Find vulnerabilities for a product

GET
/product/{type}/{name}/{version}

Match a specific product + version against the vulnerability database and return every applicable advisory.

npm package slugs that include a / (e.g. @scope/pkg) conflict with the route separator. URL-encode the / as %2F.

type
required
string
Allowed values: npm plugin theme wordpress
Example
npm

Product ecosystem.

name
required
string
Example
axios

npm package slug or WordPress plugin/theme slug. Use wordpress as the name when type=wordpress.

version
required
string
Example
0.21.4

Concrete version (e.g. 0.21.4) or * to return every advisory for the product.

include
string
Allowed values: details

Pass details to include the full advisory body (advisory_details) per item.

Matched advisories (possibly empty).

object
vulnerabilities
Array<object>

Per-item shape shared across list endpoints when platform=npm.

object
id
required

Stable Patchstack vulnerability id.

integer
Example
46500
title
required

Human-readable title (prefixed with NPM: for npm advisories).

string
Example
NPM: OpenClaw: ...
disclosed_at
required

When the vulnerability was publicly disclosed.

string format: date-time
created_at
required

When the row was inserted into the Patchstack DB. Drives /latest windowing.

string format: date-time
url
required

Public Patchstack vulnerability page (token-tagged).

string format: uri
vuln_type
required

High-level vulnerability category.

string
Example
Other Vulnerability Type
cve
required

First CVE identifier, or empty string when none is assigned.

string
Example
2026-41331
is_exploited
required

Whether exploitation has been observed in the wild.

boolean
patch_priority
required

1 (low) to 3 (high).

integer
>= 1 <= 3
advisory_details

Full advisory body (markdown). Only present when ?include=details was passed.

string
product
required
object
id
required
integer
name
required
string
slug
required
string
cvss
required
object
score
number format: float
nullable
vector
string
nullable
cwe
required
object
id
integer
nullable
name
string
nullable
capec
required
object
id
integer
nullable
name
string
nullable
references
required

External reference URLs (advisories, commits, tags).

Array<string>
ghsa
required

GHSA identifier when the advisory came from the GitHub Advisory Database.

string
version_info
required
object
affected
required

Affected version range (e.g. <= 2026.3.28).

string
fixed
required

First fixed version.

string
patched_ranges
required

Structured list of patch ranges for advisories with multiple patch ranges.

Array<object>
object
from_version
string
to_version
string
fixed_in
string
Example
{
  "id": 46500,
  "title": "NPM: OpenClaw: ...",
  "disclosed_at": "2026-04-03T03:15:56+00:00",
  "created_at": "2026-04-21T08:38:34+00:00",
  "url": "https://patchstack.com/database/npm/npm/openclaw/vulnerability/...",
  "vuln_type": "Other Vulnerability Type",
  "cve": "2026-41331",
  "is_exploited": false,
  "patch_priority": 2,
  "advisory_details": "## Summary\n...",
  "product": {
    "id": 23595,
    "name": "openclaw",
    "slug": "openclaw"
  },
  "cvss": {
    "score": 6.9,
    "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
  },
  "cwe": {
    "id": 770,
    "name": "Allocation of Resources Without Limits or Throttling"
  },
  "capec": {
    "id": null,
    "name": null
  },
  "references": [
    "https://github.com/openclaw/openclaw/security/advisories/GHSA-m6fx-m8hc-572m",
    "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
  ],
  "ghsa": "GHSA-m6fx-m8hc-572m",
  "version_info": {
    "affected": "<= 2026.3.28",
    "fixed": "2026.3.31",
    "patched_ranges": []
  }
}

Missing or invalid PSKey header.

API key not authorised for the requested endpoint.

Invalid parameter combination (e.g. cursor + page), invalid platform, or per_page > 500.

Rate limit exceeded.
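Added example, not part of the original reference or Patchstack's own client code: it builds the request path with the `/` in a scoped npm slug escaped as `%2F`, then orders a response so exploited and high-priority advisories come first. The base URL is a placeholder (the page does not state it), the function names are hypothetical, and the sample payload is constructed and trimmed to the fields used.

```python
from urllib.parse import quote, urlencode

BASE_URL = "https://api.example.invalid"  # placeholder: base URL is not on the page
ALLOWED_TYPES = {"npm", "plugin", "theme", "wordpress"}


def build_product_url(ptype, name, version, details=False):
    """Build /product/{type}/{name}/{version} with '/' inside a segment escaped."""
    if ptype not in ALLOWED_TYPES:
        raise ValueError(f"unsupported type: {ptype!r}")
    if not name or not version:
        raise ValueError("name and version are required")
    # safe="@*" keeps '@' and the '*' wildcard literal; '/' becomes %2F.
    path = "/".join(quote(part, safe="@*") for part in (ptype, name, version))
    query = "?" + urlencode({"include": "details"}) if details else ""
    return f"{BASE_URL}/product/{path}{query}"  # send with the PSKey header


def triage(payload):
    """Sort advisories: exploited first, then patch_priority 3 to 1, then CVSS."""
    def sort_key(v):
        score = (v.get("cvss") or {}).get("score") or 0.0  # score is nullable
        return (not v["is_exploited"], -v["patch_priority"], -score)

    return [
        {
            "id": v["id"],
            "cve": v["cve"] or None,  # empty string means no CVE assigned
            "exploited": v["is_exploited"],
            "priority": v["patch_priority"],
            "fixed": v["version_info"]["fixed"],
        }
        for v in sorted(payload.get("vulnerabilities", []), key=sort_key)
    ]


# Constructed sample response, trimmed to the fields used above.
SAMPLE = {"vulnerabilities": [
    {"id": 46500, "cve": "2026-41331", "is_exploited": False, "patch_priority": 2,
     "cvss": {"score": 6.9}, "version_info": {"fixed": "2026.3.31"}},
    {"id": 1001, "cve": "", "is_exploited": True, "patch_priority": 1,
     "cvss": {"score": None}, "version_info": {"fixed": "1.0.1"}},
    {"id": 1002, "cve": "", "is_exploited": False, "patch_priority": 3,
     "cvss": {"score": 8.1}, "version_info": {"fixed": "2.4.0"}},
]}

if __name__ == "__main__":
    print(build_product_url("npm", "@scope/pkg", "*", details=True))
    for row in triage(SAMPLE):
        print(row)
```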