What is the NVD?
The National Vulnerability Database (NVD) is the United States government's official repository of vulnerability management data. Maintained by the National Institute of Standards and Technology (NIST), it serves as the central enrichment layer on top of the CVE list maintained by MITRE.
Think of the CVE list as a raw catalogue of vulnerability IDs and brief descriptions. The NVD takes each CVE entry and adds structured, standardised analysis: severity scores, affected software lists, weakness classifications, and links to patches and advisories. This enrichment is what makes the NVD indispensable for security teams, compliance auditors, and software vendors worldwide.
NVD vs CVE: What is the Difference?
People often use "CVE" and "NVD" interchangeably, but they are managed by different organisations with different roles.
| Dimension | CVE List (MITRE) | NVD (NIST) |
|---|---|---|
| Managed by | MITRE Corporation | NIST (US Dept of Commerce) |
| Purpose | Assign unique IDs to vulnerabilities | Enrich CVEs with analysis data |
| CVSS scores | Optional; the CNA may include a vector in the CVE record | Calculated by NIST analysts once the CVE is analysed; CNA-supplied scores are kept alongside |
| CWE classification | Optional; the CNA may supply one | Assigned by NIST analysts |
| CPE affected software | Affected products listed by the CNA; CPEs optional | Structured CPE match criteria with version bounds |
| Patch links | Sometimes in references | Structured reference tags (Patch, Vendor Advisory) |
| API available | Yes (CVE Services API, plus bulk JSON on GitHub) | Yes (services.nvd.nist.gov) |
In practice, most security tools pull from the NVD because it provides the more complete, structured picture. The CVE list is the authoritative source for IDs and descriptions; the NVD is the most widely used source for severity and classification, but its score is NIST's assessment rather than the only valid one, and it lags the CVE list whenever enrichment slows (see the backlog section below).
What the NVD Adds to CVE Entries
When NIST analysts process a new CVE, they add several layers of structured data.
CVSS Scores
The NVD calculates CVSS Base Scores for the CVEs it analyses: v3.1 for most entries, v4.0 for newer ones since the NVD adopted it in 2024, and v2.0 only on older entries, as NIST stopped v2 scoring in 2022. This gives a 0 to 10 numeric severity that security teams use to prioritise patching. Many tools treat the NIST score as the reference score, but the CNA can publish its own vector and the NVD keeps both: in the API each metric carries a source field and a type of Primary (NIST's own score) or Secondary (the CNA's). The two can differ, so record which one a patching decision was based on.
CWE — Weakness Classification
Each analysed CVE is mapped to one or more Common Weakness Enumerations (CWE), a taxonomy of software weaknesses. Where NIST cannot identify a specific weakness it uses the placeholders NVD-CWE-Other and NVD-CWE-noinfo, so exclude those before reporting by weakness class. For example:
- CWE-79 — Cross-site Scripting (XSS)
- CWE-89 — SQL Injection
- CWE-787 — Out-of-bounds Write (buffer overflow)
- CWE-22 — Path Traversal
Knowing the CWE helps developers understand the class of vulnerability and apply the right defensive coding patterns, not just the specific patch for one CVE.
CPE — Affected Software List
Common Platform Enumeration (CPE) is a structured naming scheme for hardware and software. The NVD attaches a list of CPE entries to each CVE, specifying exactly which vendor, product, and version ranges are affected.
A CPE string looks like this:
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
Breaking it down: after the cpe:2.3 prefix come 11 colon-separated fields: part (a = application, o = operating system, h = hardware), vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw and other. Here a = application, apache = vendor, log4j = product, and * means any value; a - means the field is not applicable, and punctuation inside a field (a literal colon, parentheses) is backslash-escaped. In NVD data the version field is usually left as * and the affected versions are expressed as bounds on the match entry (versionStartIncluding, versionStartExcluding, versionEndIncluding, versionEndExcluding). Security scanners match these criteria against the software inventory in your environment; this is how tools like Qualys, Tenable and Wiz decide which CVEs apply to your systems. The weak point is naming: if your inventory records a product under a different vendor or product string than the NVD's CPE dictionary uses, the match silently fails, so verify CPE coverage for your critical software rather than assuming it.
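The matching step described above, as an added example rather than NVD or scanner code: a small Python matcher that parses CPE 2.3 strings (including backslash-escaped punctuation) and applies NVD-style version bounds to an inventory. The criteria and inventory are constructed for illustration, and the version comparator is deliberately simple.

```python
"""Match an inventory of CPE 2.3 names against NVD-style cpeMatch criteria.

Added example, not NVD or NIST code. The criteria and inventory below are
constructed for illustration; the criteria copy the shape of the
configurations[].nodes[].cpeMatch[] objects in NVD API 2.0 responses.
"""
import re

# The 11 fields that follow the "cpe:2.3:" prefix, in order.
FIELDS = ["part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named fields.

    A backslash escapes the next character, so an escaped colon inside a
    field (or escaped punctuation such as parentheses) does not split it.
    """
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    parts = re.split(r"(?<!\\):", cpe[len("cpe:2.3:"):])  # split on unescaped colons only
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {cpe}")
    return {name: re.sub(r"\\(.)", r"\1", value) for name, value in zip(FIELDS, parts)}


def version_key(version: str) -> tuple:
    """Comparable key for dotted versions: numeric runs compare numerically,
    other runs lexically. Adequate here; real scanners need per-ecosystem
    comparators (semver, dpkg, rpm) because NVD version strings are free text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def field_matches(pattern: str, value: str) -> bool:
    """'*' (ANY) matches everything; otherwise CPE names compare
    case-insensitively, and '-' (NA) only matches another '-'."""
    return pattern == "*" or pattern.lower() == value.lower()


def in_range(version: str, crit: dict) -> bool:
    """Apply the NVD bounds versionStart/End Including/Excluding (absent = unbounded)."""
    k = version_key(version)
    if crit.get("versionStartIncluding") and k < version_key(crit["versionStartIncluding"]):
        return False
    if crit.get("versionStartExcluding") and k <= version_key(crit["versionStartExcluding"]):
        return False
    if crit.get("versionEndIncluding") and k > version_key(crit["versionEndIncluding"]):
        return False
    if crit.get("versionEndExcluding") and k >= version_key(crit["versionEndExcluding"]):
        return False
    return True


def matches(crit: dict, installed_cpe: str) -> bool:
    """True when the installed CPE falls under one vulnerable cpeMatch entry."""
    if not crit.get("vulnerable", True):       # NVD also lists non-vulnerable CPEs for context
        return False
    pat, inst = parse_cpe(crit["criteria"]), parse_cpe(installed_cpe)
    if not all(field_matches(pat[f], inst[f]) for f in FIELDS if f != "version"):
        return False
    if pat["version"] != "*":                  # criterion pins an exact version
        return field_matches(pat["version"], inst["version"])
    if inst["version"] == "*":                 # inventory does not know the version:
        return False                           # policy choice; a scanner should flag it for review
    return in_range(inst["version"], crit)


def affected(criteria: list, inventory: list) -> list:
    """Return the inventory CPEs that match at least one vulnerable criterion."""
    return [cpe for cpe in inventory if any(matches(c, cpe) for c in criteria)]


# Constructed criteria, loosely modelled on a Log4Shell-style range (not copied from NVD).
CRITERIA = [
    {"vulnerable": True, "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"},
    {"vulnerable": True, "criteria": "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*"},
]

# Constructed inventory.
INVENTORY = [
    "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*",        # inside the range: affected
    "cpe:2.3:a:apache:log4j:2.17.0:*:*:*:*:*:*:*",        # at or past the end bound: clean
    "cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*",        # 1.x branch, below the start bound
    "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*",       # pinned exactly by the second criterion
    "cpe:2.3:o:cisco:ios:12.2\\(33\\)sxh:*:*:*:*:*:*:*",  # escaped punctuation parses cleanly
]

if __name__ == "__main__":
    for cpe in affected(CRITERIA, INVENTORY):
        print("AFFECTED", cpe)
```

The comparator is where real scanners earn their keep: a 2.0-beta9 style pre-release, a Debian epoch or an rpm release suffix all break naive dotted comparison, so swap in the ecosystem's own comparator before trusting results on production inventory.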
Reference Tags
The NVD tags each reference URL with one or more categories such as Patch, Vendor Advisory, Exploit, Mailing List, Third Party Advisory, Issue Tracking and VDB Entry. This lets you jump straight to the vendor's official patch notice rather than reading through a long list of links, and lets tooling flag entries whose references carry an Exploit tag.
How to Search the NVD
The NVD web interface is at nvd.nist.gov. Here are the most useful search approaches.
Search by CVE ID
If you already know the CVE number, type it directly into the search box. For example, searching CVE-2021-44228 immediately shows the Log4Shell entry with CVSS 10.0, CWE-917, CPE list, and all references.
Search by Keyword
Enter a product name, vendor, or technology to find all related CVEs. Searching apache log4j returns dozens of entries. Tip: use the Advanced Search to filter by CVSS score range (e.g., 9.0–10.0 for critical only) and publication date.
Filter by CVSS Severity
In Advanced Search, the CVSS Score filter lets you narrow results to only Critical (9.0+) or High (7.0–8.9) vulnerabilities — useful when you want to build a prioritised patch list for a specific product.
Filter by CWE
You can search for all CVEs of a particular weakness type, such as all SQL injection vulnerabilities (CWE-89) in a specific vendor's products. This is useful for compliance teams that need to demonstrate control over specific weakness categories.
The NVD API
The NVD offers a free, public REST API at services.nvd.nist.gov/rest/json/cves/2.0. No authentication is required, though a free API key, sent in the apiKey request header, raises the rate limit from 5 to 50 requests per rolling 30-second window. NIST's own guidance is to sleep about six seconds between requests when running without a key, and to page through large result sets with startIndex rather than re-issuing the query.
Fetch a Single CVE
curl "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-44228"
Fetch CVEs by Keyword
curl "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=log4j&resultsPerPage=10"
Fetch CVEs Modified in the Last 7 Days
curl "https://services.nvd.nist.gov/rest/json/cves/2.0?\
lastModStartDate=2026-06-26T00:00:00.000&\
lastModEndDate=2026-07-03T23:59:59.000"
The API returns JSON with full CVE metadata: CVSS vectors (each tagged with its source and whether it is NIST's Primary score or a CNA's Secondary one), CWE IDs, CPE match criteria with version bounds, tagged references and the entry's vulnStatus. Two limits to build around: a lastModStartDate/lastModEndDate or pubStartDate/pubEndDate window may span at most 120 days, and responses are paginated (resultsPerPage at most 2000; advance startIndex until it reaches totalResults). This API powers many commercial vulnerability management tools and open-source scanners.
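An added example of consuming that JSON, not NIST's code: a paginated, rate-limited fetch plus a summariser that prefers NIST's Primary score over a CNA's Secondary one, records which source it used, and keeps unscored entries visible in the patch order instead of dropping them. The SAMPLE response is constructed in the API 2.0 shape; CVE-0000-00000 and CVE-0000-00001 are placeholder IDs, cna@example.org and the vendor.example URL are hypothetical, the 9.8 Secondary score is made up, and NVD_API_KEY is an assumed environment variable name.

```python
"""Walk the NVD API 2.0 and reduce each CVE to what NIST added to it.

Added example, not NIST's client code. fetch_cves() talks to the live API
(network required; set NVD_API_KEY to get the higher rate limit). The parsing
and triage functions work on response JSON; SAMPLE below is a constructed
response in the API 2.0 shape, not a real NVD record, so everything after
fetch_cves() runs offline.
"""
import json
import os
import time
import urllib.parse
import urllib.request

API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def fetch_cves(**params):
    """Yield every vulnerabilities[] entry for the query, following startIndex
    pagination and sleeping between pages to stay inside the published limit
    (5 requests per rolling 30 s without a key, 50 with one)."""
    key = os.environ.get("NVD_API_KEY")            # assumed variable name
    delay = 0.7 if key else 6.0
    start = 0
    while True:
        query = dict(params, startIndex=start, resultsPerPage=2000)  # 2000 is the API maximum
        req = urllib.request.Request(f"{API}?{urllib.parse.urlencode(query)}",
                                     headers={"apiKey": key} if key else {})
        with urllib.request.urlopen(req, timeout=60) as resp:
            page = json.load(resp)
        yield from page["vulnerabilities"]
        start += page["resultsPerPage"]
        if start >= page["totalResults"]:
            return
        time.sleep(delay)


def best_score(cve: dict):
    """NIST's own score (type Primary) wins; otherwise the CNA's (Secondary).
    Within each, newest CVSS version first. Returns (score, severity, source),
    or None for an unscored entry such as one still Awaiting Analysis."""
    metrics = cve.get("metrics", {})
    for wanted in ("Primary", "Secondary"):
        for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            for m in metrics.get(key, []):
                if m["type"] == wanted:
                    data = m["cvssData"]
                    # v2 keeps baseSeverity beside cvssData; v3/v4 keep it inside
                    return data["baseScore"], data.get("baseSeverity", m.get("baseSeverity")), m["source"]
    return None


def summarise(entry: dict) -> dict:
    """Pull out the enrichment fields a scanner acts on; missing sections are tolerated."""
    cve = entry["cve"]
    cwes = sorted({d["value"] for w in cve.get("weaknesses", []) for d in w["description"]
                   if d["value"].startswith("CWE-")})   # drops NVD-CWE-noinfo / NVD-CWE-Other
    ranges = [(m["criteria"], m.get("versionStartIncluding"), m.get("versionEndExcluding"))
              for cfg in cve.get("configurations", []) for node in cfg["nodes"]
              for m in node["cpeMatch"] if m["vulnerable"]]
    patches = [r["url"] for r in cve.get("references", []) if "Patch" in r.get("tags", [])]
    return {"id": cve["id"], "status": cve.get("vulnStatus"), "score": best_score(cve),
            "cwes": cwes, "ranges": ranges, "patch_urls": patches}


def triage(entries: list, kev_ids: set) -> list:
    """Patch order: KEV-listed first, then by best available score. Unscored
    entries sort last but stay in the list; silently dropping them is how
    backlog CVEs vanish from dashboards."""
    rows = [summarise(e) for e in entries]
    return sorted(rows, key=lambda r: (r["id"] not in kev_ids,
                                       -(r["score"][0] if r["score"] else -1.0)))


SAMPLE = {"vulnerabilities": [  # constructed, API 2.0 shape
    {"cve": {"id": "CVE-2021-44228", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"version": "3.1", "baseScore": 10.0, "baseSeverity": "CRITICAL"}},
                 {"source": "cna@example.org", "type": "Secondary",   # hypothetical CNA score
                  "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                             "description": [{"lang": "en", "value": "CWE-917"}]}],
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"}]}]}],
             "references": [{"url": "https://vendor.example/advisory", "source": "cna@example.org",
                             "tags": ["Patch", "Vendor Advisory"]}]}},
    {"cve": {"id": "CVE-0000-00000", "vulnStatus": "Awaiting Analysis",   # placeholder ID
             "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                         "cvssData": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Received"}},   # placeholder, nothing enriched yet
]}

if __name__ == "__main__":
    for row in triage(SAMPLE["vulnerabilities"], kev_ids={"CVE-0000-00000"}):
        print(row["id"], row["status"], row["score"], row["cwes"], row["patch_urls"])
```

To run it against a live window, replace SAMPLE["vulnerabilities"] with fetch_cves(lastModStartDate=..., lastModEndDate=...) and keep each window under the 120-day limit; feed kev_ids from the CISA KEV catalog so actively exploited entries surface even when NIST has not scored them yet.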
The NVD Analysis Backlog Problem
In February 2024, NIST posted a notice that it had scaled back enrichment of new CVE entries due to resource constraints, and a backlog built up quickly. By mid-2024, tens of thousands of CVEs were listed in the NVD with the status "Awaiting Analysis" (the vulnStatus field in the API): they had a CVE ID and description from MITRE, but no NIST CVSS score, CWE or CPE data yet.
This caused real problems for organisations that rely on NVD data to drive automated scanning and risk scoring. A CVE with no CVSS score and no CPE criteria is invisible to most vulnerability management tools: it cannot be matched to an inventory and it cannot be ranked. Where the CNA supplied its own score, tools can fall back to that Secondary metric; where it did not, the CISA KEV catalog and the vendor advisory are the only signals left.
NIST began addressing the backlog through a combination of increased staffing and automation, and announced a consortium of industry partners to share enrichment work. In 2025 it also introduced a "Deferred" status for older CVEs it does not intend to enrich further. By 2026 the backlog was being processed more consistently, but the episode highlighted the risk of depending on a single government database as the sole source of vulnerability intelligence: check vulnStatus before treating an entry's empty metrics as a sign of low risk.
NVD Alternatives and Supplements
The NVD is the gold standard but is not the only source of vulnerability data. Use it alongside these resources.
| Source | Best For | URL |
|---|---|---|
| CISA KEV Catalog | Actively exploited vulnerabilities — patch these first | cisa.gov/known-exploited-vulnerabilities |
| OSV (Open Source Vulnerabilities) | Open source package vulnerabilities (npm, PyPI, Maven) | osv.dev |
| GitHub Advisory Database | Vulnerabilities in GitHub-hosted open source projects | github.com/advisories |
| Vulners | Aggregated feed with exploit availability data | vulners.com |
| Snyk Vulnerability DB | Developer-focused, deep package ecosystem coverage | security.snyk.io |
| OpenCVE | Self-hosted dashboard and alerting over NVD and other vulnerability feeds | opencve.io |
| Vendor Advisories | Official patches and mitigations from Microsoft, Cisco, Red Hat, etc. | Varies by vendor |
For most organisations, the NVD is the foundation, the CISA KEV catalog is the priority filter, and vendor advisories are the patch source. Together they form a complete, practical vulnerability intelligence workflow.