Request CVE Coverage Information

The API Reference information for retrieving CVE Coverage information can be found here.

Overview

The Threat Vault API can be used to request CVE Coverage information. The examples below show the request and the response for each coverage status.

Keep a few things in mind when formatting your API query:

  1. All query strings in GET requests must be URL-encoded parameter strings. If a value contains a space, replace the space with either a plus sign (+) or %20.
  2. You can specify the content type of the request body and response by specifying the Content-Type header. Some responses generate an HTTP response in addition to a JSON object.
  3. Do not embed API keys in code or application source tree files. This can inadvertently expose the API key. Instead, consider storing the API key in environment variables or in files that are excluded from your application source tree.

Example 1: Request information about a CVE ID that is covered by existing signatures:

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats/cve-coverage?cve_id=CVE-2021-1647'

A successful API call returns, within the contents section, status="success" along with the matching CVE results. In this example, the CVE entries for CVE-2021-1647 have matching Threat Vault (antivirus and vulnerability) signatures. Matches are indicated by the entry "cve_status": "cve_covered".

{
  "success": true,
  "link": {
    "next": null,
    "previous": null
  },
  "count": 6,
  "data": {
    "cve_id": "CVE-2021-1647",
    "cve_status": "cve_covered",
    "nvd_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-1647",
    "antivirus": [
      {
        "name": "Virus/Win32.CVE-2021-1647.a",
        "severity": "medium",
        "type": "0",
        "subtype": "virus",
        "description": "This signature detected Virus/Win32.CVE-2021-1647.a",
        "action": "",
        "id": "396564186",
        "create_time": "2021-01-11T12:00:48-08:00",
        "status": "active",
        "related_sha256_hashes": [
          "2084858ba68c50881ce80605202febdcd8bd9d62f652f5ee9f9a0809f4b44956"
        ],
        "release": {
          "antivirus": {
            "first_release_version": "5136",
            "first_release_time": "2025-03-27T11:18:26Z",
            "last_release_version": "5171",
            "last_release_time": "2025-05-01T11:00:08Z",
            "in_current_release": true
          },
          "wildfire": {
            "first_release_version": "964108",
            "first_release_time": "2025-03-26T15:17:09Z",
            "last_release_version": "974539",
            "last_release_time": "2025-05-01T21:02:07Z",
            "in_current_release": true
          }
        }
      },
      {
        "name": "Virus/Win32.CVE-2021-1647.b",
        "severity": "medium",
        "type": "0",
        "subtype": "virus",
        "description": "This signature detected Virus/Win32.CVE-2021-1647.b",
        "action": "",
        "id": "396564189",
        "create_time": "2021-01-11T12:00:48-08:00",
        "status": "active",
        "related_sha256_hashes": [
          "1a1a24d7923f33bb564d25cf7b60310563fccc18f25269f5a9b0fe4555224ea7"
        ],
        "release": {
          "antivirus": {
            "first_release_version": "5136",
            "first_release_time": "2025-03-27T11:18:26Z",
            "last_release_version": "5171",
            "last_release_time": "2025-05-01T11:00:08Z",
            "in_current_release": true
          },
          "wildfire": {
            "first_release_version": "964108",
            "first_release_time": "2025-03-26T15:17:09Z",
            "last_release_version": "974539",
            "last_release_time": "2025-05-01T21:02:07Z",
            "in_current_release": true
          }
        }
      },
      {
        "name": "Virus/Win32.CVE-2021-1647.c",
        "severity": "medium",
        "type": "0",
        "subtype": "virus",
        "description": "This signature detected Virus/Win32.CVE-2021-1647.c",
        "action": "",
        "id": "396564192",
        "create_time": "2021-01-11T12:00:48-08:00",
        "status": "active",
        "related_sha256_hashes": [
          "32023fcbebfab76ae2a5c268677232b470c0af16a17fc2014df02411c1247519"
        ],
        "release": {
          "antivirus": {
            "first_release_version": "5136",
            "first_release_time": "2025-03-27T11:18:26Z",
            "last_release_version": "5171",
            "last_release_time": "2025-05-01T11:00:08Z",
            "in_current_release": true
          },
          "wildfire": {
            "first_release_version": "964108",
            "first_release_time": "2025-03-26T15:17:09Z",
            "last_release_version": "974539",
            "last_release_time": "2025-05-01T21:02:07Z",
            "in_current_release": true
          }
        }
      },
      {
        "name": "Virus/Win32.CVE-2021-1647.d",
        "severity": "medium",
        "type": "0",
        "subtype": "virus",
        "description": "This signature detected Virus/Win32.CVE-2021-1647.d",
        "action": "",
        "id": "396564195",
        "create_time": "2021-01-11T12:00:48-08:00",
        "status": "active",
        "related_sha256_hashes": [
          "e43bc1b90f9cfd22ce909dd02fa9fd909f567046ec139659f8159bdff9c21485"
        ],
        "release": {}
      },
      {
        "name": "Exploit/Win32.cve-2021-1647.e",
        "severity": "medium",
        "type": "0",
        "subtype": "virus",
        "description": "This signature detected Exploit/Win32.cve-2021-1647.e",
        "action": "",
        "id": "483585665",
        "create_time": "2022-04-24T05:17:53-07:00",
        "status": "active",
        "related_sha256_hashes": [
          "6e1e9fa0334d8f1f5d0e3a160ba65441f0656d1f1c99f8a9f1ae4b1b1bf7d788",
          "638c14f53ca39c9572bee12adc1c11194b84e6abaa08b0ff30977aa56ec9ba6b"
        ],
        "release": {
          "antivirus": {
            "first_release_version": "4108",
            "first_release_time": "2022-06-09 11:01:14",
            "last_release_version": "4999",
            "last_release_time": "2024-11-11T17:47:34Z",
            "in_current_release": false
          },
          "wildfire": {
            "first_release_version": "671962",
            "first_release_time": "2022-06-13 10:27:22",
            "last_release_version": "918566",
            "last_release_time": "2024-10-19T08:57:16Z",
            "in_current_release": false
          }
        }
      }
    ],
    "vulnerability": [
      {
        "id": "90207",
        "name": "Microsoft Windows Defender Remote Code Execution Vulnerability",
        "description": "Microsoft Windows Defender is prone to a remote code execution vulnerability while parsing certain crafted PE files. The vulnerability is due to the lack of proper checks on PE files, leading to an exploitable remote code execution vulnerability. An attacker could exploit the vulnerability by sending a crafted PE file. A successful attack could lead to code execution with the privileges of the currently logged-in user.",
        "category": "code-execution",
        "min_version": "8.1.0",
        "max_version": "",
        "severity": "high",
        "default_action": "reset-both",
        "cve": [
          "CVE-2021-1647"
        ],
        "vendor": [],
        "reference": [
          "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-1647"
        ],
        "status": "released",
        "details": {
          "change_data": "new coverage"
        },
        "ori_release_version": "8364",
        "latest_release_version": "8364",
        "ori_release_time": "2021-01-12T10:40:13Z",
        "latest_release_time": "2021-01-12T10:40:13Z"
      }
    ]
  },
  "message": "Successful"
}

Example 2: Request information about a CVE ID that is a work-in-progress:

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats/cve-coverage?cve_id=CVE-2025-23120'

A successful API call returns, within the Contents section, status="success" along with the matching CVE results. In this example, the CVE entry for CVE-2025-23120 indicates a matching CVE result. While there are no active Threat Vault signatures available, one is currently undergoing testing and is expected to be released.

{
  "success": true,
  "link": {
    "next": null,
    "previous": null
  },
  "count": 1,
  "data": [
    {
      "cve_id": "CVE-2025-23120",
      "nvd_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23120",
      "cve_status": "cve_under_testing",
      "release_week": null,
      "not_cover_reason": null,
      "response_text": "This CVE has been assigned to a researcher and is being analyzed"
    }
  ],
  "message": "Successful"
}

Example 3: Request information about a CVE ID that is being monitored:

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats/cve-coverage?cve_id=CVE-2025-26633'

A successful API call returns, within the Contents section, status="success" along with the matching CVE results. In this example, the CVE entry for CVE-2025-26633 has a matching CVE result. It does not have any active Threat Vault signatures available, but it is being actively monitored:

{
  "success": true,
  "link": {
    "next": null,
    "previous": null
  },
  "count": 1,
  "data": [
    {
      "cve_id": "CVE-2025-26633",
      "nvd_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-26633",
      "cve_status": "cve_being_monitored",
      "release_week": null,
      "not_cover_reason": null,
      "response_text": "We are aware of this CVE but didn't find PoC"
    }
  ],
  "message": "Successful"
}

Example 4: Request information about a CVE ID that cannot be covered by a threat signature:

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats/cve-coverage?cve_id=CVE-2024-38140'

A successful API call returns, within the Contents section, status="success" along with the matching CVE results. In this example, the CVE entry for CVE-2024-38140 has a matching CVE result; however, it does not have any active Threat Vault signatures available:

{
  "success": true,
  "link": {
    "next": null,
    "previous": null
  },
  "count": 1,
  "data": [
    {
      "cve_id": "CVE-2024-38140",
      "nvd_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38140",
      "cve_status": "cve_cannot_cover",
      "release_week": null,
      "not_cover_reason": "threat_detection_limitations",
      "response_text": "Threat signature-based detection is not very effective against this CVE."
    }
  ],
  "message": "Successful"
}
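
In the four responses above, "data" is an object when the CVE is covered and a one-element list otherwise, and a signature's "release" object can be empty, so a client has to normalize both before it can triage. The following Python is an added example, not part of the Threat Vault documentation; the environment variable name THREATVAULT_API_KEY, the function names and the summary field names are assumptions, and the sample responses are constructed by trimming the ones shown on this page.

```python
import json
import os
import urllib.parse
import urllib.request

BASE = "https://api.threatvault.paloaltonetworks.com/service/v1/threats/cve-coverage"

def build_url(cve_id):
    # urlencode percent-encodes the value (a space becomes "+"), per note 1.
    return BASE + "?" + urllib.parse.urlencode({"cve_id": cve_id})

def fetch(cve_id, env_var="THREATVAULT_API_KEY"):  # variable name is an assumption
    # Per note 3, the key is read from the environment, not from the source tree.
    req = urllib.request.Request(build_url(cve_id),
                                 headers={"X-API-KEY": os.environ[env_var]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize(body):
    """Reduce a cve-coverage response to the fields a coverage triage needs."""
    if body.get("success") is not True:
        raise ValueError("API call failed: %r" % body.get("message"))
    data = body["data"]
    # Object for cve_covered, one-item list for the other statuses shown above.
    entry = data[0] if isinstance(data, list) else data
    out = {"cve_id": entry["cve_id"], "status": entry["cve_status"],
           "reason": entry.get("not_cover_reason"),
           "current_av": [], "not_current_av": [],
           "vuln_ids": [v["id"] for v in entry.get("vulnerability", [])]}
    for sig in entry.get("antivirus", []):
        av = sig.get("release", {}).get("antivirus", {})  # "release" may be {}
        key = "current_av" if av.get("in_current_release") else "not_current_av"
        out[key].append(sig["name"])
    return out

# Constructed samples, trimmed from the responses shown on this page.
COVERED = {"success": True, "data": {"cve_id": "CVE-2021-1647", "cve_status": "cve_covered",
    "antivirus": [
        {"name": "Virus/Win32.CVE-2021-1647.a",
         "release": {"antivirus": {"in_current_release": True}}},
        {"name": "Virus/Win32.CVE-2021-1647.d", "release": {}},
        {"name": "Exploit/Win32.cve-2021-1647.e",
         "release": {"antivirus": {"in_current_release": False}}}],
    "vulnerability": [{"id": "90207"}]}}
CANNOT = {"success": True, "data": [{"cve_id": "CVE-2024-38140",
    "cve_status": "cve_cannot_cover",
    "not_cover_reason": "threat_detection_limitations"}]}

if __name__ == "__main__":
    print([summarize(s) for s in (COVERED, CANNOT)])
```

A status of cve_covered alone does not mean every listed antivirus signature ships in the current content release; the not_current_av list surfaces the ones that do not.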