{"openapi":"3.1.0","info":{"title":"OSV Vulnerabilities API","version":"1.0.0","description":"The Open Source Vulnerabilities database (OSV / osv.dev) as an API — the supply-chain security check for open-source dependencies. Scan any package version (PyPI, npm, Go, crates.io, Maven, NuGet, RubyGems, Packagist, Hex and more) and instantly learn whether it is affected by known vulnerabilities, with each advisory's severity, CVSS score, CVE aliases, CWE weakness and references; list every advisory ever published for a package; and look up a single advisory (GHSA, PYSEC, GO, RUSTSEC, CVE…) in full detail, including the affected packages and version ranges. Live from Google's official OSV.dev database, which aggregates GitHub Security Advisories, PyPA, RustSec, Go and many other sources. Ideal for dependency scanning, SBOM and supply-chain tooling, CI security gates and devsecops dashboards. Open data.","contact":{"name":"PremiumApi","url":"https://www.oanor.com/by/premiumapi"}},"servers":[{"url":"https://api.oanor.com/osv-api","description":"oanor gateway"}],"tags":[{"name":"OSV"},{"name":"Meta"}],"components":{"securitySchemes":{"oanorKey":{"type":"apiKey","in":"header","name":"x-oanor-key","description":"Get your key at https://www.oanor.com/developer/keys"}}},"security":[{"oanorKey":[]}],"paths":{"/v1/package":{"get":{"operationId":"get_v1_package","tags":["OSV"],"summary":"Every known advisory for a package","description":"","parameters":[{"name":"name","in":"query","required":true,"description":"Package name, e.g. lodash","schema":{"type":"string"},"example":"lodash"},{"name":"ecosystem","in":"query","required":true,"description":"Ecosystem, e.g. npm","schema":{"type":"string"},"example":"npm"}],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"count":10,"package":"lodash","ecosystem":"npm","vulnerabilities":[{"id":"GHSA-29mw-wpgm-hmr9","aliases":["CVE-2020-28500"],"cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","cwe_ids":["CWE-1333","CWE-400"],"osv_url":"https://osv.dev/vulnerability/GHSA-29mw-wpgm-hmr9","summary":"Regular Expression Denial of Service (ReDoS) in lodash","modified":"2025-09-29T21:12:31.102523Z","severity":"MODERATE","published":"2022-01-06T20:30:46Z","references_count":20},{"id":"GHSA-35jh-r3h4-6jhm","aliases":["CVE-2021-23337"],"cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","cwe_ids":["CWE-77","CWE-94"],"osv_url":"https://osv.dev/vulnerability/GHSA-35jh-r3h4-6jhm","summary":"Command Injection in lodash","modified":"2025-08-12T21:55:57.719943Z","severity":"HIGH","published":"2021-05-06T16:05:51Z","references_count":17},{"id":"GHSA-4xc9-xhrj-v574","aliases":["CVE-2018-16487"],"cwe_ids":["CWE-400"],"osv_url":"https://osv.dev/vulnerability/GHSA-4xc9-xhrj-v574","summary":"Prototype Pollution in lodash","modified":"2025-08-12T21:55:35.778975Z","severity":"HIGH","published":"2019-02-07T18:16:48Z","references_count":5},{"id":"GHSA-f23m-r3pf-42rh","aliases":["CVE-2026-2950"],"cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","cwe_ids":["CWE-1321"],"osv_url":"https://osv.dev/vulnerability/GHSA-f23m-r3pf-42rh","summary":"lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`","modified":"2026-04-02T17:29:51.565211556Z","severity":"MODERATE","published":"2026-04-01T23:50:27Z","references_count":4},{"id":"GHSA-fvqr-27wr-82fm","aliases":["CVE-2018-3721"],"cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","cwe_ids":["CWE-1321","CWE-471"],"osv_url":"https://osv.dev/vulnerability/GHSA-fvqr-27wr-82fm","summary":"Prototype