Every API, one clean contract.

All known vulnerabilities affecting a package (by name+ecosystem, optionally pinned to an installed version) OR a git commit — via OSV.dev. The dependency-audit core.

{
  "package": "org.apache.logging.log4j:log4j-core",
  "ecosystem": "Maven",
  "version": "2.14.1"
}

Full detail for one vulnerability by OSV id, GHSA id, or CVE id. OSV is the base record; if it resolves to a GHSA the response is enriched with GitHub's numeric CVSS base score, EPSS exploitation probability, and CWEs.

{
  "id": "GHSA-jfh8-c2jp-5v3q"
}

Search the GitHub Advisory Database (GHSA) by ecosystem, severity, CVE, free text, type. Cursor-paginated (meta.next_cursor).

{
  "ecosystem": "pip",
  "severity": "critical",
  "per_page": 5
}

Is a CVE in the CISA Known-Exploited-Vulnerabilities catalog (actively exploited in the wild)? Returns the KEV entry when listed.

{
  "cve_id": "CVE-2021-44228"
}

Browse / filter the full CISA KEV catalog by vendor, product, or ransomware flag, with page pagination.

{
  "vendor": "Microsoft",
  "per_page": 5
}

Public exploit / PoC lookup for a CVE via the Exploit-DB (Offensive Security) database (keyless, CVE-indexed). Answers 'is there a weaponized public exploit?' — has_public_exploit + each entry's edb_id, type (remote/local/webapps/dos), platform, verified flag, date_published, and deep links (exploit_db_url + upstream source_url).

{
  "cve_id": "CVE-2021-44228"
}

Bulk-scan up to 100 package/commit queries in one call (OSV querybatch), each hydrated to full vulnerability detail by default.

{
  "queries": [
    {
      "package": "lodash",
      "ecosystem": "npm",
      "version": "4.17.15"
    },
    {
      "package": "django",
      "ecosystem": "PyPI",
      "version": "3.0.0"
    }
  ]
}