NVD CVE Vulnerability Database - Security & Compliance Intelligence

Search the NIST National Vulnerability Database (NVD) for CVE security vulnerabilities. Filter by keyword, CVSS severity, and publication date. Extract structured data for vulnerability monitoring, security compliance, patch management, and threat intelligence workflows.

No API key required. Uses the official NVD CVE API 2.0.

What you get

Each CVE record includes:

• CVE ID (e.g. CVE-2021-44228)
• Description — plain-English explanation of the vulnerability
• Severity — CVSS v3 severity: CRITICAL, HIGH, MEDIUM, or LOW
• CVSS score — base score from 0.0 to 10.0
• CVSS vector string — full CVSS v3 vector for scoring details
• CWE ID — weakness category (e.g. CWE-79 for XSS, CWE-89 for SQL injection)
• Affected products — CPE URI list of vulnerable software and versions (up to 50 per CVE)
• Published date and last modified date
• Source URL — direct link to the NVD detail page

Use cases

• Vulnerability monitoring: Track new CRITICAL and HIGH CVEs affecting your technology stack
• Security compliance: Audit CVE exposure across specific software components for SOC 2, ISO 27001, or FedRAMP
• Patch management: Identify unpatched vulnerabilities by keyword or product CPE
• Threat intelligence: Correlate CVE data with CVSS scores and CWE categories for risk prioritization
• Penetration testing research: Find known vulnerabilities by keyword (e.g. "apache", "openssl", "remote code execution")
• Security tooling: Enrich SIEM, vulnerability scanners, or asset management systems with NVD data

Input

Field	Type	Description
keywordSearch	string	Keyword to search CVE descriptions (e.g. log4j, apache, buffer overflow)
severity	string	CVSS v3 severity filter: CRITICAL, HIGH, MEDIUM, LOW, or blank for all
pubStartDate	string	Published on or after this date: YYYY-MM-DD or YYYY-MM-DDTHH:MM:SS.mmm
pubEndDate	string	Published on or before this date: YYYY-MM-DD or YYYY-MM-DDTHH:MM:SS.mmm
maxResults	integer	Max records to return (default 100, max 20,000)

All fields are optional. With no filters, returns the most recently published CVEs.

Output example

{
  "cveId": "CVE-2021-44228",
  "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints...",
  "severity": "CRITICAL",
  "cvssScore": 10.0,
  "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
  "cweId": "CWE-917",
  "affectedProducts": [
    "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*",
    "cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*"
  ],
  "publishedDate": "2021-12-10T10:15:09.143",
  "lastModifiedDate": "2023-04-03T20:15:08.127",
  "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
}

Rate limits

The NVD API allows 5 requests per 30-second rolling window without an API key. This actor paginates automatically and respects the rate limit between pages. Large queries (>2,000 results) will take additional time due to enforced delays between pages.

Data source

Uses the official NVD CVE API 2.0 maintained by NIST. Data is authoritative, continuously updated, and free to use. Coverage spans all published CVEs from 1999 to present.