All known vulnerabilities affecting a package (by name+ecosystem, optionally pinned to an installed version) OR a git commit — via OSV.dev. The dependency-audit core.
`package`: Package name as published in its registry (npm 'lodash', PyPI 'django', Maven 'group:artifact' e.g. 'org.apache.logging.log4j:log4j-core', Go import path). Required unless you pass `commit` instead.
`ecosystem`: Package ecosystem / registry. Case-insensitive; common aliases are mapped (cargo->crates.io, pip/python->PyPI is via the 'pypi' key, composer->Packagist). Required with `package` (omit when querying by `commit`).
`version`: Exact installed version to test (e.g. '2.14.1', '4.17.15'). Omit to return ALL known vulnerabilities for the package across every version.
`commit`: Git commit hash to query instead of package+version+ecosystem (OSV resolves which vulns affect that exact source revision).
curl -X POST https://api.reefapi.com/vuln-intel/v1/package_vulns \
-H "x-api-key: $REEF_KEY" \
-H "content-type: application/json" \
-d '{"package":"org.apache.logging.log4j:log4j-core","ecosystem":"Maven","version":"2.14.1"}'
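
For a dependency audit, the request bodies are usually generated from a lockfile rather than typed by hand. The sketch below is an added example, not code from the API provider: it turns exact pins in a pip requirements file into bodies for this endpoint and lists entries without an exact pin separately, since omitting `version` returns every known vulnerability for the package. The function name `build_queries` and the sample file are assumptions; only the field names `package`, `ecosystem` and `version` come from the page.

```python
import json
import re

# Constructed sample input (not from the page): a pip requirements file.
SAMPLE_REQUIREMENTS = """\
# web stack
django==3.2.1
requests>=2.25        # version range, not an exact pin
PyYAML == 5.3.1 ; python_version >= "3.6"
-r other.txt
jinja2
"""

# name==version with an exact version (a third '=' is not accepted as a pin)
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^=\s]\S*)$")
_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def build_queries(requirements_text, ecosystem="PyPI"):
    """Return (bodies, unpinned): one request body per exact pin, plus the
    names of requirements that carry no exact version (hypothetical helper)."""
    bodies, unpinned = [], []
    for raw in requirements_text.splitlines():
        # Drop comments and environment markers, then surrounding whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):  # blank line or pip option
            continue
        pin = _PIN.match(line)
        if pin:
            bodies.append({"package": pin.group(1),
                           "ecosystem": ecosystem,
                           "version": pin.group(2)})
            continue
        name = _NAME.match(line)
        if name:
            # Querying these without `version` would return all known
            # vulnerabilities across every release, so keep them apart.
            unpinned.append(name.group(0))
    return bodies, unpinned


if __name__ == "__main__":
    bodies, unpinned = build_queries(SAMPLE_REQUIREMENTS)
    for body in bodies:
        print(json.dumps(body))  # pass each line to curl via -d
    print("no exact version, review separately:", unpinned)
```
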