API Overview
The Vulnpatch API provides programmatic access to vulnerability data aggregated from multiple sources.
Base URL
https://api.vulnpatch.dev/api/v1/
Endpoints Summary
Nixpkgs-Specific Endpoints
These endpoints return data only from the Nixpkgs Security Tracker:
| Method | Endpoint | Description |
|---|---|---|
| GET | /nix/stats | Get Nixpkgs tracker statistics |
| GET | /nix/cves | Get Nix CVEs with linked PRs |
| GET | /nix/channels | Get NixOS channel status |
| GET | /nix/repology/:package | Get package version info from Repology |
| GET | /issues | List Nixpkgs tracker issues (severity-enriched, with difficulty estimates) |
| GET | /issues/:id | Get a specific Nixpkgs tracker issue by number |
| GET | /sources | List available data sources |
Multi-Ecosystem Endpoints
These endpoints aggregate data from OSV.dev across 38+ ecosystems (npm, PyPI, Debian, etc.):
| Method | Endpoint | Description |
|---|---|---|
| GET | /stats | Get aggregate statistics across all sources |
| GET | /ecosystem-stats | Get aggregate ecosystem vulnerability counts |
| GET | /recent-advisories | Get advisories published in the last 12 hours |
| GET | /osv/:package | Get vulnerabilities from OSV.dev |
| GET | /vulns/:package | Get CVE matches with confidence scores |
| GET | /osv-details/:id | Get detailed vulnerability information |
CVE Endpoints
Direct CVE lookup from the official MITRE CVE List V5:
| Method | Endpoint | Description |
|---|---|---|
| GET | /cve/:id | Get CVE details by ID (includes EPSS + KEV + data quality score inline) |
| POST | /cve/batch | Bulk lookup of up to 50 CVEs |
| GET | /cve/:id/history | Get CVE change history |
| GET | /cve/:id/at/:date | Query CVE state at a specific date |
| GET | /search?q=term&sort=date | Full-text search across CVEs (sort: date/severity) |
| GET | /mitre/recent?limit=50 | Latest CVEs from the MITRE delta feed (~24h ahead of NVD) |
Exploitability Intelligence
| Method | Endpoint | Description |
|---|---|---|
| GET | /exploitability | EPSS scores + CISA KEV status for tracked CVEs |
| GET | /cve/:id/lifecycle | Full vulnerability lifecycle timeline (disclosure → patch) |
| GET | /cve/:id/exploit-signals | Weaponization signals (PoC repos, Nuclei, ExploitDB) |
| GET | /cve/:id/ai-assessment | AI-generated plain-English impact assessment |
| GET | /fix-etas | Fix ETA predictions per CVE |
| GET | /rebuild-impact | Package rebuild impact analysis |
| GET | /rebuild-impact/:name | Single package rebuild impact |
Analytics Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /trending | Recently updated vulnerabilities |
| GET | /severity-breakdown | Vulnerabilities by severity level |
| GET | /fix-rate | Fix availability statistics |
| GET | /package/:name/history | Package vulnerability history |
| GET | /package-health | Package maintenance health scores |
| GET | /analytics/time-to-fix | Historical time-to-fix benchmarks |
| GET | /data-quality/stats | CVE data quality score distribution |
GitHub Security Advisories
| Method | Endpoint | Description |
|---|---|---|
| GET | /ghsa | GitHub Security Advisories (requires auth) |
Validation & PR Tools
| Method | Endpoint | Description |
|---|---|---|
| POST | /pr/validate | Validate a nixpkgs PR diff |
| POST | /pr/fix | Generate fixes for PR issues |
Remediation Planning
| Method | Endpoint | Description |
|---|---|---|
| POST | /remediation/plan | Generate a minimal upgrade plan to fix CVEs |
SBOM & PURL
| Method | Endpoint | Description |
|---|---|---|
| GET | /purl/:purl | PURL vulnerability lookup |
| POST | /sbom | Analyze an SBOM for vulnerabilities (requires auth) |
| POST | /sbom/time-travel | Analyze SBOM exposure at a past date |
| GET | /sbom/formats | Supported SBOM formats and PURL types |
The frontend also supports client-side lockfile-to-SBOM generation for: package-lock.json, yarn.lock, pnpm-lock.yaml, Cargo.lock, go.sum, requirements.txt, Gemfile.lock, and flake.lock (experimental). Generated SBOMs can be analyzed via the /sbom endpoint. Vulnerability reports are downloadable as JSON.
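The lockfile-to-SBOM step described above, as an added Python example (not the frontend's or the project's own code): it turns a package-lock.json into PURLs and a minimal CycloneDX document, and builds the path for GET /purl/:purl. It handles lockfileVersion 2/3 ("packages" map) and v1 ("dependencies" tree), skips workspace symlinks and the root entry, and keeps one component per (name, version) even when npm nested several copies. The sample lockfile is constructed for the example. Which SBOM formats /sbom accepts is not stated on this page, so check /sbom/formats before posting; percent-encoding the PURL as a single path segment assumes the API decodes it that way.

```python
"""npm package-lock.json -> PURLs / minimal CycloneDX SBOM (added example)."""
import json
from urllib.parse import quote

BASE_URL = "https://api.vulnpatch.dev/api/v1"


def npm_purl(name: str, version: str) -> str:
    """pkg:npm/<name>@<version>; a scope's leading '@' is percent-encoded (purl spec)."""
    ver = quote(version, safe="")
    if name.startswith("@") and "/" in name:
        scope, bare = name[1:].split("/", 1)
        return f"pkg:npm/%40{scope}/{bare}@{ver}"
    return f"pkg:npm/{name}@{ver}"


def _name_from_path(path: str) -> str:
    # "node_modules/@babel/core" or "node_modules/a/node_modules/b" -> innermost package name
    return path.rsplit("node_modules/", 1)[-1]


def lockfile_components(lock: dict) -> list:
    """Installed packages as {name, version, dev, purl}, deduplicated and sorted by purl."""
    seen = {}

    def add(name, version, entry):
        if version:  # entries without a resolved version cannot be looked up
            seen.setdefault((name, version), {
                "name": name, "version": version,
                "dev": bool(entry.get("dev")), "purl": npm_purl(name, version)})

    if "packages" in lock:  # lockfileVersion 2 and 3
        for path, entry in lock["packages"].items():
            if path == "" or entry.get("link"):  # root project / workspace symlink
                continue
            add(entry.get("name") or _name_from_path(path), entry.get("version"), entry)
    else:  # lockfileVersion 1: nested dependency tree
        def walk(deps):
            for name, entry in deps.items():
                add(name, entry.get("version"), entry)
                walk(entry.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return sorted(seen.values(), key=lambda c: c["purl"])


def to_cyclonedx(lock: dict) -> dict:
    """Minimal CycloneDX 1.5 JSON; dev-only packages are marked scope=excluded."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"],
             "purl": c["purl"], "scope": "excluded" if c["dev"] else "required"}
            for c in lockfile_components(lock)
        ],
    }


def purl_lookup_url(purl: str) -> str:
    """URL for GET /purl/:purl. A purl contains ':', '/' and '@', so it is encoded
    as one path segment (assumption: the API percent-decodes the segment)."""
    return f"{BASE_URL}/purl/{quote(purl, safe='')}"


# Constructed sample lockfile (v3) with a scoped dev dependency, a nested duplicate
# of semver, a workspace symlink and the workspace package it points at.
SAMPLE_LOCK = {
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@babel/core": {"version": "7.24.0", "dev": True},
        "node_modules/@babel/core/node_modules/semver": {"version": "6.3.1", "dev": True},
        "node_modules/semver": {"version": "7.6.0"},
        "node_modules/my-lib": {"resolved": "packages/my-lib", "link": True},
        "packages/my-lib": {"name": "my-lib", "version": "0.1.0"},
    },
}

if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(SAMPLE_LOCK), indent=2))
    print(purl_lookup_url("pkg:npm/lodash@4.17.21"))
```

The resulting document is what you would POST to /sbom; the `scope` field lets you filter dev-only findings out of a report without losing them from the inventory.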
Feeds
| Method | Endpoint | Description |
|---|---|---|
| GET | /feed/rss | RSS feed of recent advisories |
| GET | /feed/atom | Atom feed of recent advisories |
Knowledge Graph
Relationship-based queries across CVEs, packages, and weaknesses. Powered by Neo4j.
| Method | Endpoint | Description |
|---|---|---|
| GET | /graph/stats | Graph node and relationship counts |
| GET | /graph/cve/:id/affected | Packages affected by a CVE |
| GET | /graph/cve/:id/related | Related CVEs (shared packages/CWEs) |
| GET | /graph/package/:name/vulns | CVEs affecting a package |
| GET | /graph/package/:name/transitive | Transitive vulnerabilities via dependencies |
| GET | /graph/cwe/:id/cves | CVEs by weakness type |
Utility Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /health | Health check |
| GET | /version | API version info |
| GET | /openapi.json | OpenAPI specification |
Common Parameters
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| ecosystem | string | Filter by ecosystem (e.g., npm, PyPI, Debian) |
| version | string | Filter by package version |
Headers
| Header | Description |
|---|---|
| Accept | Responses are always application/json, regardless of the value sent |
Response Format
Success Response
```json
{
  "success": true,
  "data": {
    // Endpoint-specific data
  },
  "timestamp": "2024-01-15T12:00:00.000Z"
}
```
Error Response
```json
{
  "success": false,
  "error": "Error message describing what went wrong"
}
```
HTTP Status Codes
| Code | Description |
|---|---|
| 200 | Success |
| 400 | Bad request (invalid parameters) |
| 404 | Resource not found |
| 429 | Rate limit exceeded |
| 500 | Internal server error |
CORS
The API supports CORS for browser-based applications. All origins are allowed for read-only endpoints.
Caching
Responses include cache headers:
| Header | Description |
|---|---|
| X-Cache | HIT if served from cache, MISS otherwise |
| Cache-Control | Browser caching directives |
Rate Limiting
All API endpoints include rate limit headers:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests allowed per window |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Unix timestamp when the rate limit resets |
Default limits:
- General API: 30 requests/minute
- Issues endpoint: 60 requests/minute
When rate limited, you'll receive a 429 response with a Retry-After header.
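A client that handles the response envelope, the status codes and the rate-limit headers described above, as an added example (not the project's own client). It relies only on what this page states: the `success`/`data`/`error` fields, HTTP 429 with a Retry-After header, and X-RateLimit-Reset as a Unix timestamp. The status is checked before the body, because a 429 may carry no JSON, and a 200 whose `success` is false is still treated as an error rather than as an empty result. The transport is injectable so the logic can be exercised offline with constructed responses.

```python
"""Envelope parsing and 429 handling for the Vulnpatch API (added example)."""
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from email.utils import parsedate_to_datetime
from typing import Callable, Optional

BASE_URL = "https://api.vulnpatch.dev/api/v1"


class VulnpatchError(Exception):
    """Non-200 status, success=false, or an unparseable body."""


class RateLimited(VulnpatchError):
    def __init__(self, wait_seconds: float):
        super().__init__(f"rate limited; retry in {wait_seconds:.0f}s")
        self.wait_seconds = wait_seconds


@dataclass
class RawResponse:
    status: int
    headers: dict = field(default_factory=dict)  # lower-cased header names
    body: str = ""


def retry_delay(headers: dict, now: float) -> float:
    """Seconds to wait after a 429: Retry-After (delta-seconds or HTTP-date),
    else the X-RateLimit-Reset timestamp, else a conservative 60s."""
    ra = (headers.get("retry-after") or "").strip()
    if ra.isdigit():
        return float(ra)
    if ra:
        try:
            return max(0.0, parsedate_to_datetime(ra).timestamp() - now)
        except (TypeError, ValueError, AttributeError):
            pass
    reset = (headers.get("x-ratelimit-reset") or "").strip()
    if reset.isdigit():
        return max(0.0, float(reset) - now)
    return 60.0


def classify(resp: RawResponse, now: Optional[float] = None) -> tuple:
    """Reduce a response to ("ok", data), ("error", message) or ("rate_limited", wait)."""
    now = time.time() if now is None else now
    if resp.status == 429:
        return ("rate_limited", retry_delay(resp.headers, now))
    try:
        payload = json.loads(resp.body) if resp.body else None
    except json.JSONDecodeError:
        payload = None
    if not isinstance(payload, dict):
        return ("error", f"HTTP {resp.status}: non-JSON body")
    if resp.status != 200 or payload.get("success") is not True:
        return ("error", f"HTTP {resp.status}: {payload.get('error', 'success flag missing')}")
    return ("ok", payload.get("data"))


def parse_envelope(resp: RawResponse, now: Optional[float] = None):
    """Return the `data` field or raise a typed error."""
    kind, value = classify(resp, now)
    if kind == "rate_limited":
        raise RateLimited(value)
    if kind == "error":
        raise VulnpatchError(value)
    return value


def urllib_transport(url: str) -> RawResponse:
    """Real transport: one GET; 4xx/5xx are returned as responses, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return RawResponse(r.status, {k.lower(): v for k, v in r.headers.items()}, r.read().decode())
    except urllib.error.HTTPError as e:
        return RawResponse(e.code, {k.lower(): v for k, v in e.headers.items()}, e.read().decode())


def get(path: str, transport: Callable[[str], RawResponse] = urllib_transport, max_retries: int = 3):
    """GET BASE_URL + path, sleeping for the server-suggested delay on 429."""
    url = BASE_URL + path
    for attempt in range(max_retries + 1):
        try:
            return parse_envelope(transport(url))
        except RateLimited as rl:
            if attempt == max_retries:
                raise
            time.sleep(min(rl.wait_seconds, 120))  # cap so a bogus header cannot hang the caller


if __name__ == "__main__":
    print(get("/stats"))
```

Capping the sleep matters when the reset header is in the future by hours; a scheduler that trusts it blindly is easy to stall. For bulk work against the 30 requests/minute default, prefer the batch and list endpoints over per-ID loops.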
OpenAPI Specification
The full API specification is available at:
https://api.vulnpatch.dev/openapi.json
Use this to auto-generate clients in your language of choice with tools like OpenAPI Generator.
SDKs & Libraries
Currently, there are no official SDKs. The API is designed to be easily consumed with standard HTTP clients:
cURL:
```bash
curl https://api.vulnpatch.dev/api/v1/stats
```
JavaScript:
```javascript
const response = await fetch('https://api.vulnpatch.dev/api/v1/stats');
const data = await response.json(); // { success, data, timestamp }
```
Python:
```python
import requests

response = requests.get('https://api.vulnpatch.dev/api/v1/stats')
data = response.json()  # { success, data, timestamp }
```