Vulnerability Snapshot Downloads

Download FOSSA's full vulnerability dataset as a gzipped JSON export via a single authenticated API request.

2 min readUpdated Jul 9, 2026

Overview

FOSSA publishes its full vulnerability dataset as a downloadable snapshot. A single authenticated GET request returns a pre-signed AWS S3 URL; following that URL downloads a gzipped tarball of the complete dataset in JSON format. The snapshot is updated daily.

Note

You need a Vulnerability Service API token ID and token secret to authenticate. See Vulnerability Service API Token Provisioning for how to obtain them.

Downloading the vulnerability snapshot

  1. 1

    Request a pre-signed download URL

    Make a GET request to the snapshot endpoint:

    GET https://vulns.fossa.com/api/vulns/snapshot
    Authorization: token <tokenId>:<tokenSecret>

    On success, the response body is:

    JSON
    { "url": "string" }

    On failure, the response includes an error description and a UUID. If you cannot resolve the issue, contact support@fossa.com and include the error UUID.

  2. 2

    Download the snapshot

    Make a GET request to the url value returned in the previous step. The file is a gzipped tarball containing the full vulnerability dataset as an array of JSON objects.

Snapshot schema

Each object in the array conforms to this schema:

FieldDescription
fetcherPackage type of the affected package (e.g. mvn, deb, npm)
packageName of the affected package
cveCVE identifier, or null if the vulnerability has no CVE
cwesCWEs associated with the vulnerability, or null if unavailable
cvssV2VectorCVSS v2 enum vector
cvssV3VectorCVSS v3 enum vector
cvssV4VectorCVSS v4 enum vector
cvssFOSSA-computed severity score, or null if unavailable
affectedVersionRangesVersion ranges affected by this vulnerability
descriptionLong-form explanation of the vulnerability, or null if unavailable
epssSscoreEPSS score, likelihood of exploitation in the wild (higher = more predictable, less sophisticated exploit)
epssPercentileEPSS percentile rank relative to all other vulnerabilities in the dataset
exploitabilityExploit maturity, sourced from the CISA Known Exploits catalog
publishedDate the vulnerability was published (ISO datetime string)
referencesLinks to external references such as disclosures, writeups, and post-mortems
createdAtWhen FOSSA first created this vulnerability entry (ISO datetime string)
updatedAtWhen FOSSA last updated this vulnerability entry (ISO datetime string)

IP allowlist for on-premises deployments

If your on-premises installation is behind a firewall, allowlist the following to reach the snapshot service and its file storage:

  • vulns.fossa.com
  • AWS S3, us-west-2 region
© 2026 FOSSA, Inc.support@fossa.com