Look up known vulnerabilities for a package+version via OSV API. Supports npm, PyPI, Maven, Go, Cargo, NuGet. Returns CVEs with severity and fix versions.