API v1.5 Parameters Reference

This page provides a comprehensive reference for all query parameters supported by CyberSecFeed API v1.5 endpoints, including advanced sorting, named severity levels, and enterprise batch operations.

Global Parameters

These parameters are supported across multiple endpoints in API v1.5.

include

Controls which enrichment data is included in responses for optimal performance.

Type: String (comma-separated list)
Default: None (only core data, KEV, and EPSS included)
Valid Values: acsc, enrichment, attack

Performance Impact: Including enrichment data may increase response time by 10-30ms but provides comprehensive threat intelligence at the same credit cost.

Examples:

# Include ACSC data
?include=acsc

# Include enrichment framework data
?include=enrichment

# Include MITRE ATT&CK technique mappings
?include=attack

# Include both ACSC and enrichment data
?include=acsc,enrichment

# Include all enrichment types
?include=acsc,enrichment,attack

Supported Endpoints:

  • /api/v1/cve/{id} (GET)
  • /api/v1/cves (GET)
  • /api/v1/cve/batch (POST) - Enterprise batch endpoint

fields

Select specific fields to include in the response to reduce payload size.

Type: String (comma-separated list)
Default: All available fields for the endpoint

Available Fields (v1.5):

  • cve_id - CVE identifier
  • published - Publication date
  • modified - Last modified date
  • severity - Severity level (critical/high/medium/low)
  • status - CVE status
  • kev - KEV catalog status
  • epss - EPSS score and percentile
  • enrichment_status - Enrichment processing status
  • source_tag - Data source information

Examples:

# Get only ID and severity data
?fields=cve_id,severity

# Get essential risk assessment fields (85% payload reduction)
?fields=cve_id,severity,kev,epss

# Get ID, description, and ACSC data (requires include=acsc)
?fields=cve_id,description,acsc&include=acsc

Field Selection Performance: Using field selection can reduce payload size by up to 85%, significantly improving response times and bandwidth usage.

Supported Endpoints:

  • /api/v1/cve/{id} (GET)
  • /api/v1/cves (GET)
  • /api/v1/cve/batch (POST) - Enterprise batch endpoint

limit

Number of results to return per page.

Type: Integer
Range: 1-100
Default: 20

Examples:

# Get 10 results
?limit=10

# Get maximum 100 results
?limit=100

Supported Endpoints:

  • /api/v1/cves
  • /api/v1/kev

after

Cursor for pagination to get the next page of results.

Type: String (opaque cursor value)
Default: None (first page)

Examples:

# Get next page using cursor from previous response
?after=eyJpZCI6IkNWRS0yMDI0LTAwMjAifQ==

Supported Endpoints:

  • /api/v1/cves
  • /api/v1/kev

v1.5 Advanced Sorting Parameters

API v1.5 introduces advanced sorting capabilities with 8 sort options for optimized data retrieval.

sort

Sort results by specified criteria for optimized queries.

Type: String
Default: published_desc (newest first)
Valid Values:

  • severity_desc - Sort by severity (Critical → Low) - Fastest, recommended
  • severity_asc - Sort by severity (Low → Critical)
  • published_desc - Sort by publication date (newest first)
  • published_asc - Sort by publication date (oldest first)
  • modified_desc - Sort by modification date (recently updated first)
  • modified_asc - Sort by modification date (oldest updates first)
  • epss_desc - Sort by EPSS score (highest exploitation probability first)
  • epss_asc - Sort by EPSS score (lowest exploitation probability first)

Performance Characteristics:

| Sort Option | Use Case | Performance | Query Optimization |
|---|---|---|---|
| severity_desc | Critical vulnerability monitoring | Fastest | Primary index |
| published_desc | Recent vulnerability tracking | Fast | Time-based index |
| epss_desc | Exploitation prioritization | Fast | EPSS index |
| modified_desc | Change monitoring | Fast | Modified index |

Examples:

# Get critical vulnerabilities first (fastest query)
?sort=severity_desc

# Get recently published CVEs
?sort=published_desc

# Prioritize by exploitation probability
?sort=epss_desc&severity=critical

# Monitor recent changes
?sort=modified_desc&modified_after=2024-01-01

Supported Endpoints:

  • /api/v1/cves (GET)
  • /api/v1/cve/batch (POST)

v1.5 Enhanced Severity Parameters

API v1.5 introduces named severity levels alongside numeric CVSS scoring.

severity

Filter by named severity levels (v1.5 feature).

Type: String (comma-separated list)
Valid Values: critical, high, medium, low
Default: None (all severity levels)
CVSS Mapping:

  • critical - CVSS 9.0-10.0
  • high - CVSS 7.0-8.9
  • medium - CVSS 4.0-6.9
  • low - CVSS 0.1-3.9

Examples:

# Critical vulnerabilities only
?severity=critical

# High and critical vulnerabilities
?severity=critical,high

# Medium and high severity
?severity=medium,high

# Everything except low severity
?severity=critical,high,medium

Performance Advantage: Named severity filtering is optimized and faster than numeric ranges.

Supported Endpoints:

  • /api/v1/cves (GET)
  • /api/v1/cve/batch (POST)

CVE Search Parameters

These parameters are specific to CVE search endpoints with v1.5 enhancements.

q

Full-text search query across CVE descriptions and metadata.

Type: String
Default: None (no text filtering)

Examples:

# Search for buffer overflow vulnerabilities
?q=buffer+overflow

# Search for specific products
?q=apache+httpd

# Search for attack types
?q=remote+code+execution

ids

Batch lookup of specific CVE IDs.

Type: String (comma-separated list of CVE IDs)
Default: None

Examples:

# Look up specific CVEs
?ids=CVE-2024-0001,CVE-2024-0002,CVE-2024-0003

# Single CVE lookup (alternative to /cve/{id} endpoint)
?ids=CVE-2024-0001

severity_min / severity_max

Filter by CVSS base score range (legacy v1.4 parameters - use severity for better performance).

Type: Float
Range: 0.0-10.0
Default: None (no severity filtering)
Recommendation: Use the v1.5 severity parameter with named levels for better performance.

Examples:

# High and critical severity only
?severity_min=7.0
# v1.5 Equivalent (faster): ?severity=critical,high

# Medium to high severity
?severity_min=4.0&severity_max=8.9
# v1.5 Equivalent (faster): ?severity=medium,high

# Critical severity only
?severity_min=9.0&severity_max=10.0
# v1.5 Equivalent (faster): ?severity=critical
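
The legacy-to-named translation shown in the comments above only holds when the CVSS range lines up with whole bands. The following is an added example, not part of the CyberSecFeed documentation or client code: the function names `to_named_severity` and `migrate` are hypothetical, and it assumes scores carry one decimal place and that no CVE has a score of 0.0.

```python
# Added example. Bands copied from the "CVSS Mapping" list on this page.
BANDS = [("low", 0.1, 3.9), ("medium", 4.0, 6.9),
         ("high", 7.0, 8.9), ("critical", 9.0, 10.0)]

def to_named_severity(severity_min=None, severity_max=None):
    """Translate a legacy CVSS range into a value for `severity=`.

    Returns None when there is no filter to translate or when the range cuts
    through a band (e.g. severity_min=5.0), in which case the legacy
    parameters must stay because no named list selects the same CVEs.
    """
    if severity_min is None and severity_max is None:
        return None
    lo = 0.0 if severity_min is None else float(severity_min)
    hi = 10.0 if severity_max is None else float(severity_max)
    if not 0.0 <= lo <= hi <= 10.0:
        raise ValueError("need 0.0 <= severity_min <= severity_max <= 10.0")
    names = []
    for name, band_lo, band_hi in BANDS:
        if lo <= band_lo and band_hi <= hi:
            names.append(name)            # band lies fully inside the range
        elif band_lo <= hi and lo <= band_hi:
            return None                   # partial overlap: not equivalent
    return ",".join(names) or None        # empty: range fell between bands

def migrate(params):
    """Return a copy of a query dict with legacy bounds replaced when safe."""
    named = to_named_severity(params.get("severity_min"), params.get("severity_max"))
    if named is None or "severity" in params:
        return dict(params)
    out = {k: v for k, v in params.items() if k not in ("severity_min", "severity_max")}
    out["severity"] = named
    return out
```

A range such as `severity_min=7.5` is left untouched, because replacing it with `severity=high` would silently widen a triage filter to include scores 7.0-7.4.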

published_after / published_before

Filter by CVE publication date.

Type: String (ISO 8601 date)
Format: YYYY-MM-DD or YYYY-MM-DDTHH:MM:SSZ
Default: None (no date filtering)

Examples:

# CVEs published in 2024
?published_after=2024-01-01&published_before=2024-12-31

# CVEs published in the last 30 days (set published_after to the date 30 days before today)
?published_after=2024-01-01

# CVEs published before a specific date
?published_before=2024-06-01

modified_after / modified_before

Filter by CVE last modified date.

Type: String (ISO 8601 date)
Format: YYYY-MM-DD or YYYY-MM-DDTHH:MM:SSZ
Default: None (no modification date filtering)

Examples:

# Recently updated CVEs
?modified_after=2024-01-20

# CVEs modified in a specific time range
?modified_after=2024-01-01&modified_before=2024-01-31

kev

Filter by Known Exploited Vulnerabilities status.

Type: Boolean
Valid Values: true, false
Default: None (include both KEV and non-KEV)

Examples:

# Only CVEs in the KEV catalog
?kev=true

# Only CVEs NOT in the KEV catalog
?kev=false

has_acsc

Filter CVEs by ACSC notice presence for efficient discovery.

Type: Boolean
Valid Values: true, false
Default: None (include all CVEs)
Efficiency Benefit: Server-side filtering for targeted ACSC intelligence

Examples:

# Get only CVEs with ACSC notices
?has_acsc=true

# Combine with severity filtering for high-priority ACSC alerts
?has_acsc=true&severity=critical&include=acsc

# Recent ACSC activity monitoring
?has_acsc=true&published_after=2024-01-01&include=acsc

Best Practice: Use has_acsc=true when you specifically need ACSC-related CVEs, then add include=acsc to get the actual notice details.

Supported Endpoints:

  • /api/v1/cves (GET)
  • /api/v1/cves/recent (GET)

epss_min / epss_max

Filter by EPSS (Exploit Prediction Scoring System) score range.

Type: Float
Range: 0.0-1.0
Default: None (no EPSS filtering)

Examples:

# High exploitation probability
?epss_min=0.8

# Low to medium exploitation probability
?epss_min=0.1&epss_max=0.5

# Very high exploitation probability
?epss_min=0.95

vendor

Filter CVEs by vendor tags from enrichment data. Requires include=enrichment for /api/v1/cves endpoint.

Type: String
Default: None (all vendors) for /api/v1/cves, nvd for /api/v1/cve/{id}/detail
Valid Values:

  • All plans: nvd, mitre
  • Enterprise only: cisco, flashpoint, and other vendor-specific feeds

Examples:

For CVE Search (/api/v1/cves):

# NVD-enriched CVEs (available to all plans)
?vendor=nvd&include=enrichment

# MITRE-enriched CVEs
?vendor=mitre&include=enrichment

# Examples of vendor-specific feeds (Enterprise plan only)
?vendor=cisco&include=enrichment
?vendor=microsoft&include=enrichment
?vendor=redhat&include=enrichment
?vendor=vmware&include=enrichment

For CVE Detail (/api/v1/cve/{id}/detail):

# Default NVD detailed data
GET /api/v1/cve/CVE-2024-0001/detail

# MITRE detailed data
GET /api/v1/cve/CVE-2024-0001/detail?vendor=mitre

# Vendor-specific detailed data (Enterprise)
GET /api/v1/cve/CVE-2024-0001/detail?vendor=cisco
GET /api/v1/cve/CVE-2024-0001/detail?vendor=flashpoint

Note: Enterprise customers can access custom vendor feeds based on their subscription. Available vendors vary by Enterprise agreement and may include Cisco, Microsoft, Red Hat, VMware, Oracle, IBM, Adobe, Flashpoint, and many others. Contact sales for available vendor feeds.

Supported Endpoints:

  • /api/v1/cves (requires include=enrichment)
  • /api/v1/cve/{id}/detail (standalone parameter)

attack_vector

Filter CVEs by CVSS attack vector. Requires include=enrichment.

Type: String
Valid Values: network, adjacent, local, physical (or N, A, L, P)
Default: None (all attack vectors)

Examples:

# Network-exploitable vulnerabilities
?attack_vector=network&include=enrichment

# Local privilege escalation vulnerabilities
?attack_vector=local&include=enrichment

exploit (Enhanced in v1.5)

Filter CVEs by exploit availability with enhanced detection capabilities.

Type: Boolean
Valid Values: true, false
Default: None (include both)
v1.5 Enhancement: No longer requires include=enrichment - exploit detection is now built-in.

Detection Sources:

  • CISA KEV catalog
  • Enrichment framework analysis
  • Public exploit databases
  • Proof-of-concept availability

Examples:

# Only CVEs with confirmed exploits (v1.5 enhanced detection)
?exploit=true

# CVEs without known exploits
?exploit=false

# High-priority exploit targets
?exploit=true&severity=critical&sort=epss_desc

patched

Filter CVEs by patch availability. Requires include=enrichment.

Type: Boolean
Valid Values: true, false
Default: None (include both)

Examples:

# Only patched CVEs
?patched=true&include=enrichment

# Only unpatched CVEs
?patched=false&include=enrichment

Enterprise Batch Endpoint Parameters (v1.5)

The POST /api/v1/cve/batch endpoint supports these parameters in the request body.

cve_ids (Required)

Array of CVE IDs to retrieve in batch.

Type: Array of strings
Range: 1-50 CVE IDs per request
Format: CVE-YYYY-NNNN+

Example:

{
  "cve_ids": ["CVE-2024-0001", "CVE-2024-0002", "CVE-2021-44228"]
}

fields (Optional)

Array of fields to include in response for payload optimization.

Type: Array of strings
Default: All available fields

Example:

{
  "cve_ids": ["CVE-2024-0001"],
  "fields": ["cve_id", "severity", "kev", "epss"]
}

include (Optional)

Array of enrichment data types to include.

Type: Array of strings
Valid Values: ["enrichment", "acsc", "attack"]

Example:

{
  "cve_ids": ["CVE-2024-0001"],
  "include": ["enrichment", "attack"]
}

Enterprise Batch Performance

  • Cost: 35 credits (flat rate for 1-50 CVEs)
  • Savings: 86% vs individual calls (250 credits for 50 CVEs)
  • Response Time: Single request vs 50 HTTP round trips
  • Features: Field selection, enrichment, comprehensive threat intelligence
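
A vulnerability-management job usually holds more than 50 IDs, so it has to split them into batch bodies and decide when batching actually pays off. The following is an added example, not CyberSecFeed client code: `plan_batches` and `credit_cost` are hypothetical helpers, and the 5-credit price per individual call is an assumption derived from the "250 credits for 50 CVEs" figure above.

```python
import re

# Added example. Limits and prices are the figures quoted on this page.
CVE_ID = re.compile(r"CVE-[0-9]{4}-[0-9]{4,}")   # CVE-YYYY-NNNN+
BATCH_MAX = 50          # 1-50 CVE IDs per request
BATCH_CREDITS = 35      # flat rate per batch request
SINGLE_CREDITS = 5      # assumption: 250 credits / 50 individual calls

def plan_batches(cve_ids, fields=None, include=None):
    """Validate, de-duplicate and split IDs into POST /api/v1/cve/batch bodies."""
    clean, seen = [], set()
    for raw in cve_ids:
        cid = raw.strip().upper()
        if not CVE_ID.fullmatch(cid):
            raise ValueError(f"not a CVE ID: {raw!r}")
        if cid not in seen:              # a duplicate would waste a slot
            seen.add(cid)
            clean.append(cid)
    bodies = []
    for start in range(0, len(clean), BATCH_MAX):
        body = {"cve_ids": clean[start:start + BATCH_MAX]}
        if fields:
            body["fields"] = list(fields)
        if include:
            body["include"] = list(include)
        bodies.append(body)
    return bodies

def credit_cost(n_ids):
    """Credits for n_ids lookups via batch requests vs. one GET per CVE."""
    batches = -(-n_ids // BATCH_MAX)     # ceiling division
    return {"batch": batches * BATCH_CREDITS, "individual": n_ids * SINGLE_CREDITS}

# Constructed sample: 120 IDs plus one lower-case duplicate.
SAMPLE_IDS = [f"CVE-2024-{n:04d}" for n in range(1, 121)] + ["cve-2024-0001"]
```

Under the assumed per-call price, the flat batch rate only wins from 8 IDs upward; for 6 IDs, individual calls cost 30 credits against 35.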

KEV Search Parameters

These parameters are specific to the /api/v1/kev endpoint.

vendor

Filter KEV entries by vendor name.

Type: String
Default: None (all vendors)

Examples:

# Microsoft products only
?vendor=Microsoft

# Adobe products only
?vendor=Adobe

product

Filter KEV entries by product name.

Type: String
Default: None (all products)

Examples:

# Windows-related vulnerabilities
?product=Windows

# Apache HTTP Server vulnerabilities
?product=HTTP+Server

ransomware

Filter KEV entries by ransomware association.

Type: Boolean
Valid Values: true, false
Default: None (include both ransomware and non-ransomware)

Examples:

# Only vulnerabilities used by ransomware
?ransomware=true

# Only vulnerabilities NOT used by ransomware
?ransomware=false

Parameter Combinations

v1.5 parameters can be combined for precise filtering with optimal performance:

High-Risk Vulnerability Search (v1.5 Optimized)

# Critical CVEs with confirmed exploits and high EPSS scores
GET /api/v1/cves?severity=critical&exploit=true&epss_min=0.8&sort=severity_desc&limit=20

# Enterprise batch version (86% cost savings)
POST /api/v1/cve/batch
{
  "cve_ids": ["CVE-2024-0001", "CVE-2024-0002", ...],
  "fields": ["cve_id", "severity", "kev", "epss"],
  "include": ["enrichment"]
}

Product-Specific Intelligence (v1.5)

# Recent Microsoft vulnerabilities with optimized sorting
GET /api/v1/cves?q=Microsoft&published_after=2024-01-01&severity=critical,high&sort=published_desc&limit=50

Exploitation Monitoring (v1.5 Enhanced)

# Recently disclosed exploits with threat intelligence
GET /api/v1/cves?exploit=true&published_after=2024-01-01&sort=epss_desc&include=enrichment,attack

Performance-Optimized Queries (v1.5)

# Fast critical vulnerability monitoring
GET /api/v1/cves?severity=critical&sort=severity_desc&fields=cve_id,severity,kev,epss&limit=10

# Bandwidth-optimized threat intelligence
GET /api/v1/cves?severity=critical,high&exploit=true&fields=cve_id,severity,epss&include=attack&limit=20

Enterprise Batch Examples (v1.5)

# Ultra-fast batch processing (35 credits vs 250); two fields give a 90% payload reduction
POST /api/v1/cve/batch
{
  "cve_ids": [/* 50 CVE IDs */],
  "fields": ["cve_id", "severity"]
}

# Comprehensive threat intelligence batch (full intelligence)
POST /api/v1/cve/batch
{
  "cve_ids": [/* CVE IDs */],
  "include": ["enrichment", "attack", "acsc"]
}

Regional Threat Monitoring (v1.5)

# ACSC-relevant vulnerabilities with named severity
GET /api/v1/cves?severity=medium,high,critical&include=acsc&sort=severity_desc&limit=20

Ransomware Intelligence

# All ransomware-associated KEV entries
GET /api/v1/kev?ransomware=true&limit=100

URL Encoding

Remember to URL-encode special characters in parameter values:

| Character | Encoded |
|---|---|
| Space | + or %20 |
| Comma | %2C |
| Ampersand | %26 |
| Plus | %2B |

Examples:

# Search for "remote code execution"
?q=remote+code+execution
# or
?q=remote%20code%20execution

# Multiple CVE IDs
?ids=CVE-2024-0001%2CCVE-2024-0002

v1.5 Performance Optimization

Advanced Performance Strategies

  1. Use severity over severity_min/max - Named severity levels are faster (optimized indexes)
  2. Use sort=severity_desc - Fastest query performance for critical vulnerability monitoring
  3. Leverage field selection - Reduce payload by up to 85% with targeted fields
  4. Enterprise batch operations - 86% cost savings for bulk CVE analysis
  5. Exploit filtering optimization - Built-in exploit detection without include=enrichment
  6. Smart sorting - Choose sort options based on use case for optimal performance

Performance Impact Matrix (v1.5)

| Configuration | Query Performance | Payload Size | Credits | Efficiency |
|---|---|---|---|---|
| Named severity + field select | Fastest | 85% ↓ | Same | Maximum |
| Default query | Standard | Baseline | Same | Good |
| Enterprise batch (50 CVEs) | Single request | Bulk opt | 35 | 86% savings |
| Legacy severity_min/max | Slower | Full | Same | Moderate |

# ✅ v1.5 Optimized - fastest performance
?severity=critical&sort=severity_desc&fields=cve_id,severity,kev

# ❌ Legacy v1.4 - slower performance
?severity_min=9.0&severity_max=10.0

# ✅ Enterprise batch - maximum efficiency
POST /api/v1/cve/batch with field selection

# ❌ Individual calls - forgo the 86% batch savings
Multiple GET /api/v1/cve/{id} calls

Error Handling

Invalid parameter values will return a 400 Bad Request response:

{
  "error": {
    "code": "INVALID_PARAMETER",
    "message": "Invalid value for parameter 'severity_min': must be between 0.0 and 10.0",
    "parameter": "severity_min",
    "value": "15.0"
  }
}

Common parameter validation errors (v1.5):

  • severity: Must be one of: critical, high, medium, low
  • sort: Must be valid sort option (8 available options)
  • severity_min/max: Must be 0.0-10.0 (legacy parameters)
  • epss_min/max: Must be 0.0-1.0
  • limit: Must be 1-100
  • published_after/before: Must be valid ISO 8601 date
  • exploit/kev/ransomware: Must be true or false
  • include: Must be valid enrichment type(s)
  • cve_ids (batch): Must be 1-50 valid CVE IDs in CVE-YYYY-NNNN+ format
  • fields (batch): Must be valid field names from available field list
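
The validation rules above, together with the URL Encoding section, can be enforced client-side so that a scheduled monitoring query fails loudly before it is sent rather than returning a 400. This is an added example, not CyberSecFeed client code: `validate` and `build_query` are hypothetical names, and the check covers only the GET query parameters listed above.

```python
from datetime import datetime
from urllib.parse import urlencode

RANGES = {"severity_min": (0.0, 10.0), "severity_max": (0.0, 10.0),
          "epss_min": (0.0, 1.0), "epss_max": (0.0, 1.0), "limit": (1, 100)}
CHOICES = {"severity": {"critical", "high", "medium", "low"},
           "include": {"acsc", "enrichment", "attack"},
           "sort": {f"{key}_{order}" for order in ("asc", "desc")
                    for key in ("severity", "published", "modified", "epss")}}
BOOLS = {"exploit", "kev", "ransomware"}
DATES = {"published_after", "published_before"}

def _is_date(text):
    for fmt in ("%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return bool(datetime.strptime(text, fmt))
        except ValueError:
            pass
    return False

def validate(params):
    """Added example: [(parameter, problem)] using the rules listed on this page."""
    errors = []
    for name, value in params.items():
        text = str(value)
        if name in RANGES:
            lo, hi = RANGES[name]
            try:
                ok = lo <= (int(text) if name == "limit" else float(text)) <= hi
            except ValueError:
                ok = False
            if not ok:
                errors.append((name, f"must be between {lo} and {hi}"))
        elif name in CHOICES:
            values = [text] if name == "sort" else text.split(",")
            bad = sorted(set(values) - CHOICES[name])
            if bad:
                errors.append((name, f"unsupported value(s): {', '.join(bad)}"))
        elif name in BOOLS and text not in ("true", "false"):
            errors.append((name, "must be true or false"))
        elif name in DATES and not _is_date(text):
            errors.append((name, "must be a valid ISO 8601 date"))
    return errors

def build_query(params):
    """Validate, then URL-encode (space -> '+', comma -> %2C)."""
    if problems := validate(params):
        raise ValueError(problems)
    return "?" + urlencode(params)
```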