The VEL API is a JSON-formatted feed of extensions on the VEL live and resolved lists. It can be accessed at . There is also a verification hash at . There are also two shortcuts available:-

The verification hash updates when the feed updates, so plugins can use this to check whether it is necessary to fetch an updated version of the feed. Please do use this check first.

Note that the feed and its data are licensed under the GPL, and may be used in any way compatible with the GPL, including being used in commercial plugins. We will however take a dim view of anyone charging their clients to access the data, for example.

Format of the Response

The response is compatible with the standard Joomla JSON response to an AJAX request, as described here: and consists of two properties:-

  • success: true
  • data: the actual response data, either a JSON-formatted feed, or a single string verification hash, depending on whether task=verify has been set in the URL parameters.

Format of the Feed

The feed has the following properties:-

  • api_version
  • api_version_name
  • timestamp: when the feed was last updated, according to ISO8601 specification
  • license: note that the feed data is licensed under the GPL
  • items: array of extension listings

Format of the Feed Items

  • id: the id of the listing
  • title: the name of the listing, usually the extension name plus vulnerable versions
  • description: includes information that cannot be easily put in other fields, eg if version numbers do not correspond to standard version conventions this can be explained here
  • status: 1 = live, 2 = resolved
  • jed: url of jed listing if any
  • cve_id: CVE and/or other vulnerability tracking database IDs
  • cwe_id: CWE vulnerability classification IDs
  • risk level: eg low, medium, high
  • recommendation: this field is used to give recommendation to the end user how to handle the subject extension, eg to update
  • cvss30_base: cvss 3.0 base vector string see
  • cvss30_base_score: cvss 3.0 numeric score
  • start_version: starting extension version where vulnerability is present, will be empty if all previous versions are likely to be vulnerable
  • vulnerable_version: most recent version known to be vulnerable
  • patch_version: version where vulnerability is patched, will be empty if no patch available
  • update_notice: url of developer's update notice, if any
  • install_data: json fomatted installation data from extension installation manifest, including name, type, creationDate, author, authorUrl, copyright, version and group (for plugins). This can be used to distinguish extensions with similar names, note that we don't include the author email
  • created: ISO8601 creation date of the listing
  • modified: ISO8601 modification date of the listing
  • statusText: "Live", or "Resolved"

Calculating the Verification Hash

If you wish to use the verification hash to verify the data do the following:-

  1. json_encode the feed data
  2. remove all spaces, tabs and returns
  3. calculate the sha256 hash
	$output = json_encode($feed);					
	$output = str_replace(array(" ","\t","\r","\n"),"",$output);
	$output = hash("sha256",$output);

Compare with the value returned by the URL