Skip to content

List all vulnerabilities

GET
/all
curl --request GET \
--url 'https://patchstack.com/database/api/beta/all?platform=wordpress&page=1&per_page=100&include=details' \
--header 'PSKey: <PSKey>'

Paginated listing of every published vulnerability for the given platform, ordered by descending id.

Supports two independent pagination strategies:

  • Offset (?page=&per_page=) — returns a pagination block with totals. Easy to jump to a specific page; slower at depth and susceptible to row-shift when new vulnerabilities land while paging.
  • Cursor (?cursor=) — returns a cursor block with next_cursor, has_more, per_page. Stable under concurrent inserts and faster at any depth. No total count.

cursor and page are mutually exclusive; passing both returns 422 Unprocessable Entity.

platform
string
default: wordpress
Allowed values: wordpress npm

Platform to query. Case-insensitive.

page
integer
default: 1 >= 1

Offset-pagination page (1-indexed). Mutually exclusive with cursor.

per_page
integer
default: 100 >= 1 <= 500

Page size.

cursor
string

Opaque cursor. Presence of the param switches to cursor mode (send an empty value to bootstrap). Mutually exclusive with page.

include
string
Allowed values: details

Pass details to include the full advisory body (advisory_details) per item.

Paginated vulnerability listing.

Media type application/json
One of:
object
vulnerabilities
required
Array<object>

Per-item shape shared across list endpoints when platform=npm.

object
id
required

Stable Patchstack vulnerability id.

integer
title
required

Human-readable title (prefixed with NPM: for npm advisories).

string
disclosed_at
required

When the vulnerability was publicly disclosed.

string format: date-time
created_at
required

When the row was inserted into the Patchstack DB. Drives /latest windowing.

string format: date-time
url
required

Public Patchstack vulnerability page (token-tagged).

string format: uri
vuln_type
required

High-level vulnerability category.

string
cve
required

First CVE identifier, or empty string when none is assigned.

string
is_exploited
required

Whether exploitation has been observed in the wild.

boolean
patch_priority
required

1 (low) to 3 (high).

integer
>= 1 <= 3
advisory_details

Full advisory body (markdown). Only present when ?include=details was passed.

string
product
required
object
id
required
integer
name
required
string
slug
required
string
cvss
required
object
score
number format: float
nullable
vector
string
nullable
cwe
required
object
id
integer
nullable
name
string
nullable
capec
required
object
id
integer
nullable
name
string
nullable
references
required

External reference URLs (advisories, commits, tags).

Array<string>
ghsa
required

GHSA identifier when the advisory came from the GitHub Advisory Database.

string
version_info
required
object
affected
required

Affected version range (e.g. <= 2026.3.28).

string
fixed
required

First fixed version.

string
patched_ranges
required

Structured list of patch ranges for advisories with multiple patch ranges.

Array<object>
object
from_version
string
to_version
string
fixed_in
string
pagination
required
object
current_page
required
integer
per_page
required
integer
total
required
integer
total_pages
required
integer
has_next_page
required
boolean
has_previous_page
required
boolean
next_page
integer
nullable
previous_page
integer
nullable
from
required
integer
to
required
integer
Examples

Offset mode

{
"vulnerabilities": [],
"pagination": {
"current_page": 1,
"per_page": 25,
"total": 6115,
"total_pages": 245,
"has_next_page": true,
"has_previous_page": false,
"next_page": 2,
"previous_page": null,
"from": 1,
"to": 25
}
}

Missing or invalid PSKey header.

API key not authorised for the requested endpoint.

Invalid parameter combination (e.g. cursor + page), invalid platform, or per_page > 500.

Rate limit exceeded.