What this endpoint does

This endpoint downloads a bulk file of CVEs from the Recorded Future vulnerability risk list, filtered by risk rule and including only vulnerabilities with a risk score of 25 or above. It is designed for feeding vulnerability management platforms, SIEMs, or patch prioritization workflows with CVE watchlists — not for individual lookups (use the Vulnerability: Lookup endpoint for single-CVE enrichment). The list parameter selects which risk rule to filter by, such as cyberSignalCritical for actively exploited vulnerabilities or linkedToRansomware for ransomware-associated CVEs; omitting it returns the default risk list. Use the Vulnerability Risk Rules endpoint to discover all valid risk rule names. Output formats include CSV (default), STIX 1.1.1, STIX 1.2, and STIX 2.1. For change detection polling, use the companion HEAD Vulnerability Risk List endpoint to retrieve ETag headers without downloading the full file.

Response data

The response is a binary file download (not JSON). In the default CSV format, each row represents one CVE with four columns: Name (the CVE identifier), Risk (numeric score 0-99), RiskString (triggered risk rules vs. total, e.g., "9/25"), and EvidenceDetails (a JSON-encoded array of evidence objects per triggered risk rule, including rule name, category, criticality, sighting counts, source references, and timestamps). STIX format options provide the same vulnerability data structured as STIX threat intelligence objects for integration with STIX-compatible platforms.

200Result of operation