Authentication to the Empirical API begins with a client ID and a client secret. Your organization can create as many ID/secret pairs as needed.
A client ID and secret pair needs to be exchanged for a JWT from our auth provider. The exchange process is a POST to https://empiricalsecurity.fusionauth.io/oauth2/token, authenticated with HTTP Basic auth. Provide the client ID as the username and the client secret as the password. The POST request will need to include two values:
grant_type=client_credentials
scope=target-entity:0c6d5dcc-8bf0-4cd1-bd65-066ef0422369
The response to the POST request will be a JSON object and the JWT will be stored in the access_token key.
Empirical API requests should include an Authorization header with a value of Bearer <JWT>.
Your issued JWT is valid for one hour. A new JWT will need to be retrieved, using the same process, when the expiration time passes. The exp claim in the JWT contains the exact expiration time for the token.
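The exchange and renewal described above, as an added example that is not Empirical's own client code: it builds the client-credentials POST and re-fetches the JWT shortly before its exp claim passes. The names build_token_request, jwt_exp, TokenCache, the 60-second REFRESH_MARGIN and the constructed sample token are assumptions made for illustration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://empiricalsecurity.fusionauth.io/oauth2/token"
SCOPE = "target-entity:0c6d5dcc-8bf0-4cd1-bd65-066ef0422369"
REFRESH_MARGIN = 60  # assumption: renew this many seconds before exp


def build_token_request(client_id, client_secret):
    """Build (without sending) the POST that trades ID/secret for a JWT."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": SCOPE}
    ).encode()
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def fetch_live(client_id, client_secret):
    """Send the request. Load the secret from the environment or a secrets
    manager rather than from source code."""
    req = build_token_request(client_id, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def jwt_exp(token):
    """Read the exp claim from the JWT payload. The signature is not checked:
    the client only uses exp to schedule renewal, the API validates the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("JWT has no numeric exp claim")
    return int(exp)


class TokenCache:
    """Hands out the Authorization header, renewing the JWT near expiry."""

    def __init__(self, fetch, clock=time.time):
        self._fetch = fetch  # callable returning the token endpoint's JSON
        self._clock = clock
        self._token = None
        self._exp = 0

    def bearer(self):
        if self._token is None or self._clock() >= self._exp - REFRESH_MARGIN:
            self._token = self._fetch()["access_token"]
            self._exp = jwt_exp(self._token)
        return {"Authorization": f"Bearer {self._token}"}


def make_constructed_jwt(exp):
    """Constructed, unsigned sample token used only for the offline demo."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.constructed"


if __name__ == "__main__":
    cache = TokenCache(
        lambda: {"access_token": make_constructed_jwt(int(time.time()) + 3600)}
    )
    print(cache.bearer()["Authorization"][:20] + "...")
```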
, go to Settings, and click "API Clients".
Choose an alias name and click "Create API Client".
Copy and save your Client Credentials.


Welcome to the Empirical Security API. APIs are at the core of what we do, and they are the primary and foundational way we communicate the insights our models generate to our customers.
Empirical.Models.Global is our global model, as well as the underlying data that is used in the generation of that model. The outcome is a real-time probability of exploitation, and the model uses the world's largest repository of exploitation activity on vulnerabilities as the outcome measure. We have data about over 16,000 actively exploited CVEs.
is enterprise support for our public (and free) model, EPSS. More information as well as the free API can be found on www.first.org/EPSS. Here, we provide hourly updates and support for legacy EPSS models.
Lastly, we build Locals models that are specific to enterprises. Reach out if you'd like to learn more: .
users can skip ahead to see the data dictionary for that product. We're no longer onboarding new users to EIS.
Search queries are submitted using Empirical's search syntax.
Learn about how our API handles and returns errors
Our API uses conventional HTTP response codes to indicate the success or failure of API requests. In general:
Codes in the 2xx range indicate success
Codes in the 4xx range indicate requests that failed given the information provided
Codes in the 5xx range indicate errors with our servers
All error responses follow a consistent format:
code - A string identifier that indicates the specific type of error that occurred
message - A human-readable message providing more details about the error
internal_server_error
Indicates an unexpected error occurred on our servers
not_found
The requested resource could not be found
parameter_missing
A required parameter was not provided
invalid_token
The provided authentication token is invalid
missing_token
No authentication token was provided
{
  "error": {
    "code": "error_code_string",
    "message": "A human-readable message describing the error"
  }
}
Status: 401 Unauthorized
{
  "error": {
    "code": "invalid_token",
    "message": "The provided authentication token is invalid"
  }
}
Status: 404 Not Found
{
  "error": {
    "code": "not_found",
    "message": "Couldn't find User with 'id'=123"
  }
}
Status: 500 Internal Server Error
{
  "error": {
    "code": "internal_server_error",
    "message": "An unexpected error occurred"
  }
}
The Empirical API allows you to search for CVEs using a standardized syntax.
Search queries are built from search terms, separated by spaces. Search terms are built from a key and a value, joined with a colon.
When used with the Search API the querystring portion must be URL-encoded. For example, cURL users can specify -G --data-urlencode "q=score:>90" as part of their command to correctly encode and append the search query.
The results of a search query are those CVEs that match all terms in the query. In other words, terms are combined using AND.
recently_updated
past_day Return CVEs which Empirical has updated in the past 24 hours.
past_week Return CVEs which Empirical has updated in the past 7 days.
past_month Return CVEs which Empirical has updated in the past 1 month.
malware
true Return CVEs for which Empirical has associated malware hashes.
score
Search against a CVE's current score. If you are an Empirical.Models.Global customer, the current global score will be used. If you are an Empirical.Models.EPSS customer, the current EPSS score will be used. In both situations, scores from the latest version of the model will be used.
Syntax for specifying score constraints (all scores are specified on a 0-100 scale and may contain decimals):
>N
>=N
<N
<=N
[N M] Alias for score:>=N score:<=M
If multiple score terms are given for a constraint, the final term is used. For example, score:>80 score:>60 is equivalent to score:>60.
published_at
Search against a CVE's publication date.
Syntax for specifying publication date constraints (should be in the format YYYY-MM-DD):
>N
>=N
<N
<=N
[N M] Alias for published_at:>=N published_at:<=M
If multiple published_at terms are given for a constraint, the final term is used. For example, published_at:>2025-01-01 published_at:>2025-02-01 is equivalent to published_at:>2025-02-01.
exp_activity
Alias for exploitation_activity
exploitation_activity
One of the following values:
true Return CVEs for which Empirical has observed exploitation activity at any time.
cisa_kev Return CVEs that appear in the CISA Known Exploited Vulnerabilities list.
0-7 Return CVEs for which Empirical has observed exploitation activity 0 to 7 days ago.
last_7_days Alias for 0-7.
8-30 Return CVEs for which Empirical has observed exploitation activity 8 to 30 days ago.
31-90 Return CVEs for which Empirical has observed exploitation activity 31 to 90 days ago.
91-365 Return CVEs for which Empirical has observed exploitation activity 91 to 365 days ago.
366+ Return CVEs for which Empirical has observed exploitation activity over 365 days ago.
vendor
The name of the software vendor responsible for the affected software. Spaces in vendor names should be replaced with underscores, for example: trend_micro
product
The name of the affected software product. Spaces in product names should be replaced with underscores, for example: airflow_hive_provider
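A client-side pre-flight for the search syntax above, added here as an example and not taken from Empirical's code: it reduces a query to the terms that actually take effect (aliases expanded, the final score or published_at term winning), so a later term that silently loosens a filter is visible before the request is sent, and then URL-encodes the result for the q parameter. It assumes that "a constraint" means one operator (>, >=, <, <=) per key; effective_terms and search_querystring are hypothetical names.

```python
import re
from datetime import date
from urllib.parse import quote, urlencode

TERM = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")  # key:value, or key:[N M]
BOUND = re.compile(r"(>=|<=|>|<)(.+)")
RANGED = {"score", "published_at"}
KEY_ALIASES = {"exp_activity": "exploitation_activity"}
VALUE_ALIASES = {("exploitation_activity", "last_7_days"): "0-7"}


def _checked(key, raw):
    """Validate one bound value against the documented format."""
    if key == "score":
        if not 0 <= float(raw) <= 100:  # float() raises ValueError on junk
            raise ValueError(f"score {raw} is outside the 0-100 scale")
    elif not re.fullmatch(r"\d{4}-\d{2}-\d{2}", raw):
        raise ValueError(f"published_at {raw} is not YYYY-MM-DD")
    else:
        date.fromisoformat(raw)  # rejects impossible dates such as 2025-02-30
    return raw


def effective_terms(query):
    """Return the terms a query reduces to, in first-seen order."""
    leftover = TERM.sub(" ", query).strip()
    if leftover:
        raise ValueError(f"not a key:value term: {leftover!r}")
    terms = {}  # insertion-ordered; re-assigning a key keeps its position
    for key, value in TERM.findall(query):
        key = KEY_ALIASES.get(key, key)
        value = VALUE_ALIASES.get((key, value), value)
        if key not in RANGED:
            terms[(key, value)] = f"{key}:{value}"  # plain terms are ANDed
            continue
        if value.startswith("["):
            pair = value[1:-1].split()
            if len(pair) != 2:
                raise ValueError(f"{key} range needs two values: {value}")
            bounds = [(">=", pair[0]), ("<=", pair[1])]  # [N M] alias
        else:
            match = BOUND.fullmatch(value)
            if not match:
                raise ValueError(f"{key} needs >, >=, <, <= or [N M]: {value}")
            bounds = [match.groups()]
        for op, raw in bounds:
            # Assumption: one slot per (key, operator); the final term wins.
            terms[(key, op)] = f"{key}:{op}{_checked(key, raw)}"
    return list(terms.values())


def search_querystring(query):
    """URL-encode the effective query for the q parameter."""
    return urlencode({"q": " ".join(effective_terms(query))}, quote_via=quote)


if __name__ == "__main__":
    q = "score:>80 vendor:trend_micro exp_activity:last_7_days score:>60"
    print(effective_terms(q))
    print(search_querystring(q))
```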
Data Dictionary
The Empirical.Models.EPSS API provides real-time updates and an accurate view of exploit likelihood through the Exploit Prediction Scoring System (EPSS). Users have access to EPSS scores updated hourly, support for legacy versions of EPSS (v3) as well as the newest version.
sources See below for examples
scope string (ex. "Changed")
confidentiality string (ex. "High")
integrity string (ex. "High")
availability string (ex. "High")
category_name
category_id string (ex. "CWE-963")
{
"identifier": "CVE-2023-49103",
"description": "An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.",
"reserved_at": "2023-11-21T06:00:00.000Z",
"published_at": "2023-11-21T06:00:00.000Z",
"cvss": [
{
"version": "3.1",
"score": 10.0,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Changed",
"confidentiality": "High",
"integrity": "High",
"availability": "High"
},
"sources": [
"mitre"
]
}
],
"cwes": [
{
"identifier": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"category_name": "SFP Secondary Cluster: Exposed Data",
"category_id": "CWE-963"
}
],
"scores": {
"epss_v4": {
"score": 0.9091291982186883,
"percentile": 0.996181146025878,
"computed_at": "2025-03-16 18:46:04 UTC"
},
"epss_v3": {
"score": 0.92099,
"percentile": 0.99238,
"computed_at": "2025-03-16 15:46:16 UTC"
},
"global": {
"score": 0.9713943314711305,
"percentile": 0.9998484036161284,
"computed_at": "2025-03-16 07:27:24 UTC"
}
},
"platforms": [
{
"product": "product",
"vendor": "vendor"
}
]
}
Data Dictionary
The Empirical.Models.Global API provides comprehensive, real-time security insights across a vast range of global vulnerabilities and threats. Designed for enterprise security teams, this API enables users to access critical data on known vulnerabilities and exploits, as well as exploitation probabilities, empowering organizations to make faster, data-driven decisions to protect their assets.
With predictive scoring powered by machine learning, the API offers an accurate view of exploit likelihood through the Exploit Prediction Scoring System (EPSS). Users have access to historical and near-real time data about CVE details, CPE information, exploits, and historical exploitation data—giving a granular understanding of vulnerability risk and the data provenance to have confidence in the decisions the API enables.
keywords string (ex. ["information disclosure", "web"])
outcome string (ex. ["credential disclosure", "web"])
prerequisite string (ex. ["URL is accessed"])
stride string (ex. ["tampering", "denial of service"])
weakness string (ex. ["reveals the configuration details of the PHP environment"])
91_to_365 boolean Any exploitation activity in last year (365 days) excluding the last 90
alltime boolean Any exploitation activity beyond 1 year (365 days)
mod_date datetime (ex. "2023-12-04T20:09:56.000Z")
exploit_type string (ex. "webapps")
sources See below for examples
scope string (ex. "Changed")
confidentiality string (ex. "High")
integrity string (ex. "High")
availability string (ex. "High")
category_name
category_id string (ex. "CWE-963")
{
"identifier": "CVE-2023-49103",
"description": "An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo).",
"cvss": [
{
"version": "3.1",
"score": 10.0,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Changed",
"confidentiality": "High",
"integrity": "High",
"availability": "High"
},
"sources": [
"[email protected]",
"mitre"
]
},
{
"version": "3.1",
"score": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Unchanged",
"confidentiality": "High",
"integrity": "None",
"availability": "None"
},
"sources": [
"[email protected]"
]
}
],
"references": [
"https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/",
"https://owncloud.org/security"
],
"has_exploitation_activity": true,
"exploitation_activity": {
"0_to_7_days": true,
"8_to_30_days": true,
"31_to_90_days": true,
"91_to_365_days": true,
"alltime": true
},
"tags": {
"actor": [],
"actor_action": [],
"attack_vector": [],
"component": [
"mail server credentials",
"license key",
"ownCloud admin password"
],
"keywords": [
"information disclosure",
"web",
"configuration"
],
"outcome": [
"credential disclosure",
"gather information"
],
"prerequisite": [
"URL is accessed"
],
"stride": [
"tampering",
"information disclosure",
"denial of service"
],
"weakness": [
"reveals the configuration details of the PHP environment",
"exposes various other potentially sensitive configuration details"
]
},
"cwes": [
{
"identifier": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"category_name": "SFP Secondary Cluster: Exposed Data",
"category_id": "CWE-963"
}
],
"reserved_at": "2023-11-21T00:00:00.000Z",
"published_at": "2023-11-21T00:00:00.000Z",
"last_updated_at": "2025-01-27T22:24:27.772Z",
"cisa_kev_added_at": "2023-11-30T00:00:00.000Z",
"shodan_vulnerability_count": null,
"google_project_zero": {
"present": false,
"patched_at": null
},
"exploits": {
"metasploit": [
{
"name": "ownCloud Phpinfo Reader",
"fullname": "auxiliary/gather/owncloud_phpinfo_reader",
"description": "Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app `graph` installed\n contain a test file which prints `phpinfo()` to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter.\n Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.",
"disclosure_date": "2023-11-21",
"mod_time": "2023-12-04T20:09:56.000Z"
}
],
"exploitdb": [],
"github": [
{
"repo": "d0rb/CVE-2023-49103",
"prediction": 0.8660581707954407,
"predicted_at": "2025-03-10T16:40:29.000Z",
"repo_created_at": "2025-03-10T20:11:29.004Z"
}
]
},
"hackerone_reports_submitted": 4,
"scores": {
"epss_v4": {
"score": 0.9091291982186883,
"percentile": 0.996181146025878,
"computed_at": "2025-03-16 18:46:04 UTC"
},
"epss_v3": {
"score": 0.92099,
"percentile": 0.99238,
"computed_at": "2025-03-16 15:46:16 UTC"
},
"global": {
"score": 0.9713943314711305,
"percentile": 0.9998484036161284,
"computed_at": "2025-03-16 07:27:24 UTC"
}
}
}
cve_id
string
The CVE identifier as assigned in the Mitre CVE List.
Format: CVE-YYYY-XXXX
mitre.published
string
The date when Mitre published the CVE on their CVEList
date
mitre.modified
string
The date when this CVE was last modified by Mitre
date
mitre.reserved
string
The date when Mitre reserved the CVE on their CVEList. This date is not entirely trustworthy before 2022.
date
nvd.published
string
The date when NVD published the CVE
nvd.modified
string
The date when NVD last modified this CVE
description
string
CVE Description
cwe
string, null
Common weakness enumeration - CWE
tags.keywords
array of strings
normalized tags extracted from text descriptions of this CVE
tags.outcome
array of strings
extracted and descriptive text that represent an outcome of exploitations
tags.actor_action
array of strings
extracted and descriptive text that represent the actions an attacker may take during exploitations
tags.actor
array of strings
extracted and descriptive text that represent the attacker and any qualifications
tags.weakness
array of strings
extracted and descriptive text that represent the weakness in the target
tags.prerequisite
array of strings
extracted and descriptive text that represent any prerequisite in the defenders environment that must exist prior to exploitation
tags.attack_vector
array of strings
extracted and descriptive text that represent the delivery of an exploitation (pdf file, crafted HTML, etc)
tags.stride
array of strings
STRIDE values derived from vulnerability attributes
references.description
string
description/classification of the url
references.url
string
URL reference
platform.part
string ["h","o","a"]
type of platform, (h)ardware, (o)perating system or (a)pplication
platform.vendor
string
vulnerable vendor for this CVE
platform.product
string
vulnerable product from associated vendor
epss.version
string
version of EPSS generating this score
epss.score
number
The EPSS score, probability of exploitation
epss.percentile
number
the ranked percentile of this score among all scored CVEs
cvss.v2.version
cvss.v2.vector_string
cvss.v2.exploitability_score
cvss.v2.impact_score
cvss.v2.base_score
cvss.v3.version
cvss.v3.vector_string
cvss.v3.exploitability_score
cvss.v3.impact_score
cvss.v3.base_score
exploits.github.repo
github repo: https://github.com/
exploits.github.prediction
number
likelihood the repository contains an exploit
ML Model
exploits.github.repo_created
string
date time the repo was first created
exploits.github.file_added
string
if a file exists specifically mentioning this CVE, this is the date and time file was created
exploits.github.status
string
typically only if the repo has been removed
exploits.metasploit.name
string
short name of the module
exploits.metasploit.fullname
string
exploits.metasploit.description
string
text description from the module
exploits.metasploit.disclosure_date
date the module was first published
exploits.metasploit.mod_time
string
last modification date/time for the module
exploits.exploitdb.url
string
url to exploit db page
exploits.exploitdb.date
exploits.exploitdb.author
exploits.exploitdb.platform
exploits.exploitdb.type
offsec.src
string
tool/software where CVE mapping was identified
offsec.added
string
when cve was added to tool/software
offsec.modified
string
when cve component was last modified
apts.name
string
Group name associated with this vulnerability
apts.akas.aka
string
Alias for the group name
apts.akas.aka_source
string
Source of the group name alias
Execute a search query. This query uses Empirical's search syntax and the query portion should be URL-encoded. For example, cURL users can specify -G --data-urlencode "q=score:>90" as part of their command to correctly encode and append the search query.
The query to execute, using Empirical search syntax
score:>90 vendor:microsoft exp_activity:true
The key of the scoring model to use for the search (e.g., epss_v4, global, etc.)
JSON is the default response type. If JSON Lines is preferable, set this header to application/jsonl.
application/jsonl
successful
successful
Retrieve a list of saved search queries belonging to your organization. Provides queries that are marked as shared and not private.
successful
successful
Executes the specified saved query and returns the search results.
The saved query id for the query to be executed
Pmdas85LycyVZxP1
The key of the scoring model to use for the search (e.g., epss_v4, global, etc.)
JSON is the default response type. If JSON Lines is preferable, set this header to application/jsonl.
application/jsonl
successful
successful
Provides the most up-to-date data about a CVE.
The identifier of the CVE to return, in the format CVE-YYYY-######
CVE-2023-49103
successful
successful
Retrieve the entire score history for the CVE. Supported scoring_model values are global, epss_v3, epss_v4 and all. Note that EPSS customers cannot request global scores.
The identifier of the CVE to return, in the format CVE-YYYY-######
CVE-2023-49103
The scoring model to retrieve historical scores for.
epss_v4
successful
bad request
forbidden
Provides the entire change history of a CVE.
The identifier of the CVE to return, in the format CVE-YYYY-######
CVE-2023-49103
JSON is the default response type. If JSON Lines is preferable, set this header to application/jsonl.
application/jsonl
successful
successful
Provides a redirect which should be followed to obtain the latest CVE data file. The data is returned as a gzipped jsonl (JSON Lines) formatted file containing data for all CVEs we have in our system. If a file is unavailable a 202 Accepted is returned while the file is generated, and this endpoint should be periodically polled. If/when a file is available a 302 Found is issued with a redirect location to fetch the file.
accepted
redirect
No content
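The polling flow above together with the documented error envelope, as an added example that is not Empirical's code: it polls while the API answers 202, follows the 302 by hand so the bearer token is sent only to the API host, then streams the gzipped JSON Lines file and ranks CVEs. The two transport callables, the placeholder URLs and the constructed sample records are assumptions, as is the idea that file records have the same shape as the CVE objects shown on this page.

```python
import gzip
import io
import json
import time


class ApiError(Exception):
    """Carries code/message from the {"error": {...}} response body."""

    def __init__(self, status, body):
        try:
            err = json.loads(body)["error"]
            self.code, self.message = err["code"], err["message"]
        except (ValueError, KeyError, TypeError):
            self.code = "unparsed"
            self.message = body[:200].decode("utf-8", "replace")
        self.status = status
        super().__init__(f"{status} {self.code}: {self.message}")


def fetch_data_file(api_get, raw_get, url, token, wait=30, attempts=20,
                    sleep=time.sleep):
    """api_get(url, headers) -> (status, headers, body bytes) and must NOT
    follow redirects itself; raw_get(url) -> bytes, sent without credentials."""
    for _ in range(attempts):
        status, headers, body = api_get(url, {"Authorization": f"Bearer {token}"})
        if status == 302:
            location = headers.get("Location")
            if not location:
                raise ApiError(status, body)
            return raw_get(location)  # the JWT is not forwarded to this host
        if status != 202:
            raise ApiError(status, body)
        sleep(wait)  # file is still being generated
    raise TimeoutError("data file still not ready")


def iter_cves(gz_bytes):
    """Stream records from the gzipped JSON Lines file, one CVE per line."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                yield json.loads(line)


def triage(gz_bytes, model="epss_v4", min_score=0.9):
    """Keep CVEs exploited in the last 7 days or scored at/above min_score.
    Response scores are probabilities (0-1), unlike the 0-100 search scale."""
    hits = []
    for cve in iter_cves(gz_bytes):
        score = ((cve.get("scores") or {}).get(model) or {}).get("score")
        recent = bool((cve.get("exploitation_activity") or {}).get("0_to_7_days"))
        if recent or (score is not None and score >= min_score):
            hits.append((cve["identifier"], score, recent))
    return sorted(hits, key=lambda h: (not h[2], -(h[1] or 0)))


# Constructed sample records (identifiers are not real CVEs).
SAMPLE = [
    {"identifier": "CVE-0000-0001", "scores": {"epss_v4": {"score": 0.95}},
     "exploitation_activity": {"0_to_7_days": False}},
    {"identifier": "CVE-0000-0002", "scores": {"epss_v4": {"score": 0.02}},
     "exploitation_activity": {"0_to_7_days": True}},
    {"identifier": "CVE-0000-0003", "scores": {"epss_v4": {"score": 0.10}},
     "exploitation_activity": {"0_to_7_days": False}},
]
SAMPLE_GZ = gzip.compress("\n".join(json.dumps(r) for r in SAMPLE).encode())


def demo():
    """Offline run: two 202 replies, then a 302 to a placeholder location."""
    file_url = "https://files.example.invalid/cves.jsonl.gz"  # placeholder
    replies = [(202, {}, b""), (202, {}, b""), (302, {"Location": file_url}, b"")]
    calls = []

    def api_get(url, headers):
        calls.append(url)
        return replies[len(calls) - 1]

    blob = fetch_data_file(api_get, lambda u: SAMPLE_GZ,
                           "https://api.example.invalid/DATA_FILE_ENDPOINT",
                           "constructed.jwt.value", sleep=lambda s: None)
    return len(calls), triage(blob)


if __name__ == "__main__":
    print(demo())
```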
Provides all malware hashes associated with the given CVE identifier
The identifier of the CVE to return, in the format CVE-YYYY-######
CVE-2023-49103
JSON is the default response type. If JSON Lines is preferable, set this header to application/jsonl.
application/jsonl
successful
successful
GET /api/search HTTP/1.1
Host: app.empiricalsecurity.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
[
{
"identifier": "CVE-2023-49103",
"description": "An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo).",
"cvss": [
{
"version": "3.1",
"score": 10,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Changed",
"confidentiality": "High",
"integrity": "High",
"availability": "High"
},
"sources": [
"[email protected]",
"mitre"
]
},
{
"version": "3.1",
"score": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Unchanged",
"confidentiality": "High",
"integrity": "None",
"availability": "None"
},
"sources": [
"[email protected]"
]
}
],
"references": [
"https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/",
"https://owncloud.org/security"
],
"has_exploitation_activity": true,
"exploitation_activity": {
"0_to_7_days": true,
"8_to_30_days": true,
"31_to_90_days": true,
"91_to_365_days": true,
"alltime": true
},
"tags": {
"actor": [],
"actor_action": [],
"attack_vector": [],
"component": [
"mail server credentials",
"license key",
"ownCloud admin password"
],
"keywords": [
"information disclosure",
"web",
"configuration"
],
"outcome": [
"credential disclosure",
"gather information"
],
"prerequisite": [
"URL is accessed"
],
"stride": [
"tampering",
"information disclosure",
"denial of service"
],
"weakness": [
"reveals the configuration details of the PHP environment",
"exposes various other potentially sensitive configuration details"
]
},
"cwes": [
{
"identifier": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"category_name": "SFP Secondary Cluster: Exposed Data",
"category_id": "CWE-963"
}
],
"reserved_at": "2023-11-21T00:00:00.000Z",
"published_at": "2023-11-21T00:00:00.000Z",
"last_updated_at": "2025-01-27T22:24:27.772Z",
"cisa_kev_added_at": "2023-11-30T00:00:00.000Z",
"shodan_vulnerability_count": null,
"google_project_zero": {
"present": false,
"patched_at": null
},
"exploits": {
"metasploit": [
{
"name": "ownCloud Phpinfo Reader",
"fullname": "auxiliary/gather/owncloud_phpinfo_reader",
"description": "Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app `graph` installed\n contain a test file which prints `phpinfo()` to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter.\n Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.",
"disclosure_date": "2023-11-21",
"mod_time": "2023-12-04T20:09:56.000Z",
"url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/gather/owncloud_phpinfo_reader.rb"
}
],
"exploitdb": [],
"github": [
{
"repo": "d0rb/CVE-2023-49103",
"prediction": 0.8660581707954407,
"predicted_at": "2025-03-10T16:40:29.000Z",
"repo_created_at": "2025-03-10T20:11:29.004Z",
"url": "https://github.com/d0rb/CVE-2023-49103"
}
]
},
"hackerone_reports_submitted": 4,
"scores": {
"global": {
"score": 0.9713943314711305,
"percentile": 0.9998484036161284,
"computed_at": "2025-03-16T07:27:24.000Z"
},
"epss_v3": {
"score": 0.92099,
"percentile": 0.99238,
"computed_at": "2025-03-16T15:46:16.000Z"
},
"epss_v4": {
"score": 0.9091291982186883,
"percentile": 0.996181146025878,
"computed_at": "2025-03-16T18:47:04.000Z"
}
},
"platforms": [
{
"product": "product",
"vendor": "vendor"
}
],
"most_recent_exploitation_activity_date": "2025-07-20",
"exploitation_activity_source_count": 1,
"replacement_cve": null
}
]
GET /api/saved_queries HTTP/1.1
Host: app.empiricalsecurity.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{
"saved_queries": [
{
"name": "saved query",
"id": "Pmdas85LycyVZxP1",
"url": "https://app.empiricalsecurity.com/api/saved_queries/Pmdas85LycyVZxP1",
"query_string": "score:>90"
}
]
}
GET /api/saved_queries/{id} HTTP/1.1
Host: app.empiricalsecurity.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
[
{
"identifier": "CVE-2023-49103",
"description": "An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo).",
"cvss": [
{
"version": "3.1",
"score": 10,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Changed",
"confidentiality": "High",
"integrity": "High",
"availability": "High"
},
"sources": [
"[email protected]",
"mitre"
]
},
{
"version": "3.1",
"score": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Unchanged",
"confidentiality": "High",
"integrity": "None",
"availability": "None"
},
"sources": [
"[email protected]"
]
}
],
"references": [
"https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/",
"https://owncloud.org/security"
],
"has_exploitation_activity": true,
"exploitation_activity": {
"0_to_7_days": true,
"8_to_30_days": true,
"31_to_90_days": true,
"91_to_365_days": true,
"alltime": true
},
"tags": {
"actor": [],
"actor_action": [],
"attack_vector": [],
"component": [
"mail server credentials",
"license key",
"ownCloud admin password"
],
"keywords": [
"information disclosure",
"web",
"configuration"
],
"outcome": [
"credential disclosure",
"gather information"
],
"prerequisite": [
"URL is accessed"
],
"stride": [
"tampering",
"information disclosure",
"denial of service"
],
"weakness": [
"reveals the configuration details of the PHP environment",
"exposes various other potentially sensitive configuration details"
]
},
"cwes": [
{
"identifier": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"category_name": "SFP Secondary Cluster: Exposed Data",
"category_id": "CWE-963"
}
],
"reserved_at": "2023-11-21T00:00:00.000Z",
"published_at": "2023-11-21T00:00:00.000Z",
"last_updated_at": "2025-01-27T22:24:27.772Z",
"cisa_kev_added_at": "2023-11-30T00:00:00.000Z",
"shodan_vulnerability_count": null,
"google_project_zero": {
"present": false,
"patched_at": null
},
"exploits": {
"metasploit": [
{
"name": "ownCloud Phpinfo Reader",
"fullname": "auxiliary/gather/owncloud_phpinfo_reader",
"description": "Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app `graph` installed\n contain a test file which prints `phpinfo()` to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter.\n Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.",
"disclosure_date": "2023-11-21",
"mod_time": "2023-12-04T20:09:56.000Z",
"url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/gather/owncloud_phpinfo_reader.rb"
}
],
"exploitdb": [],
"github": [
{
"repo": "d0rb/CVE-2023-49103",
"prediction": 0.8660581707954407,
"predicted_at": "2025-03-10T16:40:29.000Z",
"repo_created_at": "2025-03-10T20:11:29.004Z",
"url": "https://github.com/d0rb/CVE-2023-49103"
}
]
},
"hackerone_reports_submitted": 4,
"scores": {
"global": {
"score": 0.9713943314711305,
"percentile": 0.9998484036161284,
"computed_at": "2025-03-16T07:27:24.000Z"
},
"epss_v3": {
"score": 0.92099,
"percentile": 0.99238,
"computed_at": "2025-03-16T15:46:16.000Z"
},
"epss_v4": {
"score": 0.9091291982186883,
"percentile": 0.996181146025878,
"computed_at": "2025-03-16T18:47:04.000Z"
}
},
"platforms": [
{
"product": "product",
"vendor": "vendor"
}
],
"most_recent_exploitation_activity_date": "2025-07-20",
"exploitation_activity_source_count": 1,
"replacement_cve": null
}
]
GET /api/cves/{cve_id} HTTP/1.1
Host: app.empiricalsecurity.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{
"identifier": "CVE-2023-49103",
"description": "An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo).",
"cvss": [
{
"version": "3.1",
"score": 10,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Changed",
"confidentiality": "High",
"integrity": "High",
"availability": "High"
},
"sources": [
"[email protected]",
"mitre"
]
},
{
"version": "3.1",
"score": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Unchanged",
"confidentiality": "High",
"integrity": "None",
"availability": "None"
},
"sources": [
"[email protected]"
]
}
],
"references": [
"https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/",
"https://owncloud.org/security"
],
"has_exploitation_activity": true,
"exploitation_activity": {
"0_to_7_days": true,
"8_to_30_days": true,
"31_to_90_days": true,
"91_to_365_days": true,
"alltime": true
},
"tags": {
"actor": [],
"actor_action": [],
"attack_vector": [],
"component": [
"mail server credentials",
"license key",
"ownCloud admin password"
],
"keywords": [
"information disclosure",
"web",
"configuration"
],
"outcome": [
"credential disclosure",
"gather information"
],
"prerequisite": [
"URL is accessed"
],
"stride": [
"tampering",
"information disclosure",
"denial of service"
],
"weakness": [
"reveals the configuration details of the PHP environment",
"exposes various other potentially sensitive configuration details"
]
},
"cwes": [
{
"identifier": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"category_name": "SFP Secondary Cluster: Exposed Data",
"category_id": "CWE-963"
}
],
"reserved_at": "2023-11-21T00:00:00.000Z",
"published_at": "2023-11-21T00:00:00.000Z",
"last_updated_at": "2025-01-27T22:24:27.772Z",
"cisa_kev_added_at": "2023-11-30T00:00:00.000Z",
"shodan_vulnerability_count": null,
"google_project_zero": {
"present": false,
"patched_at": null
},
"exploits": {
"metasploit": [
{
"name": "ownCloud Phpinfo Reader",
"fullname": "auxiliary/gather/owncloud_phpinfo_reader",
"description": "Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app `graph` installed\n contain a test file which prints `phpinfo()` to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter.\n Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.",
"disclosure_date": "2023-11-21",
"mod_time": "2023-12-04T20:09:56.000Z",
"url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/gather/owncloud_phpinfo_reader.rb"
}
],
"exploitdb": [],
"github": [
{
"repo": "d0rb/CVE-2023-49103",
"prediction": 0.8660581707954407,
"predicted_at": "2025-03-10T16:40:29.000Z",
"repo_created_at": "2025-03-10T20:11:29.004Z",
"url": "https://github.com/d0rb/CVE-2023-49103"
}
]
},
"hackerone_reports_submitted": 4,
"scores": {
"global": {
"score": 0.9713943314711305,
"percentile": 0.9998484036161284,
"computed_at": "2025-03-16T07:27:24.000Z"
},
"epss_v3": {
"score": 0.92099,
"percentile": 0.99238,
"computed_at": "2025-03-16T15:46:16.000Z"
},
"epss_v4": {
"score": 0.9091291982186883,
"percentile": 0.996181146025878,
"computed_at": "2025-03-16T18:47:04.000Z"
}
},
"platforms": [
{
"product": "product",
"vendor": "vendor"
}
],
"most_recent_exploitation_activity_date": "2025-07-20",
"exploitation_activity_source_count": 1,
"replacement_cve": null
}

GET /api/cves/{cve_id}/score_history?scoring_model=text HTTP/1.1
Host: app.empiricalsecurity.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
"identifier": "CVE-2023-49103",
"scores": {
"epss_v4": [
{
"percentile": 0.996181146025878,
"score": 0.9091291982186883,
"computed_at": "2025-03-16T18:47:04.000Z"
},
{
"percentile": 0.966181146025878,
"score": 0.8991291982186883,
"computed_at": "2025-03-16T18:46:04.000Z"
}
]
}
}

GET /api/cves/{cve_id}/history HTTP/1.1
Host: app.empiricalsecurity.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

[
{
"data": {
"identifier": "CVE-2023-49103",
"description": "An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo).",
"cvss": [
{
"version": "3.1",
"score": 10,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Changed",
"confidentiality": "High",
"integrity": "High",
"availability": "High"
},
"sources": [
"[email protected]",
"mitre"
]
},
{
"version": "3.1",
"score": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Unchanged",
"confidentiality": "High",
"integrity": "None",
"availability": "None"
},
"sources": [
"[email protected]"
]
}
],
"references": [
"https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/",
"https://owncloud.org/security"
],
"has_exploitation_activity": true,
"exploitation_activity": {
"0_to_7_days": true,
"8_to_30_days": true,
"31_to_90_days": true,
"91_to_365_days": true,
"alltime": true
},
"tags": {
"actor": [],
"actor_action": [],
"attack_vector": [],
"component": [
"mail server credentials",
"license key",
"ownCloud admin password"
],
"keywords": [
"information disclosure",
"web",
"configuration"
],
"outcome": [
"credential disclosure",
"gather information"
],
"prerequisite": [
"URL is accessed"
],
"stride": [
"tampering",
"information disclosure",
"denial of service"
],
"weakness": [
"reveals the configuration details of the PHP environment",
"exposes various other potentially sensitive configuration details"
]
},
"cwes": [
{
"identifier": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"category_name": "SFP Secondary Cluster: Exposed Data",
"category_id": "CWE-963"
}
],
"reserved_at": "2023-11-21T00:00:00.000Z",
"published_at": "2023-11-21T00:00:00.000Z",
"last_updated_at": "2025-01-27T22:24:27.772Z",
"cisa_kev_added_at": "2023-11-30T00:00:00.000Z",
"shodan_vulnerability_count": null,
"google_project_zero": {
"present": false,
"patched_at": null
},
"exploits": {
"metasploit": [
{
"name": "ownCloud Phpinfo Reader",
"fullname": "auxiliary/gather/owncloud_phpinfo_reader",
"description": "Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app `graph` installed\n contain a test file which prints `phpinfo()` to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter.\n Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.",
"disclosure_date": "2023-11-21",
"mod_time": "2023-12-04T20:09:56.000Z",
"url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/gather/owncloud_phpinfo_reader.rb"
}
],
"exploitdb": [],
"github": [
{
"repo": "d0rb/CVE-2023-49103",
"prediction": 0.8660581707954407,
"predicted_at": "2025-03-10T16:40:29.000Z",
"repo_created_at": "2025-03-10T20:11:29.004Z",
"url": "https://github.com/d0rb/CVE-2023-49103"
}
]
},
"hackerone_reports_submitted": 4,
"scores": {
"global": {
"score": 0.9713943314711305,
"percentile": 0.9998484036161284,
"computed_at": "2025-03-16T07:27:24.000Z"
},
"epss_v3": {
"score": 0.92099,
"percentile": 0.99238,
"computed_at": "2025-03-16T15:46:16.000Z"
},
"epss_v4": {
"score": 0.9091291982186883,
"percentile": 0.996181146025878,
"computed_at": "2025-03-16T18:47:04.000Z"
}
},
"platforms": [
{
"product": "product",
"vendor": "vendor"
}
],
"most_recent_exploitation_activity_date": "2025-07-20",
"exploitation_activity_source_count": 1,
"replacement_cve": null
},
"diff": {
"cvss": {
"old": [
{
"version": "3.1",
"score": 10,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Changed",
"confidentiality": "High",
"integrity": "High",
"availability": "High"
},
"sources": [
"[email protected]",
"mitre"
]
}
],
"new": [
{
"version": "3.1",
"score": 10,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Changed",
"confidentiality": "High",
"integrity": "High",
"availability": "High"
},
"sources": [
"[email protected]",
"mitre"
]
},
{
"version": "3.1",
"score": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"metrics": {
"attack_vector": "Network",
"attack_complexity": "Low",
"privileges_required": "None",
"user_interaction": "None",
"scope": "Unchanged",
"confidentiality": "High",
"integrity": "None",
"availability": "None"
},
"sources": [
"[email protected]"
]
}
]
},
"scores": {
"old": {
"global": {
"score": 0.9137943314711305,
"percentile": 0.9798484036161283,
"computed_at": "2025-03-16T07:27:24.000Z"
},
"epss_v3": {
"score": 0.90299,
"percentile": 0.92938,
"computed_at": "2025-03-16T15:46:16.000Z"
},
"epss_v4": {
"score": 0.8991291982186883,
"percentile": 0.966181146025878,
"computed_at": "2025-03-16T18:46:04.000Z"
}
},
"new": {
"global": {
"score": 0.9713943314711305,
"percentile": 0.9998484036161284,
"computed_at": "2025-03-16T07:27:24.000Z"
},
"epss_v3": {
"score": 0.92099,
"percentile": 0.99238,
"computed_at": "2025-03-16T15:46:16.000Z"
},
"epss_v4": {
"score": 0.9091291982186883,
"percentile": 0.996181146025878,
"computed_at": "2025-03-16T18:47:04.000Z"
}
}
}
},
"generated_at": "2025-04-02T21:20:15.366Z"
}
]

GET /api/cves/all HTTP/1.1
Host: app.empiricalsecurity.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
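
Each entry in the `/api/cves/{cve_id}/history` response shown earlier carries a `diff` object with `old` and `new` values for the fields that changed. The following is an added example, not Empirical's own code, that reports per-model score movement and added or removed CVSS vectors for one entry; the `summarize_entry` name, the `min_delta` threshold and the trimmed sample are assumptions.

```python
# Constructed sample: one /history entry cut down to the keys used here,
# with values copied from the sample response in this documentation.
V10 = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
V75 = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
SAMPLE_HISTORY = [{
    "data": {"identifier": "CVE-2023-49103"},
    "diff": {
        "cvss": {"old": [{"score": 10, "vector": V10}],
                 "new": [{"score": 10, "vector": V10},
                         {"score": 7.5, "vector": V75}]},
        "scores": {
            "old": {"global": {"score": 0.9137943314711305},
                    "epss_v4": {"score": 0.8991291982186883}},
            "new": {"global": {"score": 0.9713943314711305},
                    "epss_v4": {"score": 0.9091291982186883}},
        },
    },
    "generated_at": "2025-04-02T21:20:15.366Z",
}]


def summarize_entry(entry, min_delta=0.005):
    """Return score movements and CVSS vector changes for one history entry."""
    diff = entry.get("diff") or {}
    scores = diff.get("scores") or {}
    old, new = scores.get("old") or {}, scores.get("new") or {}
    moves = {}
    for model in sorted(set(old) | set(new)):
        before = (old.get(model) or {}).get("score")
        after = (new.get(model) or {}).get("score")
        # A model present on only one side is always reported, with delta None.
        delta = None if before is None or after is None else round(after - before, 6)
        if delta is None or abs(delta) >= min_delta:
            moves[model] = {"old": before, "new": after, "delta": delta}
    cvss = diff.get("cvss") or {}
    old_vecs = {c.get("vector") for c in cvss.get("old") or []}
    new_vecs = {c.get("vector") for c in cvss.get("new") or []}
    return {
        "cve": (entry.get("data") or {}).get("identifier"),
        "generated_at": entry.get("generated_at"),
        "score_moves": moves,
        "cvss_added": sorted(new_vecs - old_vecs),
        "cvss_removed": sorted(old_vecs - new_vecs),
    }


if __name__ == "__main__":
    for entry in SAMPLE_HISTORY:
        print(summarize_entry(entry))
```
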

GET /api/cves/{cve_id}/malware HTTP/1.1
Host: app.empiricalsecurity.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

[
{
"md5": "161bc25962da8fed6d2f59922fb642aa",
"sha1": "6e71b3cac15d32fe2d36c270887df9479c25c640",
"sha256": "12998c017066eb0d2a70b94e6ed3192985855ce390f321bbdb832022888bd251"
},
{
"md5": "09edade86566ee60e5cdd8c0edbc2b5a",
"sha1": "35b03d1adda20ff42f78b2aaebd106c847f97a81",
"sha256": "354cacb2d2c45cb28af92ca348ea3a2236ecc48c81c78e0924bf46bd68d9c407"
}
]