
What is the NVD (National Vulnerability Database)?

Jul 3, 2026 · 8 min read · Beginner

What is the NVD?

The National Vulnerability Database (NVD) is the United States government's official repository of vulnerability management data. Maintained by the National Institute of Standards and Technology (NIST), it serves as the central enrichment layer on top of the CVE list maintained by MITRE.

Think of the CVE list as a raw catalogue of vulnerability IDs and brief descriptions. The NVD takes each CVE entry and adds structured, standardised analysis: severity scores, affected software lists, weakness classifications, and links to patches and advisories. This enrichment is what makes the NVD indispensable for security teams, compliance auditors, and software vendors worldwide.

Key fact: As of mid-2026, the NVD contains enrichment data for over 250,000 CVE entries dating back to 1999. It processes an average of 70–100 new CVEs every day.

NVD vs CVE: What is the Difference?

People often use "CVE" and "NVD" interchangeably, but they are managed by different organisations with different roles.

| Dimension | CVE List (MITRE) | NVD (NIST) |
|---|---|---|
| Managed by | MITRE Corporation | NIST (US Dept of Commerce) |
| Purpose | Assign unique IDs to vulnerabilities | Enrich CVEs with analysis data |
| CVSS scores | Sometimes provided by the CNA | Always calculated by NIST analysts |
| CWE classification | No | Yes |
| CPE affected software | No | Yes |
| Patch links | Sometimes in references | Structured reference tags (Patch, Vendor Advisory) |
| API available | Yes (api.cve.org) | Yes (services.nvd.nist.gov) |

In practice, most security tools pull from the NVD because it provides a complete, structured picture. The CVE list is the authoritative source for IDs and descriptions; the NVD is the authoritative source for severity and classification.

What the NVD Adds to CVE Entries

When NIST analysts process a new CVE, they add several layers of structured data.

CVSS Scores

The NVD calculates CVSS v3.1 (and sometimes v2.0) Base Scores for every CVE. This gives a 0–10 numeric severity that security teams can use to prioritise patching. The NVD score is considered the reference score — vendors can provide their own CVSS vectors, which the NVD stores separately as "CNA-supplied scores."

CWE — Weakness Classification

Every CVE gets mapped to one or more Common Weakness Enumerations (CWE). CWE is a taxonomy of software weaknesses. For example:

Knowing the CWE helps developers understand the class of vulnerability and apply the right defensive coding patterns, not just the specific patch for one CVE.

CPE — Affected Software List

Common Platform Enumeration (CPE) is a structured naming scheme for hardware and software. The NVD attaches a list of CPE entries to each CVE, specifying exactly which vendor, product, and version ranges are affected.

A CPE string looks like this:

cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*

Breaking it down: a = application, apache = vendor, log4j = product, * = any version. Security scanners use CPE data to match vulnerabilities against the software inventory in your environment — this is how tools like Qualys, Tenable, and Wiz know which CVEs apply to your systems.
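The matching step described above, as an added example (not code from the NVD or from any scanner): it parses CPE 2.3 strings into named fields and checks a CVE's CPE pattern against a software inventory. The inventory entries and the `example_vendor` name are constructed sample values, and only exact and wildcard field matching is shown, not version ranges.

```python
import re

# Field names of a CPE 2.3 formatted string, in order, after the "cpe:2.3:" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into a dict of named fields."""
    # A colon escaped with a backslash belongs to a value, so split only
    # on colons that are not preceded by a backslash.
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, parts[2:]))

def cpe_matches(pattern, installed):
    """True if every pattern field is '*' (any) or equals the installed value."""
    pat, inst = parse_cpe(pattern), parse_cpe(installed)
    return all(pat[f] == "*" or pat[f].lower() == inst[f].lower() for f in FIELDS)

def affected(pattern, inventory):
    """Return the inventory entries that the CVE's CPE pattern applies to."""
    return [item for item in inventory if cpe_matches(pattern, item)]

# Constructed software inventory (sample values, not from the page).
INVENTORY = [
    "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:http_server:2.4.57:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:log4j:1.0:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    # The pattern is the CPE string shown above: any version of apache log4j.
    for hit in affected("cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", INVENTORY):
        print("affected:", hit)
```

Matching on vendor as well as product is what keeps the `example_vendor` package named log4j out of the result.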

Reference Tags

The NVD adds structured tags to each reference URL, categorising them as: Patch, Vendor Advisory, Exploit, Mailing List, Third Party Advisory, or VDB Entry. This makes it easy to jump straight to the vendor's official patch notice rather than reading through a long list of links.

The NVD web interface is at nvd.nist.gov. Here are the most useful search approaches.

Search by CVE ID

If you already know the CVE number, type it directly into the search box. For example, searching CVE-2021-44228 immediately shows the Log4Shell entry with CVSS 10.0, CWE-917, CPE list, and all references.

Search by Keyword

Enter a product name, vendor, or technology to find all related CVEs. Searching apache log4j returns dozens of entries. Tip: use the Advanced Search to filter by CVSS score range (e.g., 9.0–10.0 for critical only) and publication date.

Filter by CVSS Severity

In Advanced Search, the CVSS Score filter lets you narrow results to only Critical (9.0+) or High (7.0–8.9) vulnerabilities — useful when you want to build a prioritised patch list for a specific product.

Filter by CWE

You can search for all CVEs of a particular weakness type, such as all SQL injection vulnerabilities (CWE-89) in a specific vendor's products. This is useful for compliance teams that need to demonstrate control over specific weakness categories.

The NVD API

The NVD offers a free, public REST API at services.nvd.nist.gov/rest/json/cves/2.0. No authentication is required for basic use, though you can request an API key for higher rate limits (50 requests per 30 seconds vs 5 per 30 seconds without a key).

Fetch a Single CVE

curl "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-44228"

Fetch CVEs by Keyword

curl "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=log4j&resultsPerPage=10"

Fetch CVEs Modified in the Last 7 Days

curl "https://services.nvd.nist.gov/rest/json/cves/2.0?\
lastModStartDate=2026-06-26T00:00:00.000&\
lastModEndDate=2026-07-03T23:59:59.000"

The API returns JSON with full CVE metadata including CVSS vectors, CWE IDs, CPE matches, and references. This powers many commercial vulnerability management tools and open-source scanners.

The NVD Analysis Backlog Problem

In February 2024, NIST announced it was pausing enrichment of new CVE entries due to resource constraints, creating a significant backlog. By mid-2024, tens of thousands of CVEs were listed in the NVD with the status "Awaiting Analysis" — meaning they had a CVE ID and description from MITRE, but no CVSS score, CWE, or CPE data from NIST yet.

This caused real problems for organisations that rely on NVD data to drive automated scanning and risk scoring. A CVE without a CVSS score cannot be prioritised by most vulnerability management tools.

NIST began addressing the backlog through a combination of increased staffing and automation, and also announced a new consortium model called the NVD Consortium to share enrichment responsibilities with industry partners. By 2026, the backlog was being processed more consistently, but the episode highlighted the risk of depending on a single government database as the sole source of vulnerability intelligence.

Practical tip: During periods of NVD backlog, use alternative sources like the CISA KEV catalog, vendor security advisories, or commercial feeds (Vulners, Snyk, OSV) to fill the gap for high-priority vulnerabilities.
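An added example (not NVD or vendor code) tying the API section to the backlog problem: it flattens an API 2.0 response, prefers the NVD score over a CNA-supplied one, and separates out CVEs that have no score and need another source. The response is a constructed, trimmed sample; the CVE-0000-* IDs and all URLs are placeholders.

```python
import json

# Constructed, trimmed NVD API 2.0 response. CVE-2021-44228 values follow the page;
# the CVE-0000-* records and all URLs are placeholders.
SAMPLE = json.loads("""
{"vulnerabilities": [
 {"cve": {"id": "CVE-2021-44228", "vulnStatus": "Analyzed",
  "metrics": {"cvssMetricV31": [{"type": "Primary",
     "cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}}]},
  "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}]}],
  "references": [{"url": "https://vendor.example/fix", "tags": ["Patch", "Vendor Advisory"]},
                 {"url": "https://list.example/post", "tags": ["Mailing List"]}]}},
 {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Awaiting Analysis",
  "metrics": {"cvssMetricV31": [{"type": "Secondary",
     "cvssData": {"baseScore": 8.1, "baseSeverity": "HIGH"}}]}}},
 {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis", "metrics": {}}}
]}
""")

def summarize(cve):
    """Flatten one 'cve' object; prefer the NVD (Primary) score over a CNA (Secondary) one."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    best = min(metrics, key=lambda m: m.get("type") != "Primary", default=None)
    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus"),
        "score": best["cvssData"]["baseScore"] if best else None,
        "score_source": best["type"] if best else None,
        "cwes": [d["value"] for w in cve.get("weaknesses", []) for d in w["description"]],
        "patches": [r["url"] for r in cve.get("references", []) if "Patch" in r.get("tags", [])],
    }

def triage(response):
    """Split a response into CVEs that can be ranked and CVEs with no score at all."""
    rows = [summarize(v["cve"]) for v in response.get("vulnerabilities", [])]
    scored = sorted((r for r in rows if r["score"] is not None),
                    key=lambda r: r["score"], reverse=True)
    unscored = [r["id"] for r in rows if r["score"] is None]
    return scored, unscored

if __name__ == "__main__":
    scored, unscored = triage(SAMPLE)
    for r in scored:
        print(r["id"], r["score"], r["score_source"], r["cwes"], r["patches"])
    print("no CVSS score, check KEV / vendor advisories:", unscored)
```

To run it on live data, replace `SAMPLE` with the parsed JSON returned by one of the curl commands above.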

NVD Alternatives and Supplements

The NVD is the gold standard but is not the only source of vulnerability data. Use it alongside these resources.

| Source | Best For | URL |
|---|---|---|
| CISA KEV Catalog | Actively exploited vulnerabilities — patch these first | cisa.gov/known-exploited-vulnerabilities |
| OSV (Open Source Vulnerabilities) | Open source package vulnerabilities (npm, PyPI, Maven) | osv.dev |
| GitHub Advisory Database | Vulnerabilities in GitHub-hosted open source projects | github.com/advisories |
| Vulners | Aggregated feed with exploit availability data | vulners.com |
| Snyk Vulnerability DB | Developer-focused, deep package ecosystem coverage | security.snyk.io |
| OpenCVE | Self-hosted NVD alternative with alerting | opencve.io |
| Vendor Advisories | Official patches and mitigations from Microsoft, Cisco, Red Hat, etc. | Varies by vendor |

For most organisations, the NVD is the foundation, the CISA KEV catalog is the priority filter, and vendor advisories are the patch source. Together they form a complete, practical vulnerability intelligence workflow.

Frequently Asked Questions

What is the NVD?
The National Vulnerability Database (NVD) is a US government repository of standards-based vulnerability management data maintained by NIST. It enriches CVE entries with CVSS scores, CWE classifications, and CPE identifiers.

Who maintains the NVD?
The NVD is maintained by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce.

Is NVD the same as CVE?
No. CVE IDs are assigned by MITRE and CNAs. The NVD is a separate database that enriches CVE entries with additional analysis such as CVSS scores, affected software lists (CPE), and patch links.

How do I search the NVD?
You can search the NVD at nvd.nist.gov by CVE ID, keyword, vendor name, or CVSS score range. The NVD also offers a free REST API at services.nvd.nist.gov for programmatic access.

Why do some CVEs have no CVSS score in the NVD?
New CVEs are sometimes listed as "Awaiting Analysis" while NIST analysts process them. During periods of high volume or resource constraints (as seen in 2024), this backlog can be significant. Use alternative sources like vendor advisories or CISA KEV for urgent prioritisation.