Free CVE API
A free, no-key API for CVE data that leads with the fix. Every record carries the exact fixed versions and advisories per affected product, plus CVSS, EPSS, and CISA KEV status, with machine-readable source and license provenance.
Quick start
No key or sign-up required. The base URL is https://tridentstack.com/api/v1. Responses are JSON.
curl https://tridentstack.com/api/v1/cve/CVE-2024-3094
Full machine-readable contract: OpenAPI 3.1 spec.
Endpoints
dataSources lists only the sources that contributed to that record.
database_specific.
q, severity, kev, fix, epss_min, and year; sort by published, epss, cvss, cve, fix, or kev. Paginate with limit (max 100) and the nextCursor from each response.
{ "ids": ["CVE-2024-3094", ...] }; get back the full records found plus a notFound list.
?after=CVE-XXXX. Pair it with the delta feed to stay in sync.
cve_id,modified delta feed for the whole catalog, so you can diff against your last sync and re-fetch only what changed.
# Actively-exploited CVEs that have an available fix, highest EPSS first
curl "https://tridentstack.com/api/v1/cve?kev=true&fix=true&sort=epss&limit=20"
Example response
An abbreviated GET /api/v1/cve/{id} response:
{
  "cveId": "CVE-2024-3094",
  "severity": "CRITICAL",
  "cvss": { "version": "3.1", "baseScore": 10.0, "severity": "CRITICAL" },
  "epss": { "score": 0.94, "percentile": 0.99 },
  "kev": { "dateAdded": "2024-03-29", "dueDate": "2024-04-05", "ransomware": false },
  "remediation": {
    "available": true,
    "products": [
      {
        "ecosystem": "debian", "product": "xz-utils",
        "atoms": [
          {
            "fixedVersion": "5.6.1+really5.4.5-1",
            "advisoryId": "DSA-5649-1",
            "sourceUrl": "https://security-tracker.debian.org/tracker/CVE-2024-3094",
            "source": "Debian Security Tracker",
            "license": "Open data (factual records)"
          }
        ]
      }
    ]
  },
  "dataSources": [
    { "name": "NVD (National Vulnerability Database)", "license": "Public domain (U.S. Government work)" },
    { "name": "CISA Known Exploited Vulnerabilities", "license": "Public domain (CC0)" },
    { "name": "Debian Security Tracker", "license": "Open data (factual records)" }
  ],
  "_links": { "self": "/api/v1/cve/CVE-2024-3094", "html": "https://tridentstack.com/cve/CVE-2024-3094" }
}
Rate limits
The API is rate-limited per IP. Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset. When you exceed the limit you get a 429 with a Retry-After header. CVE data changes slowly, so cache responses where you can. For bulk needs, a daily bulk download is on the roadmap.
Attribution & licensing
The API is free to use. Each record is built from public and openly-licensed sources, and every remediation entry carries its own source and license so you can honor the terms of each. If you redistribute the data, preserve those per-record attributions. A full breakdown of every source and its license is on the about & data sources page.
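Added example (not part of the original page and not TridentStack's code): turning records shaped like the example response above into a patch worklist in which every fix row keeps its source and license, as the attribution terms ask. The `worklist` and `priority` names, the row keys, the KEV-then-EPSS ordering and the `CVE-0000-0000` record are assumptions made for illustration, as is the handling of null or missing `kev`, `epss` and `remediation` fields.

```python
import json

# Constructed sample: the second record is trimmed from the example response
# on this page; the first is invented (placeholder ID) to exercise null fields.
SAMPLE = json.loads("""
[{"cveId": "CVE-0000-0000", "epss": {"score": 0.02}, "kev": null,
  "remediation": {"available": false, "products": []}},
 {"cveId": "CVE-2024-3094", "epss": {"score": 0.94},
  "kev": {"dateAdded": "2024-03-29", "dueDate": "2024-04-05"},
  "remediation": {"available": true, "products": [
    {"ecosystem": "debian", "product": "xz-utils", "atoms": [
      {"fixedVersion": "5.6.1+really5.4.5-1", "advisoryId": "DSA-5649-1",
       "sourceUrl": "https://security-tracker.debian.org/tracker/CVE-2024-3094",
       "source": "Debian Security Tracker",
       "license": "Open data (factual records)"}]}]}}]
""")


def priority(record):
    """Sort key: KEV-listed records first, then highest EPSS score."""
    epss = (record.get("epss") or {}).get("score", 0.0)
    return (0 if record.get("kev") else 1, -epss)


def worklist(records):
    """Flatten records into one row per (CVE, product, fix atom).

    Assumption: kev, epss and remediation may be null or absent; the page
    only shows a record where all three are present.
    """
    rows = []
    for rec in sorted(records, key=priority):
        rem = rec.get("remediation") or {}
        base = {"cve": rec["cveId"], "kev_due": (rec.get("kev") or {}).get("dueDate")}
        atoms = [(p, a) for p in rem.get("products", []) for a in p.get("atoms", [])]
        if not rem.get("available") or not atoms:
            # Keep CVEs without a listed fix visible instead of dropping them.
            rows.append({**base, "action": "no-fix-listed"})
            continue
        for prod, atom in atoms:
            rows.append({**base, "action": "upgrade",
                         "ecosystem": prod["ecosystem"], "product": prod["product"],
                         "fixed_version": atom["fixedVersion"],
                         "advisory": atom.get("advisoryId"),
                         # Attribution stays on the row for redistribution.
                         "source": atom.get("source"), "license": atom.get("license"),
                         "source_url": atom.get("sourceUrl")})
    return rows
```

Rows marked `no-fix-listed` stay in the output so a CVE without a published fix still reaches whoever decides on a compensating control.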
The same remediation data powers TridentStack Control, which automates patching, vulnerability detection, and compliance across your fleet.