success
- GET /stats/sighting/exploitation_ratio_cumulative#
Cumulative share of published CVEs that have received at least one exploitation sighting (‘exploited’ or ‘published-proof-of-concept’), bucketed by the date of the sighting rather than the CVE year. Each bucket reports the running totals up to that point, so the series is monotonic in its inputs and reflects how the overall exploited fraction evolves over time. Returns the trailing ‘window’ buckets (default 30).
- Query Parameters:
granularity (string) – Bucket size of the cumulative series.
window (integer) – Number of trailing buckets to return. Use 0 for the full history.
output (string) – The format of the output.
- Status Codes:
200 OK – Success
- GET /stats/vendors/ranking#
Returns the vendors ranking.
- Query Parameters:
limit (integer) – The top elements to take into account in the query.
output (string) – The format of the output.
period (string) – The period of the stats. Format: YYYY[-MM]
source (string) – The source of the vulnerability advisories.
- Status Codes:
200 OK – Success
- GET /stats/vulnerability/count#
Returns the number of published/reserved vulnerabilities for a specific period.
- Query Parameters:
state (string) – The state of the advisory.
period (string) – The period of the stats. Format: YYYY[-MM]
source (string) – The source of the vulnerability advisories.
- Status Codes:
200 OK – Success
- GET /stats/vulnerability/most_commented#
Returns the most commented vulnerabilities.
- Query Parameters:
date_from (string) – The date of the sightings must be bigger or equal than this value. Format: YYYY-MM-DD
date_to (string) – The date of the sightings must be smaller or equal than this value. Format: YYYY-MM-DD
limit (integer) – The top elements to take into account in the query.
output (string) – The format of the output.
- Status Codes:
200 OK – Success
- GET /stats/vulnerability/most_sighted#
Returns the most sighted vulnerabilities.
- Query Parameters:
date_from (string) – The date of the sightings must be bigger or equal than this value. Format: YYYY-MM-DD
date_to (string) – The date of the sightings must be smaller or equal than this value. Format: YYYY-MM-DD
sighting_type (string) – The type of the sighting.
limit (integer) – The top elements to take into account in the query.
output (string) – The format of the output.
- Status Codes:
200 OK – Success
- GET /system/checkProcess#
Checks the heartbeats of the various processes
Checks the heartbeats of the various processes.
- Status Codes:
200 OK – Success
- GET /system/checkSMTP#
Checks the SMTP connection
Checks the SMTP connection.
- Status Codes:
200 OK – Success
- GET /system/configInfo#
Returns non-sensitive information about the configuration of the system
Returns non-sensitive information about the configuration of the system.
- Status Codes:
200 OK – Success
- GET /system/dbInfo#
Returns information about the current sources in the Kvrocks database in use and when it was updated
Returns information about the current sources in the Kvrocks database in use and when it was updated.
- Status Codes:
200 OK – Success
- GET /system/pgInfo#
Returns information about the PostgreSQL database
Returns information about the PostgreSQL database.
- Status Codes:
200 OK – Success
- GET /system/redis_up#
Check if Valkey/Redis is up and running
Alias for /api/system/redis_up
- Status Codes:
200 OK – Success
- GET /system/valkey_up#
Check if Valkey/Redis is up and running
Check if Valkey/Redis is up and running.
- Status Codes:
200 OK – Success
- GET /user/#
List all users
Only available to administrators.
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
- Status Codes:
200 OK – Success.
403 Forbidden – Admin permission required.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
[].data[].created_at (string) – Creation time of the user. (read only)
[].data[].is_admin (boolean) – Boolean specifying whether the user is administrator.
[].data[].is_commenter (boolean) – Boolean specifying whether the user is commenter.
[].data[].is_reporter (boolean) – Boolean specifying whether the user is reporter.
[].data[].last_seen (string) – Last seen time of the user. (read only)
[].data[].login (string) – User login.
[].data[].uuid (string) – User UUID.
[].metadata (any) – Metadata related to the result.
- POST /user/#
Create a non-admin user.
