Overview

The National Vulnerability Database (NVD) serves as a comprehensive U.S. government repository for cybersecurity vulnerability data, maintained by the National Institute of Standards and Technology (NIST). It acts as a centralized source for information regarding publicly known information security vulnerabilities. The NVD primarily integrates data from the Common Vulnerabilities and Exposures (CVE) list, providing enriched analysis that includes applicability to specific software and hardware platforms, as defined by Common Platform Enumeration (CPE), and severity metrics calculated using the Common Vulnerability Scoring System (CVSS).

Developers and technical buyers utilize the NVD for various security-related functions, including vulnerability management, security auditing, and software component analysis. By providing programmatic access to its data via a public API and downloadable data feeds, the NVD enables automated integration into security tools, vulnerability scanners, and threat intelligence platforms. This allows organizations to identify, assess, and prioritize vulnerabilities within their systems and software supply chains.

The NVD is particularly valuable for organizations requiring adherence to security standards and regulatory compliance, such as those governed by the Federal Information Security Modernization Act (FISMA). Its data is considered authoritative for assessing the security posture of systems. The NVD supports a broad range of use cases, from individual developers building security tools to large enterprises managing complex IT infrastructures and supply chain risk. Its vendor-neutral stance and free availability make it a foundational resource in the cybersecurity ecosystem, offering standardized, evidence-based insights into reported vulnerabilities.

Integrating with the NVD API allows for the automated retrieval of vulnerability details, including descriptions, impact scores, and suggested remediation steps. This facilitates proactive security measures and helps in maintaining up-to-date vulnerability intelligence. For instance, a software composition analysis (SCA) tool might query the NVD to determine if known vulnerabilities affect components used in a project, similar to how Mend.io describes the function of SCA. The NVD's structured data format and consistent updates ensure that users have access to current and reliable information for making informed security decisions.

Key features

  • CVE Data Feed: Provides detailed information on publicly disclosed cybersecurity vulnerabilities, including descriptions, references, and impact.
  • CPE Dictionary: Offers a standardized naming scheme for applications, operating systems, and hardware devices, enabling precise identification of affected products.
  • CVSS Scores: Supplies standardized numerical scores and qualitative ratings for assessing the severity and exploitability of vulnerabilities, aiding in prioritization.
  • Public API Access: A RESTful API allows programmatic retrieval of vulnerability data, facilitating integration into security tools and platforms (NVD API documentation).
  • Data Feeds: Bulk data downloads are available in XML and JSON formats for offline analysis and large-scale data processing.
  • Search & Filtering: Users can search and filter vulnerability data based on various criteria, including CVE ID, product name, vendor, and CVSS score ranges.

Pricing

The National Vulnerability Database is a public service provided by the U.S. government, and all its data, including API access and data feeds, is available free of charge.

| Service Component | Pricing Model | As of Date | Details |
|---|---|---|---|
| NVD API Access | Free | 2026-05-28 | Access to vulnerability data via RESTful API (NVD API documentation) |
| NVD Data Feeds | Free | 2026-05-28 | Downloadable XML and JSON feeds for bulk data (NVD data feeds) |
| Web Interface Access | Free | 2026-05-28 | Online search and browsing of the vulnerability database (NVD homepage) |

Common integrations

  • Vulnerability Scanners: Tools like Nessus or OpenVAS can integrate NVD data to enhance their vulnerability detection capabilities and provide more accurate context.
  • Security Information and Event Management (SIEM) Systems: Platforms such as Splunk or Elastic Security can ingest NVD data to correlate vulnerability information with security events and alerts.
  • Software Composition Analysis (SCA) Tools: Products like Snyk or Mend.io leverage NVD data to identify known vulnerabilities in open-source and third-party software components.
  • Threat Intelligence Platforms: Systems that aggregate and analyze threat data can incorporate NVD feeds to enrich their vulnerability intelligence.
  • DevSecOps Pipelines: Integration into CI/CD pipelines allows for automated vulnerability checking during software development and deployment.
  • Asset Management Systems: NVD data helps asset management tools identify which assets are affected by specific vulnerabilities.

Alternatives

  • Snyk: A developer-first security platform focused on finding and fixing vulnerabilities in code, dependencies, containers, and infrastructure as code.
  • Mend.io: Offers software composition analysis (SCA), application security testing (AST), and supply chain security solutions.
  • Trellix (formerly FireEye/McAfee Enterprise): Provides extended detection and response (XDR) solutions, including endpoint, network, and cloud security, often incorporating vulnerability intelligence.

Getting started

To get started with the NVD API, you can make a simple HTTP GET request to retrieve vulnerability data. The API provides endpoints for searching CVEs, CPEs, and other related information. Below is an example using Python's requests library to fetch the latest vulnerabilities.

import json
from datetime import datetime, timedelta, timezone

import requests

# Base URL for the NVD API
NVD_API_BASE_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Parameters for the request: fetch vulnerabilities published in the last 7 days.
# Note: 'pubStartDate' and 'pubEndDate' must be sent together and are used here for demonstration.
# For real-world use, you might use 'lastModStartDate'/'lastModEndDate' or specific CVE IDs.
# The NVD API has rate limits, so add appropriate delays for production use.
now = datetime.now(timezone.utc)
week_ago = now - timedelta(days=7)

# Example: Get recent CVEs (limit to 10 for brevity)
params = {
    # ISO-8601 timestamps with an explicit UTC offset
    'pubStartDate': week_ago.isoformat(timespec='milliseconds'),
    'pubEndDate': now.isoformat(timespec='milliseconds'),
    'resultsPerPage': 10
}

try:
    # A timeout keeps the script from hanging if the service does not respond
    response = requests.get(NVD_API_BASE_URL, params=params, timeout=30)
    response.raise_for_status() # Raise an HTTPError for bad responses (4xx or 5xx)

    data = response.json()
    vulnerabilities = data.get('vulnerabilities', [])

    # 'totalResults' counts every match for the query, not just this page
    print(f"Query matched {data.get('totalResults')} vulnerabilities.")
    print(f"Displaying first {len(vulnerabilities)}:")

    for vulnerability in vulnerabilities:
        cve = vulnerability['cve']
        cve_id = cve['id']
        # Descriptions can be listed in several languages; pick the English one
        description = next(
            (d['value'] for d in cve.get('descriptions', []) if d.get('lang') == 'en'),
            'No description available.'
        )
        print(f"  CVE ID: {cve_id}")
        print(f"  Description: {description[:150]}...") # Truncate description
        cvss_v31 = cve.get('metrics', {}).get('cvssMetricV31')
        if cvss_v31:
            cvss_score = cvss_v31[0]['cvssData']['baseScore']
            print(f"  CVSS v3.1 Base Score: {cvss_score}")
        print("\n")

except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except requests.exceptions.ConnectionError as conn_err:
    print(f"Connection error occurred: {conn_err}")
except requests.exceptions.Timeout as timeout_err:
    print(f"Timeout error occurred: {timeout_err}")
except json.JSONDecodeError:
    # Checked before RequestException: recent versions of requests raise a
    # JSON error that is a subclass of both
    print("Failed to decode JSON response.")
    print(f"Response content: {response.text}")
except requests.exceptions.RequestException as req_err:
    print(f"An error occurred: {req_err}")

This Python script demonstrates a basic query to the NVD API (v2.0) to retrieve a list of recent CVEs. It parses the JSON response and prints out the CVE ID, a truncated description, and the CVSS v3.1 base score if available. For more advanced queries and details on available parameters, refer to the NVD vulnerabilities API reference.
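For the SCA-style check mentioned in the overview, the following added example (not code from NVD or from this page's author) takes one "cve" object from an API 2.0 response, picks the best available CVSS base score, and tests whether a given component version falls inside the CPE match ranges. The record is constructed, `examplecorp`, `widget` and the CVE ID are placeholders, and the code assumes plain dotted numeric versions and CPE names without escaped colons.

```python
import json

# Constructed "cve" object in the NVD API 2.0 response shape; the CVE ID, vendor
# and product are placeholders, not real entries.
CVE = json.loads("""
{"id": "CVE-0000-00001",
 "metrics": {
   "cvssMetricV2":  [{"type": "Primary", "cvssData": {"baseScore": 7.5}}],
   "cvssMetricV31": [{"type": "Secondary", "cvssData": {"baseScore": 8.1}},
                     {"type": "Primary", "cvssData": {"baseScore": 9.8}}]},
 "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
   {"vulnerable": true, "criteria": "cpe:2.3:a:examplecorp:widget:*:*:*:*:*:*:*:*",
    "versionStartIncluding": "1.0", "versionEndExcluding": "1.4.2"}]}]}]}
""")

def best_score(cve):
    """Return (metric key, base score) for the newest CVSS version present."""
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = cve.get("metrics", {}).get(key, [])
        if entries:  # prefer the entry typed "Primary" over "Secondary" ones
            entry = next((e for e in entries if e.get("type") == "Primary"), entries[0])
            return key, entry["cvssData"]["baseScore"]
    return None, None

def _v(s):
    # Assumption: plain dotted numeric versions; trailing zeros dropped so 1.0 == 1.
    parts = [int(p) for p in s.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def affects(cve, vendor, product, version):
    """True if a vulnerable cpeMatch for vendor:product covers version.
    Simplification: AND/negate logic between nodes is not evaluated."""
    v = _v(version)
    matches = (m for cfg in cve.get("configurations", [])
               for node in cfg.get("nodes", []) for m in node.get("cpeMatch", []))
    for m in matches:
        cpe = m["criteria"].split(":")  # fields 3, 4, 5 = vendor, product, version
        if not m.get("vulnerable") or cpe[3:5] != [vendor, product]:
            continue
        rng = m if cpe[5] in ("*", "-") else {  # a pinned version is a one-point range
            "versionStartIncluding": cpe[5], "versionEndIncluding": cpe[5]}
        lo_in, lo_ex = rng.get("versionStartIncluding"), rng.get("versionStartExcluding")
        hi_in, hi_ex = rng.get("versionEndIncluding"), rng.get("versionEndExcluding")
        if ((not lo_in or v >= _v(lo_in)) and (not lo_ex or v > _v(lo_ex)) and
                (not hi_in or v <= _v(hi_in)) and (not hi_ex or v < _v(hi_ex))):
            return True
    return False
```

Taking only the first `cvssMetricV31` entry, as the basic script does, can report a secondary source's score or miss records that carry only v2 or v3.0 metrics.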