Skip to content

Latest vulnerabilities

GET
/latest
curl --request GET \
--url https://patchstack.com/database/api/v2/latest \
--header 'PSKey: <PSKey>'

Return the 20 most recently added vulnerabilities, ordered by descending created_at (insertion time, not disclosure_date).

The 20 most recent vulnerabilities.

Media type application/json
object
vulnerabilities
required
Array<object>

Flat per-item shape returned by the Extended tier. Superset of the Standard shape — adds description, vuln_type, cvss_score, cve, is_exploited, patch_priority, affected_in, and patched_in_ranges.

object
id
required

Stable Patchstack vulnerability id.

integer
product_id
required

Stable Patchstack product id.

integer
title
required

Human-readable title including product name, affected version, and vulnerability type.

string
description
required

Short narrative summary of the advisory.

string
disclosure_date

Disclosure date in YYYY-MM-DD HH:MM:SS form (legacy).

string
disclosed_at
required

Disclosure date in ISO 8601.

string format: date-time
created_at
required

When the row was inserted into the Patchstack database (ISO 8601). Drives /latest windowing.

string format: date-time
url
required

URL slug for the advisory.

string
product_slug
required

Lowercase slug of the product.

string
product_name
required

Display name of the product.

string
product_name_premium

Premium variant name when the author ships two plugins under the same slug. null in the common case.

string
nullable
product_type
required

Product ecosystem.

string
Allowed values: Plugin Theme WordPress
vuln_type
required

High-level vulnerability category (e.g. SQL Injection, Cross Site Scripting (XSS)).

string
cvss_score

CVSS base score, 1.0–10.0. null for unclassified advisories.

number format: float
nullable
cve
required

CVE identifiers. An advisory can have zero, one, or multiple.

Array<string>
is_exploited

Whether exploitation has been observed in the wild.

boolean
patch_priority

Recommended patch urgency.

  • 1 — Low → patch within 30 days
  • 2 — Medium → patch within 7 days
  • 3+ — High → patch immediately
  • null — unknown
integer
nullable >= 1
affected_in
required

Affected version range. Formats include <= x.x.x, < x.x.x, x.x.x-x.x.x, x.x.x,x.x.x, or a single x.x.x.

string
fixed_in
required

First fixed version. Empty string when Patchstack has not yet recorded one.

string
patched_in_ranges

For products that ship patches across multiple minor lines (WordPress core, WooCommerce, Ninja Forms, …), each entry describes a from_versionto_version range and its fix.

Array<object>
object
from_version
required

Starting version, inclusive.

string
to_version
required

Ending version, inclusive.

string
fixed_in
required

Version that contains the patch for this range.

string
direct_url
required

Public Patchstack vulnerability page.

string format: uri
Example
{
"vulnerabilities": [
{
"id": 7976,
"product_id": 2175,
"title": "WordPress File Upload plugin <= 4.16.2 - Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE)",
"description": "Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE) discovered by apple502j in WordPress File Upload plugin (versions <= 4.16.2).",
"disclosure_date": "2022-03-01 00:00:00",
"disclosed_at": "2022-03-01T00:00:00+00:00",
"created_at": "2022-03-07T11:17:05+00:00",
"url": "wordpress-file-upload-plugin-4-16-2-contributor-path-traversal-vulnerability-leading-to-remote-code-execution-rce",
"product_slug": "wp-file-upload",
"product_name": "WordPress File Upload",
"product_name_premium": null,
"product_type": "Plugin",
"vuln_type": "Directory Traversal",
"cvss_score": 8.8,
"cve": [
"2021-24962"
],
"is_exploited": false,
"patch_priority": 3,
"affected_in": "<= 4.16.2",
"fixed_in": "4.16.3",
"patched_in_ranges": [
{
"from_version": "3.0",
"to_version": "3.0.34.1",
"fixed_in": "3.0.34.2"
}
],
"direct_url": "https://patchstack.com/database/vulnerability/wp-file-upload/wordpress-file-upload-plugin-4-16-2-contributor-path-traversal-vulnerability-leading-to-remote-code-execution-rce"
}
]
}

Missing or invalid PSKey header.

API key not authorised for the requested endpoint.

Rate limit exceeded.