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
- Request JSON Object:
email (string)
login (string)
name (string)
organisation (string)
- Status Codes:
200 OK – Success
201 Created – Success.
403 Forbidden – Self-registration is disabled.
422 Unprocessable Entity – Email address not accepted (disposable email detected, blocked domain, or invalid domain).
429 Too Many Requests – Too many requests (maximum 3 registrations/hour per IP)
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
created_at (string) – Creation time of the user. (read only)
is_admin (boolean) – Boolean specifying whether the user is administrator.
is_commenter (boolean) – Boolean specifying whether the user is commenter.
is_reporter (boolean) – Boolean specifying whether the user is reporter.
last_seen (string) – Last seen time of the user. (read only)
login (string) – User login.
uuid (string) – User UUID.
- POST /user/api_key#
Regenerating the API key of the authenticated user with the current API key
Regenerating the API key of the authenticated user with the current API key.
- Request JSON Object:
apikey (string) – The current API key of the user.
- Status Codes:
200 OK – Success.
403 Forbidden – Wrong API key submitted.
404 Not Found – User not found.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
created_at (string) – Creation time of the user. (read only)
is_admin (boolean) – Boolean specifying whether the user is administrator.
is_commenter (boolean) – Boolean specifying whether the user is commenter.
is_reporter (boolean) – Boolean specifying whether the user is reporter.
last_seen (string) – Last seen time of the user. (read only)
login (string) – User login.
uuid (string) – User UUID.
- GET /user/me#
Get information about the currently authenticated user
Get information about the currently authenticated user.
- Status Codes:
200 OK – Success.
404 Not Found – User not found.
- Request Headers:
X-Fields – An optional fields mask
- Response JSON Object:
created_at (string) – Creation time of the user. (read only)
is_admin (boolean) – Boolean specifying whether the user is administrator.
is_commenter (boolean) – Boolean specifying whether the user is commenter.
is_reporter (boolean) – Boolean specifying whether the user is reporter.
last_seen (string) – Last seen time of the user. (read only)
login (string) – User login.
uuid (string) – User UUID.
- DELETE /user/{user_id}#
Endpoint for deleting a user
Delete a user.
- Parameters:
user_id (integer)
- Status Codes:
204 No Content – Success.
403 Forbidden – Administrator permission required or not the current user.
404 Not Found – User not found.
500 Internal Server Error – Internal server error.
- POST /vlai/severity-classification#
Classify vulnerabilities by severity based on their descriptions.
- Request JSON Object:
description (string)
model (string)
- Status Codes:
200 OK – Success.
500 Internal Server Error – Unexpected error.
502 Bad Gateway – Bad content: Invalid response from ML-Gateway.
503 Service Unavailable – Connection Error: Unable to reach ML-Gateway.
- GET /vulnerability/#
Retrieve vulnerabilities with optional filters
Retrieve vulnerabilities with optional filtering and pagination.
Supports light mode for minimal data (returns only vulnerability ID and source). Returns full vulnerability details by default, or only IDs and sources in light mode.
Query Parameters#
- sourcestr
Optional source to filter vulnerabilities (e.g., ‘CVE’, ‘GHSA’, ‘PySec’).
- per_pageint, default=30
Maximum number of results (capped at 100).
- date_sortstr
Field to sort by. Options: ‘’, ‘published’, ‘updated’, ‘reserved’.
- sort_orderstr
Sort order: ‘asc’ or ‘desc’.
- sincestr
Retrieve vulnerabilities published/updated after the specified date.
- pageint
Pagination page number.
- cwestr
Filter vulnerabilities by a specific CWE ID.
- productstr
Optional product name to filter vulnerabilities (case-insensitive). If set, the endpoint returns vulnerabilities related to this product across all vendors. Use with assigner to further narrow results.
- assignerstr
Optional CNA/assigner short name to filter results (case-insensitive). Only effective when used with product or vendor filters.
- lightstr
If ‘1’, returns only (vulnerability_id, source) instead of full details.
- with_metastr
If ‘true’, includes metadata for each vulnerability. Ignored in light mode.
Returns#
- list[dict[str, Any]] | list[tuple[str, str | None]]
Full vulnerability details or minimal tuples if light mode is enabled.
- query string product:
Optional product name to filter vulnerabilities (case-insensitive). When provided, results are returned for the product across all vendors.
