NVD CVE Vulnerability Crawler

Pricing: Pay per event

Crawl 250K+ CVE records from the NIST National Vulnerability Database. Extract CVSS v3.1 scores, severity ratings, attack vectors, affected products (CPE), CWE weaknesses, and exploit/patch status. Filter by keyword, severity, vendor, and date range.

Developer: BowTiedRaccoon

Maintained by Community

Last modified: 15 days ago

Extract CVE vulnerability records from the NIST National Vulnerability Database API 2.0. Each record includes CVSS v3.1 scores, severity ratings, attack vectors, CWE weakness classifications, affected products in CPE format, and flags for known exploits and available patches.

NVD CVE Crawler Features

  • Filter CVEs by keyword, CVSS severity, vendor/product CPE string, publication date, and last-modified date
  • Returns full CVSS v3.1 metrics: base score, severity, vector string, attack vector, attack complexity, privileges required, scope, and all three impact dimensions
  • Resolves CWE IDs to human-readable weakness names for the top ~100 most common weakness types
  • Extracts vendor and product names directly from CPE strings — no post-processing required
  • Flags exploit_available and patch_available from NVD reference tags, so you can filter by exploitability without reading each advisory
  • Handles rate limiting automatically: 5 req/30s without an API key, 50 req/30s with one
  • Supports incremental runs via lastModStartDate — pull only CVEs modified since your last run
  • No proxies needed. The NVD API is a public government service

Who Uses NVD CVE Data and Why?

  • Security engineers — build vulnerability dashboards filtered to the specific vendors and products in their environment
  • Threat intelligence analysts — monitor new critical and high-severity CVEs as they are published, with exploit and patch status included
  • Compliance teams — pull CVE records by date range and severity to document exposure windows and patch response times
  • Penetration testers — enumerate known exploitable vulnerabilities for a target vendor or product before an engagement
  • Software vendors — track CVEs assigned to their own products and set up alerts when new ones are published

How NVD CVE Crawler Works

  1. You provide at least one filter — a keyword, severity level, CPE vendor/product string, or date range. A completely open query with maxItems set to 0 is blocked to prevent accidentally crawling all 338K+ records.
  2. The crawler calls NVD's REST API with up to 2,000 results per page, paginating automatically until it reaches maxItems or exhausts the result set.
  3. Each raw vulnerability object is transformed into a flat, consistent record: CVSS metrics are promoted to top-level fields, CWE IDs are resolved to names, vendor and product are extracted from the first vulnerable CPE match, and reference URLs are deduplicated.
  4. Records are saved to the Apify dataset as they arrive, so partial results are available even if you stop the run early.
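The transformation in step 3, sketched as an added example (not the crawler's own code). It assumes the raw item follows the NVD API 2.0 `vulnerabilities[]` layout and covers a subset of the output fields. The sample objects, the `examplevendor` names and the one-entry CWE table are constructed placeholders.

```python
CWE_NAMES = {"CWE-476": "NULL Pointer Dereference"}  # stand-in for the crawler's name table

def flatten(vuln):
    """Turn one NVD API 2.0 `vulnerabilities[]` item into the flat record shape."""
    cve = vuln["cve"]
    # Older or not-yet-scored CVEs have no cvssMetricV31: CVSS fields become None.
    v31 = cve.get("metrics", {}).get("cvssMetricV31") or [{}]
    cvss = v31[0].get("cvssData", {})
    # Skip NVD placeholders such as "NVD-CWE-noinfo"; keep real CWE IDs only.
    cwes = [d["value"] for w in cve.get("weaknesses", [])
            for d in w.get("description", []) if d["value"].startswith("CWE-")]
    cpes = [m["criteria"] for c in cve.get("configurations", [])
            for n in c.get("nodes", []) for m in n.get("cpeMatch", [])
            if m.get("vulnerable")]
    # cpe:2.3:<part>:<vendor>:<product>:... (naive split; ignores escaped colons)
    f = cpes[0].split(":") if cpes else []
    refs = cve.get("references", [])
    tags = {t for r in refs for t in r.get("tags", [])}
    return {
        "cve_id": cve["id"],
        "cvss_v31_score": cvss.get("baseScore"),
        "cvss_v31_severity": cvss.get("baseSeverity"),
        "attack_vector": cvss.get("attackVector"),
        "cwe_id": cwes[0] if cwes else None,
        "cwe_name": CWE_NAMES.get(cwes[0]) if cwes else None,
        "affected_products": cpes,
        "vendor": f[3] if len(f) > 4 else None,
        "product": f[4] if len(f) > 4 else None,
        "references": list(dict.fromkeys(r["url"] for r in refs)),  # dedupe, keep order
        "exploit_available": "Exploit" in tags,
        "patch_available": "Patch" in tags,
    }

# Constructed sample input (placeholder ID, vendor and URLs), not real NVD data.
SAMPLE = {"cve": {
    "id": "CVE-0000-00001",
    "metrics": {"cvssMetricV31": [{"cvssData": {
        "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK"}}]},
    "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}]}],
    "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"},
        {"vulnerable": False, "criteria": "cpe:2.3:o:examplevendor:exampleos:*:*:*:*:*:*:*:*"}]}]}],
    "references": [
        {"url": "https://example.com/advisory", "tags": ["Vendor Advisory", "Patch"]},
        {"url": "https://example.com/advisory", "tags": ["Patch"]}],
}}
UNSCORED = {"cve": {"id": "CVE-0000-00002"}}  # constructed: no metrics, CPEs or references
```

Because the flags are derived only from NVD reference tags, `exploit_available: false` means no reference carries the Exploit tag, not that no exploit exists.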

Input

Search by keyword and severity

{
  "keywordSearch": "remote code execution",
  "cvssV3Severity": "CRITICAL",
  "maxItems": 100
}

Pull CVEs for a specific vendor

{
  "vendor": "cpe:2.3:*:apache:http_server:*",
  "pubStartDate": "2024-01-01T00:00:00.000",
  "maxItems": 500
}

Incremental update — only new modifications

{
  "lastModStartDate": "2026-03-01T00:00:00.000",
  "apiKey": "your-nvd-api-key-here",
  "maxItems": 0
}

Input Parameters

| Field | Type | Default | Description |
|---|---|---|---|
| keywordSearch | string | "" | Search CVE descriptions for keywords, e.g. buffer overflow, SQL injection, remote code execution. |
| cvssV3Severity | string | "" | Filter by CVSS v3.1 severity: LOW, MEDIUM, HIGH, or CRITICAL. Leave empty for all severities. |
| vendor | string | "" | Filter by vendor or product using CPE format, e.g. cpe:2.3:*:microsoft:* or cpe:2.3:*:apache:http_server:*. |
| pubStartDate | string | "" | Include only CVEs published on or after this date. ISO 8601 format: YYYY-MM-DDTHH:MM:SS.000. |
| pubEndDate | string | "" | Include only CVEs published on or before this date. ISO 8601 format. |
| lastModStartDate | string | "" | Include only CVEs last modified on or after this date. Useful for incremental runs. |
| apiKey | string | "" | Optional NVD API key for higher rate limits (50 req/30s vs 5 req/30s). Free at nvd.nist.gov/developers/request-an-api-key. |
| maxItems | integer | 500 | Maximum number of CVE records to return. Set to 0 for unlimited — requires at least one filter. |
| proxyConfiguration | object | disabled | Proxy settings. Disabled by default — the NVD API does not require proxies. |

NVD CVE Crawler Output Fields

{
  "cve_id": "CVE-2024-49113",
  "description": "A null pointer dereference in the LDAP library of Windows LDAP Client allows an unauthorized attacker to cause a denial of service over a network.",
  "published_date": "2024-12-10T18:15:45.983",
  "last_modified_date": "2025-01-08T19:43:29.213",
  "cvss_v31_score": 7.5,
  "cvss_v31_severity": "HIGH",
  "cvss_v31_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "attack_vector": "NETWORK",
  "attack_complexity": "LOW",
  "privileges_required": "NONE",
  "user_interaction": "NONE",
  "scope": "UNCHANGED",
  "confidentiality_impact": "NONE",
  "integrity_impact": "NONE",
  "availability_impact": "HIGH",
  "cwe_id": "CWE-476",
  "cwe_name": "NULL Pointer Dereference",
  "affected_products": [
    "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.20857:*:*:*:*:*:x64:*",
    "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.6659:*:*:*:*:*:*:*"
  ],
  "vendor": "microsoft",
  "product": "windows_10_1507",
  "references": [
    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49113"
  ],
  "exploit_available": false,
  "patch_available": true,
  "source": "secure@microsoft.com"
}

| Field | Type | Description |
|---|---|---|
| cve_id | string | CVE identifier, e.g. CVE-2024-49113 |
| description | string | Vulnerability description text (English) |
| published_date | string | Date and time the CVE was published (ISO 8601) |
| last_modified_date | string | Date and time the CVE was last modified (ISO 8601) |
| cvss_v31_score | number | CVSS v3.1 base score, 0.0–10.0. Null if not yet scored. |
| cvss_v31_severity | string | CVSS v3.1 severity label: NONE, LOW, MEDIUM, HIGH, or CRITICAL |
| cvss_v31_vector | string | Full CVSS v3.1 vector string |
| attack_vector | string | How the vulnerability is exploited: NETWORK, ADJACENT_NETWORK, LOCAL, or PHYSICAL |
| attack_complexity | string | Conditions beyond attacker control: LOW or HIGH |
| privileges_required | string | Level of access needed before exploitation: NONE, LOW, or HIGH |
| user_interaction | string | Whether a user must act for exploitation: NONE or REQUIRED |
| scope | string | Whether exploitation can affect resources beyond the vulnerable component: UNCHANGED or CHANGED |
| confidentiality_impact | string | Impact on data confidentiality: NONE, LOW, or HIGH |
| integrity_impact | string | Impact on data integrity: NONE, LOW, or HIGH |
| availability_impact | string | Impact on system availability: NONE, LOW, or HIGH |
| cwe_id | string | CWE weakness identifier, e.g. CWE-79 |
| cwe_name | string | Human-readable CWE weakness name, e.g. Cross-site Scripting |
| affected_products | string[] | List of vulnerable CPE strings from NVD configurations |
| vendor | string | Primary affected vendor name, extracted from the first vulnerable CPE |
| product | string | Primary affected product name, extracted from the first vulnerable CPE |
| references | string[] | Deduplicated list of reference URLs: advisories, patches, exploit write-ups |
| exploit_available | boolean | true if any reference is tagged Exploit by NVD |
| patch_available | boolean | true if any reference is tagged Patch by NVD |
| source | string | Organization that submitted the CVE (usually a vendor PSIRT or MITRE) |
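Since vendor and product come from the first vulnerable CPE only, matching an asset inventory against those two fields can miss products listed later in affected_products. This added example (not part of the crawler) matches on every CPE and keeps unscored records visible. The inventory, the helper names and the second record are constructed, and matching is by vendor and product only, not version.

```python
def vendor_product(cpe):
    """Return (vendor, product) from a CPE 2.3 string, or None if malformed."""
    f = cpe.split(":")  # naive split; does not handle escaped colons
    return (f[3], f[4]) if len(f) > 4 and f[:2] == ["cpe", "2.3"] else None

def match_inventory(records, inventory):
    """Match on every CPE in affected_products, not only the primary vendor/product."""
    hits = []
    for rec in records:
        pairs = {vendor_product(c) for c in rec.get("affected_products") or []}
        matched = sorted(p for p in pairs if p in inventory)
        if matched:
            hits.append({
                "cve_id": rec["cve_id"],
                "matched": matched,
                "score": rec.get("cvss_v31_score"),  # None if never scored under v3.1
                "exploit_tagged": bool(rec.get("exploit_available")),
                "patch_tagged": bool(rec.get("patch_available")),
            })
    # Unscored records sort first so they get manual review instead of sinking as 0.0.
    hits.sort(key=lambda h: (h["score"] is not None, -(h["score"] or 0.0)))
    return hits

def primary_only(records, inventory):
    """The tempting shortcut: trust the top-level vendor/product fields."""
    return [r["cve_id"] for r in records
            if (r.get("vendor"), r.get("product")) in inventory]

RECORDS = [
    {   # trimmed copy of the sample output record on this page
        "cve_id": "CVE-2024-49113", "cvss_v31_score": 7.5,
        "affected_products": [
            "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.20857:*:*:*:*:*:x64:*",
            "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.6659:*:*:*:*:*:*:*"],
        "vendor": "microsoft", "product": "windows_10_1507",
        "exploit_available": False, "patch_available": True},
    {   # constructed record: placeholder ID and vendor, never scored under v3.1
        "cve_id": "CVE-0000-00001", "cvss_v31_score": None,
        "affected_products": ["cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"],
        "vendor": "examplevendor", "product": "exampleapp",
        "exploit_available": False, "patch_available": False},
]
# Constructed inventory of (vendor, product) pairs deployed in the environment.
INVENTORY = {("microsoft", "windows_server_2019"), ("examplevendor", "exampleapp")}
```

With this inventory, `primary_only` misses CVE-2024-49113 because its primary product is windows_10_1507, while `match_inventory` finds it through the second CPE.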

FAQ

How many CVE records does the NVD contain?
NVD CVE Crawler pulls from the full NVD database — approximately 338,000 records as of early 2026, growing by roughly 2,000–3,000 per month. All records back to 1999 are available through the API.

Do I need an API key?
No, but it helps. Without a key, NVD CVE Crawler paces requests at 5 per 30 seconds. With a free NVD API key, that limit rises to 50 per 30 seconds, which is the difference between a slow crawl and a fast one on large result sets. Registration takes about two minutes at nvd.nist.gov/developers/request-an-api-key.

Can I run this on a schedule to catch new vulnerabilities?
Yes. Set lastModStartDate to the datetime of your last run and NVD CVE Crawler returns only records modified since then. Combine with a daily or weekly Apify schedule for a lightweight continuous feed.

Why does the crawler require at least one filter?
Running with no filters and maxItems set to 0 would attempt to pull the entire 338K-record database in a single run. That is almost certainly not what you want and would be expensive. Set any filter — a keyword, severity level, date range, or CPE string — and the constraint is lifted.

Are CVSS v2 scores included?
Not currently. NVD CVE Crawler extracts CVSS v3.1 metrics only, which NVD designates as the primary scoring system for CVEs published from 2018 onward. Older CVEs that were never rescored under v3.1 will have null CVSS fields.

Need More Features?

Need additional fields, CVSS v2 support, or a feed integrated directly into your pipeline? File an issue or get in touch.

Why Use NVD CVE Crawler?

  • No infrastructure required — the NVD API is a public government service with no authentication barrier, no proxy cost, and no rate-limit arms race. NVD CVE Crawler handles the pacing and retries; you get the data.
  • Structured from the start — CVSS metrics are promoted to top-level fields, CWE IDs are resolved to names, and reference URLs are deduplicated. The output is ready for analysis without a transformation step.
  • Priced per record — roughly $0.001 per CVE record, which makes a targeted pull of 1,000 critical-severity vulnerabilities cost about $1.00. No subscription, no minimum.