List all vulnerabilities
const url = 'https://patchstack.com/database/api/beta/all?platform=wordpress&page=1&per_page=100&include=details';const options = {method: 'GET', headers: {PSKey: '<PSKey>'}};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request GET \ --url 'https://patchstack.com/database/api/beta/all?platform=wordpress&page=1&per_page=100&include=details' \ --header 'PSKey: <PSKey>'Paginated listing of every published vulnerability for the given
platform, ordered by descending id.
Supports two independent pagination strategies:
- Offset (
?page=&per_page=) — returns apaginationblock with totals. Easy to jump to a specific page; slower at depth and susceptible to row-shift when new vulnerabilities land while paging. - Cursor (
?cursor=) — returns acursorblock withnext_cursor,has_more,per_page. Stable under concurrent inserts and faster at any depth. Nototalcount.
cursor and page are mutually exclusive; passing both returns
422 Unprocessable Entity.
Authorizations
Section titled “Authorizations ”Parameters
Section titled “ Parameters ”Query Parameters
Section titled “Query Parameters ”Platform to query. Case-insensitive.
Offset-pagination page (1-indexed). Mutually exclusive with cursor.
Page size.
Opaque cursor. Presence of the param switches to cursor mode (send an
empty value to bootstrap). Mutually exclusive with page.
Pass details to include the full advisory body (advisory_details) per item.
Responses
Section titled “ Responses ”Paginated vulnerability listing.
object
Per-item shape shared across list endpoints when platform=npm.
object
Stable Patchstack vulnerability id.
Human-readable title (prefixed with NPM: for npm advisories).
When the vulnerability was publicly disclosed.
When the row was inserted into the Patchstack DB. Drives /latest windowing.
Public Patchstack vulnerability page (token-tagged).
High-level vulnerability category.
First CVE identifier, or empty string when none is assigned.
Whether exploitation has been observed in the wild.
1 (low) to 3 (high).
Full advisory body (markdown). Only present when ?include=details was passed.
object
object
object
object
External reference URLs (advisories, commits, tags).
GHSA identifier when the advisory came from the GitHub Advisory Database.
object
Affected version range (e.g. <= 2026.3.28).
First fixed version.
Structured list of patch ranges for advisories with multiple patch ranges.
object
object
object
Per-item shape shared across list endpoints when platform=npm.
object
Stable Patchstack vulnerability id.
Human-readable title (prefixed with NPM: for npm advisories).
When the vulnerability was publicly disclosed.
When the row was inserted into the Patchstack DB. Drives /latest windowing.
Public Patchstack vulnerability page (token-tagged).
High-level vulnerability category.
First CVE identifier, or empty string when none is assigned.
Whether exploitation has been observed in the wild.
1 (low) to 3 (high).
Full advisory body (markdown). Only present when ?include=details was passed.
object
object
object
object
External reference URLs (advisories, commits, tags).
GHSA identifier when the advisory came from the GitHub Advisory Database.
object
Affected version range (e.g. <= 2026.3.28).
First fixed version.
Structured list of patch ranges for advisories with multiple patch ranges.
object
object
Opaque cursor for the next page. null when there are no more pages.
Examples
Offset mode
{ "vulnerabilities": [], "pagination": { "current_page": 1, "per_page": 25, "total": 6115, "total_pages": 245, "has_next_page": true, "has_previous_page": false, "next_page": 2, "previous_page": null, "from": 1, "to": 25 }}Cursor mode
{ "vulnerabilities": [], "cursor": { "next_cursor": "djE6NDYzMzk", "has_more": true, "per_page": 25 }}Missing or invalid PSKey header.
API key not authorised for the requested endpoint.
Invalid parameter combination (e.g. cursor + page), invalid platform, or per_page > 500.
Rate limit exceeded.