🛡️ NIST NVD CVE Scraper

🚀 Export the global CVE catalogue in seconds. Pull 240,000+ CVE records from the official NIST National Vulnerability Database with CVSS v4, v3.1, and v2 scores, CWE weaknesses, CPE configurations, and full reference lists. No sign-up, no rate-limit headaches, no parser engineering.

🕒 Last updated: 2026-05-15 · 📊 21 fields per record · 🛡️ 240,000+ CVEs · 🎯 4 scoring systems · 📚 800+ CWE weakness types

The NIST NVD CVE Scraper pulls vulnerabilities from the official NIST National Vulnerability Database (NVD) and returns 21 normalised fields per record, including CVSS v4 / v3 / v2 base scores, weakness classifications, CPE 2.3 configurations, and curated reference links. The underlying catalogue is the canonical source of truth for U.S. federal vulnerability tracking and is consumed by every major SIEM, vulnerability scanner, and cloud security platform on the planet.

The catalogue covers every published CVE since 1999, four CVSS scoring systems, hundreds of CWE weakness families, and millions of CPE product mappings spanning operating systems, applications, libraries, and firmware. This Actor makes that data downloadable as CSV, Excel, JSON, or XML in minutes. Filters apply at the source, so you skip pagination, rate-limit handling, and field normalisation entirely.

🎯 Target Audience	💡 Primary Use Cases
Security teams, vulnerability managers, threat researchers, SOC analysts, DevSecOps engineers, compliance officers, security tool builders	CVE feed enrichment, patch prioritisation, SIEM integration, CVSS-based reporting, CPE matching, supply-chain risk, security dashboard automation

---

📋 What the NIST NVD CVE Scraper does

Five workflows in a single Actor:

• 🔎 Single CVE lookup. Fetch one record by its identifier, e.g. CVE-2021-44228.
• 📦 Batch CVE lookup. Pass an array of IDs and get every match in one run.
• 🔠 Keyword search. Free-text search across CVE descriptions for terms like openssl, log4j, or remote code execution.
• 🎚️ Severity + CWE filters. Restrict to Critical / High / Medium / Low or to a specific weakness type.
• 📅 Date-window crawl. Pull every CVE published inside a 120-day window for incremental syncs.

Each record includes the CVE identifier, source CNA, publication and modification timestamps, English description, all available CVSS scores, weakness list, affected configurations (CPE 2.3 with version ranges), and curated references with tags.

💡 Why it matters: the NVD is the foundation of every vulnerability scanner, patch-management workflow, and security advisory pipeline. Building your own ingestion means handling pagination, the 120-day window cap, retry-after headers, and CVSS v2/v3/v4 normalisation by hand. This Actor skips all of that and gives you a clean, downloadable dataset.

---

🎬 Full Demo

🚧 Coming soon: a 3-minute walkthrough showing how to go from sign-up to a downloaded CVE dataset.

---

⚙️ Input

Input	Type	Default	Behavior
cveId	string	""	Single CVE ID (e.g. CVE-2024-1234). Overrides all other filters.
cveIds	string[]	[]	Batch list of CVE IDs (recommended max ~100 per run).
keyword	string	""	Free-text search across CVE descriptions.
severity	enum	""	One of CRITICAL / HIGH / MEDIUM / LOW. Empty for all.
cweId	string	""	Filter by CWE weakness ID (e.g. CWE-79).
pubStartDate, pubEndDate	ISO 8601	""	Publish-date window. Both required together. Max 120-day span.
hasKev	boolean	false	Restrict to CVEs in the CISA Known Exploited Vulnerabilities catalog.
hasOval, hasCertAlerts, hasCertNotes	boolean	false	Restrict to records with OVAL / US-CERT alerts / US-CERT notes.
noRejected	boolean	false	Skip CVEs in REJECTED status.
sourceIdentifier	string	""	Filter by submitting CNA (e.g. cve@mitre.org).
virtualMatchString	string	""	CPE 2.3 match string (e.g. cpe:2.3:a:apache:log4j).
maxItems	integer	10	Records to return. Free plan caps at 10, paid plan at 1,000,000.

Example: every Critical CVE published in Q1 2024.

{
    "maxItems": 500,
    "severity": "CRITICAL",
    "pubStartDate": "2024-01-01T00:00:00.000",
    "pubEndDate": "2024-03-31T23:59:59.999"
}

Example: batch lookup of the Log4Shell family.

{
    "cveIds": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105", "CVE-2021-44832"]
}

⚠️ Good to Know: the official NIST NVD source enforces a 120-day publish-date window per query. The Actor respects this limit and warns when only one of pubStartDate / pubEndDate is supplied. For longer date ranges, run the Actor on a schedule with rolling windows.

---

📊 Output

Each record contains 21 fields. Download the dataset as CSV, Excel, JSON, or XML.

