docs / vuln-intel

Vulnerability & Dependency Intelligence API

base /vuln-intel/v17 endpoints

post/vuln-intel/v1/package_vulns1 credit

All known vulnerabilities affecting a package (by name+ecosystem, optionally pinned to an installed version) OR a git commit — via OSV.dev. The dependency-audit core.

Parameter		Allowed / range	Description
package	required	—	Package name as published in its registry (npm 'lodash', PyPI 'django', Maven 'group:artifact' e.g. 'org.apache.logging.log4j:log4j-core', Go import path). Required unless you pass `commit` instead.
ecosystem	required	alpine · android · bitnami · cargo · composer · crates.io · debian · githubactions · go · hex · maven · npm · nuget · packagist · pub · pypi · rubygems · swifturl · ubuntu	Package ecosystem / registry. Case-insensitive; common aliases map (cargo->crates.io, pip/python->PyPI is via the 'pypi' key, composer->Packagist). Required with `package` (omit when querying by `commit`).
version	optional	—	Exact installed version to test (e.g. '2.14.1', '4.17.15'). Omit to return ALL known vulnerabilities for the package across every version.
commit	optional	—	Git commit hash to query instead of package+version+ecosystem (OSV resolves which vulns affect that exact source revision).

Try in playground →

post/vuln-intel/v1/vuln_detail1 credit

Full detail for one vulnerability by OSV id, GHSA id, or CVE id. OSV is the base record; if it resolves to a GHSA the response is enriched with GitHub's numeric CVSS base score, EPSS exploitation probability, and CWEs.

Parameter		Allowed / range	Description
id	required	—	A vulnerability id: OSV id (GHSA-…, PYSEC-…, GO-…, RUSTSEC-…) or a CVE (CVE-2021-44228). CVE ids are resolved via OSV's alias index. Case-insensitive.

Try in playground →

post/vuln-intel/v1/advisory_search1 credit

Search the GitHub Advisory Database (GHSA) by ecosystem, severity, CVE, free text, type. Cursor-paginated (meta.next_cursor).

Parameter		Allowed / range	Description
ecosystem	optional	actions · composer · erlang · go · maven · npm · nuget · other · pip · pub · rubygems · rust · swift	Filter advisories by GitHub ecosystem token (note GitHub's spelling: 'pip' for Python, 'rust' for crates, 'actions' for GitHub Actions).
severity	optional	low · medium · high · critical	Filter advisories by qualitative severity.
cve_id	optional	—	Return only the advisory(ies) for this exact CVE id.
query	optional	—	Free-text search across advisory summary/description.
type	optional	reviewed · unreviewed · malware	Advisory review state. 'reviewed' (default) = GitHub-curated; 'malware' = malicious-package advisories.
sort	optional	published · updated	Sort field for the advisory list.
direction	optional	desc · asc	Sort direction.
per_page = 30	optional	1–100	Results per page (1-100, default 30). Larger values are clamped.
cursor	optional	—	Opaque pagination cursor for the next page of advisories — pass the value from meta.next_cursor. (GHSA paginates by cursor, not page number.)

Try in playground →

post/vuln-intel/v1/kev_check1 credit

Is a CVE in the CISA Known-Exploited-Vulnerabilities catalog (actively exploited in the wild)? Returns the KEV entry when listed.

Parameter		Allowed / range	Description
cve_id	required	—	The CVE id to look up in the CISA Known-Exploited-Vulnerabilities catalog. Case-insensitive.

Try in playground →

post/vuln-intel/v1/kev_list1 credit

Browse / filter the full CISA KEV catalog by vendor, product, or ransomware flag, with page pagination.

Parameter		Allowed / range	Description
vendor	optional	—	Filter KEV entries by vendor/project (substring, case-insensitive).
product	optional	—	Filter KEV entries by product (substring, case-insensitive).
ransomware	optional	Known · Unknown	Filter KEV entries by whether the CVE is known-used in ransomware campaigns (CISA's knownRansomwareCampaignUse field).
page = 1	optional	1–	1-based page number for the KEV list. Page forward with meta.next_page.
per_page = 30	optional	1–100	Results per page (1-100, default 30). Larger values are clamped.

Try in playground →

post/vuln-intel/v1/exploits1 credit

Public exploit / PoC lookup for a CVE via the Exploit-DB (Offensive Security) database (keyless, CVE-indexed). Answers 'is there a weaponized public exploit?' — has_public_exploit + each entry's edb_id, type (remote/local/webapps/dos), platform, verified flag, date_published, and deep links (exploit_db_url + upstream source_url).

Parameter		Allowed / range	Description
cve_id	required	—	The CVE id to look up in the Exploit-DB (Offensive Security) public exploit/PoC database. Case-insensitive. Returns every exploit row whose 'codes' column references this CVE.
verified_only = false	optional	—	If true, return only Exploit-DB entries marked verified (reproduced by the Exploit-DB team). Default false = all entries.

Try in playground →

post/vuln-intel/v1/batch1 credit

Bulk-scan up to 100 package/commit queries in one call (OSV querybatch), each hydrated to full vulnerability detail by default.

Parameter		Allowed / range	Description
queries	required	—	Array of up to 100 query objects. Each is either {package, ecosystem, version?} or {commit}. Returns one result group per query (order preserved), each hydrated to full vulnerability detail.
hydrate = true	optional	—	If true (default) each batch hit is expanded to the full normalized vulnerability via OSV /vulns/{id}. Set false for a faster id-only response (returns {id, modified} per hit).

Try in playground →

Example request · package_vulns

curl -X POST https://api.reefapi.com/vuln-intel/v1/package_vulns \
  -H "x-api-key: $REEF_KEY" \
  -H "content-type: application/json" \
  -d '{"package":"org.apache.logging.log4j:log4j-core","ecosystem":"Maven","version":"2.14.1"}'

Response shape

{
  "ok": true,
  "data": { /* the result */ },
  "meta": {
    "latency_ms": 240,
    "record_count": 12,
    "completeness_pct": 100
  },
  "error": null
}