🔬 CIRCL CVE Scraper

🚀 Export the CIRCL Luxembourg CVE search catalogue in seconds. Pull latest CVEs, single CVE detail, vendor and product browse, plus the full CWE catalogue and CAPEC pattern catalogue. No sign-up, no token, no manual pagination.

🕒 Last updated: 2026-05-15 · 📊 24 fields per record · 🔬 240,000+ CVEs · 🏢 25,000+ vendors · 🧬 1,000+ CWE entries · 600+ CAPEC patterns

The CIRCL CVE Scraper pulls vulnerabilities, weakness catalogues, and attack patterns from the CIRCL Luxembourg CVE search catalogue and returns 24 normalised fields per CVE record, including the CVE identifier, summary, publication and modification timestamps, CVSS v4 / v3 / v2 base scores, CWE list, CAPEC patterns, references, vulnerable configurations, and provider metadata. The catalogue is maintained by the Computer Incident Response Center Luxembourg, a national CERT, and is one of the most widely used open mirrors of the global CVE list with extra cross-references that the upstream sources do not provide in a single place.

The catalogue covers 240,000+ CVEs spanning every published year, 25,000+ vendor slugs, the full Common Weakness Enumeration list, and 600+ Common Attack Pattern Enumeration entries. This Actor makes that data downloadable as CSV, Excel, JSON, or XML in minutes. Eight modes cover everything from latest-published feeds to vendor-product browse to CWE-CAPEC mapping.

🎯 Target Audience	💡 Primary Use Cases
Security teams, threat researchers, vulnerability managers, vendor risk analysts, DevSecOps engineers, security tool builders, ML researchers	Cross-reference CVE / CWE / CAPEC, vendor risk research, latest-CVE feeds, attack-pattern mapping, training datasets, complementing NVD with extra metadata

---

📋 What the CIRCL CVE Scraper does

Eight workflows in a single Actor:

• 🆕 Latest published CVEs. Pull the N most recently published vulnerabilities.
• 🆔 Single CVE by ID. Look up one CVE detail page (e.g. CVE-2021-44228).
• 📦 Batch CVE lookup. Pass an array of CVE IDs and get every match in one run.
• 🏢 Browse vendor. List every product known under a vendor slug like apache or microsoft.
• 🔍 Search vendor + product. Return every CVE for a vendor / product pair (e.g. apache / log4j).
• 🛢️ DB info. Get the last database update timestamp for cache invalidation.
• 🧬 CWE catalogue. List every Common Weakness Enumeration entry.
• 🎯 CAPEC patterns for a CWE. Map a CWE to its related CAPEC attack patterns.
• 🏷️ Vendors index. List every vendor slug known to CIRCL.

Each CVE record includes the identifier, summary, state, assigner CNA, publication and modification timestamps, CVSS v4 / v3 / v2 base scores and severities, CWE list, CAPEC patterns, references, vulnerable configurations, vulnerable products, impact and access metrics, and provider metadata.

💡 Why it matters: the upstream CVE feeds are split across NVD, MITRE, and dozens of CNAs. CIRCL aggregates them with extra cross-references like CWE-to-CAPEC mapping that no single source exposes. Building your own cross-walk means engineering a multi-source pipeline. This Actor skips all of that.

---

🎬 Full Demo

🚧 Coming soon: a 3-minute walkthrough showing how to go from sign-up to a downloaded CVE dataset.

---

⚙️ Input

Input	Type	Default	Behavior
mode	enum	"latest"	One of latest, byId, browseVendor, searchProduct, dbInfo, cwe, capec, vendor.
cveId	string	""	Single CVE ID for byId. Also used as the CWE numeric ID for capec mode.
cveIds	string[]	[]	Batch CVE IDs for byId mode (recommended max ~100 per run).
vendor	string	""	Lowercase vendor slug for browseVendor and searchProduct (e.g. apache, microsoft).
product	string	""	Lowercase product slug for searchProduct (e.g. log4j, tomcat).
count	integer	100	Number of latest CVEs to fetch in latest mode (max 1,000).
maxItems	integer	10	Records to return. Free plan caps at 10, paid plan at 1,000,000.

Example: latest 50 CVEs published.

{
    "mode": "latest",
    "count": 50,
    "maxItems": 50
}

Example: every CVE for Apache Log4j.

{
    "mode": "searchProduct",
    "vendor": "apache",
    "product": "log4j",
    "maxItems": 100
}

⚠️ Good to Know: vendor and product slugs are lowercase and follow CIRCL conventions (e.g. microsoft / windows_10, not Microsoft / Windows 10). Use mode=vendor first to discover available slugs.

---

📊 Output

Each CVE record contains 24 fields. Download the dataset as CSV, Excel, JSON, or XML.

