Latest vulnerabilities
const url = 'https://patchstack.com/database/api/v2/latest';const options = {method: 'GET', headers: {PSKey: '<PSKey>'}};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request GET \ --url https://patchstack.com/database/api/v2/latest \ --header 'PSKey: <PSKey>'Return the 20 most recently added vulnerabilities, ordered by
descending created_at (insertion time, not disclosure_date).
Authorizations
Section titled “Authorizations ”Responses
Section titled “ Responses ”The 20 most recent vulnerabilities.
object
Flat per-item shape returned by the Extended tier. Superset of the
Standard shape — adds description, vuln_type, cvss_score, cve,
is_exploited, patch_priority, affected_in, and
patched_in_ranges.
object
Stable Patchstack vulnerability id.
Stable Patchstack product id.
Human-readable title including product name, affected version, and vulnerability type.
Short narrative summary of the advisory.
Disclosure date in YYYY-MM-DD HH:MM:SS form (legacy).
Disclosure date in ISO 8601.
When the row was inserted into the Patchstack database (ISO 8601). Drives /latest windowing.
URL slug for the advisory.
Lowercase slug of the product.
Display name of the product.
Premium variant name when the author ships two plugins under the same slug. null in the common case.
Product ecosystem.
High-level vulnerability category (e.g. SQL Injection, Cross Site Scripting (XSS)).
CVSS base score, 1.0–10.0. null for unclassified advisories.
CVE identifiers. An advisory can have zero, one, or multiple.
Whether exploitation has been observed in the wild.
Recommended patch urgency.
1— Low → patch within 30 days2— Medium → patch within 7 days3+— High → patch immediatelynull— unknown
Affected version range. Formats include <= x.x.x, < x.x.x,
x.x.x-x.x.x, x.x.x,x.x.x, or a single x.x.x.
First fixed version. Empty string when Patchstack has not yet recorded one.
For products that ship patches across multiple minor lines
(WordPress core, WooCommerce, Ninja Forms, …), each entry
describes a from_version–to_version range and its fix.
object
Starting version, inclusive.
Ending version, inclusive.
Version that contains the patch for this range.
Public Patchstack vulnerability page.
Example
{ "vulnerabilities": [ { "id": 7976, "product_id": 2175, "title": "WordPress File Upload plugin <= 4.16.2 - Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE)", "description": "Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE) discovered by apple502j in WordPress File Upload plugin (versions <= 4.16.2).", "disclosure_date": "2022-03-01 00:00:00", "disclosed_at": "2022-03-01T00:00:00+00:00", "created_at": "2022-03-07T11:17:05+00:00", "url": "wordpress-file-upload-plugin-4-16-2-contributor-path-traversal-vulnerability-leading-to-remote-code-execution-rce", "product_slug": "wp-file-upload", "product_name": "WordPress File Upload", "product_name_premium": null, "product_type": "Plugin", "vuln_type": "Directory Traversal", "cvss_score": 8.8, "cve": [ "2021-24962" ], "is_exploited": false, "patch_priority": 3, "affected_in": "<= 4.16.2", "fixed_in": "4.16.3", "patched_in_ranges": [ { "from_version": "3.0", "to_version": "3.0.34.1", "fixed_in": "3.0.34.2" } ], "direct_url": "https://patchstack.com/database/vulnerability/wp-file-upload/wordpress-file-upload-plugin-4-16-2-contributor-path-traversal-vulnerability-leading-to-remote-code-execution-rce" } ]}Missing or invalid PSKey header.
API key not authorised for the requested endpoint.
Rate limit exceeded.