Pollution in lodash","modified":"2025-08-12T21:55:16.003066Z","severity":"MODERATE","published":"2018-07-26T15:14:52Z","references_count":5},{"id":"GHSA-jf85-cpcp-j695","aliases":["CVE-2019-10744"],"cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","cwe_ids":["CWE-1321","CWE-20"],"osv_url":"https://osv.dev/vulnerability/GHSA-jf85-cpcp-j695","summary":"Prototype Pollution in lodash","modified":"2026-03-14T09:41:05.242311Z","severity":"CRITICAL","published":"2019-07-10T19:45:23Z","references_count":10},{"id":"GHSA-p6mc-m468-83gw","aliases":["CVE-2020-8203"],"cvss_v3":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H","cwe_ids":["CWE-1321","CWE-770"],"osv_url":"https://osv.dev/vulnerability/GHSA-p6mc-m468-83gw","summary":"Prototype Pollution in lodash","modified":"2025-08-12T21:56:17.174859Z","severity":"HIGH","published":"2020-07-15T19:15:48Z","references_count":12},{"id":"GHSA-r5fr-rjxr-66jc","aliases":["CVE-2026-4800"],"cvss_v3":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","cwe_ids":["CWE-94"],"osv_url":"https://osv.dev/vulnerability/GHSA-r5fr-rjxr-66jc","summary":"lodash vulnerable to Code Injection via `_.template` imports key names","modified":"2026-04-02T17:29:57.498155673Z","severity":"HIGH","published":"2026-04-01T23:51:12Z","references_count":6},{"id":"GHSA-x5rq-j2xg-h7qm","aliases":["CVE-2019-1010266"],"cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","cwe_ids":["CWE-400"],"osv_url":"https://osv.dev/vulnerability/GHSA-x5rq-j2xg-h7qm","summary":"Regular Expression Denial of Service (ReDoS) in lodash","modified":"2026-03-13T21:56:22.446078Z","severity":"MODERATE","published":"2019-07-19T16:13:07Z","references_count":9},{"id":"GHSA-xxjr-mmjv-4gpg","aliases":["CVE-2025-13465"],"cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","cwe_ids":["CWE-1321"],"osv_url":"https://osv.dev/vulnerability/GHSA-xxjr-mmjv-4gpg","summary":"Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions","modified":"2026-02-04T03:38:10.856561Z","severity":"MODERATE","published":"2026-01-21T23:01:22Z","references_count":4}]},"meta":{"timestamp":"2026-05-31T13:21:03.115Z","request_id":"4ad3c7fe-b429-457f-a4be-bb531aed26be"},"status":"ok","message":"Package advisories retrieved","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}},"/v1/scan":{"get":{"operationId":"get_v1_scan","tags":["OSV"],"summary":"Vulnerabilities affecting a package version","description":"","parameters":[{"name":"name","in":"query","required":true,"description":"Package name, e.g. jinja2","schema":{"type":"string"},"example":"jinja2"},{"name":"ecosystem","in":"query","required":true,"description":"Ecosystem: PyPI, npm, Go, crates.io, Maven, … (aliases like pip/cargo/gem accepted)","schema":{"type":"string"},"example":"PyPI"},{"name":"version","in":"query","required":true,"description":"Exact version, e.g. 2.4.1","schema":{"type":"string"},"example":"2.4.1"}],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"count":14,"package":"jinja2","version":"2.4.1","ecosystem":"PyPI","vulnerable":true,"vulnerabilities":[{"id":"GHSA-462w-v97r-4m45","aliases":["CVE-2019-10906","PYSEC-2019-217"],"cvss_v3":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","cwe_ids":["CWE-693"],"osv_url":"https://osv.dev/vulnerability/GHSA-462w-v97r-4m45","summary":"Jinja2 sandbox escape