# Vulnerability Intelligence API
> Prioritise CVEs by real-world exploitation risk — not just severity. Combines the FIRST.org EPSS score (the probability, 0 to 1, that a CVE will be exploited in the next 30 days, with its percentile rank) and the CISA KEV catalog (vulnerabilities confirmed to be actively exploited in the wild — with the vendor, product, date added, remediation due date and whether the flaw is used in ransomware campaigns), and derives a single priority level for each CVE. Look up as many as 25 CVEs in one call, browse the full CISA Known Exploited Vulnerabilities catalog filtered by vendor, product or ransomware use, or list the CVEs with the highest current EPSS scores. Built for vulnerability management, patch prioritisation, risk scoring and security dashboards — answering not "how bad could this be?" but "how likely is it to actually be exploited?". A vulnerability-prioritisation layer — distinct from raw CVE details and CVSS severity (cve), password-breach checks (pwned) and the HTTP security-header grader (secheaders). Data live from FIRST.org and CISA. No upstream key, no cache.

## Authentication
All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys.

```bash
curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/vulnintel-api/..."
```

## Pricing
- **Free** (Free) — 2,320 calls/Mo, 2 req/s
- **Starter** ($7/Mo) — 46,000 calls/Mo, 8 req/s
- **Pro** ($21/Mo) — 236,000 calls/Mo, 20 req/s
- **Mega** ($56/Mo) — 870,000 calls/Mo, 50 req/s

## Endpoints

### Vulnerability Intelligence

#### `GET /v1/cve` — EPSS + KEV intelligence for a CVE

**Parameters:**
- `cve` (query, required, string) — CVE id(s), comma-separated (max 25). Example: `CVE-2021-44228`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/vulnintel-api/v1/cve?cve=CVE-2021-44228"
```

**Response:**
```json
{
    "data": {
        "count": 1,
        "results": [
            {
                "cve": "CVE-2021-44228",
                "kev": {
                    "cve": "CVE-2021-44228",
                    "name": "Apache Log4j2 Remote Code Execution Vulnerability",
                    "listed": true,
                    "vendor": "Apache",
                    "product": "Log4j2",
                    "due_date": "2021-12-24",
                    "date_added": "2021-12-10",
                    "required_action": "For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.",
                    "known_ransomware": true
                },
                "epss": {
                    "date": "2026-06-01",
                    "score": 0.94358,
                    "percentile": 0.99964
                },
                "priority": "critical — actively exploited (CISA KEV)"
            }
        ],
        "kev_catalog_version": "2026.06.01"
    },
    "meta": {
        "timestamp": "2026-06-01T23:40:49.098Z",
        "request_id": "86f9000d-112f-4def-92a5-73f0003bc983"
    },
    "status": "ok",
    "message": "CVE intelligence retrieved",
    "success": true
}
```
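An added example (not part of this API's documentation or the provider's code) of a client-side wrapper for this endpoint: it validates and de-duplicates CVE ids, splits them into requests of at most 25, and orders a returned `results` array for patching. The helper names, the `CVE-0000-*` placeholder entries and the handling of a null `kev` or `epss` for unlisted CVEs are assumptions; only the CVE-2021-44228 values come from the response above.

```python
import re
from urllib.parse import urlencode

BASE = "https://api.oanor.com/vulnintel-api/v1/cve"  # endpoint from this page
MAX_PER_CALL = 25                                     # documented batch limit
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def batch_urls(cve_ids):
    """Validate and de-duplicate ids, then build one URL per 25 ids."""
    clean = []
    for raw in cve_ids:
        cid = raw.strip().upper()
        if not CVE_RE.fullmatch(cid):   # never forward scanner output unchecked
            raise ValueError(f"not a CVE id: {raw!r}")
        if cid not in clean:
            clean.append(cid)
    return [BASE + "?" + urlencode({"cve": ",".join(clean[i:i + MAX_PER_CALL])})
            for i in range(0, len(clean), MAX_PER_CALL)]

def triage(results):
    """Patch order: KEV-listed first (ransomware-linked, then earliest
    due_date), then everything else by descending EPSS score."""
    def key(r):
        kev = r.get("kev") or {}     # assumption: may be null when not listed
        epss = r.get("epss") or {}   # assumption: may be null when unscored
        score = epss.get("score") or 0.0
        if kev.get("listed"):
            # ISO dates sort correctly as plain strings
            return (0, not kev.get("known_ransomware"),
                    kev.get("due_date") or "9999-12-31", -score)
        return (1, True, "9999-12-31", -score)
    return [r["cve"] for r in sorted(results, key=key)]

# Constructed sample shaped like the documented "results" array. Only the
# CVE-2021-44228 values are from the page; CVE-0000-* are placeholders.
SAMPLE_RESULTS = [
    {"cve": "CVE-0000-0001", "kev": None, "epss": {"score": 0.91}},
    {"cve": "CVE-0000-0002", "epss": {"score": 0.12},
     "kev": {"listed": True, "due_date": "2026-06-04", "known_ransomware": False}},
    {"cve": "CVE-2021-44228", "epss": {"score": 0.94358},
     "kev": {"listed": True, "due_date": "2021-12-24", "known_ransomware": True}},
    {"cve": "CVE-0000-0003", "kev": {"listed": False}, "epss": {"score": 0.03}},
]

if __name__ == "__main__":
    print(batch_urls(["cve-2021-44228", "CVE-2021-44228 "]))
    print(triage(SAMPLE_RESULTS))
```

Ranking on the `kev` and `epss` fields rather than on the `priority` string keeps the ordering stable if the wording of the priority labels changes.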

#### `GET /v1/kev` — Browse the CISA KEV catalog

**Parameters:**
- `vendor` (query, optional, string) — Filter by vendor
- `product` (query, optional, string) — Filter by product
- `ransomware` (query, optional, string) — true = ransomware-linked only
- `limit` (query, optional, string) — 1-200 (default 20)
- `offset` (query, optional, string) — Paging offset

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/vulnintel-api/v1/kev"
```

**Response:**
```json
{
    "data": {
        "count": 20,
        "limit": 20,
        "total": 1608,
        "offset": 0,
        "catalog_version": "2026.06.01",
        "vulnerabilities": [
            {
                "cve": "CVE-2024-21182",
                "name": "Oracle WebLogic Server Unspecified Vulnerability",
                "vendor": "Oracle",
                "product": "WebLogic Server",
                "due_date": "2026-06-04",
                "date_added": "2026-06-01",
                "required_action": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
                "known_ransomware": false
            },
            {
                "cve": "CVE-2026-0257",
                "name": "Palo Alto Networks PAN-OS Authentication Bypass Vulnerability",
                "vendor": "Palo Alto Networks",
                "product": "PAN-OS",
                "due_date": "2026-06-01",
                "date_added": "2026-05-29",
                "required_action": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
                "known_ransomware": false
            },
            {
                "cve": "CVE-2026-48027",
                "name": "Nx Console Embedded Malicious Code Vulnerability",
                "vendor": "Nx",
                "product": "Nx
…(truncated, see openapi.json for full schema)
```
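An added example (not the provider's code) of walking the whole catalog with `limit`/`offset` until `total` is reached, then flagging entries that match an asset inventory and are past their `due_date`. The HTTP call is replaced by a constructed offline stand-in; the function names, the inventory format and the `CVE-0000-*` filler rows are assumptions, and the two named entries reuse values from the response above.

```python
from datetime import date

PAGE_SIZE = 200  # largest `limit` this endpoint documents

def iter_kev(fetch_page, **filters):
    """Yield every KEV entry, advancing `offset` until `total` is reached.
    fetch_page(params) returns the parsed "data" object of one response."""
    offset = 0
    while True:
        data = fetch_page({**filters, "limit": PAGE_SIZE, "offset": offset})
        items = data["vulnerabilities"]
        yield from items
        offset += len(items)
        if not items or offset >= data["total"]:   # empty page guards the loop
            return

def overdue_for_inventory(entries, inventory, today):
    """(cve, due_date, days_late) for entries that match an inventory
    (vendor, product) pair and are past their remediation due_date."""
    owned = {(v.lower(), p.lower()) for v, p in inventory}
    hits = []
    for e in entries:
        due = date.fromisoformat(e["due_date"])
        if (e["vendor"].lower(), e["product"].lower()) in owned and due < today:
            hits.append((e["cve"], e["due_date"], (today - due).days))
    return sorted(hits, key=lambda h: h[1])

def make_fake_fetch(catalog):
    """Offline stand-in for the HTTP call: serves slices of `catalog`."""
    calls = []
    def fetch(params):
        calls.append(params)
        start = params["offset"]
        page = catalog[start:start + params["limit"]]
        return {"total": len(catalog), "vulnerabilities": page}
    return fetch, calls

# Constructed catalog: the first two entries reuse values from the response
# above; the CVE-0000-* filler rows are placeholders to force three pages.
CATALOG = [
    {"cve": "CVE-2024-21182", "vendor": "Oracle",
     "product": "WebLogic Server", "due_date": "2026-06-04"},
    {"cve": "CVE-2026-0257", "vendor": "Palo Alto Networks",
     "product": "PAN-OS", "due_date": "2026-06-01"},
] + [{"cve": f"CVE-0000-{i:04d}", "vendor": "ExampleVendor",
      "product": "ExampleProduct", "due_date": "2020-01-01"} for i in range(448)]
```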

#### `GET /v1/top` — Highest-EPSS CVEs

**Parameters:**
- `limit` (query, optional, string) — 1-100 (default 20). Example: `10`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/vulnintel-api/v1/top?limit=10"
```

**Response:**
```json
{
    "data": {
        "count": 10,
        "results": [
            {
                "cve": "CVE-2023-23752",
                "date": "2026-06-01",
                "epss": 0.9452,
                "percentile": 1
            },
            {
                "cve": "CVE-2017-8917",
                "date": "2026-06-01",
                "epss": 0.94513,
                "percentile": 1
            },
            {
                "cve": "CVE-2018-7600",
                "date": "2026-06-01",
                "epss": 0.94489,
                "percentile": 1
            },
            {
                "cve": "CVE-2021-22986",
                "date": "2026-06-01",
                "epss": 0.94485,
                "percentile": 0.99999
            },
            {
                "cve": "CVE-2018-1000861",
                "date": "2026-06-01",
                "epss": 0.94485,
                "percentile": 1
            },
            {
                "cve": "CVE-2017-1000353",
                "date": "2026-06-01",
                "epss": 0.94479,
                "percentile": 0.99999
            },
            {
                "cve": "CVE-2018-13379",
                "date": "2026-06-01",
                "epss": 0.94473,
                "percentile": 0.99999
            },
            {
                "cve": "CVE-2019-3396",
                "date": "2026-06-01",
                "epss": 0.94471,
                "percentile": 0.99998
            },
            {
                "cve
…(truncated, see openapi.json for full schema)
```

### Meta

#### `GET /v1/meta` — Sources & priority levels

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/vulnintel-api/v1/meta"
```

**Response:**
```json
{
    "data": {
        "note": "Prioritise CVEs by real-world exploitation risk, not just severity. /v1/cve?cve=CVE-2021-44228 combines the FIRST.org EPSS score (the probability — 0 to 1 — that a CVE will be exploited in the next 30 days, with its percentile rank) and the CISA KEV catalog (vulnerabilities confirmed to be exploited in the wild, with the vendor, product, date added, remediation due date and whether it is used in ransomware), and derives a single priority level. Look up to 25 CVEs at once. /v1/kev browses the full CISA Known Exploited Vulnerabilities catalog, filterable by vendor, product or ransomware use. /v1/top lists the CVEs with the highest current EPSS scores. Built for vulnerability management, patch prioritisation, risk scoring and security dashboards — answering not 'how bad could this be?' but 'how likely is it to actually be exploited?'. A vulnerability-prioritisation layer — distinct from raw CVE details and CVSS severity (cve), password-breach checks (pwned) and the security-header grader (secheaders). Data live from FIRST.org and CISA. No key, no cache.",
        "sources": [
            "FIRST.org EPSS (api.first.org)",
            "CISA Known Exploited Vulnerabilities (cisagov KEV)"
        ],
        "endpoints": [
            "/v1/cve",
            "/v1/kev",
            "/v1/top",
            "/v1/meta"
        ],
        "priority_levels": [
            "critical — actively exploited (CISA KEV)",
            "high (EPSS ≥ 0.5)",
…(truncated, see openapi.json for full schema)
```


---
Marketplace page: https://www.oanor.com/api/vulnintel-api
OpenAPI spec: https://www.oanor.com/api/vulnintel-api/openapi.json