- query string with_meta:
If ‘true’, include metadata for each vulnerability. Ignored in light mode.
- query string light:
If ‘1’, returns only vulnerability ID and source
- query string cwe:
Filter vulnerabilities by a specific CWE ID
- query string since:
Retrieve vulnerabilities reported after the specified date.
- query string sort_order:
Sort order: ‘asc’ or ‘desc’
- query string date_sort:
Sort field: ‘’, ‘published’, ‘updated’, ‘reserved’
- query string per_page:
Maximum number of results (capped at 100)
- query string page:
Pagination page number
- query string source:
Optional data source to filter vulnerabilities (e.g., ‘cvelistv5’, ‘github’, ‘nvd’)
- status 200:
Success
- POST /vulnerability/#
Endpoint for creating and editing vulnerabilities in the local source
Retrieve vulnerabilities with optional filtering and pagination.
Supports light mode for minimal data (returns only vulnerability ID and source). Create a vulnerability with the CVE version 5 format. (Deprecated)
- Query Parameters:
product (string) – Optional product name to filter vulnerabilities (case-insensitive). When provided, results are returned for the product across all vendors.
with_meta (string) – If ‘true’, include metadata for each vulnerability. Ignored in light mode.
light (string) – If ‘1’, returns only vulnerability ID and source
cwe (string) – Filter vulnerabilities by a specific CWE ID
since (string) – Retrieve vulnerabilities reported after the specified date.
sort_order (string) – Sort order: ‘asc’ or ‘desc’
date_sort (string) – Sort field: ‘’, ‘published’, ‘updated’, ‘reserved’
per_page (string) – Maximum number of results (capped at 100)
page (string) – Pagination page number
source (string) – Optional data source to filter vulnerabilities (e.g., ‘cvelistv5’, ‘github’, ‘nvd’)
- Request JSON Object:
data (string)
- Status Codes:
200 OK – Success.
400 Bad Request – JSON validation failed.
403 Forbidden – Reporter permission required.
422 Unprocessable Entity – Not possible to edit a vulnerability from the requested source.
- GET /vulnerability/browse/#
Get the known vendors
Deprecated: use GET /api/browse/vendors instead. Get the known vendors. Deprecated in favor of /api/browse/vendors.
- Status Codes:
200 OK – Success
- GET /vulnerability/browse/assigners#
Get the known CNAs
Get the known CNAs.
- Status Codes:
200 OK – Success
- GET /vulnerability/cpesearch/{cpe}#
Get vulnerabilities by CPE (based on the extracted CPE vendor and product)
Get vulnerabilities by CPE (based on the extracted CPE vendor and product).
- Parameters:
cpe (string)
- Query Parameters:
sort_order (string) – Sort order: ‘asc’ or ‘desc’
date_sort (string) – Sort field: ‘’, ‘published’, ‘updated’, ‘reserved’
per_page (string) – Maximum number of results (capped at 100)
page (string) – Pagination page number
source (string) – Optional source to filter vulnerabilities (e.g., ‘cvelistv5’, ‘nvd’)
- Status Codes:
200 OK – Success.
404 Not Found – No match found in the CPE string.
- GET /vulnerability/fulltext#
Search vulnerabilities using fulltext search
Fulltext search across all indexed vulnerability sources.
- Query Parameters:
q (string) – Fulltext search query string.
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return (capped at 100).
sources (string) – Comma-separated list of sources to search (e.g., ‘cvelistv5’, ‘variot’, ‘certfr_alerte’, ‘certfr_avis’, ‘jvndb’). Defaults to ‘cvelistv5’.
- Status Codes:
200 OK – Success.
400 Bad Request – Missing or empty query parameter.
503 Service Unavailable – Fulltext search is not enabled on this instance.
- GET /vulnerability/last#
Retrieve the latest vulnerabilities, with optional filters for source and number of results
Retrieve the latest vulnerabilities, with optional filters for source and number of results. Supports light mode for minimal data and provides backward-compatible routes.The light mode only returns the vulnerability id and the sources. Supports light mode for minimal data and provides backward-compatible routes. The light mode only returns the vulnerability id and the sources.
- Query Parameters:
page (integer) – Number of the page.
cwe (string) – CWE mentioned in the vulnerability.
