Free Public CVE API

JSON + NDJSON access to the same vulnerability intelligence behind /pulse: NVD CVSS, EchelonGraph synthesised score, CISA KEV flag, FIRST EPSS percentile, GHSA links, and vendor advisory cross-walks (Microsoft, Red Hat, Cisco, AWS, GCP, GitLab).

No API key required. Rate-limited at 60 requests per minute per IP via our WAF. Need higher throughput? Get in touch.

Quickstart

Every endpoint is GET-only and returns JSON. Try this Log4Shell lookup:

curl https://app.echelongraph.io/api/v1/public/cves/CVE-2021-44228 | jq .

Endpoints

GET /api/v1/public/cves/summary

Overall counts (total + by severity + last 30 days) and the live NVD poller's health snapshot. Updated continuously.

curl https://app.echelongraph.io/api/v1/public/cves/summary

GET /api/v1/public/cves/{id}

Single CVE record. Returns the merged view: NVD CVSS, EchelonGraph synthesised score (when available), KEV/EPSS signals, GHSA references, vendor advisory cross-links.

curl https://app.echelongraph.io/api/v1/public/cves/CVE-2021-44228

GET /api/v1/public/cves/{id}/related

Three categories of related CVEs (same_product / same_vendor / same_cwe), 10 each, ranked by EchelonGraph score. Powers the sidebar on every /pulse/{id} page.

curl https://app.echelongraph.io/api/v1/public/cves/CVE-2021-44228/related

GET /api/v1/public/cves/{id}/references

Per-reference enrichment for one CVE — vendor advisory cross-walks, patch URLs, exploit POC indicators where surfaced.

curl https://app.echelongraph.io/api/v1/public/cves/CVE-2021-44228/references

GET /api/v1/public/cves/trends

Weekly + monthly volume + week-over-week delta + severity distribution. Backs the dashboard cards on /pulse.

curl https://app.echelongraph.io/api/v1/public/cves/trends

GET /api/v1/public/cves/export.ndjson

Streaming NDJSON bulk export — one CVE per line. Filters: year, severity, kev_only, min_cvss. Hard cap 50,000 rows per call (iterate via the year param for the full dataset).

curl "https://app.echelongraph.io/api/v1/public/cves/export.ndjson?year=2024&severity=CRITICAL&kev_only=true" | jq -c .

GET /api/v1/public/vendor-advisories

Vendor-disclosed security advisories (Microsoft MSRC, Red Hat RHSA, GitHub GHSA, Cisco PSIRT, AWS, GCP, GitLab). Many appear here before NVD assigns a CVE-ID.

curl "https://app.echelongraph.io/api/v1/public/vendor-advisories?has_cve=true&limit=50"

GET /api/v1/public/vendor-advisories/{vendor}/{advisory_id}

Single vendor-advisory detail — title, description, CVSS, affected products, remediation, references, linked CVE IDs.

curl https://app.echelongraph.io/api/v1/public/vendor-advisories/github/GHSA-99gv-2m7h-3hh9

Bulk NDJSON Export

For researchers + security teams who want offline analysis. The export streams one CVE per line as JSON (NDJSON / JSON Lines), so you can pipe it through jq -c . or process incrementally without buffering the whole dataset.

# All KEV-listed CVEs published in 2024
curl "https://app.echelongraph.io/api/v1/public/cves/export.ndjson?year=2024&kev_only=true" \
  | jq -c '{cve_id, severity, echelongraph_score, kev_added: .kev_added_date}'

# Full 2023 CRITICAL dataset
curl "https://app.echelongraph.io/api/v1/public/cves/export.ndjson?year=2023&severity=CRITICAL" \
  > cves-2023-critical.ndjson

Hard cap: 50,000 rows per call. Iterate via the year param for the full dataset. The endpoint streams from a DB cursor, so memory pressure stays flat regardless of result size.
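
A client for the year-by-year iteration described above, as an added example (not EchelonGraph's own code). It paces calls to the documented 60 requests per minute, consumes the stream line by line, and counts lines that fail to parse so a dropped connection is noticed. Treating a result of exactly 50,000 rows as possibly cut at the cap is an assumption, as are the function names and the constructed SAMPLE records.

```python
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

BASE = "https://app.echelongraph.io/api/v1/public/cves/export.ndjson"
ROW_CAP = 50_000      # hard cap per call, as documented above
MIN_INTERVAL = 1.0    # 60 requests/minute/IP -> at most one call per second
SAMPLE = [            # constructed records, last one cut off mid-line
    '{"cve_id": "CVE-0000-0001", "severity": "CRITICAL"}\n',
    '{"cve_id": "CVE-0000-0002", "severity": "HIGH"}\n',
    '{"cve_id": "CVE-0000-0003", "sever',
]

def export_url(year, severity=None, kev_only=False, min_cvss=None):
    """Build an export URL from the filters documented above."""
    params = {"year": year, "severity": severity,
              "kev_only": "true" if kev_only else None, "min_cvss": min_cvss}
    return BASE + "?" + urllib.parse.urlencode(
        {k: v for k, v in params.items() if v is not None})

def summarize(lines, cap=ROW_CAP):
    """Consume NDJSON one line at a time; the dataset is never held in memory."""
    by_severity, rows, bad = Counter(), 0, 0
    for raw in lines:
        line = raw.decode() if isinstance(raw, bytes) else raw
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            sev = rec.get("severity") or "UNKNOWN"
        except (json.JSONDecodeError, AttributeError):
            bad += 1  # partial or non-object line, e.g. a dropped connection
            continue
        rows += 1
        by_severity[sev] += 1
    # Assumption: a call that returns `cap` rows may have been cut at the cap.
    return {"rows": rows, "bad_lines": bad, "by_severity": dict(by_severity),
            "maybe_truncated": rows >= cap}

def export_years(years, **filters):
    """Fetch one year per call, paced to stay under the rate limit."""
    results = {}
    for year in years:
        with urllib.request.urlopen(export_url(year, **filters), timeout=60) as resp:
            results[year] = summarize(resp)  # the response yields one line at a time
        time.sleep(MIN_INTERVAL)
    return results
```

When a year comes back with maybe_truncated set, re-run it once per severity value and merge the results; a non-zero bad_lines means the download should be retried.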

Notes

  • All endpoints are CORS-enabled for browser use.
  • Responses are versioned under /api/v1/. Breaking changes will land under /api/v2/ with a deprecation window.
  • Where two sources disagree on CVSS (CNA vs NVD analyst), the freshest modified timestamp wins. See "Why is the EG score different from NVD?"
  • Powered by direct feeds from MITRE cvelistV5 (fast), NVD API (deep), GHSA, CISA KEV, FIRST EPSS, and per-vendor advisory pollers.