vulnerablecode
VulnerableCode is a free, open-source vulnerability database with a web UI and API that tracks known software package vulnerabilities and their affected/fixed versions. It aggregates data from multiple upstream sources and uses Package URL (PURL) as a primary identifier for packages, making it easier to determine if a specific package is vulnerable.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | aboutcode-org/vulnerablecode |
| Owner | aboutcode-org |
| Primary language | Python |
| License | Apache-2.0 — OSI-approved |
| Stars | 691 |
| Forks | 311 |
| Open issues | 789 |
| Latest release | v40.0.1 (2026-07-07) |
| Last updated | 2026-07-07 |
| Source | https://github.com/aboutcode-org/vulnerablecode |
What vulnerablecode is
Python/Django application backed by PostgreSQL that ingests vulnerability data from multiple sources, correlates vulnerabilities to packages using PURL identifiers, and exposes data via REST API and web interface. The project includes importable pipelines for adding new advisory sources and supports self-hosted deployment via Docker.
Get the vulnerablecode source
Clone the repository and explore it locally.
git clone https://github.com/aboutcode-org/vulnerablecode.gitcd vulnerablecode# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Python 3.8+, PostgreSQL, nginx, and Docker; plan infrastructure and database capacity based on dataset size and query load.
- Data accuracy depends on upstream source quality and staleness; establish update and validation pipelines appropriate to your risk tolerance.
- PURL-based package matching is core; ensure your dependency metadata can be normalized to PURL format, or be prepared to extend the importer pipelines.
- Multiple secondary licenses (LGPL, MIT, BSD, GPL 2/3) apply to third-party components; audit third-party dependencies if you have strict corporate license policies.
- Currently marked 'work in progress' stability; expect API and schema changes; plan for regular testing during upgrades and communicate changes to downstream consumers.
When to avoid it — and what to weigh
- Need commercial support SLA — While commercial support contact is offered, terms and availability are not documented. If you require contractual SLAs, response guarantees, or vendor indemnification, evaluate terms with the AboutCode team first.
- Limited to proprietary/closed-source packages — VulnerableCode focuses on open-source and public vulnerability data. If your primary need is tracking vulnerabilities in proprietary or internal software, this may not be the right fit.
- Minimal deployment resources or no PostgreSQL expertise — Self-hosting requires Python 3.8+, PostgreSQL, nginx, and Docker. Lightweight or embedded deployments may introduce operational burden; the public instance at public.vulnerablecode.io may be preferable.
- Real-time vulnerability disclosure tracking — VulnerableCode aggregates existing public sources; it is not a zero-day disclosure platform. For breaking vulnerability alerts, it relies on upstream sources to publish first.
License & commercial use
Code: Apache-2.0 (permissive, allows commercial use). Data: CC-BY-SA-4.0 (requires attribution and share-alike for derived datasets). Third-party components: mix of permissive (MIT, BSD) and copyleft (LGPL, GPL 2/3) licenses.
Apache-2.0 code license permits commercial use, modification, and distribution without royalties. However, CC-BY-SA-4.0 on reference datasets requires attribution and mandates that derivative datasets be released under the same license. If you modify or republish vulnerability data, you must license derivatives as CC-BY-SA-4.0. Commercial support is available via the AboutCode team; contact [email protected] for terms.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
VulnerableCode aggregates public vulnerability data; inherits data quality and timeliness risks from upstream sources. No explicit security audit results or disclosure policy documented. Self-hosted instances should follow standard hardening practices: restrict network access, patch PostgreSQL and dependencies regularly, validate and sanitize importer pipeline inputs. The project itself does not claim to be a secure source of truth; it is a data aggregator. Audit upstream source reliability and completeness for your threat model.
Alternatives to consider
Snyk Vulnerability Database
Proprietary, curated database with real-time detection; commercial support and SLAs available. Recommended if you need vendor indemnification and guaranteed coverage for zero-days.
NVD (National Vulnerability Database) + Custom Integration
Free, authoritative source directly from NIST; no aggregation overhead. Recommended if you prefer data purity and can build lightweight custom tooling around NVD feeds.
OSV (Open Source Vulnerabilities) Database
Open-source vulnerability schema and free public database (db.osv.dev). Lighter-weight alternative if you only need querying without data aggregation; VulnerableCode actually ingests OSV data.
Build on vulnerablecode with DEV.co software developers
Review the full documentation at vulnerablecode.readthedocs.org, test the public instance at public.vulnerablecode.io, and assess deployment and data licensing requirements for your organization. For commercial support inquiries, contact [email protected].
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
vulnerablecode FAQ
Can I use VulnerableCode data commercially?
Is there a managed/hosted version?
What package ecosystems are supported?
How often is vulnerability data updated?
Software developers & web developers for hire
Adopting vulnerablecode is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Evaluate VulnerableCode for your vulnerability management stack
Review the full documentation at vulnerablecode.readthedocs.org, test the public instance at public.vulnerablecode.io, and assess deployment and data licensing requirements for your organization. For commercial support inquiries, contact [email protected].