# OSV Vulnerabilities API
> The Open Source Vulnerabilities database (OSV / osv.dev) as an API — the supply-chain security check for open-source dependencies. Scan any package version (PyPI, npm, Go, crates.io, Maven, NuGet, RubyGems, Packagist, Hex and more) and instantly learn whether it is affected by known vulnerabilities, with each advisory's severity, CVSS score, CVE aliases, CWE weakness and references; list every advisory ever published for a package; and look up a single advisory (GHSA, PYSEC, GO, RUSTSEC, CVE…) in full detail, including the affected packages and version ranges. Live from Google's official OSV.dev database, which aggregates GitHub Security Advisories, PyPA, RustSec, Go and many other sources. Ideal for dependency scanning, SBOM and supply-chain tooling, CI security gates and devsecops dashboards. Open data.

## Authentication
All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys.

```bash
curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/osv-api/..."
```

## Pricing
- **Free** ($0/Mo) — 3,700 calls/Mo, 2 req/s
- **Starter** ($5/Mo) — 50,500 calls/Mo, 8 req/s
- **Pro** ($14/Mo) — 247,000 calls/Mo, 20 req/s
- **Mega** ($36/Mo) — 1,225,000 calls/Mo, 50 req/s

## Endpoints

### OSV

#### `GET /v1/package` — Every known advisory for a package

**Parameters:**
- `name` (query, required, string) — Package name. Example: `lodash`
- `ecosystem` (query, required, string) — Ecosystem. Example: `npm`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/osv-api/v1/package?name=lodash&ecosystem=npm"
```

**Response:**
```json
{
    "data": {
        "count": 10,
        "package": "lodash",
        "ecosystem": "npm",
        "vulnerabilities": [
            {
                "id": "GHSA-29mw-wpgm-hmr9",
                "aliases": [
                    "CVE-2020-28500"
                ],
                "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "cwe_ids": [
                    "CWE-1333",
                    "CWE-400"
                ],
                "osv_url": "https://osv.dev/vulnerability/GHSA-29mw-wpgm-hmr9",
                "summary": "Regular Expression Denial of Service (ReDoS) in lodash",
                "modified": "2025-09-29T21:12:31.102523Z",
                "severity": "MODERATE",
                "published": "2022-01-06T20:30:46Z",
                "references_count": 20
            },
            {
                "id": "GHSA-35jh-r3h4-6jhm",
                "aliases": [
                    "CVE-2021-23337"
                ],
                "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "cwe_ids": [
                    "CWE-77",
                    "CWE-94"
                ],
                "osv_url": "https://osv.dev/vulnerability/GHSA-35jh-r3h4-6jhm",
                "summary": "Command Injection in lodash",
                "modified": "2025-08-12T21:55:57.719943Z",
                "severity": "HIGH",
                "published": "2021-05-06T16:05:51Z",
                "references_count": 17
            },
           
…(truncated, see openapi.json for full schema)
```

#### `GET /v1/scan` — Vulnerabilities affecting a package version

**Parameters:**
- `name` (query, required, string) — Package name. Example: `jinja2`
- `ecosystem` (query, required, string) — Ecosystem: PyPI, npm, Go, crates.io, Maven, … (aliases such as pip, cargo and gem are accepted). Example: `PyPI`
- `version` (query, required, string) — The exact published version to check, not a range. Example: `2.4.1`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/osv-api/v1/scan?name=jinja2&ecosystem=PyPI&version=2.4.1"
```

**Response:**
```json
{
    "data": {
        "count": 14,
        "package": "jinja2",
        "version": "2.4.1",
        "ecosystem": "PyPI",
        "vulnerable": true,
        "vulnerabilities": [
            {
                "id": "GHSA-462w-v97r-4m45",
                "aliases": [
                    "CVE-2019-10906",
                    "PYSEC-2019-217"
                ],
                "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "cwe_ids": [
                    "CWE-693"
                ],
                "osv_url": "https://osv.dev/vulnerability/GHSA-462w-v97r-4m45",
                "summary": "Jinja2 sandbox escape via string formatting",
                "modified": "2024-09-24T21:03:59.802687Z",
                "severity": "HIGH",
                "published": "2019-04-10T14:30:24Z",
                "references_count": 23
            },
            {
                "id": "GHSA-8r7q-cvjq-x353",
                "aliases": [
                    "CVE-2014-1402",
                    "PYSEC-2014-8"
                ],
                "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "cwe_ids": [
                    "CWE-266"
                ],
                "osv_url": "https://osv.dev/vulnerability/GHSA-8r7q-cvjq-x353",
                "summary": "Incorrect Privilege Assignment in Jinja2",
                "modified": "2024-09-24T18:48:44.375484Z",
                "severity": "HIGH",
                "published": "2022-05-14T04:04:14Z"
…(truncated, see openapi.json for full schema)
```
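A CI gate is the main use of this endpoint, and the details that matter are the ones the response alone does not show: what to do with a dependency the scan could not assess, how to suppress an advisory that has been triaged, and how to stay under the plan's request rate. The following Python is an added example, not code from oanor or OSV: it reads `name==version` pins from a requirements.txt-style lockfile, calls `/v1/scan` for each pin, blocks on `HIGH`/`CRITICAL` advisories unless the advisory id or one of its aliases is on an accepted-risk list, and fails closed when a package is unpinned or the scan errors. The live fetcher assumes the key is in an `OANOR_KEY` environment variable and sleeps 0.5 s between calls to stay under the free tier's 2 req/s; the `BLOCKING_SEVERITIES` policy, the `examplepkg` package and the scan responses are constructed for the offline run.

```python
"""CI gate over GET /v1/scan (added example; policy values and sample data are illustrative)."""
import json
import os
import re
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

API_BASE = "https://api.oanor.com/osv-api"
# Assumed policy: block on these severity labels as the API returns them (the samples
# above use GHSA-style labels LOW / MODERATE / HIGH / CRITICAL); tune per project.
BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$")


@dataclass
class GateResult:
    findings: list = field(default_factory=list)  # blocking advisories: (package, version, id, severity)
    accepted: list = field(default_factory=list)  # suppressed by the accepted-risk list
    errors: list = field(default_factory=list)    # dependencies the gate could not assess

    @property
    def passed(self) -> bool:
        # Fail closed: a dependency that could not be scanned is not a clean dependency.
        return not self.findings and not self.errors


def parse_pinned_requirements(text: str):
    """Return (pins, unpinned): exact name==version pins and requirement lines that are not pinned."""
    pins, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
        else:
            unpinned.append(line)
    return pins, unpinned


def http_scan(name: str, ecosystem: str, version: str) -> dict:
    """Live fetcher: GET /v1/scan with the x-oanor-key header; the key is read from OANOR_KEY (assumed)."""
    qs = urllib.parse.urlencode({"name": name, "ecosystem": ecosystem, "version": version})
    req = urllib.request.Request(f"{API_BASE}/v1/scan?{qs}",
                                 headers={"x-oanor-key": os.environ["OANOR_KEY"]})
    time.sleep(0.5)  # stay under the free tier's 2 req/s
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def gate(pins, unpinned=(), ecosystem="PyPI", accepted_risk=frozenset(), fetch=http_scan) -> GateResult:
    """Scan every pin and apply the blocking policy; `fetch` is injectable so the gate runs offline."""
    result = GateResult(errors=[f"not pinned, cannot scan: {line}" for line in unpinned])
    for name, version in pins:
        try:
            data = fetch(name, ecosystem, version)["data"]
            vulns = data["vulnerabilities"] if data["vulnerable"] else []
        except Exception as exc:  # HTTP error, bad key, unexpected body: record it, never skip it
            result.errors.append(f"{name}=={version}: {exc}")
            continue
        for v in vulns:
            severity = v.get("severity") or "UNKNOWN"
            entry = (name, version, v["id"], severity)
            # The accepted-risk list may name an advisory by any of its ids (GHSA, CVE, PYSEC, ...).
            if accepted_risk & {v["id"], *v.get("aliases", [])}:
                result.accepted.append(entry)
            elif severity in BLOCKING_SEVERITIES or severity == "UNKNOWN":  # unknown blocks until triaged
                result.findings.append(entry)
    return result


# Constructed fixtures shaped like the /v1/scan response above; not live API output.
SAMPLE_RESPONSES = {
    ("jinja2", "2.4.1"): {"data": {"vulnerable": True, "vulnerabilities": [
        {"id": "GHSA-462w-v97r-4m45", "aliases": ["CVE-2019-10906", "PYSEC-2019-217"], "severity": "HIGH"},
        {"id": "GHSA-8r7q-cvjq-x353", "aliases": ["CVE-2014-1402", "PYSEC-2014-8"], "severity": "HIGH"},
    ]}},
    ("examplepkg", "1.0.0"): {"data": {"vulnerable": False, "vulnerabilities": []}},  # hypothetical package
}
SAMPLE_REQUIREMENTS = """\
# constructed lockfile excerpt
jinja2==2.4.1
examplepkg==1.0.0
flask>=2.0
"""


def sample_fetch(name, ecosystem, version):
    """Offline stand-in for http_scan; a pin outside the fixtures simulates an upstream failure."""
    if (name, version) not in SAMPLE_RESPONSES:
        raise RuntimeError("simulated HTTP 502")
    return SAMPLE_RESPONSES[(name, version)]


if __name__ == "__main__":
    pins, unpinned = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    res = gate(pins, unpinned, fetch=sample_fetch, accepted_risk=frozenset({"CVE-2014-1402"}))
    for pkg, ver, adv, sev in res.findings:
        print(f"BLOCK {pkg}=={ver} {adv} [{sev}]")
    for err in res.errors:
        print(f"ERROR {err}")
    raise SystemExit(0 if res.passed else 1)
```

Two choices are deliberate. An exception from the fetcher lands in `errors` rather than being swallowed, so a bad key, a rate-limit response or an outage fails the build instead of passing it; and the accepted-risk match is done against the id and every alias, because the same Jinja2 advisory appears as `GHSA-8r7q-cvjq-x353`, `CVE-2014-1402` and `PYSEC-2014-8` and a triage note will usually cite only one of them. Swap `fetch=http_scan` in for `sample_fetch` to run against the live endpoint.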

#### `GET /v1/vulnerability` — Single advisory in detail

**Parameters:**
- `id` (query, required, string) — Advisory id (GHSA / PYSEC / GO / CVE …). Example: `GHSA-462w-v97r-4m45`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/osv-api/v1/vulnerability?id=GHSA-462w-v97r-4m45"
```

**Response:**
```json
{
    "data": {
        "vulnerability": {
            "id": "GHSA-462w-v97r-4m45",
            "aliases": [
                "CVE-2019-10906",
                "PYSEC-2019-217"
            ],
            "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "cvss_v4": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
            "cwe_ids": [
                "CWE-693"
            ],
            "details": "In Pallets Jinja before 2.10.1, `str.format_map` allows a sandbox escape. The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the `str.format_map` method could be used to escape the sandbox. This issue was previously addressed for the `str.format` method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common `str.format_map` method was overlooked. This release applies the same sandboxing to both methods. If you cannot upgrade Jinja, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.",
            "osv_url": "https://osv.dev/vulnerability/GHSA-462w-v97r-4m45",
            "summary": "Jinja2 sandbox escape via string formatting",
            "affected": [
                {
                    "name": "jinja2",
                    "ecosystem": "PyPI"
                }
            ],
            "modified": "2024-09-24T21:03:59.802687Z",
  
…(truncated, see openapi.json for full schema)
```

### Meta

#### `GET /v1/meta` — Supported ecosystems & source

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/osv-api/v1/meta"
```

**Response:**
```json
{
    "data": {
        "note": "Live OSV.dev data. /v1/scan = vulnerabilities affecting a specific package VERSION (the supply-chain check); /v1/package = every known advisory for a package; /v1/vulnerability = a single advisory (GHSA/PYSEC/GO/RUSTSEC/CVE…) in detail with CVSS, CWE, affected packages and references. Ecosystem aliases are accepted (pip→PyPI, cargo→crates.io, gem→RubyGems, composer→Packagist, …).",
        "source": "OSV — the Open Source Vulnerabilities database (osv.dev)",
        "endpoints": [
            "/v1/scan",
            "/v1/package",
            "/v1/vulnerability",
            "/v1/meta"
        ],
        "ecosystems": [
            "PyPI",
            "npm",
            "Go",
            "crates.io",
            "Maven",
            "NuGet",
            "RubyGems",
            "Packagist",
            "Hex",
            "Pub",
            "CRAN",
            "Debian",
            "Alpine",
            "Ubuntu",
            "GitHub Actions"
        ]
    },
    "meta": {
        "timestamp": "2026-05-31T13:21:03.922Z",
        "request_id": "0b4bd9bc-d46b-4795-868a-a680f25d2602"
    },
    "status": "ok",
    "message": "Meta retrieved",
    "success": true
}
```


---
Marketplace page: https://www.oanor.com/api/osv-api
OpenAPI spec: https://www.oanor.com/api/osv-api/openapi.json