🧾 Schema

Field	Type	Example
🆔 cveId	string	"CVE-2021-44228"
🔗 url	string	"https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
🏢 sourceIdentifier	string | null	"security-advisories@github.com"
📅 published	ISO 8601 | null	"2021-12-10T10:15:09.143"
🕒 lastModified	ISO 8601 | null	"2025-04-03T01:03:51.193"
🚦 vulnStatus	string | null	"Modified"
📝 description	string | null	"Apache Log4j2 2.0-beta9 through 2.15.0..."
🎯 cvssV4BaseScore	number | null	null
🎯 cvssV4Severity	string | null	null
🎯 cvssV4VectorString	string | null	null
🎯 cvssV3BaseScore	number | null	10.0
🎯 cvssV3BaseSeverity	string | null	"CRITICAL"
🎯 cvssV3VectorString	string | null	"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
🎯 cvssV2BaseScore	number | null	9.3
🎯 cvssV2BaseSeverity	string | null	"HIGH"
🎯 cvssV2VectorString	string | null	"AV:N/AC:M/Au:N/C:C/I:C/A:C"
🧬 weaknesses	string[]	["CWE-20", "CWE-400", "CWE-502"]
🧱 configurations	object[]	[{ "operator": "OR", "cpeMatches": [...] }]
📚 references	object[]	[{ "url": "https://logging.apache.org/...", "tags": ["Vendor Advisory"] }]
🕒 scrapedAt	ISO 8601	"2026-05-15T00:00:00.000Z"
❌ error	string | null	null

📦 Sample record

---

✨ Why choose this Actor

	Capability
🛡️	Authoritative source. Pulls directly from the official NIST National Vulnerability Database, the canonical CVE catalogue.
🎯	Multi-version CVSS. v4, v3.1, v3.0, and v2 base scores plus vector strings, all normalised in one record.
🧱	CPE 2.3 configurations. Affected product matches with version ranges, ready to join with asset inventories.
🧬	CWE weakness mapping. Each CVE comes with its full list of associated weakness types.
📚	Curated references. Vendor advisories, exploit links, US-CERT notes, and third-party analysis tagged at the source.
🔁	Always fresh. Every run hits the live catalogue, so the dataset reflects current scoring and modification dates.
🚫	No sign-up. Works with public vulnerability data. No login or token needed.

📊 The NVD is consumed by every major SIEM, EDR, vulnerability scanner, and cloud security platform on the planet. Owning a clean local copy is a multiplier for every downstream security workflow.

---

📈 How it compares to alternatives

Approach	Cost	Coverage	Refresh	Filters	Setup
⭐ NIST NVD CVE Scraper (this Actor)	$5 free credit, then pay-per-use	240,000+ CVEs	Live per run	severity, CWE, CPE, date, KEV, source	⚡ 2 min
Commercial threat-intel feeds	$10,000+/year	Curated subset	Streaming	Many	⏳ Days
Manual exports	Free	Full	Stale	None	🐢 Hours
Self-built ingestion	Engineering time	Full	Custom	Custom	🛠️ Weeks

Pick this Actor when you want the canonical CVE catalogue without writing pagination, retry, or normalisation code.

---

🚀 How to use

1. 📝 Sign up. Create a free account with $5 credit (takes 2 minutes).
2. 🌐 Open the Actor. Go to the NIST NVD CVE Scraper page on the Apify Store.
3. 🎯 Set input. Pick a severity, keyword, CVE ID, or date window, then set maxItems.
4. 🚀 Run it. Click Start and let the Actor collect your data.
5. 📥 Download. Grab your results in the Dataset tab as CSV, Excel, JSON, or XML.

⏱️ Total time from signup to downloaded dataset: 3-5 minutes. No coding required.

---

💼 Business use cases

🛡️ Vulnerability Management Daily ingestion of new CVEs into your scanner backend CVSS-based prioritisation queues for patch teams KEV-aware triage workflows for active exploitation Compliance evidence packs for SOC 2, ISO 27001, FedRAMP	🔍 Threat Intelligence & Research Track new Critical and High CVEs in near real time Build research datasets filtered by CWE family Map CVE growth by vendor, product, or year Cross-reference with KEV and exploit prediction feeds
🛠️ DevSecOps & SBOM Match CPE strings against your software bill of materials CI gate that fails builds on Critical CVEs in dependencies Supply-chain risk reports filtered by ecosystem Pull requests that auto-link CVEs to fix branches	📊 Security Reporting & Dashboards Executive dashboards showing CVE counts by severity over time Vendor scorecards based on CVE volume and median CVSS Customer-facing trust pages with patch SLAs Regulatory reporting for finance, healthcare, and energy

---

🔌 Automating NIST NVD CVE Scraper

Control the scraper programmatically for scheduled runs and pipeline integrations:

• 🟢 Node.js. Install the apify-client NPM package.
• 🐍 Python. Use the apify-client PyPI package.
• 📚 See the Apify documentation for full details.

The Apify Schedules feature lets you trigger this Actor on any cron interval. Hourly, daily, or weekly refreshes keep your downstream vulnerability database in sync automatically.

