Audit¶
The Audit page describes Vulners’ host- and software-auditing APIs — fast, CPE-aware endpoints to convert installed software, OS versions and KB lists into actionable vulnerability intelligence: matched advisories, CVE lists, remediation commands and prioritized patch recommendations.
Open interactive specs
Software Audit API¶
Below are the audit endpoints, which replace the older burp endpoints.
Audit Multiple Software¶
Allows a batch submission of multiple software entries. Each entry can be provided either as a raw CPE string or as a CPE object (with fields such as part, vendor, product, version, etc.). Additional attributes (such as update, language, target_hw, etc.) may be included as needed.
Auth: X-Api-Key header required.
Parameters:
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| software | body | array | yes | Array of software entries: either CPE objects (part/vendor/product/version/…) or raw CPE strings. |
| match | body | enum | no | partial (default) or full. full requires an exact match on all provided fields. |
| fields | body | array | no | Which vulnerability fields to return (defaults: title, short_description, type, href, published, modified, ai_score). |
| catalog | body | enum | no | CPE catalog to match against. official (default): only NVD CVE Dictionary CPEs. extended: NVD + Vulners custom CPEs (see note below). |
catalog: official vs extended
- official: matches only CPEs published in the NVD CVE Dictionary. Strict and compatible with official CVE records; lowest false-positive rate.
- extended: adds Vulners custom-built CPEs on top of the official set. Covers software, libraries, and versions that aren't represented in NVD (common for OS packages, JS/Python libs, niche vendors). Higher coverage, but may introduce false positives; use when NVD gaps matter more than strict precision.
Response schema:
The endpoint returns a JSON array with one entry per submitted software item:
| Field | Type | Description |
|---|---|---|
| input | object | Echo of the submitted software entry. |
| matched_criteria | string | Canonical CPE 2.3 string the input resolved to. |
| vulnerabilities | array[object] | Matched vulnerabilities (see below). Empty if no matches. |
Each item in vulnerabilities always carries id and reasons, plus any optional fields requested via fields.
reasons[] — why a vulnerability matched:
| Field | Type | Description |
|---|---|---|
| config | string | Source of the match rule (e.g. nvd). |
| criterias | array[array] | OR-groups of AND-conditions. Outer array = OR, inner = AND. |
Each inner criterion object:
| Field | Type | Description |
|---|---|---|
| criteria | string | CPE 2.3 string the input matched against. |
| vulnerable | boolean | Whether this CPE is flagged as vulnerable. |
| versionStartIncluding | string | Lower bound, inclusive. Range-based rules only. |
| versionStartExcluding | string | Lower bound, exclusive. Range-based rules only. |
| versionEndIncluding | string | Upper bound, inclusive. Range-based rules only. |
| versionEndExcluding | string | Upper bound, exclusive. Range-based rules only. |
Fields controlled by the fields parameter (returned only when listed in fields):
| Field | Type | In defaults | Description |
|---|---|---|---|
| title | string | yes | Advisory title. |
| short_description | string | yes | One-line advisory summary. |
| type | string | yes | Advisory source type (e.g. cve, nessus, osv). |
| href | string | yes | URL to the advisory on vulners.com. |
| published | string | yes | ISO 8601 publication timestamp. |
| modified | string | yes | ISO 8601 last-modified timestamp. |
| ai_score | object | yes | AI-derived severity: value, uncertainty (both 0–10). |
| metrics | object | no | CVSS/EPSS metrics (cvss, cvss3, epss, …). |
| exploitation | object | no | Wild exploitation: wildExploited, wildExploitedSources. |
| cvelist | array[string] | no | CVE IDs covered by the advisory. |
Usage:
Query:
POST /api/v4/audit/software
Example with software objects:
curl -X POST https://vulners.com/api/v4/audit/software -H "X-Api-Key: YOUR_API_KEY" -H "Content-Type: application/json" -d '{
"software": [
{
"vendor": "ivanti",
"product": "connect_secure",
"version": "22.7",
"update": "r2.4"
},
{
"vendor": "sonicwall",
"product": "SMA 200 firmware",
"version": "10.2.1.5-34sv"
}
],
"match": "partial",
"fields": ["title", "short_description"]
}'
Software
software (array of objects or strings): Each item is either:
- An object, e.g.
{
"part": "a",
"vendor": "ivanti",
"product": "connect_secure",
"version": "22.7",
"update": "r2.4"
}
- A raw CPE string, e.g.
cpe:2.3:a:ivanti:connect_secure:22.7:r2.4.
Additional attributes can also be included (e.g., update, language, target_hw) within the software objects; these are fully described in the CPE Usage in Vulners API section.
Example with raw CPE strings:
curl -X POST https://vulners.com/api/v4/audit/software -H "X-Api-Key: YOUR_API_KEY" -H "Content-Type: application/json" -d '{
"software": [
"cpe:2.3:a:ivanti:connect_secure:22.7:r2.4",
"cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.5-34sv"
],
"match": "partial"
}'
Example with software objects:
vulners_api.audit.software(
software=[
{
"part": "a",
"vendor": "ivanti",
"product": "connect_secure",
"version": "22.7",
"update": "r2.4"
},
{
"vendor": "sonicwall",
"product": "SMA 200 firmware",
"version": "10.2.1.5-34sv"
}
],
fields=["title", "short_description"],
match='partial'
)
Example with raw CPE strings:
vulners_api.audit.software(
software=[
"cpe:2.3:a:ivanti:connect_secure:22.3:sp1",
"cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.5-34sv"
],
fields=["title", "short_description"],
match='partial'
)
{
"input": {
"part": "a",
"vendor": "ivanti",
"product": "connect_secure",
"update": "r2.4",
"version": "22.7"
},
"matched_criteria": "cpe:2.3:a:ivanti:connect_secure:22.7:r2.4:*:*:*:*:*:*",
"vulnerabilities": [
{
"id": "CVE-2025-0282",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:a:ivanti:connect_secure:22.7:r2.4:*:*:*:*:*:*",
"vulnerable": true
}
]
]
}
],
"title": "CVE-2025-0282",
"short_description": "Stack-based buffer overflow in Ivanti Connect Secure allows remote code execution by attackers."
},
{
"id": "CVE-2025-0283",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:a:ivanti:connect_secure:22.7:r2.4:*:*:*:*:*:*",
"vulnerable": true
}
]
]
}
],
"title": "CVE-2025-0283",
"short_description": "Stack buffer overflow in Ivanti products allows local attackers to escalate privileges before updates."
}
]
},
{
"input": {
"vendor": "sonicwall",
"product": "SMA 200 firmware",
"version": "10.2.1.5-34sv"
},
"matched_criteria": "cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.5-34sv:*:*:*:*:*:*:*",
"vulnerabilities": [
{
"id": "CVE-2022-2915",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:o:sonicwall:sma_200_firmware:*:*:*:*:*:*:*:*",
"vulnerable": true,
"versionEndIncluding": "10.2.1.5-34sv"
}
]
]
}
],
"title": "CVE-2022-2915",
"short_description": "A Heap-based Buffer Overflow vulnerability in SonicWall SMA100 appliance allows remote authenticated attacker to cause Denial of Service"
},
{
"id": "CVE-2023-44221",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:o:sonicwall:sma_200_firmware:*:*:*:*:*:*:*:*",
"vulnerable": true,
"versionEndIncluding": "10.2.1.9-57sv"
}
]
]
}
],
"title": "CVE-2023-44221",
"short_description": "Improper neutralization of special elements in SMA100 SSL-VPN management interface allows remote authenticated attacker to inject arbitrary commands"
},
{
"id": "CVE-2023-5970",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:o:sonicwall:sma_200_firmware:*:*:*:*:*:*:*:*",
"vulnerable": true,
"versionEndIncluding": "10.2.1.9-57sv"
}
]
]
}
],
"title": "CVE-2023-5970",
"short_description": " Improper authentication in SMA100 SSL-VPN allows remote attacker to create identical external domain user using accent characters, resulting in MFA bypass"
},
{
"id": "CVE-2024-22395",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:o:sonicwall:sma_200_firmware:*:*:*:*:*:*:*:*",
"vulnerable": true,
"versionEndExcluding": "10.2.1.11-65sv"
}
]
]
}
],
"title": "CVE-2024-22395",
"short_description": "Improper access control in SMA100 SSL-VPN virtual office portal"
}
]
}
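The reasons[] structure above is the part of the response a practitioner most often needs to interpret: the outer list is an OR of groups, each group is an AND of criteria, and a criterion either names the exact CPE that matched or carries version bounds. The following added example (not Vulners' own code) evaluates that structure against the submitted version for the SonicWall entry from the sample response above, reporting which rule sources fired and which ranges were involved. The same logic applies to /audit/host, whose response shape is identical. The version_key() tokenizer is an assumption for illustration: it reproduces the page's sample but is not NVD's matcher and is not authoritative for exotic version schemes.

```python
"""Added example (not Vulners' own code): explain why each vulnerability in an
/audit/software or /audit/host response matched, by evaluating reasons[]
(outer list = OR, inner list = AND, optional version bounds) against the
submitted version."""
import re

# Constructed from the page's sample response for the SonicWall SMA 200 entry,
# trimmed to the fields the logic needs.
SAMPLE_ENTRY = {
    "input": {"vendor": "sonicwall", "product": "SMA 200 firmware",
              "version": "10.2.1.5-34sv"},
    "matched_criteria": "cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.5-34sv:*:*:*:*:*:*:*",
    "vulnerabilities": [
        {"id": "CVE-2022-2915", "reasons": [{"config": "nvd", "criterias": [[
            {"criteria": "cpe:2.3:o:sonicwall:sma_200_firmware:*:*:*:*:*:*:*:*",
             "vulnerable": True, "versionEndIncluding": "10.2.1.5-34sv"}]]}]},
        {"id": "CVE-2024-22395", "reasons": [{"config": "nvd", "criterias": [[
            {"criteria": "cpe:2.3:o:sonicwall:sma_200_firmware:*:*:*:*:*:*:*:*",
             "vulnerable": True, "versionEndExcluding": "10.2.1.11-65sv"}]]}]},
    ],
}

# (bound key, predicate that means "version is OUTSIDE the bound", operator text)
BOUNDS = (
    ("versionStartIncluding", lambda v, b: v < b, ">="),
    ("versionStartExcluding", lambda v, b: v <= b, ">"),
    ("versionEndIncluding", lambda v, b: v > b, "<="),
    ("versionEndExcluding", lambda v, b: v >= b, "<"),
)


def version_key(version):
    """Assumption: tokenize '10.2.1.5-34sv' on '.' and '-' so numeric parts
    compare as integers and the rest as text; (0, 5) < (0, 11), so
    '10.2.1.5' sorts before '10.2.1.11'."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.split(r"[.\-]", version))


def in_range(version, crit):
    """True when the version satisfies every bound present on the criterion.
    A criterion without bounds is an exact-CPE rule and is always in range."""
    v = version_key(version)
    for key, outside, _ in BOUNDS:
        if key in crit and outside(v, version_key(crit[key])):
            return False
    return True


def range_text(crit):
    """Render the bounds of one criterion, e.g. ['<10.2.1.11-65sv']."""
    return [op + crit[key] for key, _, op in BOUNDS if key in crit]


def explain(entry):
    """Map each vulnerability id to: whether its OR/AND rule tree is satisfied
    by the submitted version, which rule sources (config) fired, and the
    version ranges that appear in its criteria."""
    version = entry["input"].get("version", "")
    report = {}
    for vuln in entry["vulnerabilities"]:
        fired, ranges = [], []
        for reason in vuln["reasons"]:
            groups = reason["criterias"]
            # OR across groups; AND inside a group: every criterion must be
            # flagged vulnerable and the version must sit inside its bounds.
            if any(all(c.get("vulnerable") and in_range(version, c) for c in group)
                   for group in groups):
                fired.append(reason["config"])
            for group in groups:
                for c in group:
                    ranges.extend(range_text(c))
        report[vuln["id"]] = {"matched": bool(fired), "sources": fired,
                              "ranges": ranges}
    return report


if __name__ == "__main__":
    for vid, info in explain(SAMPLE_ENTRY).items():
        print(vid, info)
```

A vulnerability whose reasons carry only exact-CPE criteria (no bounds) is reported with an empty ranges list; a range-based one shows the bound it matched, which is what you want to surface when deciding whether a partial match is a true positive for the installed build.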
Audit Host¶
This is a method for scanning multiple layers in one request. (There is no direct predecessor in older burp endpoints.)
Allows you to specify multiple software items plus additional filtering criteria that narrow down vulnerabilities to those relevant for a host environment.
In this endpoint, the parameters operating_system, hardware, and application serve as filters and are not treated as software entries.
At least one filter parameter (operating_system or application) is required.
Auth: X-Api-Key header required.
Parameters:
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| software | body | array | yes | Array of software entries: either CPE objects (part/vendor/product/version/…) or raw CPE strings. |
| operating_system | body | object/string | conditional | OS filter (CPE or object). At least one of operating_system or application is required. |
| application | body | object/string | conditional | Application filter (e.g., WordPress), used to limit results to the application context. |
| hardware | body | object/string | no | Hardware/environment filter (CPE string or object). Use to narrow matches by target hardware/platform when applicable. |
| match | body | enum | no | partial (default) or full. full requires an exact match on all provided fields. |
| fields | body | array | no | Which vulnerability fields to return (defaults: title, short_description, type, href, published, modified, ai_score). |
| catalog | body | enum | no | CPE catalog to match against: official (default, NVD only) or extended (NVD + Vulners custom CPEs). See catalog behavior under /audit/software for the trade-off. |
Important
For Audit Host, it is required to include at least one filter parameter (operating_system or application). These filters ensure that vulnerabilities are returned only for the host environment (based on OS, hardware, and/or application) and not for all provided software entries.
Response shape
The response shape is identical to /audit/software — an array of { input, matched_criteria, vulnerabilities[] }. The same fields parameter controls which optional vulnerability fields (metrics, exploitation, cvelist, …) are included. See the Response schema block under /audit/software for the full breakdown of reasons[] and the fields-gated properties.
Example 1: Windows + .NET
Scenario: This scenario sets Windows 10/11 as the operating system, and .NET Framework 4.8 as installed software.
Usage:
Query:
POST /api/v4/audit/host
Query example:
curl -X POST https://vulners.com/api/v4/audit/host \
-H "Content-Type: application/json" \
-H "X-Api-Key: YOUR_API_KEY" \
-d '{
"software": [ # (1)
{
"part": "a",
"vendor": "microsoft",
"product": ".net_framework",
"version": "3.6"
},
{
"part": "a",
"vendor": "microsoft",
"product": ".net_framework",
"version": "4.8.1"
}
],
"operating_system": { # (2)
"part": "o",
"vendor": "microsoft",
"product": "windows_server_2022_23h2"
},
"fields": ["title", "short_description"] # (3)
}'
1. software (array of objects or strings): each item is either an object, e.g.
   { "part": "a", "vendor": "ivanti", "product": "connect_secure", "version": "22.7", "update": "r2.4" }
   or a raw CPE string, e.g. cpe:2.3:a:ivanti:connect_secure:22.7:r2.4. Additional attributes can also be included (e.g., update, language, target_hw) within the software objects; these are fully described in the CPE Usage in Vulners API section.
2. operating_system (object | string): OS-level software. Could be cpe:2.3:o:microsoft:windows_10:21h2 or the same data as separate fields. application (object | string): specifies a top-level application. This parameter is used as an additional filter and ensures that the returned vulnerabilities are not solely for software items. At least one of operating_system or application must be provided.
3. fields: list of fields to retrieve for each vulnerability. If not specified, the default fields are used. Descriptions of the available fields can be found in the default fields section.
   - Defaults: "title", "short_description", "type", "href", "published", "modified", "ai_score"
   - Available to include: "metrics", "exploitation", "cvelist".
vulners_api.audit.host(
software=[
{
"part": "a",
"vendor": "microsoft",
"product": ".net_framework",
"version": "3.6"
},
{
"part": "a",
"vendor": "microsoft",
"product": ".net_framework",
"version": "4.8.1"
}
],
operating_system={
"part": "o",
"vendor": "microsoft",
"product": "windows_server_2022_23h2"
},
fields=[
"title",
"short_description"
],
match="partial"
)
[
{
"input": {
"part": "a",
"vendor": "microsoft",
"product": ".NET Framework",
"version": "3.6"
},
"matched_criteria": "cpe:2.3:a:microsoft:.net_framework:3.6:*:*:*:*:*:*:*",
"vulnerabilities": []
},
{
"input": {
"part": "a",
"vendor": "microsoft",
"product": ".net_framework",
"version": "4.8.1"
},
"matched_criteria": "cpe:2.3:a:microsoft:.net_framework:4.8.1:*:*:*:*:*:*:*",
"vulnerabilities": [
{
"id": "CVE-2024-0056",
"title": "CVE-2024-0056",
"short_description": "CVE-2024-0056 Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass ..."
},
{
"id": "CVE-2024-0057",
"title": "CVE-2024-0057",
"short_description": "NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability"
},
{
"...": "... other vulnerabilities truncated ..."
}
]
}
]
Example 2: Linux + Curl/SSH
Scenario: This scenario sets Red Hat Enterprise Linux as the OS, plus two installed packages (curl and OpenSSH).
Usage:
Query:
POST /api/v4/audit/host
Query example:
curl -X POST https://vulners.com/api/v4/audit/host -H "X-Api-Key: YOUR_API_KEY" -H 'Content-Type: application/json' -d '{
"software": [
{
"part": "a",
"vendor": "haxx",
"product": "libcurl",
"version": "8.8"
},
{
"part": "a",
"vendor": "openbsd",
"product": "openssh",
"version": "8.5"
}
],
"operating_system": {
"part": "o",
"vendor": "redhat",
"product": "enterprise_linux",
"version": "9.4"
},
"fields": [
"title",
"short_description"
],
"match": "partial" # (1)
}'
1. match:
   - "partial" (default): relaxed matching. For example, if update or target_hw is not specified, vulnerabilities can still match partial criteria.
   - "full": strict matching. All specified attributes must match exactly (including update, language, etc.). If any field (like target_hw) is missing in the vulnerability listing or in your request, it won't match.
vulners_api.audit.host(
software=[
{
"part": "a",
"vendor": "haxx",
"product": "libcurl",
"version": "8.8"
},
{
"part": "a",
"vendor": "openbsd",
"product": "openssh",
"version": "8.5"
}
],
operating_system={
"part": "o",
"vendor": "redhat",
"product": "enterprise_linux",
"version": "9.4"
},
fields=[
"title",
"short_description"
],
match="partial"
)
[
{
"input": {
"part": "a",
"vendor": "haxx",
"product": "libcurl",
"version": "8.8"
},
"matched_criteria": "cpe:2.3:a:haxx:libcurl:8.8:*:*:*:*:*:*:*",
"vulnerabilities": [
{
"id": "CVE-2024-6874",
"title": "CVE-2024-6874",
"short_description": "CVE-2024-6874 macidn punycode buffer overread in libcurl url function"
},
{
"id": "CVE-2024-7264",
"title": "CVE-2024-7264",
"short_description": "libcurl ASN1 parser `GTime2str()` function vulnerability"
},
{
"...": "... other vulnerabilities truncated ..."
}
]
},
{
"input": {
"part": "a",
"vendor": "openbsd",
"product": "openssh",
"version": "8.5"
},
"matched_criteria": "cpe:2.3:a:openbsd:openssh:8.5:*:*:*:*:*:*:*",
"vulnerabilities": [
{
"id": "CVE-2024-6387",
"title": "CVE-2024-6387",
"short_description": "Security regression in OpenSSH server (sshd). Race condition ..."
},
{
"id": "CVE-2020-14145",
"title": "CVE-2020-14145",
"short_description": "The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy ..."
},
{
"...": "... other vulnerabilities truncated ..."
}
]
}
]
Example 3: WordPress + Plugin
Scenario: This scenario sets WordPress as the application filter plus a Yoast SEO plugin as installed software.
Usage:
Query:
POST /api/v4/audit/host
Query example:
curl -X POST https://vulners.com/api/v4/audit/host -H "X-Api-Key: YOUR_API_KEY" -H "Content-Type: application/json" -d '{
"software": [
{
"part": "a",
"vendor": "yoast",
"product": "yoast seo",
"version": "20.4"
}
],
"application": {
"part": "a",
"vendor": "wordpress",
"product": "wordpress"
},
"fields": ["title", "short_description"]
}'
vulners_api.audit.host(
software=[
{
"part": "a",
"vendor": "yoast",
"product": "yoast seo",
"version": "20.4"
}
],
application= {
"part": "a",
"vendor": "wordpress",
"product": "wordpress"
},
fields=[
"title",
"short_description"
],
match="partial"
)
{
"input": {
"part": "a",
"vendor": "yoast",
"product": "yoast seo",
"version": "20.4"
},
"matched_criteria": "cpe:2.3:a:yoast:yoast_seo:20.4:*:*:*:*:*:*:*",
"vulnerabilities": [
{
"id": "PATCHSTACK:D15EC4814FA577180898B6C415B337D4",
"reasons": [
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:yoast:yoast_seo:*:*:*:*:*:typo3:*:*",
"vulnerable": true,
"versionEndIncluding": "20.4"
}
]
]
}
],
"title": "WordPress Yoast SEO Premium Plugin <= 20.4 is vulnerable to Broken Access Control",
"short_description": "WordPress Yoast SEO Premium Plugin <= 20.4 vulnerability: Broken Access Control"
},
{
"id": "CVE-2023-40680",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:a:yoast:yoast_seo:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndIncluding": "21.0"
}
]
]
}
],
"title": "CVE-2023-40680",
"short_description": "CVE-2023-40680: Stored XSS in Team Yoast Yoast SEO"
},
{
"id": "CVE-2023-28775",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:a:yoast:yoast_seo:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndExcluding": "20.5"
}
]
]
}
],
"title": "CVE-2023-28775",
"short_description": "Yoast SEO Premium Missing Authorization Vulnerability"
},
{
"id": "CVE-2024-4041",
"reasons": [
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:yoast:yoast_seo:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndIncluding": "22.5"
}
]
]
}
],
"title": "CVE-2024-4041",
"short_description": "The Yoast SEO plugin for WordPress has Reflected Cross-Site Scripting vulnerability"
},
{
"id": "CVE-2024-4984",
"reasons": [
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:yoast:yoast_seo:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndIncluding": "22.6"
}
]
]
}
],
"title": "CVE-2024-4984",
"short_description": "Yoast SEO plugin vulnerability allows injection of arbitrary web script"
}
]
}
Example 4: WordPress + Plugin + Linux
Scenario: This scenario sets Debian Linux as operating_system, WordPress as application, and a popular plugin (Woocommerce Pre-Orders) as installed software.
Usage:
Query:
POST /api/v4/audit/host
Query example:
curl -X POST https://vulners.com/api/v4/audit/host -H "X-Api-Key: YOUR_API_KEY" -H 'Content-Type: application/json' -d '{
"software": [
{
"part": "a",
"vendor": "woocommerce",
"product": "woocommerce_pre-orders",
"version": "2.0"
}
],
"operating_system": {
"part": "o",
"vendor": "debian",
"product": "debian_linux",
"version": "11"
},
"application": {
"part": "a",
"vendor": "wordpress",
"product": "wordpress"
},
"fields": [
"title",
"short_description"
],
"match": "partial"
}'
vulners_api.audit.host(
software=[
{
"part": "a",
"vendor": "woocommerce",
"product": "woocommerce_pre-orders",
"version": "2.0"
}
],
operating_system={
"part": "o",
"vendor": "debian",
"product": "debian_linux",
"version": "11"
},
application= {
"part": "a",
"vendor": "wordpress",
"product": "wordpress"
},
fields=[
"title",
"short_description"
],
match="partial"
)
[
{
"input": {
"part": "a",
"vendor": "woocommerce",
"product": "woocommerce_pre-orders",
"version": "2.0"
},
"matched_criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:2.0:*:*:*:*:*:*:*",
"vulnerabilities": [
{
"id": "CVE-2023-32793",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndIncluding": "2.0.0"
}
]
]
},
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndIncluding": "2.0.0"
}
]
]
}
],
"title": "CVE-2023-32793",
"short_description": "Auth. Stored Cross-Site Scripting (XSS) vulnerability in WooCommerce WooCommerce Pre-Orders plugin <=\u00a02.0.0 versions"
},
{
"id": "PATCHSTACK:E2F81C0D4E183BAF40E850AA31186ED1",
"reasons": [
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndIncluding": "2.0.0"
}
]
]
}
],
"title": "WordPress WooCommerce Pre-Orders Plugin <= 2.0.0 is vulnerable to Cross Site Scripting (XSS)",
"short_description": "WordPress WooCommerce Pre-Orders Plugin <= 2.0.0 Cross-Site Scripting Vulnerability. Low Severit"
},
{
"id": "CVE-2023-3507",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndExcluding": "2.0.3"
}
]
]
},
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndExcluding": "2.0.3"
}
]
]
}
],
"title": "CVE-2023-3507",
"short_description": "The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when canceling pre-order"
},
{
"id": "CVE-2023-3508",
"reasons": [
{
"config": "nvd",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndExcluding": "2.0.3"
}
]
]
},
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndExcluding": "2.0.3"
}
]
]
}
],
"title": "CVE-2023-3508",
"short_description": " WooCommerce Pre-Orders WordPress plugin 2.0.3 CSRF vulnerability"
},
{
"id": "WPVDB-ID:C431878C-8BCA-4688-9C6B-1C9E871A6A7B",
"reasons": [
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndExcluding": "2.0.2"
}
]
]
}
],
"title": "WooCommerce Pre-Orders < 2.0.2 - Reflected XSS",
"short_description": "WooCommerce Pre-Orders plugin < 2.0.2 - Reflected XSS, unescaped URLs in attribute"
},
{
"id": "WPVDB-ID:064C7ACB-DB57-4537-8A6D-32F7EA31C738",
"reasons": [
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndExcluding": "2.0.3"
}
]
]
}
],
"title": "WooCommerce Pre-Orders < 2.0.3 - Unauthorised Actions via CSRF",
"short_description": "Flawed CSRF check in WooCommerce Pre-Orders < 2.0.3 allows unauthorized actions"
},
{
"id": "WPVDB-ID:E72BBE9B-E51D-40AB-820D-404E0CB86EE6",
"reasons": [
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndExcluding": "2.0.3"
}
]
]
}
],
"title": "WooCommerce Pre-Orders < 2.0.3 - Arbitrary Pre-Order Canceling via CSRF",
"short_description": "WooCommerce Pre-Orders < 2.0.3 flawed CSRF allows arbitrary pre-order canceling"
},
{
"id": "WPVDB-ID:A86BDCFB-A1DB-4775-8F30-8EEC3F53A77A",
"reasons": [
{
"config": "vulners",
"criterias": [
[
{
"criteria": "cpe:2.3:a:woocommerce:woocommerce_pre\\-orders:*:*:*:*:*:wordpress:*:*",
"vulnerable": true,
"versionEndExcluding": "2.0.1"
}
]
]
}
],
"title": "WooCommerce Pre-Orders < 2.0.1 - Contributor+ Stored XSS",
"short_description": "WooCommerce Pre-Orders plugin vulnerability Stored XSS"
}
]
}
]
Deprecated Endpoints¶
Deprecated
The following endpoints remain operational for now but are slated for future removal:
POST /api/v3/burp/softwareapi/
POST /api/v3/burp/packages/
Use the new /api/v4/audit/ endpoints instead:
POST /api/v4/audit/software
POST /api/v4/audit/host
Package Audit API¶
The Package Audit API processes dependency lists from your project's package manager output and cross-references them against Vulners' vulnerability database. It identifies vulnerable packages, suggests fixed versions, and lists applicable advisories with version match ranges.
Supported package managers:
| Manager | Endpoint | Input format | Example input source |
|---|---|---|---|
| Maven | /api/v4/audit/package/maven | Maven dependency list (text/plain) | mvn dependency:list |
| Pip | /api/v4/audit/package/pip | Pip freeze output (text/plain) | pip freeze |
| Poetry | /api/v4/audit/package/poetry | Poetry lock file content (text/plain) | cat poetry.lock |
| uv | /api/v4/audit/package/uv | uv lock file content (text/plain) | cat uv.lock |
| NPM | /api/v4/audit/package/npm | package-lock.json content (text/plain) | cat package-lock.json |
| Golang | /api/v4/audit/package/golang | Go modules list (text/plain) | go list -m all |
Response format:
All endpoints return a consistent JSON structure:
- result.issues: array of vulnerable packages; each entry carries:
  - package: package name
  - version: current version
  - fixedVersion: recommended safe version
  - scopes: dependency scopes (e.g., "test", "main")
  - applicableAdvisories: matching vulnerabilities with IDs and version ranges
- result.totalPackages: number of packages parsed from the input.
If no issues found, issues is an empty array.
Query parameters (all optional, applied identically to every package endpoint):
| Name | Type | Default | Description |
|---|---|---|---|
| includeAnyVersion | boolean | true | Include advisories that match the package name regardless of version. Snake_case alias: include_any_version. |
| includeCandidates | boolean | false | Include candidate advisories (those awaiting vendor confirmation). |
| includeUnofficial | boolean | false | Include advisories sourced from unofficial / third-party feeds. |
| includeTransitives | boolean | false | Include transitively introduced packages in the audit. |
Auth: X-Api-Key header required.
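Because every package endpoint returns the same result.issues / result.totalPackages structure, one consumer serves all of them. The added example below (not Vulners' own code) turns such a response into a CI verdict and a remediation plan: packages that only appear in ignored scopes (test by default) are reported but do not fail the build, findings are ordered by advisory count, and packages without a known fixedVersion stay visible as needing a workaround. The embedded response is constructed from the page's Maven and Pip samples merged into one document; treating a missing scopes list as "main" is an assumption.

```python
"""Added example (not Vulners' own code): CI gate over a
/audit/package/{ecosystem} response. No network calls; the response is
constructed from the page's Maven and Pip samples."""
import sys

SAMPLE_RESPONSE = {  # constructed from the page's samples
    "result": {
        "issues": [
            {"package": "junit:junit", "version": "4.12", "fixedVersion": "4.13.1",
             "scopes": ["test"],
             "applicableAdvisories": [
                 {"id": "OSV:GHSA-269G-PWP5-87PP", "match": ">=4.7,<4.13.1"}]},
            {"package": "notebook", "version": "4.2.0", "fixedVersion": "6.1.5",
             "scopes": ["main"],
             "applicableAdvisories": [
                 {"id": "OSV:PYSEC-2018-17", "match": ">=0,<5.7.1"},
                 {"id": "OSV:PYSEC-2018-18", "match": ">=0,<5.7.2"},
                 {"id": "OSV:PYSEC-2020-215", "match": ">=0,<6.1.5"}]},
        ],
        "totalPackages": 2,
    }
}


def shipped(issue, ignore_scopes):
    """An issue counts as shipped unless every scope it appears in is ignored.
    Assumption: an issue with no scopes list is treated as 'main'."""
    scopes = issue.get("scopes") or ["main"]
    return any(s not in ignore_scopes for s in scopes)


def triage(response, ignore_scopes=("test",)):
    """Return (exit_code, findings): exit_code is 1 when at least one shipped
    package is vulnerable; findings are sorted by advisory count, descending,
    then by package name."""
    issues = response["result"].get("issues", [])
    findings = [
        {"package": i["package"], "version": i.get("version"),
         "fixedVersion": i.get("fixedVersion"),
         "scopes": i.get("scopes", []),
         "advisories": [a["id"] for a in i.get("applicableAdvisories", [])]}
        for i in issues if shipped(i, ignore_scopes)
    ]
    findings.sort(key=lambda f: (-len(f["advisories"]), f["package"]))
    return (1 if findings else 0), findings


def remediation_plan(response):
    """package -> version to bump to. Packages without a known fix map to None
    so they surface as 'needs a workaround' instead of silently vanishing."""
    return {i["package"]: i.get("fixedVersion")
            for i in response["result"].get("issues", [])}


def summary(response, ignore_scopes=("test",)):
    """One-line verdict for a CI log."""
    code, findings = triage(response, ignore_scopes)
    total = response["result"].get("totalPackages", "?")
    return (f"{len(findings)} of {total} packages vulnerable in shipped scopes "
            f"(exit {code}); ignored scopes: {', '.join(ignore_scopes) or 'none'}")


if __name__ == "__main__":
    code, findings = triage(SAMPLE_RESPONSE)
    print(summary(SAMPLE_RESPONSE))
    for f in findings:
        print(f"  {f['package']} {f['version']} -> {f['fixedVersion']}: "
              f"{', '.join(f['advisories'])}")
    sys.exit(code)
```

In a pipeline, pipe the endpoint's JSON into triage() and use the returned exit code as the job status; keep the ignored-scope list explicit in the job definition so that a dependency moving from test to main scope starts failing the build without anyone editing the gate.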
Maven audit¶
Usage:
Query:
POST /api/v4/audit/package/maven
Example:
curl -XPOST https://vulners.com/api/v4/audit/package/maven \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: text/plain" \
-d "$(mvn -B -q dependency:list -DoutputFile=/dev/stdout)"
{
"result": {
"issues": [
{
"package": "junit:junit",
"version": "4.12",
"fixedVersion": "4.13.1",
"scopes": [
"test"
],
"applicableAdvisories": [
{
"id": "OSV:GHSA-269G-PWP5-87PP",
"match": ">=4.7,<4.13.1"
}
]
}
]
}
}
Pip audit¶
Usage:
Query:
POST /api/v4/audit/package/pip
Example:
curl -XPOST https://vulners.com/api/v4/audit/package/pip \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: text/plain" \
-d "$(pip freeze)"
{
"result": {
"issues": [
{
"package": "notebook",
"version": "4.2.0",
"fixedVersion": "6.1.5",
"scopes": [
"main"
],
"applicableAdvisories": [
{
"id": "OSV:PYSEC-2018-17",
"match": ">=0,<5.7.1"
},
{
"id": "OSV:PYSEC-2018-18",
"match": ">=0,<5.7.2"
},
{
"id": "OSV:PYSEC-2020-215",
"match": ">=0,<6.1.5"
}
]
}
]
}
}
Poetry/uv audit¶
Usage:
Query:
POST /api/v4/audit/package/poetry
Example:
curl -XPOST https://vulners.com/api/v4/audit/package/poetry \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: text/plain" \
-d "$(cat poetry.lock)"
{
"result": {
"issues": [
{
"package": "notebook",
"version": "4.2.0",
"fixedVersion": "6.1.5",
"scopes": [
"main"
],
"applicableAdvisories": [
{
"id": "OSV:PYSEC-2018-17",
"match": ">=0,<5.7.1"
},
{
"id": "OSV:PYSEC-2018-18",
"match": ">=0,<5.7.2"
},
{
"id": "OSV:PYSEC-2020-215",
"match": ">=0,<6.1.5"
}
]
}
]
}
}
Query:
POST /api/v4/audit/package/uv
Example:
curl -XPOST https://vulners.com/api/v4/audit/package/uv \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: text/plain" \
-d "$(cat uv.lock)"
{
"result": {
"issues": [
{
"package": "notebook",
"version": "4.2.0",
"fixedVersion": "6.1.5",
"scopes": [
"main"
],
"applicableAdvisories": [
{
"id": "OSV:PYSEC-2018-17",
"match": ">=0,<5.7.1"
},
{
"id": "OSV:PYSEC-2018-18",
"match": ">=0,<5.7.2"
},
{
"id": "OSV:PYSEC-2020-215",
"match": ">=0,<6.1.5"
}
]
}
]
}
}
Npm audit¶
Usage:
Query:
POST /api/v4/audit/package/npm
Example:
curl -XPOST https://vulners.com/api/v4/audit/package/npm \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: text/plain" \
-d "$(cat package-lock.json)"
{
"result": {
"issues": [
{
"package": "@babel/helpers",
"version": "7.26.0",
"fixedVersion": "7.26.10",
"scopes": [
"main"
],
"applicableAdvisories": [
{
"id": "OSV:GHSA-968P-4WVH-CQC8",
"match": ">=0,<7.26.10"
}
]
},
{
"package": "nuxt",
"version": "3.15.2",
"fixedVersion": "3.19.0",
"scopes": [
"main"
],
"applicableAdvisories": [
{
"id": "SNYK:JS-NUXT-12878602",
"match": ">=3.6.0,<3.19.0"
}
]
}
]
}
}
Golang audit¶
Usage:
Query:
POST /api/v4/audit/package/golang
Example:
curl -XPOST https://vulners.com/api/v4/audit/package/golang \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: text/plain" \
-d "$(go list -m all)"
{
"result": {
"issues": [
]
}
}
Library Audit¶
Audit packages identified by PURL (Package URL). Send a list of PURLs from any registry (pkg:npm/…, pkg:pypi/…, pkg:maven/…, pkg:deb/…, …); the endpoint returns the vulnerable ones with fix versions and matching advisories. For raw lock-file input, use /audit/package/{ecosystem}.
Auth: X-Api-Key header required.
Parameters:
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| packages | body | array[string] | yes | List of PURLs (e.g. pkg:npm/[email protected], pkg:pypi/[email protected]). 1–2500 entries. |
| include_unofficial | body | boolean | no | Include packages from unofficial / community sources. Default false. |
| include_candidates | body | boolean | no | Include candidate (not-yet-confirmed) affected packages. Default false. |
| include_any_version | body | boolean | no | Include records that match any version (no specific range). Default false. |
| cvelist_metrics | body | boolean | no | Attach CVE-list metrics to each advisory. Paid plans only; no effect on the free tier. Default false. |
Response schema:
| Field | Type | Description |
|---|---|---|
| result.issues | array[object] | One entry per vulnerable input package. Sorted by advisory count (descending), then by package name. |
| result.errors | object | Parse errors, keyed by the input's 0-based index in packages. Empty {} when every PURL parsed. |
| result.totalPackages | integer | Count of PURLs that parsed successfully. |
Each issues[] entry:
| Field | Type | Always present | Description |
|---|---|---|---|
| package | string | yes | Echoes the input PURL. |
| version | string | no | Version from the input PURL. Omitted if the PURL didn't carry one. |
| fixedVersion | string | no | Latest known fix. Omitted if no fix is known. |
| applicableAdvisories | array[object] | yes | Matching advisories for this package/version. |
Each applicableAdvisories[] entry (the optional fields distro, arch, classifier and cvelistMetrics are omitted when not applicable, never returned as null):
| Field | Type | Always present | Description |
|---|---|---|---|
| id | string | yes | Advisory identifier (e.g. OSV:GHSA-…, SNYK:…, DEBIANCVE:CVE-…). |
| match | string | yes | Vulnerable version range that matched (e.g. <4.17.21, >=4.2,<4.2.30). |
| registry | string | yes | Registry the advisory targets (npm, pypi, maven, deb, rpm, …). |
| distro | array[string] | no | Distribution scope (e.g. ["debian", "debian-10"]). Present only for OS-package registries. |
| arch | array[string] | no | Affected architectures. Present only on arch-specific advisories. |
| classifier | array[string] | no | Classifiers (e.g. Maven classifier). Present only when the advisory targets one. |
| cvelistMetrics | array[object] | no | CVE-list metrics. Present only when cvelist_metrics=true on a paid plan. |
Usage:
Query:
POST /api/v4/audit/library
Single npm package:
curl -XPOST https://vulners.com/api/v4/audit/library \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"packages": ["pkg:npm/[email protected]"]}'
Multi-ecosystem:
curl -XPOST https://vulners.com/api/v4/audit/library \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"packages": [
"pkg:npm/[email protected]",
"pkg:pypi/[email protected]",
"pkg:maven/org.apache.logging.log4j/[email protected]"
]}'
Mixed valid + invalid (populates errors):
curl -XPOST https://vulners.com/api/v4/audit/library \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"packages": [
"pkg:npm/lodash@4.17.15",
"not-a-purl",
"pkg:pypi/",
"pkg:npm/express@4.16.0"
]}'
Single npm package:
vulners_api.audit.library_audit(packages=["pkg:npm/express@4.16.0"])
Multi-ecosystem:
vulners_api.audit.library_audit(packages=[
"pkg:npm/[email protected]",
"pkg:pypi/[email protected]",
"pkg:maven/org.apache.logging.log4j/[email protected]",
])
With unofficial / candidate / any-version records and CVE-list metrics (paid plans):
vulners_api.audit.library_audit(
packages=["pkg:npm/[email protected]"],
include_unofficial=True,
include_candidates=True,
include_any_version=True,
cvelist_metrics=True,
)
{
"result": {
"issues": [
{
"package": "pkg:npm/express@4.16.0",
"version": "4.16.0",
"fixedVersion": "4.20.0",
"applicableAdvisories": [
{ "id": "OSV:GHSA-RV95-896H-C2VC", "match": "<4.19.2", "registry": "npm" },
{ "id": "OSV:GHSA-QW6H-VGH9-J6WX", "match": "<4.20.0", "registry": "npm" }
]
}
],
"errors": {},
"totalPackages": 1
}
}
errors is keyed by the 0-based input index: "not-a-purl" failed at index 1, "pkg:pypi/" at index 2. Advisory lists trimmed here for brevity.
{
"result": {
"issues": [
{
"package": "pkg:npm/lodash@4.17.15",
"version": "4.17.15",
"fixedVersion": "4.18.1",
"applicableAdvisories": [
{ "id": "SNYK:JS-LODASH-6139239", "match": "<4.17.17", "registry": "npm" },
{ "id": "OSV:GHSA-P6MC-M468-83GW", "match": ">=3.7.0,<4.17.19", "registry": "npm" },
{ "id": "OSV:GHSA-35JH-R3H4-6JHM", "match": "<4.17.21", "registry": "npm" }
]
},
{
"package": "pkg:npm/express@4.16.0",
"version": "4.16.0",
"fixedVersion": "4.20.0",
"applicableAdvisories": [
{ "id": "OSV:GHSA-RV95-896H-C2VC", "match": "<4.19.2", "registry": "npm" },
{ "id": "OSV:GHSA-QW6H-VGH9-J6WX", "match": "<4.20.0", "registry": "npm" }
]
}
],
"errors": {
"1": "purl is missing the required \"pkg\" scheme component: 'not-a-purl'.",
"2": "purl is missing the required name component: 'pkg:pypi/'"
},
"totalPackages": 2
}
}
OS-package registries (deb, rpm, apk, alpm) add distro to each advisory, and arch when the advisory is arch-specific. Excerpt from pkg:deb/debian/curl@7.64.0-4:
{
"result": {
"issues": [
{
"package": "pkg:deb/debian/curl@7.64.0-4",
"version": "7.64.0-4",
"fixedVersion": "8.14.1-1",
"applicableAdvisories": [
{
"id": "OSV:DSA-4633-1",
"match": ">=7,<7.64.0-4+deb10u1",
"registry": "deb",
"distro": ["debian", "debian-10"]
},
{
"id": "OSV:DEBIAN-CVE-2019-5482",
"match": "<7.66.0-1",
"registry": "deb",
"distro": ["debian", "debian-11", "debian-12", "debian-13", "debian-14"]
}
]
}
],
"errors": {},
"totalPackages": 1
}
}
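The request side of this endpoint is mostly about producing well-formed PURLs and mapping the index-keyed errors back to what you sent. The script below is an added example, not code from the Vulners docs or the vulners client: it builds PURLs from a requirements.txt and an npm package-lock.json (PEP 503 name normalisation for PyPI, percent-encoded scope for npm), splits them into batches of a size the caller picks (the page states no batch cap for this endpoint), and resolves the 0-based errors keys against the submitted list. The requirements text, lockfile and response are constructed here; the response is modelled on the mixed valid/invalid example above.

```python
import json
import re
import urllib.request
from typing import Dict, Iterable, List, Tuple

LIBRARY_AUDIT_URL = "https://vulners.com/api/v4/audit/library"


def purl_pypi(name: str, version: str) -> str:
    """PyPI PURLs use the PEP 503 normalised name: lower-case, runs of [-_.] collapsed to '-'."""
    normalised = re.sub(r"[-_.]+", "-", name).lower()
    return f"pkg:pypi/{normalised}@{version}"


def purl_npm(name: str, version: str) -> str:
    """An npm scope becomes the PURL namespace with its '@' percent-encoded: pkg:npm/%40scope/name@ver."""
    if name.startswith("@") and "/" in name:
        scope, pkg = name[1:].split("/", 1)
        return f"pkg:npm/%40{scope}/{pkg}@{version}"
    return f"pkg:npm/{name}@{version}"


def purls_from_requirements(text: str) -> Tuple[List[str], List[str]]:
    """Return (purls, unpinned) for a requirements.txt; only '==' pins give an exact version to audit."""
    purls, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or an option such as -r/--index-url
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)", line)
        if m:
            purls.append(purl_pypi(m.group(1), m.group(2)))
        else:
            unpinned.append(line)
    return purls, unpinned


def purls_from_package_lock(lock: dict) -> List[str]:
    """Walk the lockfile-v2/v3 'packages' map; nested node_modules paths reduce to the package name."""
    seen: Dict[str, None] = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "" or "node_modules/" not in path:
            continue  # "" is the project itself; paths without node_modules are workspaces
        name = path.rsplit("node_modules/", 1)[1]
        version = meta.get("version")
        if version:
            seen.setdefault(purl_npm(name, version), None)  # de-duplicate, keep first-seen order
    return list(seen)


def batches(purls: List[str], size: int) -> Iterable[List[str]]:
    for i in range(0, len(purls), size):
        yield purls[i:i + size]


def attach_errors(inputs: List[str], response: dict) -> Dict[str, str]:
    """errors is keyed by the 0-based index into the submitted packages array (keys are strings)."""
    errors = response["result"].get("errors") or {}
    return {inputs[int(idx)]: msg for idx, msg in errors.items()}


def summarize(response: dict) -> List[dict]:
    """Flatten issues; version and fixedVersion are optional keys, so read them with defaults."""
    out = []
    for issue in response["result"]["issues"]:
        out.append({
            "package": issue["package"],
            "version": issue.get("version"),
            "fixedVersion": issue.get("fixedVersion"),
            "advisories": [a["id"] for a in issue["applicableAdvisories"]],
        })
    return out


def audit_library(api_key: str, purls: List[str], **options) -> dict:
    """POST one batch to /api/v4/audit/library (network call; not exercised by the offline sample)."""
    body = json.dumps({"packages": purls, **options}).encode()
    req = urllib.request.Request(
        LIBRARY_AUDIT_URL, data=body, method="POST",
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed inputs and a constructed response modelled on the mixed valid/invalid example.
SAMPLE_REQUIREMENTS = "Django==4.2.0\nrequests == 2.31.0  # pinned\nflask>=2\n"
SAMPLE_LOCK = {"packages": {
    "": {"name": "demo"},
    "node_modules/express": {"version": "4.16.0"},
    "node_modules/@babel/core": {"version": "7.0.0"},
    "node_modules/a/node_modules/express": {"version": "4.16.0"},
}}
SAMPLE_INPUTS = ["pkg:npm/lodash@4.17.15", "not-a-purl", "pkg:pypi/", "pkg:npm/express@4.16.0"]
SAMPLE_RESPONSE = {"result": {
    "issues": [{"package": "pkg:npm/express@4.16.0", "version": "4.16.0", "fixedVersion": "4.20.0",
                "applicableAdvisories": [{"id": "OSV:GHSA-RV95-896H-C2VC", "match": "<4.19.2", "registry": "npm"}]}],
    "errors": {"1": "purl is missing the required \"pkg\" scheme component: 'not-a-purl'.",
               "2": "purl is missing the required name component: 'pkg:pypi/'"},
    "totalPackages": 2,
}}
```

Unpinned requirement lines are returned separately rather than silently dropped: an unpinned dependency has no single version to audit, and reporting it is usually more useful than guessing one.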
CVE Audit¶
Reverse-lookup the package impact surface of a single CVE: given a CVE identifier (and optionally a package registry), return every known affected package together with its vulnerable version range, distribution scope, and architecture/classifier where applicable. Useful for triage workflows and LLM agents that need to translate a CVE into actionable package fix data without scanning a host or dependency list first.
Auth: X-Api-Key header required.
Parameters:
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| cve | body | string | yes | CVE (or CAN) identifier. Must match C(VE\|AN)-YYYY-NNNN+. Auto-uppercased server-side. |
| registry | body | enum | no | Restrict results to a single package registry. One of: pypi, rubygems, composer, apk, cargo, swift, cocoapods, alpm, conan, pub, packagist, cran, gem, swifturl, nuget, hackage, deb, golang, npm, maven, rpm, bitnami. Omit to return all registries. |
| include_unofficial | body | boolean | no | Include packages from unofficial / community sources. Default false. |
| include_candidates | body | boolean | no | Include candidate (not-yet-confirmed) affected packages. Default false. |
| include_any_version | body | boolean | no | Include records that match any version (no specific range). Default false. |
| include_transitives | body | boolean | no | Include packages affected only via transitive dependencies. Default false. |
Response schema:
The endpoint returns a JSON object with a single result key:
| Field | Type | Description |
|---|---|---|
| result.cve | string | Echo of the queried CVE identifier (uppercased). |
| result.affectedPackages | array[object] | Affected packages. Empty if no records matched the filters. |
Each affectedPackages[] entry always includes name, range, and registry. The distro, arch, and classifier fields are omitted from the JSON when not applicable (they are not returned as null).
| Field | Type | Always present | Description |
|---|---|---|---|
| name | string | yes | Package name as it appears in the registry. |
| range | string | yes | Vulnerable version range (e.g. <2.15.0, >=2,<2.17.1). |
| registry | string | yes | Registry the package belongs to (see registry enum above). |
| distro | array[string] | — | Distribution scope (e.g. ["debian", "debian-11"], ["ubuntu", "ubuntu-20.04"]). Present only for OS-package registries (deb, rpm, apk, alpm). |
| arch | array[string] | — | Architectures affected (e.g. ["x86_64", "i686"]). Present only when the advisory is architecture-specific. |
| classifier | array[string] | — | Additional classifiers (e.g. Maven classifiers). Present only when the advisory targets a specific classifier. |
Usage:
Query:
POST /api/v4/audit/cve
Example:
curl -XPOST https://vulners.com/api/v4/audit/cve \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"cve": "CVE-2021-44228", "registry": "maven"}'
Minimal example:
vulners_api.audit.cve_audit(cve="CVE-2021-44228")
Restrict to a single registry:
vulners_api.audit.cve_audit(cve="CVE-2021-44228", registry="maven")
Include unofficial / candidate / any-version records:
vulners_api.audit.cve_audit(
cve="CVE-2021-44228",
registry="maven",
include_unofficial=True,
include_candidates=True,
include_any_version=True,
)
Response to the minimal call (no registry filter); with registry=maven only the maven entries are returned:
{
"result": {
"cve": "CVE-2021-44228",
"affectedPackages": [
{
"name": "com.guicedee.services:log4j-core",
"range": ">=1,<=1.2.1.2-jre17",
"registry": "maven"
},
{
"name": "log4j:log4j",
"range": ">=1.2.0,<=1.2.17",
"registry": "maven"
},
{
"name": "liblog4j2-java",
"range": "<0:2.17.1-1~deb10u1",
"registry": "deb",
"distro": ["astra", "astra-4"],
"arch": ["arm"]
}
]
}
}
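The range strings in affectedPackages (and the match field of the library audit response) are comma-joined comparators such as <2.15.0 or >=1.2.0,<=1.2.17. The code below is an added example, not from the Vulners docs or client, that evaluates such ranges against a local inventory. Its version comparison is a plain dotted-numeric one, an assumption that fits the maven/npm/pypi ranges shown above; it deliberately answers None for deb/rpm/apk/alpm, because epochs such as 0: and suffixes such as ~deb10u1 need the distribution's own algorithm (dpkg --compare-versions, rpmdev-vercmp). The affectedPackages list is the one from the response above; the inventory rows are constructed.

```python
import re
from typing import List, Optional, Sequence, Tuple

OS_PACKAGE_REGISTRIES = {"deb", "rpm", "apk", "alpm"}
_COMPARATOR = re.compile(r"^(<=|>=|==|<|>|=)?\s*(\S+)$")


def version_key(version: str) -> tuple:
    """Split a version into numeric and alphabetic chunks so '4.2' < '4.2.30' and '2.15.0' < '2.17.1'.
    Numbers compare numerically, letters lexicographically; a shorter prefix sorts first.
    Limitation (by design): pre-release tags like -rc1 sort after the release, unlike semver."""
    chunks = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(c)) if c.isdigit() else (1, c.lower()) for c in chunks)


def parse_range(spec: str) -> List[Tuple[str, str]]:
    """'>=1.2.0,<=1.2.17' -> [('>=', '1.2.0'), ('<=', '1.2.17')]; a bare version means '='."""
    clauses = []
    for part in spec.split(","):
        m = _COMPARATOR.match(part.strip())
        if not m:
            raise ValueError(f"unparseable range clause: {part!r}")
        op, bound = m.group(1) or "=", m.group(2)
        clauses.append(("=" if op == "==" else op, bound))
    return clauses


def in_range(version: str, spec: str) -> bool:
    """All clauses are ANDed, so a lower and an upper bound both have to hold."""
    v = version_key(version)
    checks = {
        "<": lambda b: v < b, "<=": lambda b: v <= b,
        ">": lambda b: v > b, ">=": lambda b: v >= b,
        "=": lambda b: v == b,
    }
    return all(checks[op](version_key(bound)) for op, bound in parse_range(spec))


def is_affected(version: str, spec: str, registry: str) -> Optional[bool]:
    """None means 'cannot decide with this comparator': hand OS-package ranges to the distro tooling."""
    if registry in OS_PACKAGE_REGISTRIES:
        return None
    return in_range(version, spec)


def match_inventory(affected_packages: Sequence[dict],
                    inventory: Sequence[Tuple[str, str, str]]) -> List[dict]:
    """inventory rows are (registry, name, version); returns one row per inventory entry that is
    affected, or that needs a distro-specific comparison before a verdict is possible."""
    hits = []
    for registry, name, version in inventory:
        for pkg in affected_packages:
            if pkg["registry"] != registry or pkg["name"] != name:
                continue
            verdict = is_affected(version, pkg["range"], registry)
            if verdict is None:
                hits.append({"name": name, "version": version, "range": pkg["range"],
                             "verdict": "check with distro comparator"})
            elif verdict:
                hits.append({"name": name, "version": version, "range": pkg["range"],
                             "verdict": "affected"})
    return hits


# affectedPackages as returned for CVE-2021-44228 in the response above; the inventory is constructed.
AFFECTED = [
    {"name": "com.guicedee.services:log4j-core", "range": ">=1,<=1.2.1.2-jre17", "registry": "maven"},
    {"name": "log4j:log4j", "range": ">=1.2.0,<=1.2.17", "registry": "maven"},
    {"name": "liblog4j2-java", "range": "<0:2.17.1-1~deb10u1", "registry": "deb",
     "distro": ["astra", "astra-4"], "arch": ["arm"]},
]
INVENTORY = [
    ("maven", "log4j:log4j", "1.2.17"),     # inside the range: affected
    ("maven", "log4j:log4j", "1.2.18"),     # above the upper bound: not affected
    ("deb", "liblog4j2-java", "2.11.2-1"),  # OS package: defer to dpkg version comparison
]
```

Returning None for OS-package registries instead of a guess is the important edge case: a naive string or dotted compare on 0:2.17.1-1~deb10u1 silently produces wrong answers in both directions.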
SBOM Audit¶
Audit software components from an uploaded SBOM (Software Bill of Materials). Vulners parses the SBOM, extracts components, matches them to known packages/versions, and returns applicable advisories enriched with CVSS/EPSS/AI scoring when available.
Auth: X-Api-Key header required.
Content-Type: multipart/form-data
Form field: file (SBOM JSON)
Supported formats
- SPDX (v2.x) — JSON
- CycloneDX (v1.x) — JSON
Parameters:
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| file | form | file | yes | SBOM file in SPDX/CycloneDX JSON. |
Response schema:
Each entry in result.data describes one component extracted from the SBOM:
| Field | Type | Description |
|---|---|---|
| package | string | Component name. |
| version | string | Component version reported by the SBOM. |
| fixedVersion | string \| null | Latest known fixed version, if any. |
| applicableAdvisories | array[object] | Matching advisories (see below). Empty array if none. |
Each advisory in applicableAdvisories:
| Field | Type | Description |
|---|---|---|
| id | string | Advisory identifier (e.g. OSV:..., USN-..., DSA-...). |
| match | string | Version range that matched (e.g. >=3.11.0,<3.11.5). |
| registry | string | Package registry: deb, apk, rpm, maven, pypi, bitnami, … |
| distro | array[string] \| null | OS distribution scope, e.g. ["ubuntu", "ubuntu-22.04"]. |
| arch | array[string] \| null | Architectures, e.g. ["amd64", "arm64"]. |
| classifier | array[string] \| null | Ubuntu-only labels — see note below. |
| type | string | Advisory source type (e.g. osv, ubuntu, debian). |
| title | string | Short advisory title. |
| description | string | Advisory description. |
| published | string | ISO 8601 publication timestamp. |
| epss | array[object] | Per-CVE EPSS entries: cve, epss, percentile, date. |
| aiScore | object | AI-derived severity: value, uncertainty. |
| metrics | object | CVSS/EPSS metrics for the advisory. |
| exploitation | object | Wild exploitation: wildExploited, wildExploitedSources. |
| references | array[string] | Advisory reference URLs. |
| cvelist | array[string] | CVE IDs covered by this advisory. |
distro, arch, and classifier are null when the advisory isn't scoped that way (non-OS advisories, architecture-agnostic advisories, non-Ubuntu advisories). The classifier field is currently only populated for Ubuntu advisories, with values drawn from candidate, unofficial, transitive.
Usage:
Query:
POST /api/v4/audit/sbom
Example:
curl -X POST "https://vulners.com/api/v4/audit/sbom" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Accept: application/json" \
-F "file=@/path/to/sbom.json"
Replace YOUR_API_KEY with your Vulners API key and /path/to/sbom.json with the path to your SBOM file.
On success, the endpoint returns a JSON object with a result envelope containing the matched components under data, plus a summaryId and totalPackages count. Components with no matches are returned with an empty applicableAdvisories array.
{
"result": {
"data": [
{
"package": "python",
"version": "3.11.4",
"fixedVersion": "3.15.0",
"applicableAdvisories": [
{
"id": "OSV:BIT-PYTHON-2023-41105",
"match": ">=3.11.0,<3.11.5",
"registry": "bitnami",
"distro": null,
"arch": null,
"classifier": null,
"type": "osv",
"title": "BIT-PYTHON-2023-41105",
"description": "An issue was discovered in Python 3.11 through 3.11.4 ...",
"published": "2024-10-04T16:35:59",
"epss": [
{
"cve": "CVE-2023-41105",
"epss": 0.00363,
"percentile": 0.57892,
"date": "2026-02-27"
}
],
"aiScore": {
"value": 7.3,
"uncertainty": 0.2
},
"metrics": {
"cvss": {
"score": 7.5,
"severity": "HIGH",
"version": "3.1",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"source": "nvd"
},
"epss": ["CVE-2023-41105"]
},
"exploitation": {
"wildExploited": false,
"wildExploitedSources": []
},
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-41105"
],
"cvelist": ["CVE-2023-41105"]
},
{
"id": "USN-6891-1",
"match": "<3.11.6-0ubuntu1",
"registry": "deb",
"distro": ["ubuntu", "ubuntu-22.04"],
"arch": ["amd64", "arm64"],
"classifier": ["candidate", "transitive"],
"type": "ubuntu",
"title": "Python vulnerabilities",
"description": "Several issues were fixed in Python.",
"published": "2024-06-20T00:00:00",
"epss": [],
"aiScore": { "value": 6.8, "uncertainty": 0.4 },
"metrics": {
"cvss": {
"score": 7.5,
"severity": "HIGH",
"version": "3.1",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"source": "ubuntu"
},
"epss": []
},
"exploitation": {
"wildExploited": false,
"wildExploitedSources": []
},
"references": [
"https://ubuntu.com/security/notices/USN-6891-1"
],
"cvelist": ["CVE-2023-41105"]
}
]
},
{
"package": "Simple Launcher",
"version": "1.1.0.14",
"fixedVersion": null,
"applicableAdvisories": []
}
],
"summaryId": "8e46a7a2c5943fe9914369e20a54c615",
"totalPackages": 8
}
}
Errors
- 401 Unauthorized — missing/invalid X-Api-Key.
- 403 Forbidden — IP not allowed or insufficient license scope.
- 400 Bad Request — invalid/unsupported SBOM format or malformed JSON.
Best practices
- Validate SPDX/CycloneDX JSON before upload.
- Include PURLs and consistent package identifiers to improve matching.
- Use metrics.cvss and epss to prioritize remediation.
- Narrow results by registry, distro, and arch when audit output covers multiple ecosystems; use classifier to filter Ubuntu-specific labels (candidate, unofficial, transitive).
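The best-practice items above fit in one short script. This is an added example, not Vulners code: preflight_sbom accepts the two supported formats (CycloneDX 1.x, SPDX 2.x) and counts the components that carry a PURL, since those match most precisely; prioritize flattens result.data into one row per advisory, applies the optional distro/arch/classifier filters, and sorts by in-the-wild exploitation, then CVSS, then the highest EPSS. The SBOM documents and the audit response are constructed; the response is modelled on the example above plus a second component (with a made-up advisory id) so the ordering is visible. The upload itself is the curl command shown earlier.

```python
from typing import Iterable, List, Optional


def preflight_sbom(doc: dict) -> dict:
    """Accept CycloneDX 1.x or SPDX 2.x JSON and report how many components carry a PURL.
    Components without a PURL can still match on name/version, but with less precision."""
    if doc.get("bomFormat") == "CycloneDX" and str(doc.get("specVersion", "")).startswith("1."):
        comps = doc.get("components", [])
        with_purl = sum(1 for c in comps if c.get("purl"))
        return {"format": "cyclonedx", "components": len(comps), "with_purl": with_purl}
    if str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        pkgs = doc.get("packages", [])
        with_purl = sum(
            1 for p in pkgs
            if any(r.get("referenceType") == "purl" for r in p.get("externalRefs", []))
        )
        return {"format": "spdx", "components": len(pkgs), "with_purl": with_purl}
    raise ValueError("not a CycloneDX 1.x or SPDX 2.x JSON document")


def _max_epss(adv: dict) -> float:
    # epss is a per-CVE list; an advisory covering several CVEs is ranked by its worst one
    return max((e.get("epss", 0.0) for e in adv.get("epss") or []), default=0.0)


def _cvss(adv: dict) -> float:
    return ((adv.get("metrics") or {}).get("cvss") or {}).get("score") or 0.0


def prioritize(response: dict, distro: Optional[str] = None, arch: Optional[str] = None,
               exclude_classifiers: Iterable[str] = ()) -> List[dict]:
    """One row per (component, advisory), most urgent first. distro/arch/classifier are null for
    advisories that are not scoped that way, so a null value never causes a filter to drop a row."""
    excluded = set(exclude_classifiers)
    rows = []
    for comp in response["result"]["data"]:
        for adv in comp["applicableAdvisories"]:
            if distro and adv.get("distro") and distro not in adv["distro"]:
                continue
            if arch and adv.get("arch") and arch not in adv["arch"]:
                continue
            if excluded & set(adv.get("classifier") or []):
                continue
            rows.append({
                "package": comp["package"], "version": comp["version"],
                "fixedVersion": comp.get("fixedVersion"), "advisory": adv["id"],
                "registry": adv["registry"], "cvss": _cvss(adv), "epss": _max_epss(adv),
                "wild": bool((adv.get("exploitation") or {}).get("wildExploited")),
            })
    rows.sort(key=lambda r: (r["wild"], r["cvss"], r["epss"]), reverse=True)
    return rows


# Constructed sample documents and a constructed audit response modelled on the example above.
SAMPLE_CYCLONEDX = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "python", "version": "3.11.4", "purl": "pkg:generic/python@3.11.4"},
    {"name": "Simple Launcher", "version": "1.1.0.14"},
]}
SAMPLE_SPDX = {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "python", "versionInfo": "3.11.4",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:generic/python@3.11.4"}]},
]}
SAMPLE_RESPONSE = {"result": {"data": [
    {"package": "python", "version": "3.11.4", "fixedVersion": "3.15.0", "applicableAdvisories": [
        {"id": "OSV:BIT-PYTHON-2023-41105", "registry": "bitnami", "distro": None, "arch": None,
         "classifier": None, "epss": [{"cve": "CVE-2023-41105", "epss": 0.00363}],
         "metrics": {"cvss": {"score": 7.5}}, "exploitation": {"wildExploited": False}},
        {"id": "USN-6891-1", "registry": "deb", "distro": ["ubuntu", "ubuntu-22.04"],
         "arch": ["amd64", "arm64"], "classifier": ["candidate", "transitive"], "epss": [],
         "metrics": {"cvss": {"score": 7.5}}, "exploitation": {"wildExploited": False}},
    ]},
    {"package": "openssl", "version": "3.0.2", "fixedVersion": "3.0.3", "applicableAdvisories": [
        {"id": "CONSTRUCTED-ADVISORY", "registry": "generic", "distro": None, "arch": None,
         "classifier": None, "epss": [], "metrics": {"cvss": {"score": 5.3}},
         "exploitation": {"wildExploited": True}},
    ]},
    {"package": "Simple Launcher", "version": "1.1.0.14", "fixedVersion": None, "applicableAdvisories": []},
], "summaryId": "constructed", "totalPackages": 3}}
```

The sort key puts wildExploited ahead of the CVSS score on purpose: a 5.3 that is being exploited is a better use of the next patch window than a 7.5 that is not.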
Windows Audit¶
Audit Windows via KB¶
Quick audit of Windows hosts by OS version + installed KB list. Good for patch status checks.
Auth: X-Api-Key header required.
Parameters:
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| os | body | string | yes | OS name/version (e.g., Windows Server 2012 R2). |
| kbList | body | array[string] | yes | Array of installed KB IDs (e.g., ["KB5009586","KB5009624"]). |
Usage:
Query:
POST /api/v3/audit/kb/
Query example:
curl -XPOST https://vulners.com/api/v3/audit/kb/ -H "X-Api-Key: YOUR_API_KEY" -H 'Content-Type: application/json' -d '{
"os": "Windows Server 2012 R2",
"kbList": ["KB5009586", "KB5009624", "KB5008230", "KB5007247", "KB5005693", "KB5007205", "KB5003646"]
}'
- os: the OS name and version, taken from the OS Name line of systeminfo.
- kbList: the installed KBs, taken from the Hotfix(s) section of systeminfo or from wmic qfe list (Get-HotFix in PowerShell returns the same list on builds where wmic is deprecated).
win_vulners = vulners_api.audit.kb_audit(
os="Windows Server 2016", kb_list=["KB5009586", "KB5009624", "KB5008230", "KB5007247", "KB5005693", "KB5007205", "KB5003646"])
need_2_install_kb = win_vulners['kbMissed']
affected_cve = win_vulners['cvelist']
latest_kb = win_vulners['kbLatest'] # latest applicable KB for the OS
{
"result": "OK",
"data": {
"kbLatest": "KB5034119",
"kbMissed": ["KB5000803", "KB5017095", "..."],
"cvelist": ["CVE-2021-36942", "CVE-2021-31958", "..."]
}
}
Full kbMissed array for the response above (abbreviated with "..." there):
[
"KB5000803",
"KB5017095",
"KB5011495",
"KB5003638",
"KB5009546",
"KB5012596",
"KB5004948",
"KB5001347",
"KB5007192",
"KB5004238",
"KB5010359",
"KB5014702",
"KB5016622",
"KB4601318",
"KB5005573",
"KB5008207",
"KB5006669",
"KB5012170",
"KB5015808",
"KB5005043",
"KB5013952",
"KB5003197"
]
Full cvelist array for the same response:
[
"CVE-2021-36942",
"CVE-2021-31958",
"CVE-2022-34302",
"CVE-2022-30166",
"CVE-2022-22002",
"CVE-2021-1640",
"CVE-2021-24111",
"CVE-2022-26832",
"CVE-2021-33757",
"CVE-2021-41361",
"CVE-2021-36938",
"CVE-2020-1036",
"CVE-2021-42279",
"CVE-2022-34303",
"CVE-2021-28318",
"CVE-2020-1472",
"CVE-2022-21897",
"CVE-2021-38667",
"CVE-2021-31959",
"CVE-2021-34481",
"CVE-2022-30154",
"CVE-2021-34459",
"CVE-2022-23293",
"CVE-2020-17049",
"CVE-2020-26784",
"CVE-2022-22048",
"CVE-2021-33779",
"CVE-2021-43893",
"CVE-2022-26784",
"CVE-2021-26419",
"CVE-2021-34527",
"CVE-2022-35822",
"CVE-2022-34301",
"CVE-2022-30138",
"CVE-2021-26411"
]
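The two collection notes above (OS name from systeminfo, installed KBs from its Hotfix(s) section) become a small parser. This is an added example, not code from the Vulners docs or the vulners client: parse_systeminfo reads saved systeminfo output and produces the /api/v3/audit/kb/ request body, and kb_report reads kbMissed, cvelist and kbLatest from a response shaped like the one above. The systeminfo text is constructed and assumes an English locale; trimming the "Microsoft " prefix and the edition word to get a value shaped like the "Windows Server 2012 R2" example is a heuristic of this example, not a format the endpoint documents.

```python
import json
import re
import urllib.request
from typing import Dict, List

KB_AUDIT_URL = "https://vulners.com/api/v3/audit/kb/"
_EDITIONS = ("Standard", "Datacenter", "Enterprise", "Essentials", "Pro", "Home", "Education")
_KB = re.compile(r"\bKB\d+\b")


def normalize_os_name(os_name: str) -> str:
    """'Microsoft Windows Server 2012 R2 Standard' -> 'Windows Server 2012 R2' (heuristic for this example)."""
    name = re.sub(r"^Microsoft\s+", "", os_name).strip()
    parts = name.split()
    if parts and parts[-1] in _EDITIONS:
        parts = parts[:-1]
    return " ".join(parts)


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Extract the OS name and the installed hotfix IDs from `systeminfo` output (English locale)."""
    os_name: str = ""
    kbs: List[str] = []
    in_hotfixes = False
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        elif line.startswith("Hotfix(s):"):
            in_hotfixes = True            # the KB lines follow, indented, as "[01]: KB..."
        elif in_hotfixes and line.startswith(" "):
            kbs.extend(_KB.findall(line))
        else:
            in_hotfixes = False           # the next top-level field ends the block
    return {"os": normalize_os_name(os_name), "kbList": list(dict.fromkeys(kbs))}


def kb_audit(api_key: str, body: Dict[str, object]) -> dict:
    """POST to /api/v3/audit/kb/ (network call; not used by the offline sample)."""
    req = urllib.request.Request(
        KB_AUDIT_URL, data=json.dumps(body).encode(), method="POST",
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def kb_report(response: dict) -> Dict[str, object]:
    """Summarise the data block: what to install, how many CVEs that closes, and the newest applicable KB."""
    if response.get("result") != "OK":
        raise RuntimeError(f"audit failed: {response}")
    data = response["data"]
    return {
        "install": list(data.get("kbMissed", [])),
        "cve_count": len(data.get("cvelist", [])),
        "latest": data.get("kbLatest"),
    }


# Constructed systeminfo excerpt (English locale) and a constructed response shaped like the one above.
SAMPLE_SYSTEMINFO = """Host Name:                 WIN-EXAMPLE
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5009586
                           [02]: KB5009624
                           [03]: KB5008230
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""
SAMPLE_RESPONSE = {"result": "OK", "data": {
    "kbLatest": "KB5034119",
    "kbMissed": ["KB5000803", "KB5017095"],
    "cvelist": ["CVE-2021-36942", "CVE-2021-31958", "CVE-2022-34302"],
}}
```

The Hotfix(s) block is parsed by indentation rather than by a fixed count because the "N Hotfix(s) Installed." header is localised and the list can be long; anything after the next top-level field (here Network Card(s)) is ignored even though it uses the same "[01]:" layout.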
Audit installed KBs and software¶
Quick audit of a Windows host from its OS version, its list of installed updates (KB) and, optionally, its list of installed software. CPE parts such as target_sw, sw_edition and platform can be supplied per software entry to improve matching accuracy.
Auth: X-Api-Key header required.
Parameters:
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| os | body | string | yes | OS name (e.g., windows). |
| os_version | body | string | yes | OS version string (e.g., 10.0.19045). |
| kb_list | body | array | yes | Installed KB IDs. |
| software | body | array | no | Installed software list with optional CPE-like attributes. |
| platform | body | string | no | Applies target_hw to all software entries if provided. |
Possible values for CPE parameters:
- `*`: includes all values, both those containing `-` or `*` and those without.
- `-`: filters results to exclude the specified values.
- a literal value such as `software_name`: includes results with this value and any values containing `*`.
Defaults:
- platform: arm64 if not explicitly specified.
- target_sw: windows if not explicitly specified.
Because platform defaults to arm64, set platform (or target_hw on each software entry) explicitly when auditing x64 hosts, as the examples below do.
Usage:
Query:
POST /api/v3/audit/winaudit/
Query example:
curl -XPOST https://vulners.com/api/v3/audit/winaudit/ -H "X-Api-Key: YOUR_API_KEY" -H 'Content-Type: application/json' -d '{
"os": "windows",
"os_version": "10.0.19045",
"kb_list": ["KB5009586", "KB5009624", "KB5008230", "KB5007247", "KB5005693", "KB5007205", "KB5003646"],
"software": [
{"software": "7-Zip", "version": "19.00", "sw_edition": "home_premium", "target_sw": "windows", "target_hw": "x64", "update": "sp1", "language": "en"},
{"software": "Git", "version": "2.33.0.2", "target_sw": "windows", "target_hw": "x64"},
{"software": "Notepad++", "version": "8.4.6", "target_sw": "windows", "target_hw": "x64"},
{"software": "Microsoft OneDrive", "version": "22.227.1030.0001", "sw_edition": "home_premium", "target_sw": "windows", "target_hw": "x64"},
{"software": "VMware Fusion", "version": "13.1", "target_sw": "windows", "target_hw": "x64"}
]
}'
- kb_list: the installed updates (KB), gathered with systeminfo or wmic qfe list (or Get-HotFix in PowerShell on builds where wmic is deprecated).
- software: the installed software with version information, plus optional CPE parameters for further refinement (see the possible values above).
kb = ["KB5009586", "KB5009624", "KB5008230", "KB5007247", "KB5005693", "KB5007205", "KB5003646"]
software = [{'software': '7-Zip', 'version': '19.00', 'sw_edition': 'home_premium', 'target_sw': 'windows', 'target_hw': 'x64', 'update': 'sp1', 'language': 'en'},
{'software': 'Git', 'version': '2.33.0.2', 'target_sw': 'windows', 'target_hw': 'x64'},
{'software': 'Notepad++', 'version': '8.4.6', 'target_sw': 'windows', 'target_hw': 'x64'},
{'software': 'Microsoft OneDrive', 'version': '22.227.1030.0001', 'sw_edition': 'home_premium', 'target_sw': 'windows', 'target_hw': 'x64'},
{'software': 'VMware Fusion', 'version': '13.1', 'target_sw': 'windows', 'target_hw': 'x64'}
]
os_name = 'windows'
os_version = '10.0.19045'
report = vulners_api.audit.win_audit(os=os_name, os_version=os_version, kb_list=kb, software=software)
Each element of the returned list describes one finding:
- package: The name of the software package.
- published: The date when the bulletin was published.
- bulletinID: The ID of the bulletin associated with the CVEs.
- cvelist: List of CVE IDs linked to the package.
- cvss: CVSS score and severity level of the vulnerabilities.
- fix: Suggested update or patch to fix the issue.
[
{
"package": "windows 11 version 22h2",
"published": "2024-09-10",
"bulletinID": "MS:CVE-2024-38254",
"cvelist": ["CVE-2024-38254"],
"cvss": {
"score": 6.2,
"severity": "MEDIUM"
},
"fix": "Install KB5043076 update"
},
{
"package": "windows 11 version 23h2",
"published": "2024-09-10",
"bulletinID": "MS:CVE-2024-38257",
"cvelist": ["CVE-2024-38257"],
"cvss": {
"score": 7.5,
"severity": "HIGH"
},
"fix": "Install KB5043076 update"
},
{
"package": "windows 11 version 23h2",
"published": "2024-07-09",
"bulletinID": "MS:CVE-2024-38517",
"cvelist": ["CVE-2024-38517"],
"cvss": {
"score": 7.8,
"severity": "HIGH"
},
"fix": "Install KB5040442 update"
}
]
Windows KB superseding/parentseeding¶
Use this after a KB audit when you need the supersedence chain of a KB. The result is a dictionary with two fields, superseeds and parentseeds (the API's own spelling).
Auth: X-Api-Key header required.
Parameters:
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | body | string | yes | KB identifier (e.g., KB4524135). |
| fields | body | array[string] | yes | One or both of superseeds and parentseeds. |
Usage:
Query:
POST /api/v3/search/id/
Query example:
curl -XPOST https://vulners.com/api/v3/search/id/ -H "X-Api-Key: YOUR_API_KEY" -H 'Content-Type: application/json' -d '{
"id": "KB4524135",
"fields": ["superseeds", "parentseeds"]
}'
- superseeds: "which KBs are covered by this KB".
- parentseeds: "which KBs cover this KB".
seeds = vulners_api.search.get_kb_seeds("KB4524135")
{
"superseeds": [
"KB3021952",
"KB4103768",
"KB2699988",
"KB3100773",
"KB931768",
"KB4466536",
"KB4343205",
"KB896688",
"KB4462949",
"KB2977629",
"KB2817183",
"KB972260",
"KB4457426",
"KB980182",
"KB929969",
"KB4470199",
"KB2544521",
"KB4511872",
"KB2744842",
"KB2879017",
"KB2497640",
"KB2360131",
"KB4025252",
"KB2829530",
"KB4047206",
"KB3093983",
"KB4507434",
"KB4056568",
"KB960714",
"KB2530548",
"KB3203621",
"KB833989",
"KB2761451",
"KB3139929",
"KB4339093",
"KB4483187",
"KB969897",
"KB910620",
"KB942615",
"KB956390",
"KB937143",
"KB4052978",
"KB2416400",
"KB4018271",
"KB2987107",
"KB2870699",
"KB982381",
"KB2183461",
"KB2586448",
"KB958215",
"KB963027",
"KB2862772",
"KB4012204",
"KB4036586",
"KB3175443",
"KB933566",
"KB947864",
"KB2647516",
"KB4486474",
"KB944533",
"KB2976627",
"KB4074736",
"KB2792100",
"KB905915",
"KB922760",
"KB4489873",
"KB883939",
"KB2797052",
"KB2909212",
"KB4230450",
"KB3003057",
"KB4092946",
"KB2963952",
"KB978207",
"KB4034733",
"KB939653",
"KB976325",
"KB3154070",
"KB4040685",
"KB3038314",
"KB928090",
"KB2675157",
"KB4493435",
"KB3197655",
"KB896727",
"KB3034196",
"KB3049563",
"KB3032359",
"KB2618444",
"KB974455",
"KB938127",
"KB2838727",
"KB3148198",
"KB3191492",
"KB3170106",
"KB2559049",
"KB2809289",
"KB3058515",
"KB4014661",
"KB4516046",
"KB950759",
"KB925486",
"KB3036197",
"KB3124275",
"KB2799329",
"KB3008923",
"KB3078071",
"KB953838",
"KB3065822",
"KB2722913",
"KB4021558",
"KB3104002",
"KB912812",
"KB918899",
"KB2482017",
"KB3160005",
"KB2962872",
"KB4096040",
"KB916281",
"KB3185319",
"KB3087038",
"KB4480965",
"KB2761465",
"KB4089187",
"KB2846071",
"KB890923",
"KB4503259",
"KB4498206",
"KB3134814"
],
"parentseeds": [
"KB4571687",
"KB4534251",
"KB4540671",
"KB4586768",
"KB4519974",
"KB4525106",
"KB4530677",
"KB4556798",
"KB4565479",
"KB4561603",
"KB4537767",
"KB4550905",
"KB4577010"
]
}
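Two questions a patch reviewer asks of this data are "is a KB from kbMissed already covered by something installed?" (superseeds is "which KBs are covered by this KB") and "what is the newest KB in this chain?" (follow parentseeds until a KB has no parents). The helper below is an added example, not Vulners code; the seeds map is constructed from IDs in the response above and, in practice, is filled by one get_kb_seeds call per installed KB. Whether a superseding KB actually applies to a given host (servicing branch, build) is a separate check the data alone does not answer.

```python
from typing import Dict, List

Seeds = Dict[str, Dict[str, List[str]]]   # KB -> {"superseeds": [...], "parentseeds": [...]}


def covered_missing(kb_missed: List[str], installed: List[str], seeds: Seeds) -> Dict[str, List[str]]:
    """For each missing KB, the installed KBs whose superseeds list contains it.
    An empty list means nothing installed covers it, so it is truly missing."""
    result: Dict[str, List[str]] = {}
    for kb in kb_missed:
        result[kb] = [inst for inst in installed
                      if kb in seeds.get(inst, {}).get("superseeds", [])]
    return result


def newest_in_chain(kb: str, seeds: Seeds) -> List[str]:
    """Walk parentseeds upward; KBs with no known parent are the newest replacements.
    A visited set guards against cycles in the data, and a KB absent from `seeds`
    is treated as a leaf rather than an error."""
    frontier, seen, tops = [kb], set(), []
    while frontier:
        cur = frontier.pop()
        if cur in seen:
            continue
        seen.add(cur)
        parents = seeds.get(cur, {}).get("parentseeds", [])
        if not parents:
            tops.append(cur)
        frontier.extend(parents)
    return sorted(tops)


# Constructed supersedence data using KB IDs from the response above (only a few edges each).
SAMPLE_SEEDS: Seeds = {
    "KB4524135": {"superseeds": ["KB3021952", "KB4103768", "KB4516046"],
                  "parentseeds": ["KB4534251", "KB4519974"]},
    "KB4534251": {"superseeds": ["KB4524135"], "parentseeds": ["KB4577010"]},
    "KB4519974": {"superseeds": ["KB4524135"], "parentseeds": []},
    "KB4577010": {"superseeds": ["KB4534251"], "parentseeds": []},
}
```

Only direct superseeds membership is consulted in covered_missing; if you want transitive coverage (installed X supersedes Y, Y supersedes the missing Z) you need the seeds of every KB along the chain, which means one lookup per hop.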
Get the list of Windows KB updates with download urls¶
Search Microsoft Catalog entries for KBs and return catalog URLs.
Auth: X-Api-Key header required.
Parameters:
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| query | body | string | yes | Lucene query, e.g. type:msupdate AND kb:(KB4524135) |
| skip | body | int | no | Offset (default 0). |
| size | body | int | no | Limit (default 100). |
| fields | body | array[string] | no | Document fields to return (see the example below). |
Usage:
Query:
POST /api/v3/search/lucene/
Query example:
curl -XPOST https://vulners.com/api/v3/search/lucene/ -H "X-Api-Key: YOUR_API_KEY" -H 'Content-Type: application/json' -d '{
"query": "type:msupdate AND kb:(KB4524135)",
"skip": 0,
"size": 100,
"fields": [
"id",
"title",
"description",
"type",
"bulletinFamily",
"cvss",
"published",
"modified",
"lastseen",
"href",
"sourceHref",
"sourceData",
"cvelist"]
}'
microsoft_updates_for_kb = vulners_api.search.get_kb_updates("KB4524135")
updates_download_links = [update.get('href') for update in microsoft_updates_for_kb]
[
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=ef31383a-7932-441a-a626-f0a145cc422a",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=18552c40-7e36-4f15-960a-9717a4912af1",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=375f016c-b4ac-4d71-9dee-8095427a3c86",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=2ca3d95f-1ecb-4850-aeb4-afb63cd6374a",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=72890150-da44-47b2-b1b5-7dce2d5d1a30",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=fba96f27-5955-45e1-82e5-ad350b4627e0",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=9668152f-78a1-44f9-a229-38e86189703a",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=e08d28ef-d685-412c-b0bc-8cc26bf899c3",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=a22dcbac-485a-4834-8556-fee2e437ab9b",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=db62995c-3814-4fd7-a481-dc285f0640e2",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=16216817-6043-4587-a803-9b3a9f3a58cc",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=393d67e1-8827-4c6d-9187-b6320a9a03bc",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=b18abca1-c8ec-4e43-9fa0-cc2b2a518304",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=96c42c78-234b-4ae7-b097-be0eb8ac6f25",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=63cc9ae6-6d02-4936-8b77-b976b440ff25",
"https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=2661795f-8beb-468f-9c4f-0de83724a90f"
]
Linux Audit¶
Analyze installed Linux packages (RPM, DEB, APK) and match them against the Vulners vulnerability database. This endpoint is intended for fast, batch auditing of package lists exported from servers, containers or build images.
Supported systems¶
Fetch all currently supported operating systems. These values are used as inputs for the audit request below.
Auth: X-Api-Key header required.
Parameters: None
Usage:
Query:
GET /api/v3/audit/getSupportedOS
Query example:
curl -G "https://vulners.com/api/v3/audit/getSupportedOS" -H "X-Api-Key: YOUR_API_KEY"
data.supportedOS is a map from OS short name to the shell snippet Vulners recommends for enumerating installed packages; run that snippet on the host and pass its output lines as packages in the audit request below.
{
"result": "OK",
"data": {
"supportedOS": {
"centos": "rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\\n'",
"ubuntu": "dpkg-query -W -f='${binary:Package} ${Version} ${Architecture}\\n'",
"alpine": "apk info -vv",
"rhel": "rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\\n'"
}
}
}
Audit Linux hosts¶
Check installed packages against known vulnerabilities and retrieve matching advisories.
Quick notes:
- Accepts package lists from RPM (RHEL/CentOS/OL), DEB (Debian/Ubuntu) and APK (Alpine).
- packages is required — up to 2500 entries per request; split larger inventories into several calls.
- osName and osVersion are required so the matcher can pick the right distro feed.
- cvelistMetrics is paid-tier only; free / trial keys ignore it.
- Alongside result.issues the response carries result.errors (map of input-package index → parser error) and result.totalPackages (count of parsed packages). The sample response below serialises an empty errors value as [], so parse that field defensively.
Auth: X-Api-Key header required.
Request body parameters:
| Field | Type | Required | Description |
|---|---|---|---|
| osName | string | yes | OS name or ID (ubuntu, debian, rhel, ol, alpine, etc.). |
| osVersion | string | yes | OS version (e.g. 22.04, 7, 8.6, ...). |
| osArch | string | no | OS architecture (e.g. x86_64, aarch64) — used as default arch for packages when not specified. |
| packages | array[string] | yes | List of packages (strings). Each item should be the package name with version and, if applicable, arch. Min 1 / Max 2500 entries. |
| includeUnofficial | boolean | no | If true, include matches from unofficial sources (third‑party repos). Default: false. |
| includeCandidates | boolean | no | If true, include "candidate" findings (lower confidence or tentative matches). Default: false. |
| includeAnyVersion | boolean | no | If true, include vulnerabilities that match any version (broad/less strict matching). Default: false. |
| cvelistMetrics | boolean | no | Add additional CVE list metrics — available for non‑free/trial licenses. Default: false. |
Usage:
Query:
POST /api/v4/audit/linux
Query example:
curl -sS -X POST "https://vulners.com/api/v4/audit/linux" \
-H "Content-Type: application/json" \
-H "X-Api-Key: YOUR_API_KEY" \
--data-binary @- << 'JSON'
{
"osName": "ubuntu",
"osVersion": "22.04",
"packages": [
"bash 5.1-6ubuntu1.2 amd64",
"openssl 3.0.2-0ubuntu1.10 amd64",
"nginx 1.18.0-0ubuntu1 amd64"
],
"includeUnofficial": false,
"includeCandidates": false,
"includeAnyVersion": false,
"cvelistMetrics": false
}
JSON
vulners_api.audit.linux_audit(
os_name="ubuntu",
os_version="22.04",
packages=[
"bash 5.1-6ubuntu1.2 amd64",
"openssl 3.0.2-0ubuntu1.10 amd64",
"nginx 1.18.0-0ubuntu1 amd64"
],
include_unofficial=False,
include_candidates=False,
include_any_version=False,
)
{
"result": {
"issues": [
{
"package": "nginx 1.18.0-0ubuntu1 amd64",
"fixedPackage": "nginx_1.18.0-6ubuntu14.7_noarch.deb",
"applicableAdvisories": [
{
"id": "USN-5371-2",
"operator": "lt",
"version": "1.18.0-6ubuntu14.1"
},
{
"id": "USN-5722-1",
"operator": "lt",
"version": "1.18.0-6ubuntu14.3"
},
{
"id": "UB:CVE-2024-7347",
"operator": "lt",
"version": "1.18.0-6ubuntu14.5"
},
{
"id": "USN-7014-1",
"operator": "lt",
"version": "1.18.0-6ubuntu14.5"
},
{
"id": "USN-7285-1",
"operator": "lt",
"version": "1.18.0-6ubuntu14.6"
},
{
"id": "USN-7715-1",
"operator": "lt",
"version": "1.18.0-6ubuntu14.7"
}
]
},
{
"package": "openssl 3.0.2-0ubuntu1.10 amd64",
"fixedPackage": "openssl_3.0.2-0ubuntu1.20_noarch.deb",
"applicableAdvisories": [
{
"id": "USN-6450-1",
"operator": "lt",
"version": "3.0.2-0ubuntu1.12"
},
{
"id": "USN-6622-1",
"operator": "lt",
"version": "3.0.2-0ubuntu1.14"
},
{
"id": "USN-6663-1",
"operator": "lt",
"version": "3.0.2-0ubuntu1.15"
},
{
"id": "USN-6854-1",
"operator": "lt",
"version": "3.0.2-0ubuntu1.16"
},
{
"id": "USN-6937-1",
"operator": "lt",
"version": "3.0.2-0ubuntu1.17"
},
{
"id": "UB:CVE-2024-6119",
"operator": "lt",
"version": "3.0.2-0ubuntu1.18"
},
{
"id": "USN-6986-1",
"operator": "lt",
"version": "3.0.2-0ubuntu1.18"
},
{
"id": "UB:CVE-2024-9143",
"operator": "lt",
"version": "3.0.2-0ubuntu1.19"
},
{
"id": "USN-7278-1",
"operator": "lt",
"version": "3.0.2-0ubuntu1.19"
},
{
"id": "USN-7786-1",
"operator": "lt",
"version": "3.0.2-0ubuntu1.20"
}
]
}
],
"errors": []
}
}
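An added example, not from the Vulners docs or the vulners client, that wires the pieces of this endpoint together: osName/osVersion are taken from /etc/os-release (ID and VERSION_ID; the assumption here is that those IDs match the names the endpoint accepts, such as ubuntu, debian, rhel, ol and alpine), the package list is passed exactly as the recommended dpkg-query/rpm command prints it, inventories are split into requests of at most 2500 packages, and parse_linux_response accepts result.errors both as the map the notes describe and as the [] the sample response shows. The os-release text, the package listing and the response are constructed; the response is modelled on the one above.

```python
import json
import shlex
import urllib.request
from typing import Dict, Iterator, List, Tuple

LINUX_AUDIT_URL = "https://vulners.com/api/v4/audit/linux"
MAX_PACKAGES_PER_REQUEST = 2500   # documented cap for the packages array


def parse_os_release(text: str) -> Tuple[str, str]:
    """Return (ID, VERSION_ID) from /etc/os-release; values may be double-quoted shell strings."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parsed = shlex.split(value)          # strips the quotes the way a shell would
        fields[key] = parsed[0] if parsed else ""
    return fields.get("ID", ""), fields.get("VERSION_ID", "")


def package_lines(listing: str) -> List[str]:
    """One package per line as printed by the getSupportedOS command; blanks and duplicates dropped."""
    seen: Dict[str, None] = {}
    for line in listing.splitlines():
        line = " ".join(line.split())        # collapse whitespace, keep 'name version arch' order
        if line:
            seen.setdefault(line, None)
    return list(seen)


def build_requests(os_release: str, listing: str, **flags) -> Iterator[dict]:
    """Yield request bodies of at most MAX_PACKAGES_PER_REQUEST packages each."""
    os_name, os_version = parse_os_release(os_release)
    if not os_name or not os_version:
        raise ValueError("osName and osVersion are required; /etc/os-release lacks ID or VERSION_ID")
    pkgs = package_lines(listing)
    for i in range(0, len(pkgs), MAX_PACKAGES_PER_REQUEST):
        yield {"osName": os_name, "osVersion": os_version,
               "packages": pkgs[i:i + MAX_PACKAGES_PER_REQUEST], **flags}


def linux_audit(api_key: str, body: dict) -> dict:
    """POST one request body (network call; not used by the offline sample)."""
    req = urllib.request.Request(
        LINUX_AUDIT_URL, data=json.dumps(body).encode(), method="POST",
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def parse_linux_response(response: dict) -> Tuple[Dict[str, dict], Dict[str, str]]:
    """Return ({package: {"fix": fixedPackage, "advisories": [(id, operator, version), ...]}}, errors).
    errors is normalised to a dict keyed by a string index whether the API sent {} or []; the
    meaning of a non-empty list is not documented on the page, so it is kept positionally."""
    result = response["result"]
    raw_errors = result.get("errors") or {}
    if isinstance(raw_errors, list):
        errors = {str(i): str(e) for i, e in enumerate(raw_errors)}
    else:
        errors = {str(k): str(v) for k, v in raw_errors.items()}
    findings = {}
    for issue in result.get("issues", []):
        findings[issue["package"]] = {
            "fix": issue.get("fixedPackage"),
            "advisories": [(a["id"], a["operator"], a["version"]) for a in issue["applicableAdvisories"]],
        }
    return findings, errors


# Constructed os-release, package listing (dpkg-query format) and response modelled on the one above.
SAMPLE_OS_RELEASE = 'NAME="Ubuntu"\nVERSION_ID="22.04"\nID=ubuntu\nID_LIKE=debian\nPRETTY_NAME="Ubuntu 22.04.3 LTS"\n'
SAMPLE_LISTING = ("bash 5.1-6ubuntu1.2 amd64\nopenssl 3.0.2-0ubuntu1.10 amd64\n\n"
                  "nginx 1.18.0-0ubuntu1 amd64\nbash 5.1-6ubuntu1.2 amd64\n")
SAMPLE_RESPONSE = {"result": {"issues": [
    {"package": "nginx 1.18.0-0ubuntu1 amd64", "fixedPackage": "nginx_1.18.0-6ubuntu14.7_noarch.deb",
     "applicableAdvisories": [{"id": "USN-5371-2", "operator": "lt", "version": "1.18.0-6ubuntu14.1"},
                              {"id": "USN-7715-1", "operator": "lt", "version": "1.18.0-6ubuntu14.7"}]},
], "errors": []}}
```

Keeping the package lines verbatim matters: the server is matched to the output of the command it recommends in getSupportedOS, so re-formatting them (for example dropping a multi-arch ":i386" qualifier) is a guess about the parser that the page does not back up.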