🧾 Schema

Field	Type	Example
🆔 cveId	string	"CVE-2021-44228"
🔗 url	string	"https://cve.circl.lu/cve/CVE-2021-44228"
🏷️ title	string | null	"Apache Log4j2 Remote Code Execution"
📝 summary	string | null	"Apache Log4j2 2.0-beta9 through 2.15.0..."
🚦 state	string | null	"PUBLISHED"
🏢 assigner	string | null	"GitHub_M"
📅 published	ISO 8601 | null	"2021-12-10T10:15:09Z"
🕒 modified	ISO 8601 | null	"2025-04-03T01:03:51Z"
🕒 last_modified	ISO 8601 | null	"2025-04-03T01:03:51Z"
🎯 cvss	number | null	10.0
🎯 cvss3	number | null	10.0
🎯 cvss4	number | null	10.0
🚦 severity	string | null	"CRITICAL"
🧬 cwe	string[]	["CWE-20", "CWE-400", "CWE-502"]
📚 references	string[]	["https://logging.apache.org/log4j/2.x/security.html", "..."]
🧱 vulnerable_configuration	string[]	["cpe:2.3:a:apache:log4j:2.0:*:*:*:*:*:*:*"]
📦 vulnerable_product	string[]	["cpe:2.3:a:apache:log4j:*"]
🎯 capec	string[]	["CAPEC-242"]
💥 impact	object	{ "confidentiality": "HIGH", "integrity": "HIGH", "availability": "HIGH" }
🔓 access	object	{ "vector": "NETWORK", "complexity": "LOW", "authentication": "NONE" }
📦 affected	object[]	[{ "vendor": "apache", "product": "log4j", "versions": [...] }]
🎯 metrics	object[]	[{ "version": "3.1", "baseScore": 10.0, "baseSeverity": "CRITICAL" }]
🛢️ dataVersion	string | null	"5.1"
🕒 scrapedAt	ISO 8601	"2026-05-15T00:00:00.000Z"

📦 Sample record

---

✨ Why choose this Actor

	Capability
🔬	Authoritative source. Pulls directly from the CIRCL Luxembourg CVE search catalogue, a national CERT-maintained mirror.
🎯	Multi-version CVSS. v4, v3.1, v3.0, and v2 base scores plus vector strings, all normalised.
🧬	CWE + CAPEC. Cross-walk a CVE to its weaknesses and from those to attack patterns.
🏢	Vendor + product browse. Discover every product CIRCL knows for a vendor and every CVE for the pair.
🆕	Latest feed. Daily-fresh list of the most recently published CVEs in one call.
🛢️	DB info. Surface the last update timestamp for cache control.
🚫	No sign-up. Works with public vulnerability data. No login or token needed.

📊 CIRCL aggregates CVE data with cross-references no single upstream source exposes. Owning a clean local copy is a multiplier for every research and prioritisation workflow.

---

📈 How it compares to alternatives

Approach	Cost	Coverage	Refresh	Modes	Setup
⭐ CIRCL CVE Scraper (this Actor)	$5 free credit, then pay-per-use	240,000+ CVEs	Live per run	8 modes incl. CWE / CAPEC	⚡ 2 min
Commercial threat-intel platforms	$10,000+/year	Curated subset	Streaming	Many	⏳ Days
Direct upstream feeds	Free	Single source	Variable	Limited	🛠️ Hours
Self-built ingestion	Engineering time	Full	Custom	Custom	🐢 Weeks

Pick this Actor when you want the CIRCL aggregate with vendor browse and CWE-CAPEC cross-walks ready to go.

---

🚀 How to use

1. 📝 Sign up. Create a free account with $5 credit (takes 2 minutes).
2. 🌐 Open the Actor. Go to the CIRCL CVE Scraper page on the Apify Store.
3. 🎯 Set input. Pick a mode (latest / byId / vendor / product / cwe / capec), then set maxItems.
4. 🚀 Run it. Click Start and let the Actor collect your data.
5. 📥 Download. Grab your results in the Dataset tab as CSV, Excel, JSON, or XML.

⏱️ Total time from signup to downloaded dataset: 3-5 minutes. No coding required.

---

💼 Business use cases

🛡️ Vulnerability Management Daily ingestion of latest published CVEs CWE-aware patch prioritisation queues Vendor-product browse for asset-targeted CVE feeds Cross-walk CVE / CWE / CAPEC for richer triage context	🔍 Threat Intelligence & Research Map CVE waves against attack patterns via CAPEC Build vendor risk scorecards based on CVE volume Research datasets filtered by CWE family Track CNA assigner activity and submission patterns
🧬 Security Tooling Build internal CWE catalogues with descriptions and links Power CVE-to-CAPEC mapping in red-team reports Drive vendor pickers in vulnerability dashboards Replace bespoke MITRE / NVD scrapers with one feed	📊 Reporting & Compliance Compliance evidence packs with CWE coverage Vendor scorecards for procurement and supplier reviews Customer-facing trust pages with CWE/CAPEC context Quarterly threat-landscape reports

---

🔌 Automating CIRCL CVE Scraper

Control the scraper programmatically for scheduled runs and pipeline integrations:

• 🟢 Node.js. Install the apify-client NPM package.
• 🐍 Python. Use the apify-client PyPI package.
• 📚 See the Apify documentation for full details.

The Apify Schedules feature lets you trigger this Actor on any cron interval. Hourly, daily, or weekly refreshes keep your downstream vulnerability database in sync automatically.