---

🌟 Beyond business use cases

Data like this powers more than commercial workflows. The same structured records support research, education, civic projects, and personal initiatives.

🎓 Research and academia Vulnerability disclosure trend analysis for academic papers CWE family co-occurrence studies and ML training sets Reproducible studies with cited, versioned dataset pulls Coursework on secure software engineering and risk modelling	🎨 Personal and creative Hobbyist security dashboards and home-lab CVE feeds Newsletter and blog research on the latest disclosures Portfolio projects that show off security data engineering Personal alerting bots for vendors you actually use
🤝 Non-profit and civic Local government IT teams tracking exposure to known threats Civic-tech projects mapping CVE risk for critical infrastructure Open-source maintainers monitoring downstream impact Educational outreach for security literacy programmes	🧪 Experimentation Train CVE-classification or severity-prediction models Prototype agent pipelines that summarise advisories Test SIEM rules against historical CVE waves Build dashboards on top of live vulnerability feeds

---

🤖 Ask an AI assistant about this scraper

Open a ready-to-send prompt about this ParseForge actor in the AI of your choice:

• 💬 ChatGPT
• 🧠 Claude
• 🔍 Perplexity
• 🅒 Copilot

---

❓ Frequently Asked Questions

🧩 How does it work?

Configure your filters in the input form, click Start, and the Actor pulls matching CVEs from the official NIST NVD source, normalises CVSS v4 / v3 / v2 scoring, and emits one clean record per vulnerability.

📏 How accurate is the data?

The records are mirror-copies of the official NIST NVD catalogue at run time. Description text, CVSS scores, CWE mappings, and CPE configurations are taken verbatim from the source.

🔁 How often is the dataset refreshed?

The official NIST source updates continuously as CNAs publish new CVEs and analysts revise existing ones. Every run of this Actor reflects the catalogue as of run time.

🎯 Which CVSS versions are included?

All four. The Actor surfaces CVSS v4.0, v3.1, v3.0, and v2 base scores plus vector strings whenever the source provides them. Older CVEs may carry only v2; newer ones may have v3 and v4.

📅 Why does the date filter cap at 120 days?

The official source enforces this window per query. To pull longer ranges, schedule the Actor with rolling 120-day windows or fetch by CVE ID list instead.

🧬 What is a CWE?

CWE (Common Weakness Enumeration) is the standard taxonomy of software weaknesses. Each CVE is mapped to one or more CWE IDs that classify the underlying flaw type, like buffer overflow or cross-site scripting.

🧱 What is a CPE?

CPE (Common Platform Enumeration) 2.3 is the standard product naming scheme. The Actor returns full CPE match strings with version ranges, ready to join against asset inventories or software bills of materials.

⏰ Can I schedule regular runs?

Yes. Use Apify Schedules to run this Actor on any cron interval. A common pattern is a 60-minute schedule that pulls the latest published CVEs and pushes them into a SIEM or ticketing system.

⚖️ Is this data legal to use?

The NIST NVD is a U.S. government public dataset with no restrictions on use, including commercial use. You should still review the official terms for your specific application.

💳 Do I need a paid Apify plan to use this Actor?

No. The free Apify plan is enough for testing and small runs (10 records per run). A paid plan lifts the limit and gives you scheduling, higher concurrency, and larger datasets.

🆘 What if I need help?

Our support team is here to help. Contact us through the Apify platform or use the Tally form linked below.

---

🔌 Integrate with any app

NIST NVD CVE Scraper connects to any cloud service via Apify integrations:

• Make - Automate multi-step workflows
• Zapier - Connect with 5,000+ apps
• Slack - Get CVE alerts in your security channels
• Airbyte - Pipe CVE data into your warehouse
• GitHub - Trigger runs from commits and releases
• Google Drive - Export datasets straight to Sheets

You can also use webhooks to trigger downstream actions when a run finishes. Push fresh CVE data into your ticketing system, or alert your team in Slack when a new Critical hits the catalogue.

---

🔗 Recommended Actors

• 🚨 CISA KEV Scraper - Known Exploited Vulnerabilities catalogue with due dates
• 📈 EPSS Exploit Prediction Scraper - 30-day exploitation probability scores
• 🐙 GitHub Security Advisories Scraper - GHSA + CVE advisories with patched versions
• 📦 OSV Vulnerabilities Scraper - Open source vulnerabilities across PyPI, npm, Go, Maven and more
• 🔬 CIRCL CVE Scraper - CIRCL Luxembourg CVE catalogue with CWE and CAPEC

💡 Pro Tip: browse the complete ParseForge collection for more security and reference-data scrapers.

---

🆘 Need Help? Open our contact form to request a new scraper, propose a custom data project, or report an issue.

---

⚠️ Disclaimer: this Actor is an independent tool and is not affiliated with, endorsed by, or sponsored by NIST, the U.S. government, or any of the CNAs that contribute to the NVD catalogue. All trademarks mentioned are the property of their respective owners. Only publicly available vulnerability data is collected.