via string formatting","modified":"2024-09-24T21:03:59.802687Z","severity":"HIGH","published":"2019-04-10T14:30:24Z","references_count":23},{"id":"GHSA-8r7q-cvjq-x353","aliases":["CVE-2014-1402","PYSEC-2014-8"],"cvss_v3":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cwe_ids":["CWE-266"],"osv_url":"https://osv.dev/vulnerability/GHSA-8r7q-cvjq-x353","summary":"Incorrect Privilege Assignment in Jinja2","modified":"2024-09-24T18:48:44.375484Z","severity":"HIGH","published":"2022-05-14T04:04:14Z","references_count":14},{"id":"GHSA-cpwx-vrp4-4pq7","aliases":["CVE-2025-27516"],"cwe_ids":["CWE-1336"],"osv_url":"https://osv.dev/vulnerability/GHSA-cpwx-vrp4-4pq7","summary":"Jinja2 vulnerable to sandbox breakout through attr filter selecting format method","modified":"2026-02-04T04:14:58.595738Z","severity":"MODERATE","published":"2025-03-05T20:40:14Z","references_count":6},{"id":"GHSA-fqh9-2qgg-h84h","aliases":["CVE-2014-0012","PYSEC-2014-82"],"cvss_v3":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","cwe_ids":["CWE-377"],"osv_url":"https://osv.dev/vulnerability/GHSA-fqh9-2qgg-h84h","summary":"Insecure Temporary File in Jinja2","modified":"2024-09-23T20:03:14.751414Z","severity":"MODERATE","published":"2022-05-17T04:01:00Z","references_count":13},{"id":"GHSA-g3rq-g295-4j3m","aliases":["CVE-2020-28493","PYSEC-2021-66","SNYK-PYTHON-JINJA2-1012994"],"cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","cwe_ids":["CWE-400"],"osv_url":"https://osv.dev/vulnerability/GHSA-g3rq-g295-4j3m","summary":"Regular Expression Denial of Service (ReDoS) in Jinja2","modified":"2025-02-14T05:26:14.565160Z","severity":"MODERATE","published":"2021-03-19T21:28:05Z","references_count":10},{"id":"GHSA-h5c8-rqwp-cp95","aliases":["CVE-2024-22195"],"cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","cwe_ids":["CWE-79"],"osv_url":"https://osv.dev/vulnerability/GHSA-h5c8-rqwp-cp95","summary":"Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter","modified":"2026-02-04T04:32:39.638919Z","severity":"MODERATE","published":"2024-01-11T15:20:48Z","references_count":10},{"id":"GHSA-h75v-3vvj-5mfj","aliases":["CVE-2024-34064"],"cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","cwe_ids":["CWE-79"],"osv_url":"https://osv.dev/vulnerability/GHSA-h75v-3vvj-5mfj","summary":"Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter","modified":"2026-02-04T03:24:55.822549Z","severity":"MODERATE","published":"2024-05-06T14:20:59Z","references_count":9},{"id":"GHSA-hj2j-77xm-mc5v","aliases":["CVE-2016-10745","PYSEC-2019-220"],"cvss_v3":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","cwe_ids":["CWE-134"],"osv_url":"https://osv.dev/vulnerability/GHSA-hj2j-77xm-mc5v","summary":"Jinja2 sandbox escape vulnerability","modified":"2024-09-24T21:04:16.963502Z","severity":"HIGH","published":"2019-04-10T14:30:13Z","references_count":15},{"id":"GHSA-q2x7-8rv6-6q7h","aliases":["CVE-2024-56326"],"cvss_v3":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cwe_ids":["CWE-693"],"osv_url":"https://osv.dev/vulnerability/GHSA-q2x7-8rv6-6q7h","summary":"Jinja has a sandbox breakout through indirect reference to format