DEV.co
Open-Source Security · aboutcode-org

vulnerablecode

VulnerableCode is a free, open-source vulnerability database with a web UI and API that tracks known software package vulnerabilities and their affected/fixed versions. It aggregates data from multiple upstream sources and uses Package URL (PURL) as a primary identifier for packages, making it easier to determine if a specific package is vulnerable.

Source: GitHub — github.com/aboutcode-org/vulnerablecode
691
GitHub stars
311
Forks
Python
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryaboutcode-org/vulnerablecode
Owneraboutcode-org
Primary languagePython
LicenseApache-2.0 — OSI-approved
Stars691
Forks311
Open issues789
Latest releasev40.0.1 (2026-07-07)
Last updated2026-07-07
Sourcehttps://github.com/aboutcode-org/vulnerablecode

What vulnerablecode is

Python/Django application backed by PostgreSQL that ingests vulnerability data from multiple sources, correlates vulnerabilities to packages using PURL identifiers, and exposes data via REST API and web interface. The project includes importable pipelines for adding new advisory sources and supports self-hosted deployment via Docker.

Quickstart

Get the vulnerablecode source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/aboutcode-org/vulnerablecode.gitcd vulnerablecode# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Software Composition Analysis (SCA) backbone

Use VulnerableCode as the vulnerability knowledge base for building or enhancing in-house SCA tools, dependency scanning, and supply-chain risk platforms targeting open-source packages.

Self-hosted vulnerability database

Organizations requiring control over vulnerability data sources, update frequency, and API availability can deploy their own instance rather than depending on proprietary third-party vulnerability feeds.

Vulnerability data aggregation and normalization

Import, correlate, and deduplicate vulnerability advisories from NVD, OSV, Snyk, OSSIndex, and other sources into a single queryable dataset with PURL-based package mapping.

Implementation considerations

  • Requires Python 3.8+, PostgreSQL, nginx, and Docker; plan infrastructure and database capacity based on dataset size and query load.
  • Data accuracy depends on upstream source quality and staleness; establish update and validation pipelines appropriate to your risk tolerance.
  • PURL-based package matching is core; ensure your dependency metadata can be normalized to PURL format, or be prepared to extend the importer pipelines.
  • Multiple secondary licenses (LGPL, MIT, BSD, GPL 2/3) apply to third-party components; audit third-party dependencies if you have strict corporate license policies.
  • Currently marked 'work in progress' stability; expect API and schema changes; plan for regular testing during upgrades and communicate changes to downstream consumers.

When to avoid it — and what to weigh

  • Need commercial support SLA — While commercial support contact is offered, terms and availability are not documented. If you require contractual SLAs, response guarantees, or vendor indemnification, evaluate terms with the AboutCode team first.
  • Limited to proprietary/closed-source packages — VulnerableCode focuses on open-source and public vulnerability data. If your primary need is tracking vulnerabilities in proprietary or internal software, this may not be the right fit.
  • Minimal deployment resources or no PostgreSQL expertise — Self-hosting requires Python 3.8+, PostgreSQL, nginx, and Docker. Lightweight or embedded deployments may introduce operational burden; the public instance at public.vulnerablecode.io may be preferable.
  • Real-time vulnerability disclosure tracking — VulnerableCode aggregates existing public sources; it is not a zero-day disclosure platform. For breaking vulnerability alerts, it relies on upstream sources to publish first.

License & commercial use

Code: Apache-2.0 (permissive, allows commercial use). Data: CC-BY-SA-4.0 (requires attribution and share-alike for derived datasets). Third-party components: mix of permissive (MIT, BSD) and copyleft (LGPL, GPL 2/3) licenses.

Apache-2.0 code license permits commercial use, modification, and distribution without royalties. However, CC-BY-SA-4.0 on reference datasets requires attribution and mandates that derivative datasets be released under the same license. If you modify or republish vulnerability data, you must license derivatives as CC-BY-SA-4.0. Commercial support is available via the AboutCode team; contact [email protected] for terms.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

VulnerableCode aggregates public vulnerability data; inherits data quality and timeliness risks from upstream sources. No explicit security audit results or disclosure policy documented. Self-hosted instances should follow standard hardening practices: restrict network access, patch PostgreSQL and dependencies regularly, validate and sanitize importer pipeline inputs. The project itself does not claim to be a secure source of truth; it is a data aggregator. Audit upstream source reliability and completeness for your threat model.

Alternatives to consider

Snyk Vulnerability Database

Proprietary, curated database with real-time detection; commercial support and SLAs available. Recommended if you need vendor indemnification and guaranteed coverage for zero-days.

NVD (National Vulnerability Database) + Custom Integration

Free, authoritative source directly from NIST; no aggregation overhead. Recommended if you prefer data purity and can build lightweight custom tooling around NVD feeds.

OSV (Open Source Vulnerabilities) Database

Open-source vulnerability schema and free public database (db.osv.dev). Lighter-weight alternative if you only need querying without data aggregation; VulnerableCode actually ingests OSV data.

Software development agency

Build on vulnerablecode with DEV.co software developers

Review the full documentation at vulnerablecode.readthedocs.org, test the public instance at public.vulnerablecode.io, and assess deployment and data licensing requirements for your organization. For commercial support inquiries, contact [email protected].

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

vulnerablecode FAQ

Can I use VulnerableCode data commercially?
Yes, with conditions. The code (Apache-2.0) permits commercial use. The data (CC-BY-SA-4.0) requires attribution and mandates that any derivative datasets be licensed CC-BY-SA-4.0. If you republish or modify vulnerability data, you must release derivatives under the same license.
Is there a managed/hosted version?
Yes, a free public instance is available at public.vulnerablecode.io. For self-hosted deployment, you manage infrastructure (Docker, PostgreSQL, nginx). Commercial hosted options are not documented; contact [email protected].
What package ecosystems are supported?
VulnerableCode ingests from multiple sources (NVD, OSV, Snyk, OSSIndex); support depends on upstream source coverage. PURL is the canonical identifier, supporting many ecosystems (npm, PyPI, RubyGems, Maven, etc.). Consult documentation for current ecosystem coverage.
How often is vulnerability data updated?
Update frequency depends on your importer pipeline configuration and upstream source update cadence. The public instance updates reflect upstream source delays. For time-critical vulnerabilities, monitor upstream sources directly or configure faster ingestion.

Software developers & web developers for hire

Adopting vulnerablecode is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Evaluate VulnerableCode for your vulnerability management stack

Review the full documentation at vulnerablecode.readthedocs.org, test the public instance at public.vulnerablecode.io, and assess deployment and data licensing requirements for your organization. For commercial support inquiries, contact [email protected].