- Status Codes:
200 OK – Success
- GET /vulnerability/last/{number}#
Retrieve the latest vulnerabilities, with optional filters for source and number of results
Retrieve the latest vulnerabilities, with optional filters for source and number of results. Supports light mode for minimal data and provides backward-compatible routes.The light mode only returns the vulnerability id and the sources. Supports light mode for minimal data and provides backward-compatible routes. The light mode only returns the vulnerability id and the sources.
- Parameters:
number (integer)
- Query Parameters:
page (integer) – Number of the page.
cwe (string) – CWE mentioned in the vulnerability.
- Status Codes:
200 OK – Success
- GET /vulnerability/last/{source}#
Retrieve the latest vulnerabilities, with optional filters for source and number of results
Retrieve the latest vulnerabilities, with optional filters for source and number of results. Supports light mode for minimal data and provides backward-compatible routes.The light mode only returns the vulnerability id and the sources. Supports light mode for minimal data and provides backward-compatible routes. The light mode only returns the vulnerability id and the sources.
- Parameters:
source (string)
- Query Parameters:
page (integer) – Number of the page.
cwe (string) – CWE mentioned in the vulnerability.
- Status Codes:
200 OK – Success
- GET /vulnerability/last/{source}/{number}#
Retrieve the latest vulnerabilities, with optional filters for source and number of results
Retrieve the latest vulnerabilities, with optional filters for source and number of results. Supports light mode for minimal data and provides backward-compatible routes.The light mode only returns the vulnerability id and the sources. Supports light mode for minimal data and provides backward-compatible routes. The light mode only returns the vulnerability id and the sources.
- Parameters:
source (string)
number (integer)
- Query Parameters:
page (integer) – Number of the page.
cwe (string) – CWE mentioned in the vulnerability.
- Status Codes:
200 OK – Success
- GET /vulnerability/recent#
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data.
- Status Codes:
200 OK – Success
- GET /vulnerability/recent/#
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data.
- Status Codes:
200 OK – Success
- GET /vulnerability/recent/{date}#
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data.
- Parameters:
date (string)
- Status Codes:
200 OK – Success
- GET /vulnerability/recent/{date}/{number}#
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data.
- Parameters:
date (string)
number (integer)
- Status Codes:
200 OK – Success
- GET /vulnerability/recent/{date}/{source}#
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data.
- Parameters:
date (string)
source (string)
- Status Codes:
200 OK – Success
- GET /vulnerability/recent/{date}/{source}/{number}#
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results
Retrieve vulnerabilities reported after a specified date, with optional filters for source and number of results. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data. Defaults to the last 24 hours if no date is provided. Supports light mode for minimal data.
- Parameters:
date (string)
source (string)
number (integer)
- Status Codes:
200 OK – Success
- GET /vulnerability/search/{vendor}/{product}#
Returns a list of vulnerabilities related to the vendor and product
Returns a list of vulnerabilities related to the product. Optionally filter vulnerabilities published or updated after the specified date (format: YYYY-MM-DD).
- Parameters:
vendor (string)
product (string)
- Query Parameters:
page (integer) – Number of the page.
per_page (integer) – Maximum number of elements to return.
since (string) – Filter vulnerabilities published or updated after the specified date (format: YYYY-MM-DD).
- Status Codes:
200 OK – Success
- GET /vulnerability/{vulnerability_id}#
Get a vulnerability with its id
Get a vulnerability.
- Parameters:
vulnerability_id (string)
- Query Parameters:
with_meta (boolean) – Include metadata.
with_linked (boolean) – Include the linked vulnerabilities.
with_comments (boolean) – Include the comments.
with_bundles (boolean) – Include the bundles.
with_sightings (boolean) – Include the sightings.
- Status Codes:
200 OK – Success
- DELETE /vulnerability/{vulnerability_id}#
Endpoint for deleting a vulnerability
Delete a vulnerability from the local source. We only accept to delete vulnerabilities from the local source.
- Parameters:
vulnerability_id (string)
- Status Codes:
204 No Content – Success.
403 Forbidden – Admin permission required.
422 Unprocessable Entity – Not possible to edit a vulnerability from the requested source.