Vulnerability scan for a software package by ecosystem, name and version, or by package-URL (purl). Queries OSV.dev for known advisories, collects their CVE ids and enriches them with NVD CVSS, CISA KEV and EPSS, then returns a prioritized list of advisories with exact fixed versions. Risk indicators, not advice.