method","modified":"2026-02-04T03:01:31.510689Z","severity":"MODERATE","published":"2024-12-23T17:56:08Z","references_count":6},{"id":"PYSEC-2014-8","aliases":["CVE-2014-1402","GHSA-8r7q-cvjq-x353"],"cwe_ids":[],"osv_url":"https://osv.dev/vulnerability/PYSEC-2014-8","modified":"2023-11-08T03:57:34.512953Z","published":"2014-05-19T14:55:00Z","references_count":18},{"id":"PYSEC-2014-82","aliases":["CVE-2014-0012","GHSA-fqh9-2qgg-h84h"],"cwe_ids":[],"osv_url":"https://osv.dev/vulnerability/PYSEC-2014-82","modified":"2023-11-08T03:57:29.971954Z","published":"2014-05-19T14:55:00Z","references_count":8},{"id":"PYSEC-2019-217","aliases":["CVE-2019-10906","GHSA-462w-v97r-4m45"],"cwe_ids":[],"osv_url":"https://osv.dev/vulnerability/PYSEC-2019-217","modified":"2023-11-08T04:00:58.644982Z","published":"2019-04-07T00:29:00Z","references_count":20},{"id":"PYSEC-2019-220","aliases":["CVE-2016-10745","GHSA-hj2j-77xm-mc5v"],"cwe_ids":[],"osv_url":"https://osv.dev/vulnerability/PYSEC-2019-220","modified":"2023-11-08T03:58:21.453618Z","published":"2019-04-08T13:29:00Z","references_count":12},{"id":"PYSEC-2021-66","aliases":["CVE-2020-28493","GHSA-g3rq-g295-4j3m","SNYK-PYTHON-JINJA2-1012994"],"cwe_ids":[],"osv_url":"https://osv.dev/vulnerability/PYSEC-2021-66","modified":"2023-11-08T04:03:28.543308Z","published":"2021-02-01T20:15:00Z","references_count":5}]},"meta":{"timestamp":"2026-05-31T13:21:03.621Z","request_id":"0ee657f6-cee9-47e3-b8db-4fe9cda2a260"},"status":"ok","message":"Scan complete","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}},"/v1/vulnerability":{"get":{"operationId":"get_v1_vulnerability","tags":["OSV"],"summary":"Single advisory in detail","description":"","parameters":[{"name":"id","in":"query","required":true,"description":"Advisory id (GHSA / PYSEC / GO / CVE …)","schema":{"type":"string"},"example":"GHSA-462w-v97r-4m45"}],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"vulnerability":{"id":"GHSA-462w-v97r-4m45","aliases":["CVE-2019-10906","PYSEC-2019-217"],"cvss_v3":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","cvss_v4":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N","cwe_ids":["CWE-693"],"details":"In Pallets Jinja before 2.10.1, `str.format_map` allows a sandbox escape. The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the `str.format_map` method could be used to escape the sandbox. This issue was previously addressed for the `str.format` method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common `str.format_map` method was overlooked. This release applies the same sandboxing to both methods. If you cannot upgrade Jinja, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.","osv_url":"https://osv.dev/vulnerability/GHSA-462w-v97r-4m45","summary":"Jinja2 sandbox escape via string formatting","affected":[{"name":"jinja2","ecosystem":"PyPI"}],"modified":"2024-09-24T21:03:59.802687Z","severity":"HIGH","published":"2019-04-10T14:30:24Z","references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10906","type":"ADVISORY"},{"url":"https://usn.ubuntu.com/4011-2","type":"WEB"},{"url":"https://usn.ubuntu.com/4011-1","type":"WEB"},{"url":"https://palletsprojects.com/blog/jinja-2-10-1-released","type":"WEB"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS7IVZAJBWOHNRDMFJDIZVFCMRP6YIUQ","type":"WEB"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCDYIS254EJMBNWOG4S5QY6AOTOR4TZU","type":"WEB"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSW3QZMFVVR7YE3UT4YRQA272TYAL5AF","type":"WEB"},{"url":"https://lists.apache.org/thread.html/f0c4a03418bcfe70c539c5dbaf99c04c98da13bfa1d3266f08564316@%3Ccommits.airflow.apache.org%3E","type":"WEB"},{"url":"https://lists.apache.org/thread.html/b2380d147b508bbcb90d2cad443c159e63e12555966ab4f320ee22da@%3Ccommits.airflow.apache.org%3E","type":"WEB"},{"url":"https://lists.apache.org/thread.html/7f39f01392d320dfb48e4901db68daeece62fd60ef20955966739993@%3Ccommits.airflow.apache.org%3E","type":"WEB"},{"url":"https://lists.apache.org/thread.html/57673a78c4d5c870d3f21465c7e2946b9f8285c7c57e54c2ae552f02@%3Ccommits.airflow.apache.org%3E","type":"WEB"},{"url":"https://lists.apache.org/thread.html/46c055e173b52d599c648a98199972dbd6a89d2b4c4647b0500f2284@%3Cdevnull.infra.apache.org%3E","type":"WEB"},{"url":"https://lists.apache.org/thread.html/320441dccbd9a545320f5f07306d711d4bbd31ba43dc9eebcfc602df@%3Cdevnull.infra.apache.org%3E","type":"WEB"},{"url":"https://lists.apache.org/thread.html/2b52b9c8b9d6366a4f1b407a8bde6af28d9fc73fdb3b37695fd0d9ac@%3Cdevnull.infra.apache.org%3E","type":"WEB"},{"url":"https://lists.apache.org/thread.html/09fc842ff444cd43d9d4c510756fec625ef8eb1175f14fd21de2605f@%3Cdevnull.infra.apache.org%3E","type":"WEB"},{"url":"https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2019-217.yaml","type":"WEB"},{"url":"https://github.com/pallets/jinja","type":"PACKAGE"},{"url":"https://github.com/advisories/GHSA-462w-v97r-4m45","type":"ADVISORY"},{"url":"https://access.redhat.com/errata/RHSA-2019:1329","type":"WEB"},{"url":"https://access.redhat.com/errata/RHSA-2019:1237","type":"WEB"},{"url":"https://access.redhat.com/errata/RHSA-2019:1152","type":"WEB"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html","type":"WEB"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html","type":"WEB"}]}},"meta":{"timestamp":"2026-05-31T13:21:03.842Z","request_id":"520d3dd0-0940-4902-9bc4-3e9c4bc10f5d"},"status":"ok","message":"Vulnerability retrieved","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}},"/v1/meta":{"get":{"operationId":"get_v1_meta","tags":["Meta"],"summary":"Supported ecosystems & source","description":"","parameters":[],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"note":"Live OSV.dev data. /v1/scan = vulnerabilities affecting a specific package VERSION (the supply-chain check); /v1/package = every known advisory for a package; /v1/vulnerability = a single advisory (GHSA/PYSEC/GO/RUSTSEC/CVE…) in detail with CVSS, CWE, affected packages and references. Ecosystem aliases are accepted (pip→PyPI, cargo→crates.io, gem→RubyGems, composer→Packagist, …).","source":"OSV — the Open Source Vulnerabilities database (osv.dev)","endpoints":["/v1/scan","/v1/package","/v1/vulnerability","/v1/meta"],"ecosystems":["PyPI","npm","Go","crates.io","Maven","NuGet","RubyGems","Packagist","Hex","Pub","CRAN","Debian","Alpine","Ubuntu","GitHub Actions"]},"meta":{"timestamp":"2026-05-31T13:21:03.922Z","request_id":"0b4bd9bc-d46b-4795-868a-a680f25d2602"},"status":"ok","message":"Meta retrieved","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}}},"x-oanor-pricing":[{"slug":"free","name":"Free","price_cents_month":0,"monthly_call_quota":3700,"rps_limit":2,"hard_limit":true},{"slug":"starter","name":"Starter","price_cents_month":465,"monthly_call_quota":50500,"rps_limit":8,"hard_limit":true},{"slug":"pro","name":"Pro","price_cents_month":1395,"monthly_call_quota":247000,"rps_limit":20,"hard_limit":true},{"slug":"mega","name":"Mega","price_cents_month":3625,"monthly_call_quota":1225000,"rps_limit":50,"hard_limit":true}],"x-oanor-marketplace-url":"https://www.oanor.com/api/osv-api"}