---

🌟 Beyond business use cases

Data like this powers more than commercial workflows. The same structured records support research, education, civic projects, and personal initiatives.

🎓 Research and academia Vulnerability disclosure trend analysis for academic papers CWE / CAPEC mapping studies and ML training sets Coursework on secure software engineering and risk modelling Reproducible studies with cited, versioned dataset pulls	🎨 Personal and creative Hobbyist CVE dashboards and home-lab feeds Newsletter and blog research on the latest disclosures Portfolio projects that show off security data engineering Personal alerting bots for vendors you care about
🤝 Non-profit and civic National CERT mirrors for downstream research Civic-tech projects mapping CVE risk for critical infrastructure Open-source maintainers monitoring downstream impact Educational outreach for security literacy programmes	🧪 Experimentation Train CWE-classification or attack-pattern models Prototype agent pipelines that summarise advisories Test SIEM rules against historical CVE waves Build dashboards on top of live vulnerability feeds

---

🤖 Ask an AI assistant about this scraper

Open a ready-to-send prompt about this ParseForge actor in the AI of your choice:

• 💬 ChatGPT
• 🧠 Claude
• 🔍 Perplexity
• 🅒 Copilot

---

❓ Frequently Asked Questions

🧩 What is CIRCL?

CIRCL (Computer Incident Response Center Luxembourg) is the national CERT for the private and non-governmental sector in Luxembourg. They operate the cve.circl.lu catalogue, a widely used open mirror of the global CVE list with extra cross-references.

🆚 How is this different from the NIST NVD scraper?

CIRCL aggregates CVE data with extra cross-references like CWE-to-CAPEC mapping, vendor / product browse, and a full CWE catalogue mode. NIST NVD is the canonical U.S. source. Many teams use both: NVD for authoritative CVSS scoring, CIRCL for cross-walks and discovery.

🎯 Which CVSS versions are included?

All four. The Actor surfaces CVSS v4.0, v3.1, v3.0, and v2 base scores plus vector strings whenever the source provides them.

🧬 What is CWE?

CWE (Common Weakness Enumeration) is the standard taxonomy of software weaknesses. Use mode=cwe to dump the full catalogue.

🎯 What is CAPEC?

CAPEC (Common Attack Pattern Enumeration and Classification) catalogues attacker techniques. Use mode=capec with a CWE numeric ID in the cveId field to surface attack patterns related to that weakness.

🔁 How often is the dataset refreshed?

CIRCL refreshes from upstream sources continuously. Use mode=dbInfo to read the last update timestamp for cache invalidation.

🏢 How do I find vendor and product slugs?

Use mode=vendor to list every vendor known to CIRCL, then mode=browseVendor with the vendor slug to list its products. Slugs are lowercase and use underscores.

⏰ Can I schedule regular runs?

Yes. Use Apify Schedules to run this Actor on any cron interval. A common pattern is an hourly schedule on mode=latest to keep a downstream CVE feed fresh.

⚖️ Is this data legal to use?

CIRCL publishes the catalogue under permissive open licensing for non-commercial and commercial use. You should review the source terms for your specific application.

💳 Do I need a paid Apify plan to use this Actor?

No. The free Apify plan is enough for testing and small runs (10 records per run). A paid plan lifts the limit and gives you scheduling, higher concurrency, and larger datasets.

🆘 What if I need help?

Our support team is here to help. Contact us through the Apify platform or use the Tally form linked below.

---

🔌 Integrate with any app

CIRCL CVE Scraper connects to any cloud service via Apify integrations:

• Make - Automate multi-step workflows
• Zapier - Connect with 5,000+ apps
• Slack - Get CVE alerts in your security channels
• Airbyte - Pipe CVE data into your warehouse
• GitHub - Trigger runs from commits and releases
• Google Drive - Export datasets straight to Sheets

You can also use webhooks to trigger downstream actions when a run finishes. Push fresh CVE data into your ticketing system, or alert your team in Slack when a vendor you track gets a new disclosure.

---

🔗 Recommended Actors

• 🛡️ NIST NVD CVE Scraper - Official NVD catalogue with CVSS v4/v3/v2 scores
• 🚨 CISA KEV Scraper - Known Exploited Vulnerabilities catalogue with due dates
• 📈 EPSS Exploit Prediction Scraper - 30-day exploitation probability scores
• 🐙 GitHub Security Advisories Scraper - GHSA + CVE advisories with patched versions
• 📦 OSV Vulnerabilities Scraper - Open source vulnerabilities across 30+ ecosystems

💡 Pro Tip: browse the complete ParseForge collection for more security and reference-data scrapers.

---

🆘 Need Help? Open our contact form to request a new scraper, propose a custom data project, or report an issue.

---

⚠️ Disclaimer: this Actor is an independent tool and is not affiliated with, endorsed by, or sponsored by CIRCL Luxembourg, MITRE, or any of the CNAs that contribute to the CVE catalogue. All trademarks mentioned are the property of their respective owners. Only publicly available vulnerability data is collected.