Get Issues (Nixpkgs)

Retrieve a list of tracked CVE issues from the Nixpkgs Security Tracker.

Data Source

This endpoint returns issues only from the Nixpkgs security tracker bot. For vulnerabilities in other ecosystems (npm, PyPI, Debian, etc.), use the OSV endpoint or CVE Matching endpoint.

Endpoint

GET /api/v1/issues

Response

json

{
  "success": true,
  "count": 88,
  "data": [
    {
      "id": "12345",
      "title": "CVE-2024-XXXX: openssl vulnerability description",
      "url": "https://github.com/NixOS/nixpkgs/issues/12345",
      "package": "openssl",
      "cveIds": ["CVE-2024-XXXX"],
      "severity": "high",
      "cvssScore": 8.1,
      "currentVersion": "3.1.4",
      "fixedVersion": "3.1.5",
      "createdAt": "2024-01-15T10:00:00Z",
      "assignees": ["maintainer1"],
      "dataSource": "nixpkgs-tracker",
      "isTracked": true,
      "difficulty": "easy"
    }
  ],
  "timestamp": "2026-02-10T12:00:00.000Z"
}

Response Fields

Issue Object

Field	Type	Description
`id`	string	GitHub issue number
`title`	string	Issue title, typically includes CVE ID and package
`url`	string	Direct link to the GitHub issue
`package`	string	Extracted affected package name
`cveIds`	string[]	CVE identifiers extracted from title and body
`severity`	string	Severity level: `critical`, `high`, `medium`, `low`, or `unknown`. Enriched from NVD CVSS data when available
`cvssScore`	number\|undefined	CVSS v3.1 base score (present when severity is enriched from NVD)
`currentVersion`	string	Current vulnerable version extracted from title
`fixedVersion`	string	Fixed version extracted from body (empty string if unknown)
`createdAt`	string	ISO 8601 timestamp
`assignees`	string[]	GitHub usernames assigned to the issue
`dataSource`	string	Always `nixpkgs-tracker`
`isTracked`	boolean	Always `true`
`difficulty`	string	Estimated fix difficulty: `easy`, `medium`, or `hard`

Difficulty Estimation

Difficulty is computed from issue characteristics:

Difficulty	Criteria
`easy`	Upstream fix available, single package, simple version bump
`medium`	Patch backporting required, moderate staging coordination
`hard`	Vendored dependencies, multiple versions, mass rebuilds

Get Single Issue

GET /api/v1/issues/:id

Returns a single issue by GitHub issue number.

Examples

bash

# Get all tracked issues
curl "https://api.vulnpatch.dev/api/v1/issues"

# Get a specific issue
curl "https://api.vulnpatch.dev/api/v1/issues/12345"

Code Examples

JavaScriptPython

javascript

async function getIssues() {
  const response = await fetch('https://api.vulnpatch.dev/api/v1/issues');
  const { data } = await response.json();

  for (const issue of data) {
    console.log(`[${issue.severity}] ${issue.package}: ${issue.cveIds.join(', ')} (${issue.difficulty})`);
  }
}

python

import requests

response = requests.get('https://api.vulnpatch.dev/api/v1/issues')
data = response.json()['data']

for issue in data:
    cves = ', '.join(issue['cveIds'])
    print(f"[{issue['severity']}] {issue['package']}: {cves} ({issue['difficulty']})")

Caching

This endpoint is cached for 5 minutes. The X-Cache header indicates cache status.

Get Issues (Nixpkgs) ​

Endpoint ​

Response ​

Response Fields ​

Issue Object ​

Difficulty Estimation ​

Get Single Issue ​

Examples ​

Code Examples ​

Caching ​